In this article, we explain step by step how to set up Single Sign-On (SSO) in vPlan. SSO allows users to log in to multiple systems with a single set of credentials. Follow the steps below carefully to configure SSO.
The SSO connection is set up using SAML 2.0.
Preparing the SSO connection
Connecting domains
Ensure that the necessary domains are connected at least 24 hours in advance. It can take up to 24 hours for a domain to be recognized, as the DNS (Domain Name System) needs to be updated to make the correct references to the SSO provider. DNS servers worldwide must recognize and process these changes. If a domain is not configured, an SSO user will not be able to log in via the standard login portal with their SSO account for that domain. However, it is possible to log in to vPlan from the SSO provider (IDP-initiated Single Sign-On).
Creating App Roles
Create the following app roles in the SSO provider (such as Azure AD or Okta), all in lowercase:
administrator
planner
worker
guest
Setting Attributes & Claims
Correctly configure the attributes and claims in the SSO provider to ensure that the right information is passed to vPlan. This is important for role assignment and access rights. The fields "role," "name," and "email" must be provided within the SAML message, and they can be configured through the mapping mentioned below.
Assigning users to the correct groups or roles
Ensure that users are assigned to the correct groups within the SSO provider in advance, based on their roles. Alternatively, you can manually assign the correct role to each user.
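The app roles and the "role," "name," and "email" attributes described above can be checked on a captured SAML assertion before the connection is activated. The following is an added example, not vPlan's own code; the claim names in MAPPING and the sample assertions are constructed assumptions, so substitute the claim names from your own mapping.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ALLOWED_ROLES = {"administrator", "planner", "worker", "guest"}  # app roles from the article
# Assumption: vPlan field -> claim name as sent by your IdP (constructed names).
MAPPING = {"role": "role", "name": "displayName", "email": "mail"}


def check_assertion(xml_text, mapping=MAPPING):
    """Return a list of attribute problems; an empty list means none were found.

    Configuration check only: it does not verify the assertion's signature.
    """
    root = ET.fromstring(xml_text)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = attr.iterfind("saml:AttributeValue", SAML_NS)
        claims[attr.get("Name")] = [(v.text or "").strip() for v in values]
    problems = []
    for field, claim in mapping.items():
        values = [v for v in claims.get(claim, []) if v]
        if not values:
            problems.append(f"{field}: claim '{claim}' missing or empty")
        elif field == "role":
            # Role values must match the lowercase app roles exactly.
            bad = [v for v in values if v not in ALLOWED_ROLES]
            if bad:
                problems.append(f"role: unexpected value(s) {bad}")
    return problems


def sample(role, with_email=True):
    """Build a constructed, unsigned assertion for the demonstration."""
    attrs = {"role": role, "displayName": "Sam Example"}
    if with_email:
        attrs["mail"] = "sam@example.com"
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue>'
        "</saml:Attribute>" for n, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}"><saml:AttributeStatement>'
            f"{body}</saml:AttributeStatement></saml:Assertion>")


if __name__ == "__main__":
    print(check_assertion(sample("planner")))                    # correct setup
    print(check_assertion(sample("Planner", with_email=False)))  # two problems
```

A role sent as "Planner" is reported because the app roles must be all lowercase, and a missing email claim is reported because all three fields are required in the SAML message.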
Configuring the SSO connection in vPlan
After completing the preparations, you can proceed with setting up the actual SSO connection.
Adding a new connection
In vPlan, go to Settings and then to the Security section. Click on the Single Sign-On tab to access the SSO settings, and add a new connection.
Fill in the required fields:
Name: Give the connection a name (the name doesn't matter much).
Sign-in URL: This is the URL of the SSO provider where users log in. Note that the name of this field may vary by provider.
Sign-out URL: This is the URL where users are redirected after logging out. Again, the name of this field may vary by provider.
Certificate: Upload the certificate used for the secure connection.
Mapping: Ensure the correct mapping of attributes and claims is applied. This ensures proper user role assignment in vPlan. See the example mapping below:
Domains: Check the domains you want to activate within this SSO connection.
Adding the Redirect URL
After adding the connection, you must configure the Redirect URL within the SSO provider, which is generated by vPlan. This ensures that the SSO process is handled correctly.
Activating the SSO connection
Enable the SSO connection to activate it. Users can now log in via SSO.
Converting an existing user to an SSO user
When an existing user is converted to an SSO user, their password and role will automatically be updated. The user will no longer be able to log in with their old password.
If the SSO connection is deactivated for a user, the old credentials (if available) will be restored.
Handling expired certificates
Within your SSO connection settings, you can see the added certificate and its expiration date. When a certificate is about to expire, we will send timely emails:
60 days before the certificate expires
30 days before the certificate expires
1 day before the certificate expires
When you want to add a new certificate, you must first remove the old certificate, after which a new one can be added.