Contents

• Overview
  
  • How it Works
  • Main advantages of SSO
  • Requirements
• Configuring SSO (for IT Admin)
  • Configuring Verbit SSO
  • Configuring Identity Provider
  • Configuring Verbit SSO (Contd)
• Enabling Verbit SSO
  • Identity Provider side
  • Configuring Verbit SSO (Contd)
• Role Mapping
  • Identity Provider Side
  • Configuring Verbit SSO (Contd)
• Sign in using SSO (for customers)

---

Overview

Verbit is pleased to announce that it now supports Single Sign-On (SSO). Once SSO is configured for a customer (Configuring SSO), it will allow its users to login to Verbit using their existing credentials internally (in their IdP).

Therefore, the user management for these customers will be handled directly by them, and not by Verbit anymore, easing them the access to our solution.

This new capability is in response to several requests received from both existing and potential customers, especially from Corporate and Education verticals.
SSO is yet another vital feature emphasizing our vision of scaling our business, and 100% dedication to our customers.

How it works

SSO is a system that enables users to securely authenticate with multiple applications and websites by logging in only once via their IdP.

Each SSO enabled customer, will have all its non-admin users managed by its company’s IdP (Identity Provider), granting full control of allowing and restricting application visibility

• The company’s admin will be responsible for configuring the SSO in Verbit as well as in its company’s IdP.
• Once SSO is configured by IT Admin, ALL of its non-admin users will be required to sign on via SSO login.

NOTE: Admin role, which is not limited to one user, will remain via login of user/password.

Main advantages of SSO:

For Verbit Users

• No need to type in credentials on Verbit side
• Very easy login flow

IdP Benefits

• Helps users to generate, remember, and utilize stronger passwords
• Increased adherence to password policies
• Less time lost on password recovery

For Company

• Manage the users in-house in the IdP (identity provider), no need to create users in the system itself. IdP is now responsible for the complete user lifecycle
• SSO solves the need of the admin to set up all of the company users
• No weak passwords and strong authentication
• Managing credentials internally rather than storing them externally

Requirements

1. Currently, Verbit SSO works with the following providers, along with extended support for other SAML2 providers:
   • Azure 
   • Okta
     Note:  Additional providers will be supported in the near future.
2. In order to enable SSO for users, first configure your Identity Provider. This preparation consists in creating a new enterprise application dedicated to Verbit login flow, which enables IT to assign all users with Verbit solution. Refer to Configuring SSO (for Customer Admin)
3. Once IdP application is configured, you will access Verbit, using an administrator account, and then enable on Verbit end your dedicated SSO configuration.

---

Configuring SSO (for Customer Admin)

For IT Admin
NOTE: Only Customer Admins can configure SSO settings for their company.

Configuring Verbit SSO

NOTE: The instructions below include how to configure SSO for both Azure and Okta. In the tables below, select accordingly

1. Login to your Verbit account using customer admin credentials.
   

   

2. Click the Admin menu bar and choose Admin SSO
   Note: Contact Support to set up SSO capability for your customer account
   

   

3. Go to your Verbit SSO Admin page and follow the instructions below based on IdP type:
   1. For IdP Azure
      • Click and save both Reply URL and the Identifier to ensure the creation of a Verbit-dedicated application in your IdP.
        

        

   2. For IdP Okta
      • Click and save the SSO URL and the Audience URL to ensure the creation of a Verbit-dedicated application in your IdP
        

        

4. Leave this page open and open a new browser window to configure your Identity Provider for Verbit SSO. Proceed to Configuring Identity Provider.

Configuring Identity Provider

NOTE: In order to allow Verbit SSO to work, we need to create an application dedicated to Verbit.

1. Open your IdP directory. Select accordingly in the table below.
   1. For IdP Azure
      1. Open Azure Directory
         

         

      2. In the left-hand menu, click Enterprise Applications.

         

      3. To create a new application, click + New application in the top bar.

         

      4. Click + Create your own application to create our own application as opposed to Microsoft template.
         

         

      5. Name your new application; we recommend Verbit-app, and choose the third option, Integrate any other application you don’t find in the gallery (Non gallery).
         

         

      6. The application verbit-app is created. Click 2. Set up single sign-on.
         

         

      7. Choose SAML as single sign-on method.
         

         

      8. In the SAML-based Sign-on page of your newly created application, click Edit button of the Basic SAML Configuration section
         

         

      9. Click Add identifier in the Identifier (Entity ID) section and enter the Identifier link retrieved previously on Verbit SSO Admin page (refer to Step 1).
      10. .Click Add reply URL in the Reply URL (Assertion Consumer Service URL) section and enter the Reply URL retrieved previously on Verbit SSO Admin page.
          

          

      11. Click the Save button to validate these changes.
          

          

      12. In the SAML-based Sign-on page of your newly created application, copy to clipboard the App Federation Metadata URL of your newly created application, you will need it in the next phase.
          

          

   2. For IdP Okta
      1. Open Okta Directory and expand Applications.
         

         

      2. Click Create App Integration to create your new application.

         

      3. Select SAML 2.0 as sign-in method and click Next.
         

         

      4. Name your application. We recommend verbit-app and click Next.

         

      5. Enter the previously retrieved Single sign-on URL and Audience URI (refer to Step 1).

         

      6. Scroll down, if necessary, and enter: -- In the Attribute Statements (optional) section, this value for the Name field :
         http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email address
         
         • In the Value field, use the dropdown arrow, select user.email and click Next. Select the first option “I’m an Okta customer adding an external app”, select the checkbox “This is an internal app that we have created” and click the Finish.
           

           

      7. Select the first option "I'm an Okta customer adding an external app", select the checkbox "This is an internal app that we have created" and click the Finish.
         

         

      8. Now that our application is created, let’s retrieve the Metadata URL for it. Click the View SAML setup instructions button.

         

      9. In the newly opened page, please retrieve and copy the Identity Provider Single Sign-On URL (refer to Step 1)
         

         >

Configuring Verbit SSO (Contd)

Let’s go back to the Verbit SSO Configuration page that you have previously kept open

1. Paste the App Federation Metadata URL/Identity Provider Single Sign-On URL previously retrieved to the Metadata URL field and enter the Email Domains for which you want to enable SSO login.
2. Click the Save button to save your SSO Configuration! You have now completed the first part of the configuration of your SSO flow in Verbit.

NOTE: Verbit encourages mapping roles prior to saving configuration. For more details, refer to Role Mapping.

---

Enabling Verbit SSO

Identity Provider side

In order to use Verbit SSO assign a user to our newly created Verbit dedicated application in the Identity Provider.

1. For IdP Azure
   1. Assign a first user to our newly created application. Click User and groups in the left-side menu.
      

      

   2. Click + Add user/group.
      

      

   3. Click None Selected.

      

   4. Choose from the search bar the user you want to add and click his/her name in the result list.

      

   5. Click Select located in the bottom right hand of the page.

      

   6. Click Assign located in the bottom left-hand of the page to complete the addition of your first user to your newly created application.

      

2. For IdP Okta
   1. Click Assign and then Assign to People in order to assign a first user to your newly created application for Verbit SSO.

      

   2. Search for the user you want to assign your application to and click Assign

      

   3. To validate the assignation, click Save and Go Back

      

   4. Click Done to finalize the assignation

      

   5. Verify that your application has one assigned user.

      

Configuring Verbit SSO (Contd)

Now let’s go back to Verbit to enable the SSO Configuration, by clicking on the toggle button
for SSO Authentication on the top part of the page, and click on the Save button one more time

You know have a first working SSO login flow on Verbit.

Important: We have not set role mapping yet. The user connected via SSO will not be assigned with any valid role for now. Continue to Role Mapping.

---

Role Mapping

Identity Provider side

The first thing we need to do, is to make sure than any claim we want to use for the role mapping is correctly exposed in our newly created application in our IdP.

NOTE: Currently the mapping of roles presents the following limitation: The Guest Editor Participant role attribution cannot be assigned along another role.

1. For IdP Azure
   1. Go back to the SAML-based Sign-on page, by clicking Single sign-on button in the left-hand
      menu.

      

   2. In the Attributes & Claims section, click Edit

      

   3. A list of claims are displayed. To add an additional claim, click + Add a group claim button, or the + Add new claim button depending on the claim type
      

      

   4. To add a group claim, click + Add a group claim.

      

   5. Choose the type of groups you want to associate with this claim. In the figure below, we selected All groups option and keep the default Group ID as source attribute.

      

   6. Verify that the new claim appears now in the list. Retrieve and keep its Claim name, we will need it to setup the mapping in the Verbit SSO Admin page.
   7. Now that we have exposed the claim, we need to get the relevant Group ID for the group we
      want to assign our user to

      

   8. Click the top search bar, enter groups, and then click the service Groups as shown below
      

      

   9. Search the group you want to use, by entering its name in the search field.
   10. Click the Copy icon next to the Object ID row. We will need it soon for the last part of the mapping in the Verbit SSO Admin page.
       

       

2. For IdP Okta
   1. For our first mapping, we want to map a specific group in Okta with a role on Verbit. Go to the Directory > Groups in the left side panel.
      

      

   2. To create a test-group (for our tutorial), click Add group button.

      

   3. Name the group, test-group and click Save

      

   4. Let’s assign our user to this group, by clicking the name of our group in the list shown below

      

   5. Click Assign people to add our user to that group.

      

   6. Search for your user and click “+”

      

   7. Verify that the user was added.

      

   8. Click Done
      
   9. Expand Applications section and then click Applications.
      

      

   10. Click the verbit-app application name to enter back to your application configuration.

       

   11. Click the General tab, then click Edit in the SAML Settings Section.

       

   12. Click Next

       

   13. If necessary, scroll down in the Group Attribute Statements (optional) section and
       enter the following:
       • Name field: groups
       • Filter : Matches Regex.
       • *: leave as is
   14. Click Next.

       

   15. Click Finish.

       

Configuring Verbit SSO (Contd)

We are now going to setup our mapping in the Verbit SSO Admin page.

1. For IdP Azure
   1. Enter the Claim name saved earlier in the No Key field, and the Group ID in the No Value field.

      

   2. Click the Select dropdown list and choose the role(s) you want to assign your users with, if they
      belong to the group created previously.
      

      

   3. Click Save

      

   4. Your SSO configuration is now set up and you can update/remove users from the groups (once sign out / sign in to IdP takes place).
      NOTE: Role mapping is optional. However, Verbit recommends role mapping since users without roles, will have limited visibility
2. For IdP Okta
   1. Enter groups in the No Key field, and testgroup in the No Value field.

      

   2. . Click the Select dropdown list and choose the role(s) you want to assign your users with, if they
      belong to the group created previously.
      

      

   3. Click Save.

      

   4. Your SSO configuration is now set up and you can update/remove users from the groups (once sign out / sign in to IdP takes place).
      NOTE: Role mapping is optional. However, Verbit recommends role mapping since users without roles, will have limited visibility

Current mapping limitations

Currently the mapping of roles presents the following limitations :

• On the IDP side, we only support one key. Customers cannot choose multiple keys for mapping: For example, customer can choose either Group or Role
• The Guest Editor Participant role attribution cannot be assigned along another role.

---

Sign in using SSO (for customers)

If the user email matches a domain used by an active SSO configuration, it then triggers the following SSO flow:

1. User with a verified email address, can log in via:
   1. Verbit Sign in page
      1. Enter Email address and click Log In
         NOTE: Only Email is required.

If the user email does not match a domain used by an active SSO configuration, it then triggers
the following SSO flow:

1. User is navigated to the following screen. Enter Password and click Login.