
Integrate with a SAML Identity Provider

This guide serves as a reference for configuring SSO with an Identity Provider (IdP) using the SAML2 protocol.

Steps

To integrate VECTR with your SAML IdP, you must:

  1. Determine your IdP's Federation Metadata URL
  2. Configure user claims with your IdP
  3. Configure SAML signing certificate with your IdP
  4. Configure your IdP in VECTR
  5. Enter VECTR's callback URL and other pertinent information into your IdP

Prerequisites

Note

The process of configuring varies depending on the IdP, so you will need to follow your IdP's documentation to complete the steps listed in this section.

Determine Your IdP's Federation Metadata URL

Attention

In order to integrate VECTR with your IdP, your IdP must provide its Federation Metadata through a URL that is accessible from VECTR.

The document served at the Federation Metadata URL contains the IdP's certificates and the connection features it supports.

Make note of the Federation Metadata URL; you will need it later.

Configure Your IdP

You will need to configure the following with your IdP in order to integrate VECTR:

1. Configure user claims

This step is usually not needed; however, if your IdP does not already provide the following claims, you will need to configure it to supply the claims that VECTR expects.

Claim name    Value
Username      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
First Name    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last Name     http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Display Name  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Email         http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

2. Configure SAML signing certificate

Your IdP must sign both the SAML response and assertion.

3. Configure NameID assertion format

Configure your IdP to use the following format for the NameID assertion:

urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
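The three IdP requirements above (signed Response and Assertion, persistent NameID format, and the expected claims) can be checked structurally on a SAML Response captured during testing. The following is an added example and not VECTR's own code; it uses a constructed sample response with empty placeholder signature elements and checks only structure, not signature validity.

```python
# Added example (not VECTR's own code): a structural pre-flight check of a SAML
# Response against the requirements on this page: signed Response, signed
# Assertion, persistent NameID format, and the claims VECTR expects.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = [CLAIMS + n for n in ("emailaddress", "givenname", "surname", "name")]

def check_saml_response(xml_text: str) -> list:
    """Return the problems found (empty list = all checks passed). Only the
    structure is checked; signature validity must still be verified against
    the IdP certificate published in its Federation Metadata."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion would need decrypting first
        return problems + ["no plaintext saml:Assertion found"]
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != PERSISTENT:
        problems.append("NameID Format is %r, expected %s" % (fmt, PERSISTENT))
    present = {a.get("Name") for a in
               assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    problems += ["missing claim " + c for c in REQUIRED if c not in present]
    return problems

# Constructed sample with placeholder (empty) signatures, all requirements met.
ATTRS = "".join('<saml:Attribute Name="%s"><saml:AttributeValue>x</saml:AttributeValue>'
                '</saml:Attribute>' % c for c in REQUIRED)
SAMPLE = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s" ID="_r1" Version="2.0">
  <ds:Signature/>
  <saml:Assertion ID="_a1" Version="2.0"><ds:Signature/>
    <saml:Subject><saml:NameID Format="%s">u-123</saml:NameID></saml:Subject>
    <saml:AttributeStatement>%s</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % (NS["samlp"], NS["saml"], NS["ds"], PERSISTENT, ATTRS)

if __name__ == "__main__":
    print(check_saml_response(SAMPLE) or "all checks passed")
```

A response that fails any check here will also be rejected by VECTR, so running it on a captured response narrows down which IdP setting still needs adjusting.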

Configure an Identity Provider in VECTR

  1. Log into VECTR as an admin

  2. Navigate to Administration -> Access Management -> Identity Providers

  3. Click Add Provider -> SAML2 SAML SSO

  4. Enter the Identity Provider's information, then click Next:

    Field         Required  Description
    Display Name  YES       The name used to customize the login button on the login page. When set, the button will read "Log in with [Display Name]".
    Logo URL      NO        URL of an image to use for the login button. When set, the button will display the image as a 20px by 20px square.
    Metadata URL  YES       Your IdP's Federation Metadata URL.

    (Screenshot: SAML SSO)

  5. Claims mapping. You can generally use the default values provided. Click Save when you are done.

    Attention

    If you make changes to the claims mapping, be sure that the value mapping is configured in your IdP as well.

  6. Copy the information provided on the Configuration Info tab to your IdP: each value must be entered in its corresponding configuration location in your IdP.

    (Screenshot: SAML SSO)

  7. Click Close when you are done.

Test the Connection

To test the integration, open a new Incognito window and go to your VECTR instance. You should see a new login method for your IdP. Click on the button and follow your IdP's authentication flow. After you have authenticated, you should see a screen requesting access to VECTR:

(Screenshot: VECTR Auth Request)

This is the access pending page that all SSO users will see the first time they authenticate with VECTR using your IdP. To read more about managing SSO users, see the Managing SSO Users page.