Learn how to have your users logged into the iVvy system automatically once an external or organisational login has completed. This saves users from having to enter multiple usernames and passwords.
The SAML Single Sign-On feature lets a user log in once at their SAML identity provider; that session also authenticates the user's iVvy login without any additional usernames or passwords being typed in.
Configure SAML Single Sign-On for iVvy

1. Navigate to Global Settings > Security > Account Security and select "SAML SSO" as the "Authentication Method".

2. Select Allow Signup if you want to allow new users to sign in to your iVvy account. If this is set to No, users must first be added to your iVvy account before they can be authenticated by your IDP.
   If you allow signup, you must select a Default Group Policy to assign to new users that sign in to your iVvy account.
   This configures your account as a "Service Provider" (SP) that can communicate with an "Identity Provider" (IDP) to authenticate users.
   The examples below show Google Apps used as the IDP; the settings described can be applied to any IDP that implements SAML.

3. From your Identity Provider, download the IDP metadata that contains the details you will need to enter on the security settings page of your account. In Google Apps, this looks like the following:
   Download the metadata from Option 2. This will be an XML document.
4. Navigate to Global Settings > Security > SAML Identity Providers.
   Click "Add" and enter your Identity Provider settings:

   Display Name: The name of this IDP that is shown within the iVvy interface.
   Entity ID: The entity ID provided by the IDP. In Google, this is the "entityID" attribute of the <md:EntityDescriptor> element.
   Want AuthnRequestsSigned: Select Yes to sign the requests between iVvy (SP) and the IDP. Selecting Yes is strongly recommended for better security, but the choice depends on your IDP.
   Single Sign On Service Endpoint (HTTP-REDIRECT): The HTTP endpoint provided by the IDP to authenticate users. In Google, this is the "Location" attribute of the <md:SingleSignOnService> element whose "Binding" attribute is "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".
   X509 Certificate: The certificate generated by your IDP. In Google, this is the <ds:X509Certificate> element.
   NameId Format: Set this format if your IDP has specific requirements; otherwise leave the default value selected.
   Admin Email: The email address that will be notified about this identity provider (e.g. when close to expiring).
   Unique Identifier: Maps the attributes provided by your IDP to attributes of users in iVvy (SP). Multiple attributes can be mapped; all mapped attributes are used by iVvy (SP) to uniquely identify the user authenticated by the IDP.

   The attribute mapping (Unique Identifier above) must be able to uniquely identify users in iVvy. There is no single correct mapping to enter here; it depends on the attributes provided by your IDP. The SAML key (i.e. the IDP attribute name) entered in the text area is case sensitive. The dropdown list offers the following iVvy user attributes:

   Email: The email address of the iVvy user
   Username: The unique username of the iVvy user
   First Name: The first name of the iVvy user
   Last Name: The last name of the iVvy user
   Custom: The custom unique identifier of the iVvy user. Note: The unique identifier of the iVvy user is only visible when a Custom attribute is used in the SAML mapping.
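As an added example (not part of the iVvy documentation or product), the Python below pulls the values this step asks for out of an IDP metadata file: the entityID, the Location of the SingleSignOnService with the HTTP-Redirect binding, the signing X509Certificate and the NameIDFormat. The metadata document embedded in it is constructed, with placeholder entity ID, endpoints and certificate body, and it deliberately lists an HTTP-POST endpoint first so the binding has to be selected explicitly.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IDP metadata (not real Google output); the entity ID,
# endpoints and certificate body are placeholders.
IDP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml2/idp">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC...PLACEHOLDER...CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml2/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_settings(metadata_xml):
    """Return the values the iVvy 'Add Identity Provider' form asks for."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this may be SP metadata")
    # Select the endpoint by its Binding attribute: an IDP usually lists
    # several bindings and the first one is not necessarily HTTP-Redirect.
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    if len(sso) != 1:
        raise ValueError("expected one HTTP-Redirect endpoint, found %d" % len(sso))
    # Use the signing certificate; whitespace inside the element is not part of it.
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing X509Certificate in metadata")
    return {
        "entity_id": root.get("entityID"),
        "sso_redirect_url": sso[0],
        "x509_certificate": "".join(cert.text.split()),
        "nameid_format": idp.findtext("md:NameIDFormat", namespaces=NS),
    }
```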
5. Select the newly created Identity Provider and click Metadata (Service Provider) > Download.
   Download the SP metadata file (an XML document) and enter the appropriate settings in your IDP. In Google, this looks like the following:

   ACS Url: The "Location" attribute of the <md:AssertionConsumerService> element.
   Entity ID: The "entityID" attribute of the <md:EntityDescriptor> element.

   Note that "Signed Response" is ticked, which corresponds to selecting Yes for "Want AuthnRequestsSigned" in step 4 above.
   Note that in the Google example, "Name ID Format" is "unspecified". This could be different for your IDP and corresponds to the "NameId Format" setting in step 3 above.
iVvy should now be ready to act as the SP (service provider) and authenticate user sessions with your IDP (identity provider).
If you do not allow new users to sign up ("Allow Signup: No" in step 2), you will now need to go to the Users section of your iVvy account and set up the users who need access to your account.
Find out more about Creating a User.
If you do allow users to sign up ("Allow Signup: Yes" in step 2), go to the login page of your iVvy account, which should begin the SAML authentication process with your IDP. After successfully authenticating with your IDP, you will be presented with the following form in iVvy to complete the creation of your user profile in iVvy.