Configure Single Sign On (SSO)
Rev provides Single Sign On (SSO) functionality via the SAML 2.0 protocol. Use the Single Sign On section in System Settings to configure Rev as the SAML Service Provider when you have an enterprise SSO system and want Rev to authenticate against your enterprise Identity Provider server. You should be familiar with SAML and SSO deployment methods before attempting to configure the fields below.
A good, high-level overview is available on the Eclipse open source SAML2 wiki page.
 
Note: Rev also provides Single Sign On (SSO) with user provisioning so that user accounts may be created upon log-in without the need for an LDAP connector deployment. See: Configure Single Sign On (SSO) with User Provisioning Enabled.
User provisioning must be enabled on the root account by Vbrick Support Services before this feature may be used.
To configure single sign on in Rev:
1. Navigate to Admin > System Settings > Security.
2. Select Enable Single Sign On checkbox under Single Sign On section.
3. Complete the fields below as necessary.
 
Fields marked (required) must be completed.

Enable Single Sign On (required)
Select to enable SSO in Rev.

Identity Provider Metadata (required)
Paste your Identity Provider server's metadata XML in this field. You will need to obtain the Identity Provider metadata (XML) from your Identity Provider server.

SAML Identity Location
Choose either the NameIdentifier Element or the Attribute Element, depending upon which element in the SAML Authentication Response will carry the username.
Note that if you select Attribute Element (the default), you must provide the Identity Attribute Element Name or Rev will not authenticate.

Identity Attribute Element Name (required)
If Attribute Element is selected as the SAML Identity Location, this field must be completed or SSO will not work.
The Identity Attribute Element Name is the field in the SAML Authentication Response (XML) that will contain the username.
For example, in the code below, Name is specified as SFDC_USERNAME. This is what would be pasted in the Identity Attribute Element Name field in Rev, as seen in the image above.

<saml:AttributeStatement>
  <saml:Attribute FriendlyName="fooAttrib" Name="SFDC_USERNAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      user101@salesforce.com
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>

Signature Algorithm (required)
Algorithm used for signing. Select either SHA1withRSA or SHA256withRSA.

Sign SAML Request
Enable this only when the redirect URL exceeds 2048 characters, which can occasionally cause issues with Internet Explorer or IIS/ADFS. Be aware that checking or un-checking this box requires the Service Provider metadata to be downloaded again once saved, so that the IdP receives the latest version. Contact Vbrick Support Services for assistance with this option.

Download Service Provider MetaData
This is the Rev Service Provider XML metadata that is provided to the Identity Provider server. Download it and import it into the IdP server, just as the IdP's metadata XML is pasted into the Identity Provider Metadata field above.

Regenerate Cert
This regenerates the Service Provider's certificate and metadata. If you do this, keep in mind that you will need to download the Service Provider MetaData again and re-import it into the IdP server.
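As an added example that is not part of Rev's documentation or product, the following Python shows how a Service Provider picks the username out of an Authentication Response according to the SAML Identity Location setting above, from either the NameID element or the Attribute named by the Identity Attribute Element Name, and returns nothing when the configured attribute is missing or unnamed (the case the page says makes SSO fail). The sample response is constructed to match the page's snippet, and the function assumes the response's XML signature has already been verified upstream.

```python
# Added example, not Rev's own code: pick the SSO username out of a SAML
# Authentication Response as the SAML Identity Location setting describes,
# from either the NameID element or the Attribute named by the Identity
# Attribute Element Name. Assumes the response signature was verified upstream.
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def extract_username(response_xml, identity_location, attribute_name=None):
    """Return the username, or None when the configured element is absent.
    identity_location is "NameIdentifier" or "Attribute" (the Rev setting);
    attribute_name is the Identity Attribute Element Name, needed for Attribute."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return None
    if identity_location == "NameIdentifier":
        name_id = assertion.find("saml:Subject/saml:NameID", NS)
        return name_id.text.strip() if name_id is not None and name_id.text else None
    if identity_location == "Attribute":
        if not attribute_name:
            return None  # misconfiguration: no attribute name configured, SSO fails
        for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == attribute_name:
                value = attr.find("saml:AttributeValue", NS)
                return value.text.strip() if value is not None and value.text else None
        return None  # the IdP did not send the configured attribute
    raise ValueError("unknown SAML Identity Location: %r" % identity_location)

# Constructed sample response (not a real capture), shaped like the page's snippet.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>user101</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute FriendlyName="fooAttrib" Name="SFDC_USERNAME"
          NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
          user101@salesforce.com
        </saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(extract_username(SAMPLE_RESPONSE, "Attribute", "SFDC_USERNAME"))
```

Note that the two locations can carry different values (here the NameID holds a bare user id while the attribute holds the e-mail-style username), so the choice must match what the IdP actually sends.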
The diagram below represents the technical implementation of SSO in Rev.
Keep in mind:
If SSO is enabled without user provisioning, user accounts must be created in Rev manually or through the LDAP connector. See: Configure Single Sign On (SSO) with User Provisioning Enabled.
If an admin creates a user account manually with SSO enabled, the created user is set to “Unlicensed” until they log in, at which point the user is set to “Active”. No user or email confirmation is required. If no licenses are available for the Rev account, the user is shown a message to contact the Account Admin and is not logged in.
When SSO is enabled, an SSO login page is created for authentication that is different from the native Rev login page. For example:
Rev Native Login Page: http://<RevURL>/#/login
SSO Login Page: http://<RevURL>/SSO/login