
Setting up SAML v2 SSO

Written by Laura Bedoya
Updated this week

SSO via SAML 2.0 is available on Custom Plans and all our 2022 new plans.

SSO Options

We're not limited to Google and Okta: setup works with any SAML 2.0 IdP. We only have step-by-step documentation for those two, so for another IdP please send us the following so we can manually enable SSO for you:

  1. Identity Provider SSO URL

  2. Identity Provider Issuer

  3. Identity Provider signing certificate (X.509). Download this and send it as an attachment to your Vitally contact.

FAQ

Q: Do you support SAML just-in-time provisioning?

A: Yes, Vitally supports Just-In-Time (JIT) provisioning. When a user logs in for the first time using your unique SSO login link, a user profile is automatically created for them in Vitally from the SSO attributes in the SAML assertion. If you've added the vitallyRole attribute, it determines the user's permission level in Vitally; otherwise they default to the 'Observer' role. This makes onboarding seamless and removes the need for manual invites through the Vitally application.

Adding Team Members through JIT Provisioning

  1. Enable SSO in Vitally: Ensure that your Vitally instance is properly configured for SSO through your SSO provider.

  2. Grant Access via SSO: Add the new team member to the Vitally SAML application within your SSO provider.

  3. First Login: Give the team member the SSO login link for Vitally. During their first login, a user profile is automatically created from their SSO attributes, and they gain access with the default role (or the role sent in vitallyRole).

Q: Will users be able to log in with a password anymore?

A: No, password login is disabled as soon as SAML 2.0 login is enabled.

Q: Will SAML login go into effect immediately?

A: Existing user sessions will be valid for up to 7 days. Ask each of your users to log out and log back into Vitally to force them to immediately start using SAML login.

Q: Where do I invite new team members once SAML is enabled?

A: The ability to invite team members to join Vitally has been disabled within the Vitally app. Any new Vitally access will need to be provisioned through your SSO provider by adding them to the relevant SAML application. Ensure that their first login is completed using the unique SSO login link to automatically create their profile in Vitally.

Q: Where can I set the default role for new Vitally users when SAML is enabled?

A: vitallyRole can be passed as a SAML attribute with one of the string values admin, leader, team, or observer. If this attribute is not provided, Vitally assigns the default role, which is 'Observer' unless you change it under Settings -> Account & Billing -> Default role for new users. Additional optional attributes are Avatar and Timezone, which users can also update manually in their profiles. To ensure smooth onboarding, the following required attributes must be mapped from your SSO provider:

  • First Name

  • Last Name

  • Email

Admins can later modify user roles through the Team Settings within Vitally.

If you send vitallyRole on each user profile, we respect that value every time the user logs into Vitally. Any permission changes made within the Vitally app are therefore overwritten the next time the user re-authenticates via SAML.

When optional attributes such as vitallyRole are not mapped, the defaults described above apply, and users can adjust profile settings like their avatar and timezone themselves after the profile is created.
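The following is an added example (not Vitally's code) that simulates the JIT provisioning flow and the role rules from the two answers above: it parses a SAML AttributeStatement, refuses to create a profile when a required attribute is missing, applies vitallyRole when it is sent, and otherwise leaves an existing user's in-app role alone. The attribute names firstName, lastName, email, avatar and timezone are assumptions, since the article only names the fields; vitallyRole and its allowed values are from the article. The XML is a constructed sample, and treating an unrecognised vitallyRole value as "not sent" is also an assumption of the example.

```python
"""Simulated SAML JIT provisioning (added example, not Vitally's code)."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_ROLES = {"admin", "leader", "team", "observer"}   # from the article
REQUIRED = ("firstName", "lastName", "email")            # assumed attribute names
OPTIONAL = ("avatar", "timezone")                        # assumed attribute names


def saml_statement(**attrs):
    """Build a constructed AttributeStatement from keyword attributes."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items()
    )
    return (f'<saml:AttributeStatement xmlns:saml="{SAML_NS["saml"]}">'
            f"{body}</saml:AttributeStatement>")


def parse_attribute_statement(xml_text):
    """Return {Name: first AttributeValue text} from a SAML AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (values[0].text or "").strip() if values else ""
    return attrs


def resolve_role(attrs, existing_role=None, account_default="observer"):
    """A sent vitallyRole wins on every login; otherwise a new user gets the
    account default and an existing user keeps the role set in the app."""
    sent = attrs.get("vitallyRole", "").strip().lower()
    if sent in ALLOWED_ROLES:
        return sent
    # Unrecognised values fall through as if nothing was sent (assumption:
    # the article does not say how an invalid value is handled).
    return existing_role if existing_role else account_default


def provision_user(attrs, existing=None, account_default="observer"):
    """Create or update a profile from SSO attributes.

    A missing required attribute rejects the login so that a broken IdP
    mapping fails loudly instead of silently creating a half-filled profile.
    """
    missing = [name for name in REQUIRED if not attrs.get(name)]
    if missing:
        raise ValueError(f"required SSO attributes missing: {missing}")
    profile = dict(existing or {})
    profile.update({name: attrs[name] for name in REQUIRED})
    for name in OPTIONAL:
        # Only overwrite optional fields the IdP actually sends, so manual
        # avatar/timezone edits survive when the IdP omits them.
        if attrs.get(name):
            profile[name] = attrs[name]
    profile["role"] = resolve_role(attrs, profile.get("role"), account_default)
    return profile


if __name__ == "__main__":
    first_login = saml_statement(firstName="Ada", lastName="Lovelace",
                                 email="ada@example.com", vitallyRole="leader")
    user = provision_user(parse_attribute_statement(first_login))
    print("first login:", user)            # role 'leader' from vitallyRole
    user["role"] = "admin"                 # an admin promotes Ada in the app
    relogin = saml_statement(firstName="Ada", lastName="Lovelace",
                             email="ada@example.com", vitallyRole="team")
    print("re-auth:", provision_user(parse_attribute_statement(relogin), user))
```

Run it directly to see the first-login profile and then the re-authentication that resets the in-app promotion back to the role the IdP sends. Leaving vitallyRole out of the assertion is what lets roles managed in Team Settings persist across logins.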
