How do I configure Auvik single sign-on with my identity provider?

Auvik allows you to use your identity provider (IdP) for authentication into the Auvik application. By using your IdP for authentication, your users can log in to Auvik with their corporate credentials. They don’t have to remember another set of credentials, and you can manage access to Auvik from a central location.

A different set of authentication methods is supported at each site, and different single sign-on (SSO) configurations are supported in each site. The authentication method for a site applies to users who belong to the site. The authentication level determines which site a user belongs to and controls which authentication method they can use.

Note: SAML Single Sign-On is not enabled in the Auvik trial.

Auvik supports SAML 2.0 for SSO. There are 4 steps involved:

  1. Configuring SAML in Auvik and your IdP
  2. Testing the configuration for a single user
  3. Granting your users access to Auvik in your IdP
  4. Enabling SSO and migrating your users to SSO in Auvik

Configuring SAML in Auvik

To start, Auvik requires the following information from your IdP to configure SSO. Refer to your IdP’s instructions on how to set up a SAML application.

  • IdP Signature Certificate - This is the certificate used to sign the SAML tokens that are sent to Auvik. It may also be referred to as SAML Signing Certificate, X.509 Certificate, Encryption Certificate, or Identity Provider Public Certificate. The certificate should be in the base64-encoded PEM format. Note: This is the minimum necessary to start configuring SSO in Auvik.
  • IdP Issuer URI - This is the case-sensitive identifier for your identity provider. It may also be referred to as IdP Entity ID, Identifier, Entity ID, Identity Provider Issuer URI, or Issuer URL.
  • IdP Single Sign-On URL - This is the URL Auvik will redirect your users to for authentication. It may also be referred to as IdP URL, Login URL, Identity Provider Single Sign-On URL, or SAML 2.0 Endpoint.

If your IdP requires the Audience URI, ACS URL or RelayState from Auvik before it can generate a certificate, provide temporary values for now. You can replace those values later on. Note that if the final Audience URI, ACS URL or RelayState from Auvik is required, Auvik will provide the final values as soon as the certificate is uploaded. Refer to your IdP’s instructions on how to set up and edit a SAML application.

Edit access to the user management permission is required to configure SSO in Auvik. To configure SSO in Auvik:

  1. Go to the desired site dashboard.
  2. Click Settings in the Auvik navigation menu.
  3. Click the Authentication tab.
  4. Click Browse on the IdP Signature Certificate field to upload your certificate. Auvik requires the certificate to be in the base64-encoded PEM format. After uploading the certificate, the Audience URI, ACS URL, and RelayState are populated to let you complete the configuration in your IdP if you need to finish that first.
  5. Copy the Audience URI, ACS URL, and RelayState.
  6. Enter the IdP Issuer URI and IdP Single Sign-On URL.
  7. Click Save.

Note: If you have configured SAML at the wrong site, delete the SAML configuration and restart at the desired site.

Completing the SAML application configuration in your IdP

Once the above information has been provided to Auvik, you will be provided with the following to complete the configuration in your IdP.

  • Audience URI - This is the identifier for Auvik. It may also be referred to as SP Entity ID, Identifier, Entity ID, or Audience.
  • ACS URL - This is the Auvik URL that your IdP will send SAML responses to. It may also be referred to as Assertion Consumer Service URL or Reply URL.
  • RelayState - This specifies where users are redirected to after successful authentication. It may also be referred to as Default RelayState or Relay State.

Refer to your IdP’s instructions on how to set up a SAML application.

Adding required user attributes

Auvik requires four user attributes to be passed in the SAML token when a user successfully authenticates with your IdP:

  • NameID - This is the primary identifier for your user. It may also be referred to as Name Identifier, SAML Subject NameID, or Application Username. This must be set to the current email address that your users use to log in to Auvik.
    • The NameID format should be set to email: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • firstName - The first name or given name of your user.
  • lastName - The last name, surname, or family name of your user.
  • email - The email address of your user.

Refer to your IdP’s instructions on how to add user attributes for a SAML application.
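
Before testing, it can help to confirm that a response from your IdP carries the values and attributes described above. The following is an added example, not Auvik's code: it checks a decoded SAML response against the Issuer URI, Audience URI, ACS URL, NameID format and required attributes. The sample response, the example.com URLs and the function name check_response are constructed placeholders; substitute the values shown in your own Authentication tab and IdP.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
REQUIRED_ATTRS = ("firstName", "lastName", "email")

# Constructed sample of a decoded SAML response; every URL is a placeholder.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion">
  <a:Assertion>
    <a:Issuer>https://idp.example.com/ABC123</a:Issuer>
    <a:Subject>
      <a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</a:NameID>
      <a:SubjectConfirmation>
        <a:SubjectConfirmationData Recipient="https://sp.example.com/acs"/>
      </a:SubjectConfirmation>
    </a:Subject>
    <a:Conditions><a:AudienceRestriction>
      <a:Audience>https://sp.example.com/audience</a:Audience>
    </a:AudienceRestriction></a:Conditions>
    <a:AttributeStatement>
      <a:Attribute Name="firstName"><a:AttributeValue>Jane</a:AttributeValue></a:Attribute>
      <a:Attribute Name="email"><a:AttributeValue>jdoe@example.com</a:AttributeValue></a:Attribute>
    </a:AttributeStatement>
  </a:Assertion>
</p:Response>"""

def check_response(xml_text, issuer, audience, acs_url):
    """Return configuration problems found; does not verify the signature."""
    a = ET.fromstring(xml_text).find(".//a:Assertion", NS)
    if a is None:
        return ["no Assertion element (encrypted or malformed response?)"]
    problems = []
    if (a.findtext("a:Issuer", "", NS) or "").strip() != issuer:  # case-sensitive
        problems.append("Issuer does not match IdP Issuer URI")
    if (a.findtext(".//a:Audience", "", NS) or "").strip() != audience:
        problems.append("Audience does not match Audience URI")
    scd = a.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("Recipient does not match ACS URL")
    name_id = a.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID format is not emailAddress")
    if name_id is None or "@" not in (name_id.text or ""):
        problems.append("NameID is not an email address")
    present = {el.get("Name") for el in a.iterfind(".//a:Attribute", NS)}
    problems += [f"missing attribute: {n}" for n in REQUIRED_ATTRS if n not in present]
    return problems
```

Run it only on responses captured from your own IdP during setup. It is a configuration check and is no substitute for signature validation.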

Testing your SAML configuration

Once SAML configuration is complete in Auvik and your IdP, we’ll test the configuration in Auvik. SSO will be temporarily enabled for the test user in Auvik.

Testing your SAML configuration in Auvik is only available for SAML configurations that aren’t in use.

  1. In your IdP, grant your test user access to the Auvik SAML application. Refer to your IdP’s instructions on how to grant a user access to a SAML application.
  2. In Auvik, go to the desired site dashboard.
  3. Click Settings in the Auvik navigation menu.
  4. Click the Authentication tab.
  5. Click Test SSO.
  6. Select the test user.
  7. In an incognito browser window, log in to Auvik with your test user through your configured identity provider. You must complete the test in 30 minutes. If you don’t respond in 30 minutes, we’ll restore the previous settings.
  8. In Auvik, click on whether the test user was able to log in.

Granting your users access to Auvik in your IdP

Users whose accounts have been migrated to SSO can only log in through your identity provider. Please make sure all users that you want to use SSO in Auvik are in your identity provider and are configured to have access to Auvik.

Enabling SSO and migrating your users to SSO in Auvik

Select the authentication method you want users on this site to use:

  1. Go to the desired site dashboard.
  2. Click Settings in the Auvik navigation menu.
  3. Click the Authentication tab.
  4. Select the desired Authentication Method:
    • Password, Google account, and Microsoft account
    • Single sign-on for selected users
    • Single sign-on for all users
  5. Click Save.

Users whose accounts have been migrated to SSO can only log in through your identity provider. Please make sure all users that you want to use SSO in Auvik are in your identity provider and are configured to have access to Auvik. Currently, Auvik SSO does not support just-in-time provisioning. You must invite the user to Auvik.

If Single sign-on for selected users is selected, this will start the user migration wizard to let you select the users that you want to migrate to SSO. There are three options:

  1. All users that belong to this site
  2. All users that belong to an email domain
  3. Select individual users

After selecting users to migrate, you’ll be asked to confirm your selection and then to start the migration. You can migrate more users to SSO at a later time by editing the user, or clicking the Migrate Users button in the Authentication Method pane. You can also specify that a user must use SSO when you invite them.

If Single sign-on for all users is selected, this will start the user migration wizard to confirm the users that will be migrated to SSO and start the migration. Any users that were not migrated will lose authorization to the site. Selecting this option prevents you from inviting new users that already have an Auvik account—for example, consultants—because they’ll be using a conflicting authentication method. In this scenario, select Single sign-on for selected users.

If your browser tab or window is closed while the migration is in progress, you can view the progress from the Authentication Method pane.

  1. Go to the desired site dashboard.
  2. Click on Settings in the Auvik navigation menu.
  3. Click on the Authentication tab.
  4. Under Authentication Method, click the See Status link.