Skip to main content
Planview Customer Success Center

How do I set up SSO for Viz?

Last Updated:   |  Applicable Viz Versions: All

Answer

Step 1: Provide required information for SAML connection

For SSO configuration, you will need to provide the following information about your Identity Provider (IdP):

SAML Configuration Information

  • Sign In URL
  • Sign Out URL
  • X509 Signing Certificate: SAMLP server public key encoded in PEM or CER format
  • User ID Attribute: The SAML attribute that maps to the user’s unique identifier in Auth0
  • Protocol Binding: HTTP Redirect or HTTP Post (usually HTTP Post)
  • Do you want the Auth request to be signed? If so, please make the following selections:
    • Sign Request Algorithm: RSA-SHA256 or RSA-SHA1
    • Sign Request Digest: SHA256 or SHA1
  • What attributes/claims in the authentication token coming back to auth0 can be used to map the following values:

    • First name 

    • Email

    • given_name

    • family_name

Additional SSO information

  • How do you want to authorize new SSO users to join your Viz organization?
    • Option 1 - Manual Administrator Activation: This is the default for non-SSO users. Users must be explicitly activated by an administrator who will be emailed each time someone is added to the organization.
    • Option 2 - Auto-activate all SSO users who join the organization: This option is useful if you control Viz access at your IdP and don’t want administrative email traffic.
  • Do you want user memberships to be auto-created for your organization? 
    • If you have multiple Viz organizations and want the SSO connection to serve more than one of them, you have the option to not auto-create user memberships for a selected organization. This could be useful if you only want a handful of users to have access to a testing org and would like users manually added.
  • Do you want to set up SSO for Active Directory to streamline user role management?
    • If you already have SSO in place, you can configure SSO for Active Directory to manage user roles exclusively in your Active Directory environment. Once configured, user roles will be communicated via SAML response attributes. This enables Viz to dynamically adjust the user interface and permissions based on the roles assigned to each user in Active Directory. Learn more.

Once the above information is provided, the Viz administrator will create the SAML connection configuration.

Step 2: SAML Authentication Test

When the SSO configuration is ready on Viz's side, customer care will walk you through your first authentication to verify that it works correctly.

Customer care can also share the metadata URL with you to help you set up the IdP on your side as needed.

Note: Planview currently supports SP- Initiated login.

Step 3: Enabling SAML

For this step, you'll need to schedule a meeting with customer care so SSO can be enabled on both sides.

During this meeting, customer care will enable the SSO connection. After the connection is enabled, you will need to authenticate via SSO.

To do this, follow the instructions outlined below:

  1. Sign out of your account and navigate to https://viz.tasktop.net/#/login/<orgid>
    1. Note: The /login path is just a pseudonym for the common /instances which will also work for authentication.
  2. If not logged in to your ldP, you will be redirected to your own login screen. Otherwise, you should be redirected to Viz’s legal consent page. Once you’ve agreed to the legal consent, you will be redirected to either:
    1. Viz Organization Screen 
      1. If you opted for the autoActivate option
      2. If you did not opt for the autoActivate option, but there was already a non SSO user with the same email address. In this case, the newly created SSO user inherits activation, roles, and preferences in this organization.
    2. Support Screen 
      1. If redirected to this screen, the user account is not yet activated and will need to be activated by the organization admin. 

Note: If there are errors in Viz, it likely indicates that the authentication token was improperly mapped to the Auth0 user. Please contact customer care for further assistance.

Step 4: SAML Rollout

If you have existing (non-SSO) users, you should clean them up to prevent duplicate users. The User Management screen in Viz will indicate which users are SSO users.

Note: You may want to keep one non-SSO user around for “break glass” type scenario in case the SSO connection is having issues. The non-SSO user can still authenticate by hitting a URL that does not contain the org ID (i.e., viz.tasktop.net).

Be sure to notify the users to use your organization-specific login page (i.e., https://viz.tasktop.net/#/login/<orgid>) for SSO-enabled login. That's it! SSO is now set up for Viz.

If you have any questions or need assistance, please reach out to customer care.