Identity provider configuration (Okta, Azure AD)

Before you can configure single sign-on details in Network, you must add and configure Network as an application on your identity provider's site. This page provides examples of how to do this with specific providers for guidance.

Specifically, you will need the following information from the IdP configuration for your Network security setup:

  • Issuer
  • IdP certificate
  • IdP login URL
  • SP-initiated request URL

Note: Network supports one identity provider for each Network instance; multiple providers pointing to the same Network instance are not supported.

Configuring the identity provider

The sections below describe how to configure SSO for each supported identity provider.

Okta configuration

In Okta, an administrator sets up and configures a Network application as follows:

  1. Sign in to Okta.
  2. Switch to the Classic UI from the Admin console.
  3. From the top navigation, click Applications.
  4. On the Add Applications page, click the Create New App button.
  5. In the dialog, select SAML 2.0.
  6. On the Create SAML Integration page, type an application name and optionally provide a logo.
  7. Click Next.
  8. On the SAML Settings page, provide the following:
    • Single sign on URL: the URL of your IdP, for example, Okta.
    • Audience URI: the URL for your Network login page.
  9. In the Attribute Statements section, create attribute statements to map required values to Network.

    Note: The uid attribute must be mapped for the integration to work.

After you finish initial configuration, your integration appears. Additional configuration is required to complete the setup.

Click the View Setup Instructions button to see additional information you'll need to configure in Network.

The subsequent page shows details for the following:

  • Identity provider single sign-on URL
  • Identity provider issuer
  • X.509 certificate
  • IDP metadata

Note all of these details for further configuration in Network.

Under X.509 Certificate, click the Download Certificate button. You will need to upload this certificate in Network.
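The four values listed above (single sign-on URL, issuer, X.509 certificate, IdP metadata) are all carried by the IdP metadata document, and so is the list at the top of this page (issuer, IdP certificate, IdP login URL). The following added example, which is not Veeva's or Okta's code, parses a constructed metadata document of that shape, pulls out the issuer and login URL, rewraps the signing certificate as a PEM file for upload, and computes its SHA-256 fingerprint so you can compare it against what the IdP console shows. The entityID, URLs and certificate bytes are placeholders; it also refuses metadata describing more than one IdP, matching the one-IdP-per-instance rule above.

```python
"""Pull the values Network asks for out of a SAML 2.0 IdP metadata document."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder standing in for the DER bytes of a real IdP signing
# certificate; a real metadata file carries a full X.509 certificate here.
PLACEHOLDER_CERT_DER = b"CONSTRUCTED PLACEHOLDER CERTIFICATE BYTES"
PLACEHOLDER_CERT_B64 = base64.b64encode(PLACEHOLDER_CERT_DER).decode("ascii")

# Constructed sample in the shape of the "IDP metadata" document Okta publishes.
# The entityID and URLs are made-up example values, not a real tenant.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="http://www.okta.com/exampleidp0000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{NS['ds']}">
        <ds:X509Data>
          <ds:X509Certificate>
            {PLACEHOLDER_CERT_B64}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://example.okta.com/app/exampleapp/exampleidp0000000/sso/saml"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://example.okta.com/app/exampleapp/exampleidp0000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sha256_fingerprint(der: bytes) -> str:
    """Lowercase hex SHA-256 of the DER certificate, for comparing with the IdP console."""
    return hashlib.sha256(der).hexdigest()


def to_pem(b64_body: str) -> str:
    """Re-wrap the bare base64 from the XML as a PEM certificate file body."""
    body = "".join(b64_body.split())          # metadata often line-wraps the base64
    base64.b64decode(body, validate=True)     # fail early on a mangled copy-paste
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_idp_settings(metadata_xml: str, binding: str = HTTP_POST) -> dict:
    """Return issuer, login URL and signing certificate(s) from IdP metadata.

    Raises ValueError when the document does not describe exactly one IdP,
    which is the only shape a one-IdP-per-instance setup can use.
    """
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    descriptors = root.findall("md:IDPSSODescriptor", NS)
    if len(descriptors) != 1:
        raise ValueError("expected exactly one IDPSSODescriptor, found %d" % len(descriptors))
    idp = descriptors[0]

    sso = [s for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding") == binding]
    if not sso:
        raise ValueError("no SingleSignOnService with binding %s" % binding)

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):   # skip encryption-only keys
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            body = "".join((c.text or "").split())
            certs.append({"pem": to_pem(body), "sha256": sha256_fingerprint(base64.b64decode(body))})
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "issuer": root.get("entityID"),        # "Identity provider issuer" in the Okta console
        "login_url": sso[0].get("Location"),   # "Identity provider single sign-on URL"
        "certificates": certs,                 # the PEM is what you upload as the IdP certificate
    }


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    print("Issuer:   ", settings["issuer"])
    print("Login URL:", settings["login_url"])
    for cert in settings["certificates"]:
        print("Cert SHA-256:", cert["sha256"])
        print(cert["pem"])
```

Run it against the metadata file downloaded from the IdP instead of `SAMPLE_METADATA` to get the values to paste into Network; if the metadata lists two signing certificates, the IdP is mid key rollover and both fingerprints are worth recording before deciding which one to upload.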

Configure Network SAML and other single sign-on settings by following the steps in Configuring single sign-on in Network.

Microsoft Azure configuration

When you configure single sign-on in Microsoft Azure AD and Network, you will need to use information from each to complete the configuration.

In Network, take note of the following:

  • the Network DNS; for example, https://verteo.veevanetwork.com

In Microsoft Azure AD, take note of the following:

  • the User access URL in the application properties
  • the Logout URL in the application properties
  • the Azure AD Identifier in the application properties
  • the Reply URL from Manage > Single sign-on

Additionally, you will need to download the Base64 certificate for use in Network.

Configure single sign-on

In Microsoft® Azure® AD, an administrator sets up and configures a Network application as follows:

  1. Select Enterprise Application and click + New application.
  2. In the Add an application column, select Non-gallery application.
  3. In the Add your own application column, type a name for the new application and click the Add button.
  4. In the new application's properties, note the User access URL. You use the value in this field to configure the identity provider login URL in Network.
  5. Also take note of the Logout URL and the Azure AD Identifier. These values correspond to the Identity Provider Logout URL and Network Issuer when you configure mappings in Network.
  6. You do not use the value in the Login URL field.
  7. In the SAML Signing Certificate box, download the Base64 certificate.
  8. Use the downloaded certificate for the Identity Provider Certificate in Network.
  9. In the Manage section, click Single sign-on and provide the following:
    • Identifier: the DNS name; for example, https://verteo.veevanetwork.com or https://sandbox3.veevanetwork.com.
    • Reply URL: use the value for the Network SSO Login URL in Network.
  10. Finally, ensure that the correct attributes are passed to Network. These values appear in the User Attributes & Claims box.

    In Network, ensure that these mappings are configured as follows:

    • If autocreation is not enabled, the uid must be mapped.
    • If autocreation is enabled, map all attributes according to the following mappings in Network:
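Both provider sections end on the same two requirements: the SAML response must be addressed to this Network instance (the Audience URI in Okta, the Identifier in Azure AD) and it must carry a mapped uid attribute. The following added example, not Network's own validation code, shows the checks a service provider performs on a response before trusting its attributes: issuer matches the configured IdP, audience matches the SP identifier, the validity window is honoured, and the required attributes are present and non-empty. It runs over a constructed, unsigned response; the DNS name https://verteo.veevanetwork.com is taken from this page, the issuer is a made-up example tenant, and XML signature verification (which a real SP must do first) is deliberately out of scope.

```python
"""Check a SAML response the way an SP should before trusting its attributes."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Assumed values for the Network side: the SP entity ID is the DNS name used as
# Audience URI / Identifier above; the IdP issuer is a made-up example tenant.
SP_ENTITY_ID = "https://verteo.veevanetwork.com"
IDP_ISSUER = "http://www.okta.com/exampleidp0000000"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, 0, tzinfo=timezone.utc)   # inside the validity window
LATER_NOW = datetime(2024, 1, 1, 12, 10, 0, tzinfo=timezone.utc)   # after NotOnOrAfter

# Constructed, unsigned sample response carrying a uid attribute statement.
SAMPLE_RESPONSE = f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml2:Issuer>{IDP_ISSUER}</saml2:Issuer>
  <saml2p:Status><saml2p:StatusCode Value="{STATUS_SUCCESS}"/></saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml2:Issuer>{IDP_ISSUER}</saml2:Issuer>
    <saml2:Subject><saml2:NameID>jdoe</saml2:NameID></saml2:Subject>
    <saml2:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml2:AudienceRestriction><saml2:Audience>{SP_ENTITY_ID}</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="uid"><saml2:AttributeValue>jdoe</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="email"><saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>
"""


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC ISO 8601 with a trailing Z, optionally with fractional seconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, expected_issuer, sp_entity_id, now, required_attrs=("uid",)):
    """Return a list of problems; an empty list means every check here passed.

    These checks sit on top of XML signature verification, which this example
    does not perform: a response whose signature does not verify is rejected
    before any of this runs.
    """
    problems = []
    root = ET.fromstring(xml_text)
    code = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if code is None or code.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")

    assertions = root.findall("saml2:Assertion", NS)
    if len(assertions) != 1:
        problems.append("expected exactly one Assertion, found %d" % len(assertions))
        return problems
    a = assertions[0]

    issuer = a.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append("issuer %r does not match configured issuer" % (issuer,))

    cond = a.find("saml2:Conditions", NS)
    if cond is None:
        problems.append("assertion has no Conditions element")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            problems.append("assertion not yet valid")
        if not not_on_or_after:
            problems.append("assertion has no NotOnOrAfter")
        elif now >= parse_saml_time(not_on_or_after):
            problems.append("assertion expired")
        audiences = [x.text.strip() for x in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS) if x.text]
        if sp_entity_id not in audiences:
            problems.append("audience %r does not include this SP" % (audiences,))

    # Collect attribute values by Name; the Okta/Azure mapping must produce these names.
    attrs = {}
    for attr in a.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
    for name in required_attrs:
        if not any(v.strip() for v in attrs.get(name, [])):
            problems.append("required attribute %r is missing or empty" % (name,))
    return problems


if __name__ == "__main__":
    print("valid window:", check_response(SAMPLE_RESPONSE, IDP_ISSUER, SP_ENTITY_ID, SAMPLE_NOW))
    print("expired:     ", check_response(SAMPLE_RESPONSE, IDP_ISSUER, SP_ENTITY_ID, LATER_NOW))
    no_uid = SAMPLE_RESPONSE.replace('Name="uid"', 'Name="userid"')
    print("no uid:      ", check_response(no_uid, IDP_ISSUER, SP_ENTITY_ID, SAMPLE_NOW))
```

The audience check is what ties the Audience URI (Okta) or Identifier (Azure AD) setting to the response: a response minted for https://sandbox3.veevanetwork.com fails against an instance configured as https://verteo.veevanetwork.com, which is the expected outcome when the two values are not kept in step.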