Pending Migration
We're updating how SAML Single Sign-On (SSO) configurations are managed in Virtru Control Center to improve security, stability, and drive alignment across our platform. This update will steadily roll out across our product suite in the coming months. During that time, all SAML customers must have a Legacy SAML configuration and a new SAML Configuration setup in the Virtru Control Center. This will require two separate apps on the Identity Provider side. Additional details are below.
About
Authentication and authorization are core and foundational tenets to any information security program. Due to many risks associated with these, there has been a continuing evolution of solutions in this space with the intent to consolidate and standardize authentication, authorization, and single-sign-on (SSO).
One such solution is what is referred to as SAML (Security Assertion Markup Language). SAML, in a nutshell, is a standard to allow for the passing of authentication and authorization data between identity providers and service providers.
If you are leveraging SAML in your organization, Virtru can be integrated into your continued work to secure authentication by integrating and providing a single sign on option.
This is a domain-wide configuration
If enabled, SAML activation will be required for all users from your recognized domain(s) when activating and verifying on any Virtru platform. This includes internal recipients verifying their identity to access content in the Secure Reader. The other authentication methods, (federated and one-time email), will be disabled.
Jump to:
SSO Configuration Guide
Getting started
Creating an SSO Configuration in the Virtru Control Center
Activating an SSO Configuration
Deactivating an SSO Configuration
Common Provider Guides
SSO Configuration Guide
This guide will cover the following
- Configure and enable Virtru SSO
- Configure additional Virtru identity administrator(s)(recommended)
- Register a multi-factor authentication (MFA) token for at least one identity administrator
Getting started
This feature is not enabled by default
Please contact your customer success manager or support to enable this feature for your team.
Information you will need from Virtru
| Attribute | SAML CONFIGURATION value | LEGACY SAML CONFIGURATION value |
| Single Sign On URL (or ACS URL) | https://login.virtru.com/sso/saml2 | https://api.virtru.com/accounts/saml?orgId={your_org_id} (provided on setup page) |
| Entity ID | https://api.virtru.com | virtru.com |
| Name ID format | Primary email | Primary email |
Search for Virtru in your identity provider's application store (Legacy config only)
Some providers, like Okta and OneLogin, have existing entries for Virtru in their Applications store. Before configuring a custom application within your identity provider, you can see if Virtru is already available. If so, you will not need to fill in all of the details above as some details will be pre-configured in the application.
Note: this is only available for legacy SAML configurations. For the new Virtru SAML config, you will need to create a custom app.
Information needed from your identity provider
- SAML login endpoint URL (known also as the SAML 2.0 endpoint or SSO Endpoint)
- Issuer URL
- X.509 certificate in PEM format
Creating an SSO Configuration in the Virtru Control Center
1. Log in to the Virtru Control Center using a current Virtru Administrator account for your domain
2. In the Admin section, click on the Authentication tab
3. Start with the LEGACY SAML CONFIGURATION tab, and select ADD AN SSO CONFIGURATION
4. Enter a name for the new configuration as well as the information from the identity provider into the form (see “Information needed from your identity provider” above).
Note: The certificate should be in PEM format (starts with "-----BEGIN CERTIFICATE-----")
5. Prior to clicking SAVE, the configuration must be validated by clicking the VALIDATE button. This will trigger a page navigation and an SSO login flow
- Upon a successful log in through the identity provider page, you should be redirected back to the Virtru SAML Configuration form and the banner at the bottom of the page should now show a success message
- Upon some unsuccessful validations, you will be redirected back to the SAML Configuration form but the banner will display an error message. Check the provider information in the form and try again
- Upon some other unsuccessful validation attempts, the redirect may fail and you will need to manually return to the configuration page by going to the Control Center again. Check the provider information in the form and try again
6. Assuming you see "Configuration valid,"click SAVE to save the new configuration in a “Inactive” state. The configuration will not yet be active
7. Once complete, navigate to the SAML CONFIGURATION tab, and repeat steps 3-6 (using a separate app on the Identity Provider side). This will ensure all Virtru products are covered for our pending migration
⚠️ Do Not Delete or Deactivate Your Legacy Configuration
Both your Legacy SAML Configuration and your new SAML Configuration must remain active at the same time throughout the migration period. Removing or deactivating your legacy configuration before Virtru has fully migrated all of your products will result in SSO disruption for your users.
Virtru will notify you directly when it is safe to deactivate and remove the legacy configuration. Do not remove it until you receive that notification.
Activating an SSO Configuration
1. Log in to the Virtru Control Center using a Virtru Administrator account for the target organization domain using the established federated OAuth login method
2. In the Admin section, click on the Authentication tab, and select the tab for the configuration you want to activate - SAML CONFIGURATION or LEGACY SAML CONFIGURATION.
3. Check the checkbox on an existing configuration that is in the “Inactive” state
4. Open the “Actions” dropdown, select Activate, and click Apply
5. Read the warning modal, then when ready, click the Activate button. Users will no longer be able to use standard sign-in methods like federated OAuth to log in to Virtru applications. This will apply to all users from your team's recognized domains
6. Read the warning modal, then click the Logout button. You will be required to log in again using the SSO method instead of the federated OAuth login method
7. Once this is complete, you will see the state of your SSO has changed to "Active" and your "Standard Virtru sign in methods" have been "Disabled." Moving forward, SSO will be required for all users from your domain(s) to activate/verify on any Virtru platform
Deactivating an SSO Configuration
Note on Legacy Configurations
In order to avoid disruption, admins will need to keep both the new and legacy configurations active throughout the migration period. Virtru will notify teams when the migration is complete and they can safely remove the legacy configuration.
1. Log in to the Virtru Control Center using a Virtru Administrator account for the target organization domain using the SSO login method
2. In the Admin section, click on the Authentication tab, and select either the SAML CONFIGURATION or LEGACY SAML CONFIGURATION tab
3. Check the checkbox on an existing configuration that is in the “Active” state
4. Open the “Actions” dropdown, select Deactivate, and click Apply
5. Read the warning modal, then when ready, click the Deactivate button. Users will once again be able to use standard sign-in methods like federated OAuth to log in to Virtru applications instead of SSO
6. Once this is complete you will see the state of your SSO has changed to "Inactive" and your "Standard Virtru sign in methods" have been "Enabled" again