SAML Migration FAQ

Frequently Asked Questions (FAQ) - SAML Service Provider Migration

What is happening?

We are migrating our SAML service providers to enhance our platform's security and performance. Customers will need to update their Single Sign-On settings using new service provider metadata from Veza.

What do I need to do?

  1. Create a New Application: Create a new SAML application within your identity provider (IdP) that corresponds to Veza's updated SAML provider.

    • To configure the application, you will need the new Veza Single Sign On URL and Entity ID. To retrieve these values, go to Veza Administration > Sign-in Settings. Under Enable SAML, click Configure.

  2. Reconfigure Single Sign-On (SSO) Settings: In Veza, update your SAML configuration to use the new application created in your IdP.

    • Any role mappings configured for the original application will carry over to the new SAML configuration.

  3. Test the New Configuration: On the Veza Sign-in Settings page, click Test in the SAML Settings migration banner.

    • Click Test Local SAML SSO Login to test the updated SAML settings. You will be redirected to your IdP for login and should be able to access Veza with the expected role.

    • If sign-in fails, you can log in with the original settings by clicking Login with SSO. You can also log in with a local username and password unless an administrator has disabled this option.

  4. Migrate SAML Providers: Click Migrate on the Sign-In Settings page to enable the new authorization provider. Users can click Log in With SSO on the Veza home page to authenticate with the new SAML app.

    • The info banner will persist after migrating. It will be removed once the campaign is over (end of 2024).

Where can I find the new configuration details?

The new configuration details are available on your administration dashboard, after refreshing your SSO settings:

  1. Log into Veza as an administrator.

  2. Go to Administration > Sign-in Settings. Under Enable SAML, click Configure.

  3. Copy the values that appear for Single Sign-On URL and Service Provider Entity ID.

How do I create a new application?

  1. In your identity provider, go to the application management section.

  2. Select 'Create New Application' or the equivalent option.

  3. Follow the prompts to set up the application, using the configuration details from the Veza SAML provider metadata.

  4. Configure an optional SAML attribute statement containing application roles assigned to users in your identity provider. Veza interprets this claim to assign teams and roles according to Veza's role mapping settings when users first log in.

See the following pages for more details:

As part of the migration, Veza no longer supports the deprecated SHA-1 signing algorithm. Your identity provider app integration must use SHA-256 signing certificates. This is typically enabled by default for newly created apps, but you may need to update older integrations.

How do I reconfigure my SSO settings?

  1. Log into Veza as an administrator.

  2. Go to Administration > Sign-in Settings. Under Enable SAML, click Configure.

  3. Replace the existing SAML settings with the values for your new application, and save the configuration.

  4. Update the Role Mapping section to associate groups assigned to users in your identity provider with Veza roles such as Operator, Admin, and Reviewer.

See the following pages for more details:

Can I still log in with the old application?

Yes, you can. The original SAML application can remain unchanged. Your team can continue to use the original IdP application to log in until the migration is complete.

Do all users need to migrate before I finish migration?

No, they don't. You can safely migrate after at least one user logs in with the updated SAML settings.

The migration banner indicates how many users have logged in with the new SAML settings. The number of not-migrated users does not need to reach zero before migrating.

The SAML configuration in Veza has not changed after saving it. Is this a bug?

SAML settings are cached for 30 seconds, after which the new settings will apply.

Testing SAML login results in a redirect loop

This can occur if your organization still uses the cookiecloud domain, or if the SSO URL and entity ID do not match your actual domain for any reason. You should confirm that the SSO URL and Entity ID are consistent with the URL you use to access Veza. Use the Alternative Domain Properties when configuring Veza SSO to retrieve alternate values if needed.

How can I troubleshoot issues with a SAML connection?

You can use the SAML-tracer browser extension to investigate issues or share details with the Veza support team. Inspect the sign-in request from your Identity Provider to confirm that the URLs match those shown when configuring SAML in Veza.
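As an added example (not Veza's own code or tooling), a small Python checker for the kind of SAMLResponse that SAML-tracer captures: it decodes the response, compares Destination and Audience against the SSO URL and Entity ID copied from Veza's Sign-in Settings, flags an rsa-sha1 signature that the migration no longer accepts, and lists the role attribute values used for role mapping. The sample response, its hostnames and the "roles" attribute name are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"  # deprecated by the migration

# Constructed sample of a SAMLResponse as SAML-tracer shows it after base64
# decoding. Hostnames and the "roles" attribute are placeholders, not Veza values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Destination="https://tenant.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/app/placeholder</saml:Issuer>
  <saml:Assertion>
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo></ds:Signature>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://tenant.example.com/saml/sp</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="roles">
      <saml:AttributeValue>Operator</saml:AttributeValue>
      <saml:AttributeValue>Reviewer</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

def check_response(b64_response, expected_sso_url, expected_entity_id, role_attr="roles"):
    """Decode a captured SAMLResponse and report the mismatches a migration can trip on."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    dest = root.get("Destination")  # must equal the new Veza Single Sign-On URL
    if dest != expected_sso_url:
        findings.append(f"Destination {dest!r} != SSO URL {expected_sso_url!r}")
    audience = root.findtext(".//saml:Audience", namespaces=NS)  # must equal the Entity ID
    if audience != expected_entity_id:
        findings.append(f"Audience {audience!r} != Entity ID {expected_entity_id!r}")
    for method in root.iterfind(".//ds:SignatureMethod", NS):
        if method.get("Algorithm") == RSA_SHA1:
            findings.append("signed with rsa-sha1; reconfigure the IdP app for SHA-256")
    # Role values the IdP sends; Veza maps these to teams and roles on first login
    roles = [v.text for v in root.iterfind(
        f".//saml:Attribute[@Name='{role_attr}']/saml:AttributeValue", NS)]
    return {"findings": findings, "roles": roles}

if __name__ == "__main__":
    print(check_response(SAMPLE_B64, "https://tenant.example.com/saml/acs",
                         "https://tenant.example.com/saml/sp"))
```

Paste the base64 SAMLResponse value from SAML-tracer in place of SAMPLE_B64 and the values from Veza's Sign-in Settings page in place of the placeholders; an empty findings list means the URLs and signature algorithm are consistent.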

Who can I contact for support?

If you encounter any issues, please contact our support team at support@veza.com.
