SSO with OneLogin

Introduction

Zivver supports Single Sign-On (SSO) via OneLogin, so that users can log in to Zivver using their workplace credentials. This manual explains how, as an administrator, you can set up SSO. SSO operates using Security Assertion Markup Language (SAML) v2.0. OneLogin is the Identity Provider (IdP), and Zivver is the Service Provider (SP).

To activate SSO in Zivver, you need the following:

  1. You are a Zivver administrator.
  2. You have access to the OneLogin administrator dashboard.
    Example URL: https://www.onelogin.com/

SSO setup in OneLogin

The first step is to set up Zivver as a custom application connector in OneLogin.

  1. Log in to OneLogin.

  2. Go to Apps > Add Apps.

  3. Search for SAML Test Connector (Advanced) and select the first result.

  4. Go to the Info tab.

  5. Enter Zivver as Display Name.

  6. Go to the Configuration tab.

  7. Fill in the following information:

    Setting                           Value
    Audience (EntityID)               https://app.zivver.com/SAML/Zivver
    Recipient                         https://app.zivver.com/SAML/Zivver
    ACS (Consumer) URL Validator*     ^https:\/\/app\.zivver\.com\/api\/sso\/saml\/consumer\/$
    ACS (Consumer) URL                https://app.zivver.com/api/sso/saml/consumer/
    Login URL                         https://app.zivver.com/api/sso/saml/consumer/
    SAML not valid before             3
    SAML not valid after              3
    SAML initiator                    OneLogin
    SAML nameID format                Email
    SAML issuer type                  Specific
    SAML signature element            Assertion
    SAML encryption method            TRIPLEDES-CBC
    SAML sessionNotOnOrAfter          1440
  8. Go to the Parameters tab.

  9. Select Configured by admin.

  10. Add the following parameters:

    NameID (fka Email)                                     Email
    https://zivver.com/SAML/Attributes/ZivverAccountKey    user.id
  11. Go to the SSO tab.

  12. Select Standard Strength Certificate (2048-bit) for X.509 Certificate.

  13. Select SHA-256 for SAML Signature Algorithm.

  14. Copy the Issuer URL. You will need this URL in the next chapter.

  15. Click Save.
    The app is now created, but none of your users can access it yet. You can assign them individually via Users > All Users or as part of roles (Users > Roles) and groups (Users > Groups). OneLogin is now correctly set up for Zivver.

Setting SSO in Zivver

The final step is to set up SSO in Zivver via the Zivver WebApp:

  1. Log in to the Zivver WebApp.
  2. Click Organization Settings.
  3. Expand User administration.
  4. Click Single Sign-on.
  5. Select Automatically recommended.
  6. Paste the Issuer URL you copied in SSO setup in OneLogin into the field under URL.
  7. Click .
  8. Click in the top right of the page.
    OneLogin SSO in Zivver is now configured and ready for use.
Warning
Once you enable SSO, Zivver will attempt to log in users via SAML. It is therefore recommended to keep SSO switched off in Zivver until everything is correctly configured on OneLogin. Users who are already logged in will remain logged in after SSO is enabled.

Zivver 2FA exemption (optional)

A Zivver account is protected, by default, with an additional login method (2FA). 2FA is also required when logging in via SSO. It is possible to disable Zivver’s 2FA when users log in via OneLogin’s SSO. Unfortunately, OneLogin cannot indicate in the SAML response whether the user has already completed an additional login method. OneLogin always returns the following authentication context in the SAML response: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport. This means that the SAML response does not contain any information Zivver can use to determine whether the user has logged in securely with 2FA. Read the warning below carefully.

Warning
Zivver will never prompt for 2FA if you exempt this authentication context from 2FA in the SSO settings. This creates a security risk when users log in to OneLogin without 2FA while a 2FA exemption is configured in Zivver. Therefore, it is important that users are required to log in to OneLogin with 2FA if you exempt the above authentication context in Zivver.
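
The risk in the warning above, worked through as an added example (this is not Zivver's or OneLogin's code). The function names and the decision logic in `sp_prompts_for_2fa` are assumptions made for illustration, and the assertion is a constructed, unsigned fragment.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

def make_assertion(class_ref=PPT):
    """Constructed, unsigned fragment; a real assertion is signed and larger."""
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
        '<saml:AuthnStatement AuthnInstant="2024-01-01T09:00:00Z">'
        f"<saml:AuthnContext><saml:AuthnContextClassRef>{class_ref}"
        "</saml:AuthnContextClassRef></saml:AuthnContext>"
        "</saml:AuthnStatement></saml:Assertion>"
    )

def authn_context(assertion_xml):
    """Return the AuthnContextClassRef of an assertion, or None if absent."""
    # Parsing a constructed sample only; a real SP verifies the signature first.
    root = ET.fromstring(assertion_xml)
    node = root.find(
        "./saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return node.text.strip() if node is not None and node.text else None

def sp_prompts_for_2fa(assertion_xml, exempted):
    """Assumed SP rule: skip the SP's own 2FA only for an exempted context."""
    ctx = authn_context(assertion_xml)
    return ctx is None or ctx not in exempted

def login_checks(idp_enforces_2fa, exempted):
    """Count the checks a user passes: password, IdP 2FA, SP 2FA."""
    # The IdP sends the same class reference whether or not it asked for 2FA,
    # so the assertion is identical in both cases.
    assertion = make_assertion(PPT)
    checks = 1 + int(idp_enforces_2fa)
    if sp_prompts_for_2fa(assertion, exempted):
        checks += 1
    return checks

if __name__ == "__main__":
    for idp_2fa in (True, False):
        for exempted in (set(), {PPT}):
            print(f"IdP 2FA={idp_2fa!s:5} exemption={bool(exempted)!s:5} "
                  f"checks={login_checks(idp_2fa, exempted)}")
```

Only the combination of an exemption with no 2FA at OneLogin leaves a login protected by the password alone.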

Follow the steps below to set the 2FA exemption for OneLogin in Zivver:

  1. Log in to the Zivver WebApp.
  2. Click Organization Settings.
  3. Expand User administration.
  4. Click Single Sign-on.
  5. Scroll down to the Zivver 2FA exemptions card.
  6. In the Authentication methods to be exempted field, enter this value:
    • urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  7. Click .
    You have now successfully set a 2FA exemption for OneLogin. When users log in via SSO, Zivver will not prompt for 2FA.

Log in to the WebApp with SSO

  1. Go to the Zivver WebApp.
  2. Enter your e-mail address.
  3. Depending on your role in Zivver:
    • As a user: you are immediately redirected to your organization’s login screen.
    • As an administrator: you choose between logging in with your Zivver password or your workplace credentials.
  4. Log in using your organization’s workplace credentials.
    Depending on whether a 2FA exemption applies, you may be prompted for an additional login method. If a 2FA exemption is in place, this step is skipped.
  5. Enter your additional login factor.
    You are now logged in to the Zivver WebApp.

Log in to Outlook with SSO

In the Zivver Office Plugin for Outlook, you can log in via SSO using these steps:

  1. Click the Zivver tab.
  2. Click Manage accounts.
  3. Click the link Add an account.
  4. Enter the e-mail address you want to use for login.
  5. Click .
    You will be redirected to your organization’s login screen.
  6. Log in using your organization’s workplace credentials.
    Depending on whether a 2FA exemption applies, you may be prompted for an additional login method. If a 2FA exemption is in place, this step is skipped.
  7. Enter your additional login method.
    You are now logged in to Outlook.