SSO via SAML 2.0 is available on Custom Plans and all of our new 2022 plans.
SSO Options
We're not limited to Google and Okta; we support setup with any IdP. We don't have documentation to walk you through other IdPs, so please send us the following information and we will manually enable SSO for you:
Identity Provider SSO URL
Identity Provider Issuer
Certificate (Download this and send as an attachment to your Vitally contact)
FAQ
Q: Do you support SAML just-in-time provisioning?
A: Yes, Vitally supports Just-In-Time (JIT) provisioning. When a user logs in for the first time using a unique SSO login link, a user profile will be automatically created for them in Vitally based on the SSO attributes provided. If you've added the vitallyRole attribute, that will determine the user's permission level in Vitally. Otherwise, they will default to the 'Observer' role. This process ensures seamless onboarding for users and eliminates the need for manual invites through the Vitally application.
Adding Team Members through JIT Provisioning
Enable SSO in Vitally: Ensure that your Vitally instance is properly configured for SSO through your SSO provider.
Grant Access via SSO: Add the new team member to the Vitally SAML application within your SSO provider.
First Login: Provide the team member with the login link for Vitally. During their first login, a user profile is automatically created based on their SSO attributes, and they will gain access with a default role.
Q: Will users be able to log in with a password anymore?
A: No, password login is disabled as soon as SAML 2.0 login is enabled.
Q: Will SAML login go into effect immediately?
A: Existing user sessions will be valid for up to 7 days. Ask each of your users to log out and log back into Vitally to force them to immediately start using SAML login.
Q: Where do I invite new team members once SAML is enabled?
A: The ability to invite team members to join Vitally has been disabled within the Vitally app. Any new Vitally access will need to be provisioned through your SSO provider by adding them to the relevant SAML application. Ensure that their first login is completed using the unique SSO login link to automatically create their profile in Vitally.
Q: Where can I set the default role for new Vitally users when SAML is enabled?
A: vitallyRole can be passed as an attribute with a string value for admin, leader, team, or observer. If this attribute is not provided, Vitally will default to the 'Observer' role or as specified under Settings -> Account & Billing -> Default role for new users. Additional optional attributes include Avatar and Timezone, which users can update manually in their profiles. To ensure smooth onboarding, the following required attributes must be mapped from your SSO provider:
First Name
Last Name
Email
Admins can later modify user roles through the Team Settings within Vitally.
If you send vitallyRole on each user profile, we will respect that setting every time the user logs into Vitally. Any changes made to permissions within the Vitally app will be reset the next time the user re-authenticates via SAML.
When optional attributes such as vitallyRole are not mapped, default assignments will apply, and users can manually adjust profile settings like their avatar and timezone post-creation.
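A pre-flight check for the attribute mapping described above, added here as an example and not Vitally's own code: it parses a sample SAML AttributeStatement, reports missing required attributes, and returns the role the assertion would request. The attribute names firstName, lastName and email, the exact-match rule for role values, and the sample data are assumptions; the check does not verify signatures.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed attribute names: replace with the names your IdP mapping sends.
REQUIRED = ("firstName", "lastName", "email")
# Role values listed on this page; exact, case-sensitive match is an assumption.
ROLES = ("admin", "leader", "team", "observer")


def read_attributes(xml_text):
    """Return {attribute name: first value} from an AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        value = attr.find("{%s}AttributeValue" % SAML_NS)
        text = value.text if value is not None else None
        attrs[attr.get("Name")] = (text or "").strip()
    return attrs


def check_mapping(xml_text, default_role="observer"):
    """Return (requested_role, problems) for one sample assertion."""
    attrs = read_attributes(xml_text)
    problems = ["missing required attribute: " + n
                for n in REQUIRED if not attrs.get(n)]
    role = attrs.get("vitallyRole")
    if role is None:
        return default_role, problems  # not mapped: the default role applies
    if role not in ROLES:
        problems.append("unexpected vitallyRole value: %r" % role)
        return None, problems
    return role, problems


def sample(attrs):
    """Build a constructed AttributeStatement (not a real IdP response)."""
    body = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s'
        "</saml:AttributeValue></saml:Attribute>" % (k, v)
        for k, v in attrs.items())
    return ('<saml:AttributeStatement xmlns:saml="%s">%s'
            "</saml:AttributeStatement>" % (SAML_NS, body))


if __name__ == "__main__":
    doc = sample({"firstName": "Ada", "email": "ada@example.com",
                  "vitallyRole": "Admin"})
    print(check_mapping(doc))
```

Because vitallyRole is applied on every login, running this against a test assertion for each IdP group shows which groups would request admin before the mapping goes live.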