SAML Single Sign-On

Enabling Multi-factor Authentication and Single Sign-On for Veza

Overview

Veza supports SAML, the XML-based standard for single-sign-on. When enabled, users can log in to Veza using a third-party Identity Provider, such as OneLogin, Okta, Azure AD, or a custom provider.

After registering Veza as a SAML service provider (SP) with your IdP and configuring the connection from Administration > Sign-in Settings, you can assign access to Veza directly from the IdP. The login page will offer the option to "Login with SSO" and redirect users to your IdP for authentication.

SSO flows can be:

Service Provider-initiated: Users log in at the Veza home page (yourorg.vezacloud.com)
Identity Provider-Initiated: Users log in to Veza via their IDP app dashboard (such as your organization's Okta Portal)

For a step-by-step guide to configure SAML for Okta, which may be adapted for other providers, please see SSO For Okta. Instructions are also available for Microsoft Entra (Azure AD).

For advanced user lifecycle management, Veza supports SCIM Provisioning in addition to SAML. When SCIM provisioning is enabled, it becomes the authoritative source for user profile updates, and SAML Just-in-Time (JIT) provisioning is automatically disabled to prevent conflicts.

We have detailed the steps to configure SAML for the following Identity Providers:

Enabling SAML

Prerequisites: To enable SSO, your Identity Provider and Veza must both be configured to establish the trusted connection:

You'll need administrator access to your IdP and Veza.
You'll need your IdP Sign-in (Log-in) URL and X.509 SAML Certificate.
Your IdP must support the SAML 2.0 standard.
The SAML NameID used by the IdP must contain the user's email address.

You can download service provider (SP) metadata from Veza to reference when configuring the connection in your Identity Provider. When configuring your IdP, you should retrieve an X.509 certificate and the Single Sign-On URL, which Veza will need to enable SSO.

The following order of operations is recommended:

Connect to your identity provider to get the required IdP SAML metadata. You will need the X.509 certificate, Sign-In URL, and SAML request protocol binding. You will also need the signing request algorithm and digest, unless your IdP doesn't support signed requests.
Log in to Veza using your administrator username and password. Navigate to Administration > Sign-in Settings, and choose to enable SAML. Click "Configure."
Complete the required fields, save the configuration, and download the service provider (SP) metadata.
Log in to your Identity Provider (IdP), and use the SP metadata from Veza to register a new SAML service provider.
Enable the SSO connection from Veza Administration > Sign-in Settings panel

See Veza Configuration and Identity Provider Configuration below for details on the information you will need to provide at each step.

Configure Veza for Single Sign-On

1. Create a new SAML connection

You can download SP metadata from Veza, which contains information you'll need to set up SSO within your IdP. First, you'll need to save a new SAML configuration from Administration > Sign-in Settings. You will need to provide the following information:

Field

Details

IdP Sign-in URL

Provide the IdP sign-in URL used to access your company portal.

X509 Signing Certificate

`Upload the SAML public certificate (X.509) used to verify the IdP (Base64 Encoded String).

Sign Request Algorithm

The signature algorithm used to sign SAML AuthnRequest messages sent to the Identity Provider. Valid values are: rsa-sha256.

Sign Request Algorithm Digest

The digest algorithm used to digitally sign the SAML assertion and response. Valid values are: sha256.

SAML Request protocol binding: (HTTP-POST or HTTP-Redirect)

Select the binding to be used by the IdP when sending the SAML Response XML, literally: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" (default) or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".

Enable IdP Initiated Login

Allows IDP-initiated sign-in requests

Button Logo URL

Custom logo displayed on the “Continue with SAML SSO” button on Veza's login screen. The image must be in PNG or SVG format. It should be 32×32 pixel for optimal display.

Issuer ID

The URL that uniquely identifies your identity provider in the SAML assertion, e.g., http://www.okta.com/ackfl76549mHKsk9q5d7 (Okta), https://sts.windows.net/00000000-0000-0000-0000-000000000000 (Entra)

2. Enable Identity Provider-initiated Single Sign On (optional)

When enabled, authorized IdP users accessing Veza via the IdP app portal will be logged in automatically.

3. Download the service provider metadata

Once you have saved the SSO configuration, you can download the service provider metadata for Veza in SAML format. This information can be imported into most identity providers or used for reference if you need to input the values manually.

4. Enable or Disable an SSO connection

Enable the SAML connection from the Authentication panel after registering Veza with your Identity Provider (see below). Once enabled, visitors to your Veza instance can log in with a username/password or authenticate via the IdP sign-in URL.

Configure Identity Provider for Single Sign-On

The exact steps to create a new integration vary depending on your IdP. Typically, you will need to register a new application or service provider and specify the Single Sign-On URL assigned for your Veza instance (responsible for handling SAML assertions).

If you want to enable Single Logout, you should do so after creating the connection in Veza, and obtaining the SLO Url, SP Issuer (SP Entity ID), and the SP Certificate from Veza's SP metadata.

For additional resources on adding a new SAML provider with common IdPs, you can refer to the standard documentation for AzureAD, Okta, and Google.

Managing SAML users

After configuring a SAML identity provider, you can manage Veza users from your Identity Provider by assigning an IdP user or group to the Veza application. The first time a user logs in to Veza with SSO, a local Veza user account is created and shown on the Administration > User Management page.

Notes:

IdP user passwords cannot be changed from the Veza UI
No account creation email will be sent until the user first logs in. You may want to inform users that they can now access Veza using their IdP credentials.
You should retain a Veza admin account configured for password authentication to use if the SSO connection is disrupted.

Attribute Mapping

Click on the Attribute Mapping header to expand the section.

When configuring SAML, you can map user attributes from your IdP to Veza. The following attributes are supported:

See Attribute Mapping for details on how to configure attribute mapping for SSO users.

Teams (Role Assignments) with Single Sign-On

Role mapping allows you to assign teams and roles based on a user's groups during login.

See Role Mapping for details on how to configure teams and roles for SSO users.

PreviousSign-In Settings NextSingle Sign-On with Okta

Last updated 10 days ago

Was this helpful?