SSO via SAML 2.0 is available on Custom Plans and all our 2022 new plans.
Create a new Vitally application in OneLogin
In the OneLogin administrator dashboard, navigate to Applications > Applications > Add Apps. Search for SAML Custom Connector (Advanced) and select the first result from the search results.
Set the Display Name for the application as "Vitally" and choose the appropriate visibility settings for your organization:
You can use the following image for the app logo:
Configure SAML settings
Add the following settings to your SAML Custom Connector (Advanced) config.
The single sign-on URL and Audience URL are both based on your account's subdomain in Vitally. When you log in to Vitally, your account is hosted at https://yoursubdomain.vitally.io (or https://yoursubdomain.vitally-eu.io if your account is EU). Make sure to replace 'yoursubdomain' with your specific account's subdomain.
The table here contains the configuration you should set up for the Vitally application's SAML settings:
Application Details
Config Option | Config Value |
RelayState | |
Audience (EntityID) | https://app.vitally.io/saml/yoursubdomain/ (or https://app.vitally-eu.io/saml/yoursubdomain/ if your account is EU) |
Recipient | |
ACS (Consumer) URL Validator | https://app.vitally.io/saml/yoursubdomain/assert (or https://app.vitally-eu.io/saml/yoursubdomain/assert if your account is EU) |
ACS (Consumer) URL | https://app.vitally.io/saml/yoursubdomain/assert (or https://app.vitally-eu.io/saml/yoursubdomain/assert if your account is EU) |
Single Logout URL | |
Login URL | https://app.vitally.io/saml/yoursubdomain/login (or https://app.vitally-eu.io/saml/yoursubdomain/login if your account is EU) |
SAML not valid before | 3 |
SAML not valid on or after | 3 |
SAML Initiator | OneLogin |
SAML nameID format | |
SAML issuer type | Specific |
SAML signature element | Response |
Encrypt assertion | True |
SAML encryption method | AES-256-CBC |
Send NameID Format in SLO Request | False |
Generate AttributeValue tag for empty values | False |
SAML sessionNotOnOrAfter | 1440 |
Sign SLO Request | False |
Sign SLO Response | False |
'RelayState' and 'Single Logout URL' are left blank intentionally; leave them empty in your config as well.
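To show what the Audience, Recipient, ACS URL and 3-minute validity settings in the table above actually enforce on the Vitally side, here is an added example (not Vitally's or OneLogin's own code) that derives the expected endpoints for a subdomain and region and checks a SAML response against them. It assumes the assertion has already been decrypted and that signature verification happens separately; the sample response and the subdomain "acme" are constructed for illustration.

```python
# Added example: service-provider-side checks for the settings in the table above.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def vitally_endpoints(subdomain, eu=False):
    """Expected Audience (EntityID), ACS and Login URLs for a Vitally subdomain."""
    host = "app.vitally-eu.io" if eu else "app.vitally.io"
    base = f"https://{host}/saml/{subdomain}/"
    return {"audience": base, "acs": base + "assert", "login": base + "login"}

def _ts(value):
    # SAML timestamps are UTC ISO-8601 with a trailing 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, subdomain, eu=False, now=None):
    """Return a list of problems; an empty list means the response is acceptable."""
    exp = vitally_endpoints(subdomain, eu)
    now_dt = _ts(now) if now else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != exp["acs"]:          # must be our ACS URL
        problems.append("Destination is not the ACS URL")
    aud = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != exp["audience"]:     # must be our EntityID
        problems.append("Audience does not match EntityID")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != exp["acs"]:
        problems.append("Recipient is not the ACS URL")
    cond = root.find(".//saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now_dt < _ts(cond.get("NotOnOrAfter"))):
        problems.append("response outside its validity window")
    return problems

# Constructed sample (decrypted, signatures omitted); the NotBefore/NotOnOrAfter
# margins of 3 minutes around issuance mirror the "SAML not valid" settings above.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  Destination="https://app.vitally.io/saml/acme/assert">
 <saml:Assertion><saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://app.vitally.io/saml/acme/assert"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T11:57:00Z" NotOnOrAfter="2024-01-01T12:03:00Z">
  <saml:AudienceRestriction><saml:Audience>https://app.vitally.io/saml/acme/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Running `check_response(SAMPLE, "acme", now="2024-01-01T12:00:00Z")` returns an empty list, while a different subdomain or a timestamp outside the window reports the mismatched setting.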
SAML Encryption
The encryption certificate you need to enter into the Public Key is attached here:
Configure SAML Parameters
You can configure OneLogin to send parameters about each user to Vitally that will be synced on login. Vitally supports the following attributes:
Attribute | Type | Description |
firstName | string | The user's first name |
lastName | string | The user's last name |
vitallyRole | string | The user's Vitally role; one of: admin, leader, team, observer |
title | string | The user's job title |
timezone | string | The user's home timezone, used for sending windows and email notifications |
avatar | string (url) | The user's profile picture |
We recommend setting up at least the firstName and lastName attributes.
Send SSO Instructions to Vitally
Once you've set up Vitally as an application in OneLogin, we'll need to manually enable OneLogin as the identity provider in Vitally. From the OneLogin application, press View Setup Instructions:
Vitally will need the following three pieces of information to finish the setup:
Identity Provider SSO URL
Identity Provider Issuer
X.509 Certificate (download this and send it as an attachment to your Vitally contact)
Please send these three items to your CSM or to support via the in-app chat. We will then confirm with you once the setup has been completed and is ready for use.
Login
That's it! When Vitally has completed our server-side setup, you'll be presented with the following login screen the next time you log in!
If your users have already logged in using password authentication, their existing authorization will be valid for up to a week. Ask them to log out & log back in to force SAML authentication.