1. Home
  2. Getting Started
  3. Setting Up Single Sign On (SSO) in VictorOps

Setting Up Single Sign On (SSO) in VictorOps

Requirements

VictorOps Version Required: Full-Stack

What you need to know: To enable SSO for your organization, you will need to provide an updated metadata file and your IDP. If you are interested in setting up SSO, please contact VictorOps Support at victorops-support@splunk.com

 

This article provides instructions for configuring Single Sign On between your Identity Provider (IDP) and VictorOps.  It also provides information for your end users when logging into VictorOps for the first time using SSO.

Our standard SSO setup uses SAML 2.0 protocol.  As long as your IDP can use SAML 2.0 protocol, it can be integrated with VictorOps with fairly minimal effort.  The exact steps differ depending on which IDP you use, but the process typically involves exporting a .XML metadata file and sending it to our support team at victorops-support@splunk.com.  Once you have sent the .xml file, a VictorOps support specialist will complete the setup on the back-end respond with confirmation.

If your IDP does not have SAML capability, please contact VictorOps Support to explore what alternative options may be available.


Instructions for Users

Organization Slug

Throughout this article, the phrase Organization Slug refers to the slugified version of your organization’s name in VictorOps (This process changes your organization name to a lowercase URL friendly version with no spaces or punctuation, though it may contain dashes). Your Organization Slug can be found at the end of the URL when you are logged into the VictorOps portal via a web browser.

Contact your VictorOps administrator or reach out to VictorOps Support if you are having trouble finding your Organization Slug.

A user’s login experience on the VictorOps platform will be slightly different after enabling Single Sign-On for your organization.  If your organization has not explicitly disabled traditional authentication, users will be able to login as normal with their VictorOps credentials or login via SSO.  If traditional authentication has been disabled, users will encounter an error message directing them to login via SSO if they attempt to login with their VictorOps credentials.

Web Client UI

The SSO login form can be found here: https://portal.victorops.com/auth/sso

Alternatively, you can create a link or bookmark to skip the typing and bypass the form by appending your company ID to the SSO URL, like this: https://portal.victorops.com/auth/sso/org-slug-here

Either of these routes will direct the user’s browser to your identity provider, where they will be required to authenticate and sent back to the VictorOps timeline.


Mobile Applications

The VictorOps client for your mobile device will also present a link on the login screen, offering the option to use your SSO credentials (Android >= 6.1.110 or iOS >= 4.8.0.4)

iOS SSO Login

This link will take you to a form prompting for your Organization Slug. As described, this is the slugified name of the company that you log into.

After you enter your Company’s Organization Slug, you will be redirected to your IDP login page in a mobile browser. Once you sign in through the IDP you should be automatically logged into VictorOps.

Android SSO Login

A link on the login screen offering the option to use your SSO credentials will take you to a form prompting for your Organization Slug.

After you enter your Company’s Organization Slug, you will be redirected to your IDP login page in a mobile browser. Once you sign in through the IDP you will be signed in through SSO.


First-Time SSO Login

If your organization is using SSO you will need to do a one-time linking process between your SSO provider and your VictorOps account. This will create a link between your external user ID and your VictorOps user ID. If you have not received a “Your invitation to VictorOps” email, please contact your VictorOps administrator and ask them to send you an invitation.

First, you will need to create a username and password, by clicking the activate account link within the “Your invitation to VictorOps” email.

If your username was selected for you, you will need to create a password using the set password activation link within the “Your invitation to VictorOps” email.

If you are automatically logged in to VictorOps after creating a username and password, please click on your username in the upper right-hand corner of the screen and then select Sign out.

Once you have activated your account (i.e. created a username/password, or created a password), please verify that you have logged out of VictorOps in every browser you are using, and your IDP. Then you will want to select or use your Enterprise SSO credentials.

Then you will need to enter the slugified version of your organization name.

From this page you will be redirected to your IDP page, where you can sign in using your SSO credentials.

After you log in to your IDP, you will be asked to enter the VictorOps username/password. You will only need to enter your VictorOps username and password once, and then we will not ask for it again.


How to break your SSO Linkage

If you are receiving an error when trying to sign into VictorOps through SSO (such as “Uh oh – The VictorOps user you have linked to your external SSO ID is not part of <Your-Company>. Please contact your administrator”), you may need to break the linkage between your VictorOps username/password and your SSO provider.

To break the linkage, ensure you are signed in to your IDP and then paste the following link into the address bar of your browser: https://portal.victorops.com/do-defederation . If the link between your VictorOps credentials and your SSO provider is successfully broken, you will see the error, shown below.

VictorOps broken SSO linkage screen

To re-associate your VictorOps username/password with your SSO provider, you will need to walk through the “one-time” linking process again (please see steps in the “First-Time SSO Login” section).

If you have any questions or experience any issues, please contact support@victorops.com.


Administrator Setup

Please see below for corresponding steps needed to complete, or begin, the SSO configuration with VictorOps, and your IDP (Identity Provider).


Okta

From the Okta User Homepage, select Admin.

VictorOps Okta SSO setup step 1

Selecting Admin will bring you to the Okta Dashboard. From the Okta Admin Dashboard, click Applications, and select Applications from the drop down.

VictorOps Okta SSO setup step 2

Within Applications, select Add Application.

VictorOps Okta SSO setup step 3

After clicking Add Application, begin typing VictorOps in the search bar. When VictorOps appears, select Add.

VictorOps Okta SSO setup step 4

The Application label, or name, should auto-populate with the name VictorOps, but please feel free to re-name this label, if desired. The Browser plugin auto-submit should be auto-populated as well. Verify that this setting is checked, and click Next.

VictorOps Okta SSO setup step 5

In the Default Relay State box drop in the following URL:

  • Default Relay State: https://portal.victorops.com/auth/sso/org-slug-here

orgslug example

Once the URL has been added, click on the Identity Provider metadata to download the metadata file, needed by VictorOps, to conduct the SSO configuration. Once you have downloaded the file click Next. (Don’t forget to email this file to VictorOps Support.)

VictorOps Okta SSO setup step 6

Once you have clicked Next, select the users that should have access to add the VictorOps app to their Okta homepage and sign in to VictorOps through SSO. Once all of the users have been selected, click Next.

VictorOps Okta SSO setup step 7

Then click Done, on the next page.

VictorOps Okta SSO setup step 8

Once the users have added the App they will be directed to a one time linking process to connect their VictorOps credentials to Okta, see below.

VictorOps Okta SSO Login screen

To conduct the one-time linking process outside of the Okta Homepage, please see the steps located in the “First-Time SSO Login” section above.


Bitium

  • For detailed instructions on setting up SSO with Bitium, please refer to this article.

Google Apps

  • Access the Admin portal for Google Apps and navigate to Apps >> SAML Apps:

VictorOps SSO Google Apps Setup 1

  • Select “Set up my own custom app”:

VictorOps SSO Google Apps Setup 2

  • From the following screen, select Option 2 to download IDP metadata in XML format.  Attach and send the downloaded .xml file to VictorOps Support.

VictorOps SSO Google Apps Setup 4

  • Save the logo image file found HERE.
  • Next, give the application a name (VictorOps) and upload the logo file.

VictorOps SSO Google Apps Setup 5

  • On the “Service Provider Details” step place the following in the ACS URL line:
    • https://sso.victorops.com:443/sp/ACS.saml2
  • For the Entity ID place the following:
    • victorops.com
  • For the Start URL place the following with the correct Organization Slug at the end:
    • https://portal.victorops.com/auth/sso/org-slug-here

VictorOps SSO Google Apps Setup 6

  • Finally, skip the attribute mapping step and click FINISH

VictorOps SSO Google Apps Setup 7


OneLogin

  • Default relay state: https://portal.victorops.com/auth/sso/org-slug-here

ADFS (Active Directory Federation Services)

Once you have sent over your Metadata file, and the VictorOps Support team has completed the Configuration, they will send you an updated metadata file needed to complete the configuration on your side.

In the ADFS Management console, navigate to Trust Relationships > Relying Party Trusts and click Add Relying Party Trust in the Actions pane

ADFS SSO Setup 1

Click Start in the Add Relying Party Trust Wizard

ADFS SSO Setup 2

Select the middle option, “Import data about the relying party trust from a file” and browse to the metadata.xml provided by VictorOps Support, and click NextADFS SSO Setup 3

Provide a display name and any notes, and then click Next.

ADFS SSO Setup 4

Choose the box next to “I do not want to configure multi-factor authentication settings for this relying party trust at this time”, and then click Next.

ADFS SSO Setup 5

(Optional: Configure multi-factor authentication. This is not necessary for functionality, but may be required for your organization’s security compliance. This step can also be performed later if you need to verify the SAML integration with VictorOps is functioning before bringing the configuration up to compliance.)

Choose “Permit all users to access this relying party”, then click Next.

ADFS SSO Setup 6

(Optional: Choose “Deny all users access to this relying party” and configure access rules as needed by your organization after completing this configuration.)

Review the configuration and click Next if it appears accurate. You will not be able to go back from the next screen and will have to manually update the configuration later, if there are any issues.

ADFS SSO Setup 7

Make sure to check the box next to Open the Edit Claim Rules dialog, and click Close.

ADFS SSO Setup 8

Click Add Rule

ADFS SSO Setup 9

Select the claim rule template Send LDAP Attributes as Claims

ADFS SSO Setup 10

Create a name for the rule and choose Active Directory as the Attribute store. Under the LDAP Attribute, choose E-Mail-Addresses and map it to the Outgoing Claim Type of Name ID, then click Finish.

ADFS SSO Setup 11

Open the Relying Party Trust you just configured for VictorOps by right clicking the entry and choosing Properties. On the Identifers tab, add https://victorops.com as a Relying party identifier, then click Apply.

ADFS SSO Setup 12


Azure Active Directory (SAML-based Sign-on)

  • Identifier: https://victorops.com
  • Reply URL: https://sso.victorops.com/sp/ACS.saml2
  • Sign on URL: https://portal.victorops.com/auth/sso/org-slug-here
  • Relay State: https://portal.victorops.com/auth/sso/org-slug-here

Updated on September 25, 2019

Was this article helpful?

Related Articles