Configuring single sign-on authentication
Single sign-on (SSO) authentication improves security, simplifies the login process, and makes managing user credentials easier. Using SSO authentication in all corporate resources, including Revizto projects, is advised. SSO configuration is performed by gathering the appropriate URLs from your identity provider and then adding an authentication method through Revizto Workspace.
- Required permissions
- Accessing authentication methods
- Configuring authentication methods
- Automatically assigning authentication methods
- Creating a Revizto service provider entity ID
- Troubleshooting
Required permissions
Configuring SSO authentication requires admin access to your existing identity provider (Microsoft Entra ID (Azure), Okta, JumpCloud, etc.) and Revizto license administrator access.
You can view your license role from the License Info page in Revizto Workspace under Tools. See Roles in the license for more information.
Search online for “add a new SAML app to <your identity provider> sso” to find instructions and requirements for adding integrations to your SSO provider.
Accessing authentication methods
Revizto uses the Revizto login authentication service by default, but SSO authentication methods are configurable through Revizto Workspace. To edit existing authentication settings, see Editing authentication methods.
To access authentication methods:
- Sign in to ws.revizto.com.
- If you are a member of several licenses, ensure that the correct license is selected.
- Go to Tools, then select User Management under License Management Tools. If you do not see License Management Tools, see Required permissions.
- Click Authentication Methods on the toolbar, and you will see all authentication methods that have been configured.
- Click Add authentication method to create a new authentication method.
Configuring authentication methods
After following Accessing authentication methods, you can configure either the Revizto login service, Google Workspace, or a SAML authentication service like Azure, Okta, or JumpCloud. Both Google and SAML authentication are SSO options, and you can have multiple authentication methods for different user groups. Revizto will use your identity provider's settings for session timeouts, so you can maintain login standards across all your tools.
Google Workspace authentication:
- On the Create authentication method page, name your authentication method. We suggest using a descriptive name if multiple authentication methods are in use.
- In the Authentication service dropdown, select Google. This requires users to have their business email address registered with Google Workspace.
- Configure the settings, under Other settings, if needed. See Automatically assigning authentication methods for more information.
- Click Save.
Standard SAML authentication:
SAML authentication requires creating a Revizto integration for your SSO provider and then connecting that integration back to Revizto. Revizto uses the Service provider entity ID and Federation metadata URL to authenticate logins with your identity provider.
- Log in to your SSO identity provider and add Revizto as a new app or integration.
  As there are many different SSO identity providers, please refer to your identity provider’s documentation for adding apps or integrations.
- Locate the Service provider entity ID, also referred to as an application ID, and Federation metadata URL from your identity provider.
  If a Service provider entity ID is not generated by your identity provider, see Creating a Revizto service provider entity ID.
- On a new tab or browser window, navigate to the Create authentication method page in Revizto Workspace by following Accessing authentication methods.
- Name your authentication method. We suggest using a descriptive name if multiple authentication methods are in use.
- In the Authentication service dropdown, select SAML. Then select Standard.
- Enter the information you found in step 2 in the Service provider entity ID and Federation metadata URL textboxes.
- Configure the settings, under Other settings, if needed. See Automatically assigning authentication methods for more information.
- Click Save.
Custom SAML authentication:
The custom SAML workflow is for use with SSO services that either do not expose a Federation metadata URL, or do not share login and logout response URLs automatically. Most SSO identity providers should use the standard SAML setup.
- Log in to your SSO identity provider and add Revizto as a new app or integration.
  As there are many different SSO identity providers, search online for “add a new SAML app to <your identity provider> sso” to get accurate instructions on adding integrations to your SSO provider.
- Locate the following from your identity provider:
  - Service provider entity ID, also referred to as an application ID. If one is not generated by your identity provider, see Creating a Revizto service provider entity ID.
  - Identity provider entity ID
  - Login URL
  - Logout response URL
  - Federation metadata URL (This becomes optional if the other fields are completed)
  - Public X.509 certificate. This is the public key for validating identity provider requests and responses and is saved as an XML file. Copy and paste the X.509 certificate from the following node: EntityDescriptor / Signature / KeyInfo / X509Data / X509Certificate.
- On the Create authentication method page in Revizto Workspace, name your authentication method. We suggest using a descriptive name if multiple authentication methods are in use.
- In the Authentication service dropdown, select SAML.
- Under Server settings, click Custom.
- Enter the information found from step 2 in the appropriate fields.
- Configure the settings, under Other settings, if needed. See Automatically assigning authentication methods for more information.
- Click Save.
If your identity provider requires Revizto URLs for authentication, click Info next to your authentication method. This opens a window with several URLs:
- Login response URL, Metadata URL, and Logout response URL. Your identity provider might require these parameters.
- Service provider entity ID. Users that choose to sign in without entering the Revizto password will need the entity ID to sign in. For more information, see Signing in using a single sign-on method.
Automatically assigning authentication methods
You can configure automatic assignment of authentication methods when creating or editing an authentication method. The advantage of automatic assignment is each license member gets the correct authentication method no matter who adds them to the license. This also reduces the time required to register a license member.
- Associated domains
  When users that belong to the listed email domains are added to the license, they are assigned this authentication method.
- Default method
  Users that are not automatically assigned an authentication method are assigned this method.
We recommend configuring the following rules for automatic assignment of authentication methods:
- Add your company’s email domain to the list of associated domains for a single sign-on authentication method of your choice. All new license members from your company’s domain will be assigned this authentication method.
- Make "Revizto login" the default authentication method. All new license members that do not belong to your company’s domain will be assigned this authentication method.
To learn how to manually assign your new authentication method to Revizto users, see the following articles:
- Assigning authentication methods to new license members
- Assigning authentication methods to existing license members
Creating a Revizto service provider entity ID
To generate a unique service provider entity ID you can use the following pattern:
https://api.<region>.revizto.com/entity/<license id>.
The license regions are as follows:
- Australia (ANZ): https://api.sydney.revizto.com
- Canada: https://api.canada.revizto.com
- China: https://api.shanghai.revizto.com
- Europe (Ireland): https://api.ireland.revizto.com
- Japan: https://api.tokyo.revizto.com
- Kingdom of Saudi Arabia (KSA): https://api.ksa.revizto.com
- North America (USA): https://api.virginia.revizto.com
- South America (Brazil): https://api.saopaulo.revizto.com
- Southeast Asia (Singapore): https://api.singapore.revizto.com
- Switzerland: https://api.zurich.revizto.com
- United Arab Emirates (UAE): https://api.dubai.revizto.com
- United Kingdom: https://api.london.revizto.com
The license ID is the unique five-digit number in the URL when logged into the license. Verify that you are logged into the correct license when copying this number.
Troubleshooting
Q: When attempting to sign in to Revizto Workspace, you get the following error: "Authentication error. Please contact our technical support".
A: For standard SAML authentication:
- The federation metadata URL is incorrect.
For custom SAML authentication:
- The X.509 certificate specified in the authentication method settings is incorrect. When you configure the authentication method, ensure that you copy the X.509 certificate from the following node: EntityDescriptor / Signature / KeyInfo / X509Data / X509Certificate.
- The X.509 certificate specified in the authentication method settings has expired. Get a new certificate and add it to the authentication method settings.
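As an added example (not Revizto's code), this Python script reads an identity provider's federation metadata, extracts the values that the custom SAML fields and the troubleshooting answers above refer to, including the certificate at EntityDescriptor / Signature / KeyInfo / X509Data / X509Certificate, and checks whether a pasted certificate is the one the metadata publishes. The sample metadata, the idp.example.com URLs, and the mapping of Login URL and Logout response URL to the `Location` attributes are assumptions.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Node named in this article, relative to the EntityDescriptor root.
CERT_PATH = "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
# Constructed sample: placeholder bytes stand in for a real DER certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyInfo><X509Data>
    <X509Certificate>%s</X509Certificate>
  </X509Data></KeyInfo></Signature>
  <IDPSSODescriptor>
    <SingleSignOnService Location="https://idp.example.com/saml/login"/>
    <SingleLogoutService Location="https://idp.example.com/saml/logout"/>
  </IDPSSODescriptor>
</EntityDescriptor>""" % base64.b64encode(SAMPLE_DER).decode()

def cert_der(text):
    """Decode a certificate pasted as bare base64 or as PEM into DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", text)
    return base64.b64decode(body, validate=True)

def idp_settings(metadata_xml):
    """Pull the custom SAML field values out of IdP federation metadata."""
    if "<!DOCTYPE" in metadata_xml:  # refuse DTDs before parsing fetched XML
        raise ValueError("metadata contains a DTD")
    root = ET.fromstring(metadata_xml)
    cert = root.find(CERT_PATH, NS)
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no X509Certificate under EntityDescriptor/Signature")
    idp = root.find("md:IDPSSODescriptor", NS)
    def location(tag):  # assumed mapping: the field value is the Location attribute
        node = idp.find("md:" + tag, NS) if idp is not None else None
        return node.get("Location") if node is not None else None
    der = cert_der(cert.text)
    return {"idp_entity_id": root.get("entityID"),
            "login_url": location("SingleSignOnService"),
            "logout_url": location("SingleLogoutService"),
            "certificate": base64.b64encode(der).decode(),
            "sha256": hashlib.sha256(der).hexdigest()}

def same_certificate(pasted, metadata_xml):
    """True when the pasted certificate is the one the metadata publishes."""
    return cert_der(pasted) == cert_der(idp_settings(metadata_xml)["certificate"])
```

Comparing decoded bytes rather than text means line wrapping or PEM header lines in the pasted value do not cause a false mismatch.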