Vivi SAML for Administrators Setup Guide

This document outlines the process for configuring your Vivi environment to accept SAML authentication.

How does SAML work?

Your organisation's SAML login page will appear in the Vivi client. When the user logs in, they will inherit the appropriate roles depending on the groups they are already assigned to in your organisation's SAML.

To enable SAML

1. Log in to the Vivi admin portal using your admin credentials.
2. Edit your organisation and you will see a section called Authentication.
3. Set the Authentication Type to SAML and hit save. Be aware that this will prevent normal login from working unless the authentication type is switched back to Vivi.

Once you have enabled SAML, Vivi creates the metadata URL. This can be used to automatically configure your relying party trust in ADFS. It will look something like this:

https://api.vivi.io/api/v1/users/saml_metadata/xxxx-xxxx-xxxx

where xxxx-xxxx-xxxx is your organisation's unique ID.
Set up Claims

You will need to log in to your ADFS instance and configure an LDAP claim that provides: username, display name, and email.

We need information about group membership to assign permissions. Set up two "Send Group Membership as a Claim" claims as above, one for presenters and one for students. Currently, the outgoing claim value must be exactly "presenters" and "students" respectively.

Finally, clicking the "View Rule Language..." button in the bottom left of each edit claim window shows the particular IDs used for each claim. You'll need to include these in the information below so that we can extract the claims on our end.
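To show what the claims configured above look like from the consuming side, here is an added example (not Vivi's own code, and not part of this guide) that reads a SAML 2.0 assertion, picks out the claims by their exact type URIs, applies the default email domain when no email claim is sent, and keeps only the group values that match the required "presenters" and "students" strings exactly. The assertion is constructed for the example; the claim URIs are the ones this guide uses as examples, the domain is the guide's sample, and the use of the NameID as the username is an assumption. A real deployment validates the assertion's XML signature with a SAML library before any of these values are trusted; this code starts after that step.

```python
"""Consume the claims the guide asks ADFS to send, on the service-provider side.

Added illustration, not Vivi's own code. It assumes settings shaped like the
guide's table and a SAML 2.0 assertion constructed below. A real deployment
validates the XML signature with a SAML library (and a hardened XML parser)
before any attribute here is trusted; this example starts after that step.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claim type URIs and the domain are the guide's own examples.
SETTINGS = {
    "default_email_domain": "myschool.com.au",
    "name_attribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "email_attribute": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "group_attribute": "http://schemas.xmlsoap.org/claims/group",
}

# The guide requires these exact outgoing claim values; matching is
# case-sensitive on purpose, so "Presenters" is not recognised.
ROLE_GROUPS = ("presenters", "students")

# Constructed sample: no email claim is sent, so the default domain applies.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://dc.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>MYSCHOOL\\jsmith</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Jane Smith</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/group">
      <saml:AttributeValue>Presenters</saml:AttributeValue>
      <saml:AttributeValue>presenters</saml:AttributeValue>
      <saml:AttributeValue>Staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(root: ET.Element) -> dict:
    """Map each Attribute's Name (the claim type URI, matched exactly) to its values."""
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return attrs


def extract_claims(assertion_xml: str, settings: dict) -> dict:
    """Return username, display name, email and recognised roles for one assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = attribute_values(root)

    # Assumption: ADFS sends the account name as the NameID; a DOMAIN\ prefix
    # is dropped only when the email has to be synthesised from it.
    username = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not username:
        raise ValueError("assertion carries no NameID")

    display_name = next(iter(attrs.get(settings["name_attribute"], [])), username)

    email = next(iter(attrs.get(settings["email_attribute"], [])), "")
    if not email:
        local_part = username.split("\\")[-1]
        email = f"{local_part}@{settings['default_email_domain']}"

    # Exact, case-sensitive comparison against the two required group values.
    groups = attrs.get(settings["group_attribute"], [])
    roles = [g for g in ROLE_GROUPS if g in groups]

    return {"username": username, "display_name": display_name, "email": email, "roles": roles}


if __name__ == "__main__":
    claims = extract_claims(SAMPLE_ASSERTION, SETTINGS)
    print(claims)
    if not claims["roles"]:
        print("no recognised group claim: sign-in should be refused")
```

Running the sample gives `jsmith@myschool.com.au` as the synthesised email and `["presenters"]` as the only recognised role: the `Presenters` value with a capital letter is ignored, which is exactly why the outgoing claim value in ADFS must be spelled `presenters` and `students` precisely.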
SAML Settings

The following information is required for Vivi to enable signing in with your SAML. Please send us this information to help verify it, rather than entering it straight into the admin portal.

SAML Default Email Domain: A default email domain to use in case a user has no email address, e.g. myschool.com.au; emails will then be username@myschool.com.au.

SAML SSO URL: Full URL to your IdP SSO endpoint, e.g. https://dc.example.com/adfs/ls/

SAML SLO URL: Full URL to your IdP SLO endpoint. This may be left blank if it is the same as the SSO endpoint.

SAML Token-Signing Certificate: Exported Token-Signing Certificate from your ADFS, in PEM format.

SAML Name Attribute: Name used by your IdP for the claim mapping a user's display name, e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

SAML Email Attribute: Name used by your IdP for the claim mapping a user's email, e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

SAML Group Attribute: Name used by your IdP for the claim mapping a user's group membership, e.g. http://schemas.xmlsoap.org/claims/group

SAML should now be ready to test. Open a version 2.6+ client (or restart it if already open) and attempt to sign in with the username and password of an account in one of the appropriate groups. Don't hesitate to contact our Support team should you experience any difficulties.
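Three of the settings above (SSO URL, SLO URL and the token-signing certificate in PEM format) are published by the IdP itself in its SAML metadata. The following added example (not Vivi's or Microsoft's code, and not part of this guide) reads standard SAML 2.0 metadata, picks the signing certificate rather than the encryption one, converts the base64 to PEM, and leaves the SLO URL blank when it equals the SSO URL, as the table permits. The metadata is a constructed sample with labelled placeholder certificates; the preference for the HTTP-Redirect binding and the ADFS metadata path mentioned in the docstring are assumptions about a typical ADFS setup.

```python
"""Fill in the guide's SAML settings from the IdP's federation metadata.

Added illustration, not Vivi's or ADFS's code. It assumes the IdP publishes
standard SAML 2.0 metadata (ADFS serves it at
/FederationMetadata/2007-06/FederationMetadata.xml) and runs on a constructed
sample whose certificates are labelled placeholders, not real X.509 data.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholders so the base64 handling can be exercised offline.
SIGNING_PLACEHOLDER = b"CONSTRUCTED PLACEHOLDER, NOT A REAL X.509 CERTIFICATE " * 3
ENCRYPTION_PLACEHOLDER = b"CONSTRUCTED ENCRYPTION KEY PLACEHOLDER, MUST NOT BE PICKED"

SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://dc.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(ENCRYPTION_PLACEHOLDER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(SIGNING_PLACEHOLDER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="{REDIRECT}" Location="https://dc.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="{REDIRECT}" Location="https://dc.example.com/adfs/ls/"/>
    <SingleSignOnService Binding="{POST}" Location="https://dc.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def to_pem(b64_text: str) -> str:
    """Wrap metadata base64 (often line-broken) as a PEM certificate block."""
    body = "".join(b64_text.split())
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Inverse of to_pem, used to check the round trip."""
    inner = [line for line in pem.splitlines() if line and not line.startswith("-----")]
    return base64.b64decode("".join(inner))


def endpoint(idp: ET.Element, element: str) -> str:
    """Location of the endpoint, preferring HTTP-Redirect, then HTTP-POST (assumption)."""
    services = idp.findall(f"md:{element}", NS)
    for binding in (REDIRECT, POST):
        for svc in services:
            if svc.get("Binding") == binding:
                return svc.get("Location", "")
    return ""


def settings_from_metadata(xml_text: str) -> dict:
    """Produce the guide's SSO URL, SLO URL and token-signing certificate(s)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # Only signing keys verify assertions; sending the encryption certificate
    # instead makes every signature check fail. A KeyDescriptor with no "use"
    # serves both purposes. ADFS publishes two signing certificates during
    # automatic certificate rollover, so every one found is kept.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if cert.text and cert.text.strip():
                    certs.append(to_pem(cert.text))
    if not certs:
        raise ValueError("metadata has no signing certificate")

    sso = endpoint(idp, "SingleSignOnService")
    if not sso.startswith("https://"):
        raise ValueError(f"SSO endpoint must be https, got {sso!r}")
    slo = endpoint(idp, "SingleLogoutService")

    return {
        "sso_url": sso,
        # The guide allows a blank SLO URL when it equals the SSO URL.
        "slo_url": "" if slo == sso else slo,
        "token_signing_certificates": certs,
    }


if __name__ == "__main__":
    found = settings_from_metadata(SAMPLE_METADATA)
    print("SAML SSO URL:", found["sso_url"])
    print("SAML SLO URL:", found["slo_url"] or "(same as SSO, leave blank)")
    print(found["token_signing_certificates"][0])
```

Against a real ADFS server the same function would be pointed at the downloaded FederationMetadata.xml; the certificate it prints is what the "SAML Token-Signing Certificate" entry expects, already in PEM format.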
SAML with WIA (Windows Integrated Authentication)

Organisations which use WIA will require a couple of extra steps to get Vivi working for all users. If your organisation is Windows only, there should be no further configuration required; however, if you need to support other devices, such as Mac, iOS and Android, you will need to modify your SAML instance.

Steps required:

1. Edit the global settings in your SAML Management Console (Fig. 1).
2. In the Global Authentication Policy pop-up, tick Forms Authentication in the Intranet pane (Fig. 2).
3. In the Vivi Admin Panel, under your Authentication settings, set the Force SAML option to True (Fig. 3).

When you have completed the above steps, the system will use Forms Authentication as a fallback if WIA is not available, for example when connecting an iPad.

Fig. 1: Edit Global Settings
Fig. 2: Check Forms Authentication under Intranet
Fig. 3: Set the SAML Force Method to Forms in Admin Portal

Note: The setting appears in the SAML properties on your organisation page.