About
Authentication and authorization are core, foundational tenets of any information security program. Because of the many risks associated with them, solutions in this space have continued to evolve with the intent to consolidate and standardize authentication, authorization, and single sign-on.
One such solution is SAML (Security Assertion Markup Language). SAML, in a nutshell, is a standard for passing authentication and authorization data between identity providers and service providers.
If you use SAML in your organization, Virtru can integrate with your identity provider to offer a single sign-on option as part of your continued work to secure authentication.
SSO Configuration Guide
This guide covers the following:
- Configure and enable Virtru SSO
- Configure additional Virtru identity administrator(s) (recommended)
- Register a multi-factor authentication (MFA) token for at least one identity administrator
Getting started
This feature is not enabled by default
Please contact your customer success manager or support to enable this feature for your team.
Information you will need from Virtru
- Virtru Organization ID
- Single Sign On URL (sometimes referred to as the ACS URL): https://api.virtru.com/accounts/saml/callback?orgId= (plus your Organization ID from above)
- Entity ID: virtru.com
- Name ID format: Primary email
Search for Virtru in your identity provider's application store
Some providers, like Okta and OneLogin, have existing entries for Virtru in their Applications store. Before configuring a custom application within your identity provider, please see if Virtru is already available. If so, you will not need to fill in all of the details above as some details will be pre-configured in the application.
Information needed from your identity provider
- SAML login endpoint URL (known also as the SAML 2.0 endpoint or SSO Endpoint)
- SAML logout endpoint URL (known also as the SLO Endpoint)
- Authentication certificate (format: PEM or X.509)
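A pre-flight check for the values listed above, added here as an example and not part of Virtru's tooling: it builds the Single Sign On (ACS) URL from the Organization ID, confirms the identity provider endpoints are HTTPS, and computes the certificate's SHA-256 fingerprint so it can be compared with the one shown in the identity provider console before the certificate is pasted into the form. The function names, `idp.example.com`, `ORG-ID-PLACEHOLDER` and the sample certificate bytes are constructed placeholders.

```python
import hashlib
import ssl
from urllib.parse import urlencode, urlsplit

ACS_BASE = "https://api.virtru.com/accounts/saml/callback"  # from the guide
ENTITY_ID = "virtru.com"                                     # from the guide

# Constructed stand-in bytes wrapped in PEM armor; NOT a real certificate.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(bytes(range(48)))


def acs_url(org_id):
    """Single Sign On (ACS) URL: the guide's base URL plus ?orgId=<Organization ID>."""
    org_id = org_id.strip()
    if not org_id:
        raise ValueError("Organization ID is empty")
    return ACS_BASE + "?" + urlencode({"orgId": org_id})


def cert_fingerprint(pem):
    """SHA-256 over the DER bytes, colon-separated, for comparison with the IdP console."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())  # raises ValueError on bad armor/base64
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_idp_values(login_url, logout_url, cert_pem):
    """Return a list of problems; empty means the values are well-formed.
    Checks form only: it does not parse X.509 fields or contact the IdP."""
    issues = []
    for label, url in (("login", login_url), ("logout", logout_url)):
        parts = urlsplit(url.strip())
        if parts.scheme != "https" or not parts.hostname:
            issues.append(f"SAML {label} endpoint is not an absolute https:// URL: {url!r}")
    if "PRIVATE KEY" in cert_pem:
        issues.append("certificate field contains a private key; paste the certificate only")
    try:
        cert_fingerprint(cert_pem)
    except ValueError as exc:
        issues.append(f"certificate is not PEM-encoded: {exc}")
    return issues


if __name__ == "__main__":
    print("ACS URL:  ", acs_url("ORG-ID-PLACEHOLDER"))
    print("Entity ID:", ENTITY_ID)
    print("Issues:   ", check_idp_values("https://idp.example.com/saml/sso",
                                         "https://idp.example.com/saml/slo", SAMPLE_PEM))
    print("SHA-256:  ", cert_fingerprint(SAMPLE_PEM))
```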
Creating an SSO Configuration in the Virtru Control Center
1. Log in to the Virtru Control Center using a current Virtru Administrator account for your domain
2. In the Admin section, click on the Authentication tab
3. Select Add an SSO Configuration
4. Enter a name for the new configuration as well as the information from the identity provider into the form (see “Information needed from your identity provider” above)
5. Prior to clicking Save, the configuration must be validated by clicking the Validate button. This will trigger a page navigation and an SSO login flow
- Upon a successful log in through the identity provider page, you should be redirected back to the Virtru Control Center New SSO Configuration form and the banner at the bottom of the page should now show a success message
- Upon some unsuccessful validations, you will be redirected back to the Control Center New SSO Configuration form but the banner will display an error message. Check the provider information in the form and try again
- Upon some other unsuccessful validation attempts, the redirect may fail and you will need to manually return to the configuration page by going to the Control Center again. Check the provider information in the form and try again
6. Click Save to save the new configuration in an “Inactive” state. The configuration will not yet be active
Activating an SSO Configuration
1. Log in to the Virtru Control Center using a Virtru Administrator account for the target organization domain using the established federated OAuth login method
2. In the Admin section, click on the Authentication tab
3. Check the checkbox on an existing configuration that is in the “Inactive” state
4. Open the “Actions” dropdown, select Activate, and click Apply
5. Read the warning modal, then when ready, click the Activate button. Users will no longer be able to use standard sign-in methods like federated OAuth to log in to Virtru applications. This will apply to all users from your team's recognized domains
6. Read the warning modal, then click the Logout button. You will be required to log in again using the SSO method instead of the federated OAuth login method
7. Once this is complete you will see the state of your SSO has changed to "Active" and your "Standard Virtru sign in methods" have been "Disabled"
Deactivating an SSO Configuration
1. Log in to the Virtru Control Center using a Virtru Administrator account for the target organization domain using the SSO login method
2. In the Admin section, click on the Authentication tab
3. Check the checkbox on an existing configuration that is in the “Active” state
4. Open the “Actions” dropdown, select Deactivate, and click Apply
5. Read the warning modal, then when ready, click the Deactivate button. Users will once again be able to use standard sign-in methods like federated OAuth to log in to Virtru applications instead of SSO
6. Once this is complete you will see the state of your SSO has changed to "Inactive" and your "Standard Virtru sign in methods" have been "Enabled" again