This article is intended for license administrators. It describes how to configure SAML authentication for Revizto users.

• Concepts 
• Configuring SAML authentication in Microsoft Azure
• Troubleshooting

When you configure SAML authentication for a license member, they get an email with authentication instructions. For more information, see the following article:

• Signing in using single sign-on authentication

Concepts

This section describes the generic concepts of configuring SAML authentication. If your identity provider is Microsoft Azure, read Configuring SAML authentication in Microsoft Azure instead.

License administrators can configure SAML authentication for Revizto license members. Some parts of this procedure are performed at the identity provider side. For detailed instructions, consult your identity provider documentation.

If you encounter any difficulties, submit a support request.

To configure SAML authentication:

1. In the identity provider, create a service provider entity for the Revizto application.

2. In the identity provider settings, find the following parameters:

   • Identity provider entity ID.

   • Login URL (the URL where Revizto users will sign in).

   • Logout response URL (the URL where Revizto users will sign out).

   • Public X.509 certificate (the public key for validating identity provider requests and responses).

3. Sign in to ws.revizto.com and add a SAML authentication method to your license.

   You will be prompted to enter the parameters that you obtained in step 2.

   You will also be prompted to enter the service provider entity ID. It must be unique across all Revizto licenses. Use one of the following options:

   • If your identity provider generated a service provider entity ID, enter it in the authentication method settings.

   • If your identity provider did not generate a service provider entity ID, do the following:

     1. Generate the service provider entity ID as follows:

        https://api.<region>.revizto.com/entity/<license id>.

        You can find your license ID in your browser address box when you are browsing Revizto Workspace.

        Example: https://api.virginia.revizto.com/entity/11111

     2. Enter the service provider entity ID in the authentication method settings.

     3. Go back to the identity provider and enter the entity ID in the service provider entity settings.

   To learn how to add an authentication method to your license,For detailed instructions, see Adding authentication methods.

4. In Revizto Workspace, in the list of authentication methods, click next to the new method. This opens a window with several URLs:

   • Login reply URL, Metadata URL, and Logout URL. Your identity provider might require these parameters.

   • Entity ID. Users that choose to sign in without entering the Revizto password will need the entity ID to sign in. For more information, see Signing in using a single sign-on method.

5. In the identity provider, open the properties of the service provider entity ID that you created in step 1 and enter the parameters that you obtained in step 4 (your identity provider might not require all of them).

This completes the configuration of the authentication method. To learn how to assign it to Revizto users, see the following articles:

• Configuring authentication parameters for new license members
• Configuring authentication parameters for existing license members

Configuring SAML authentication in Microsoft Azure

This section provides an example of configuring Microsoft Azure authentication.

The example is provided "as is." The parts of the procedure that are performed at Microsoft Azure portal can change without prior notice.

To configure Microsoft Azure authentication:

1. Go to portal.azure.com.

2. Go to the list of Azure services and open Azure Active Directory.

3. In the left pane, under Manage, click App registrations.

   

4. At the top, click New registration.

   

5. In the Name field, enter Revizto.

   

6. At the bottom, click Register.

7. Under Essentials, click Add an application ID URI.

   

8. Next to Application ID URI, click Set.

   

9. Keep the default application ID URI and click Save.

   

10. Sign in to ws.revizto.com and add a SAML authentication method to your license.

    For detailed instructions, see Adding authentication methods.

    The following table describes how to fill SAML-specific fields.

    Field	Value
    Service provider Entity ID	The application ID URI that you generated in the previous step.
    Identity provider Entity ID (Issuer)	On Microsoft Azure portal, open the App registrations page. At the top, click Endpoints. In the list of endpoint URLs, copy the value of the Federation metadata document field to the browser address line. This opens an XML file. In the XML file, find the <EntityDescriptor> tag and copy its EntityID attribute.
    Login URL	On Microsoft Azure portal, open the App registrations page. At the top, click Endpoints. In the list of endpoint URLs, copy the value of the SAML-P sign-on endpoint field.
    Logout response URL	On Microsoft Azure portal, open the App registrations page. At the top, click Endpoints. In the list of endpoint URLs, copy the value of the SAML-P sign-out endpoint field.
    Public X.509 certificate	On Microsoft Azure portal, open the App registrations page. At the top, click Endpoints. In the list of endpoint URLs, copy the value of the Federation metadata document field to the browser address field. This opens an XML file. In the XML file, copy the value of the EntityDescriptor / Signature / KeyInfo / X509Data / X509Certificate tag. Ensure that you copy the value exactly from this tag. The XML file contains several X.509 certificates but only this one will work. When prompted to provide an X.509 certificate, you can paste it from a clipboard or upload it as a text file.

    Once you create an authentication method, you will see a window with several URLs.

    • Login reply URL, Metadata URL, and Logout URL. You will need some of them later to complete configuring the identity provider connection.

    • Entity ID. Users that choose to sign in without entering the Revizto password will need the entity ID to sign in. For more information, see Signing in using single sign-on authentication.

    If you close this window, you can open it by clicking next to the authentication method.

11. Return to Microsoft Azure Active Directory page and then, in the left pane, under Manage, click Authentication.

    

12. Click Add platform and select Web.

13. Enter the redirect URI  (use the login reply URL that was displayed at Revizto Workspace at the end of step 10) and the logout URL, and then click Configure.

    This completes the configuration of SAML authentication. To learn how to assign it to Revizto users, see the following articles:

    • Configuring authentication parameters for new license members
    • Configuring authentication parameters for existing license members

Troubleshooting

Q: Revizto users with SAML authentication cannot sign in to Revizto Workspace and to the Revizto application. When they attempt to sign in to Revizto Workspace, they get the following error: "Signature validation failed. SAML Response rejected".

A: This can have the following reasons:

• The X.509 certificate specified in the authentication method settings is incorrect. When you configure the authentication method, ensure that you copy the X.509 certificate from the following node: EntityDescriptor / Signature / KeyInfo / X509Data / X509Certificate.
• The X.509 certificate specified in the authentication method settings has expired. Get a new certificate and add it to the authentication method settings.