VictorOps Version Required: Full-Stack
What you need to know: To enable SSO for your organization, you will need to provide an updated metadata file and your IDP. If you are interested in setting up SSO, please contact VictorOps Support.
This article provides instructions for configuring Single Sign On between your Identity Provider (IDP) and VictorOps. It also provides information for your end users when logging into VictorOps for the first time using SSO.
Our standard SSO setup uses SAML 2.0 protocol. As long as your IDP can use SAML 2.0 protocol, it can be integrated with VictorOps with fairly minimal effort. The exact steps differ depending on which IDP you use, but the process typically involves exporting a .XML metadata file and sending it to our support team at firstname.lastname@example.org. Once you have sent the .xml file, a VictorOps support specialist will complete the setup on the back-end respond with confirmation.
If your IDP does not have SAML capability, please contact our support team to explore what alternative options may be available.
Instructions for Users
Throughout this article, the phrase OrgSlug refers to the slugified version of your organization’s name in VictorOps (This process changes your organization name to a URL friendly version with no spaces or punctuation, though it may contain dashes). Your OrgSlug can be found a the end of the URL when you are logged into the VictorOps portal via a web browser.
Contact your VictorOps administrator or reach out to email@example.com if you are having trouble finding your org slug.
A user’s login experience on the VictorOps platform will be slightly different after enabling Single Sign-On for your organization. If your organization has not explicitly disabled traditional authentication, users will be able to login as normal with their VictorOps credentials or login via SSO. If traditional authentication has been disabled, users will encounter an error message directing them to login via SSO if they attempt to login with their VictorOps credentials.
Web Client UI
The SSO login form can be found here: https://portal.victorops.com/auth/sso
This is a form asking the user to type their company ID. This is the slugified name of the company that you log into, and it can be provided by VictorOps Support if you don’t know it. Generally, this will be the company name converted to lowercase and all spaces replaced by cv hyphens.
Alternatively, you can create a link or bookmark to skip the typing and bypass the form by appending your company ID to the SSO URL, like this: https://portal.victorops.com/auth/sso/org-slug-here
Either of these routes will direct the user’s browser to your identity provider, where they will be required to authenticate and sent back to the VictorOps timeline.
The VictorOps client for your mobile device will also present a link on the login screen, offering the option to use your SSO credentials (Android >= 6.1.110 or iOS >= 126.96.36.199)
iOS SSO Login
This link will take you to a form prompting for your Organization Key. As described, this is the slugified name of the company that you log into.
After you enter your Company’s Org slug, you will be redirected to your IDP login page in a mobile browser. Once you sign in through the IDP you should be automatically logged into VictorOps.
Android SSO Login
This link will take you to a form prompting for your Organization Key. As described, this is the slugified name of the company that you log into. If you need help determining the slugified version of your organization name, please contact firstname.lastname@example.org.
After you enter your Company’s Org slug, you will be redirected to your IDP login page in a mobile browser. Once you sign in through the IDP you will be signed in through SSO.
If you experience any issues logging into SSO through your mobile app, please contact email@example.com.
First-Time SSO Login
If your organization is using SSO you will need to do a one-time linking process between your SSO provider and your VictorOps account. This will create a link between your external user ID and your VictorOps user ID. If you have not received a “Your invitation to VictorOps” email, please contact your VictorOps administrator and ask them to send you an invitation.
First, you will need to create a username and password, by clicking the activate account link within the “Your invitation to VictorOps” email.
If your username was selected for you, you will need to create a password using the set password activation link within the “Your invitation to VictorOps” email.
If you are automatically logged in to VictorOps after creating a username and password, please click on your username in the upper right-hand corner of the screen and then select Sign out.
Once you have activated your account (i.e. created a username/password, or created a password), please verify that you have logged out of VictorOps in every browser you are using, and your IDP. Then you will want to select or use your Enterprise SSO credentials.
Then you will need to enter the slugified version of your organization name. (To determine the slugified version of your organization name, please see the above section “OrgSlug” or contact firstname.lastname@example.org)
From this page you will be redirected to your IDP page, where you can sign in using your SSO credentials.
After you log in to your IDP, you will be asked to enter the VictorOps username/password. You will only need to enter your VictorOps username and password once, and then we will not ask for it again.
If you run into any issues with this setup, please contact email@example.com.
How to break your SSO Linkage
If you are receiving an error when trying to sign into VictorOps through SSO (such as “Uh oh – The VictorOps user you have linked to your external SSO ID is not part of <Your-Company>. Please contact your administrator”), you may need to break the linkage between your VictorOps username/password and your SSO provider.
To break the linkage, ensure you are signed in to your IDP and then paste the following link into the address bar of your browser: https://portal.victorops.com/do-defederation . If the link between your VictorOps credentials and your SSO provider is successfully broken, you will see the error, shown below.
To re-associate your VictorOps username/password with your SSO provider, you will need to walk through the “one-time” linking process again (please see steps in the “First-Time SSO Login” section).
If you have any questions or experience any issues, please contact firstname.lastname@example.org.
Please see below for corresponding steps needed to complete, or begin, the SSO configuration with VictorOps, and your IDP (Identity Provider).
From the Okta User Homepage, select Admin.
Selecting Admin will bring you to the Okta Dashboard. From the Okta Admin Dashboard, click Applications, and select Applications from the drop down.
Within Applications, select Add Application.
After clicking Add Application, begin typing VictorOps in the search bar. When VictorOps appears, select Add.
The Application label, or name, should auto-populate with the name VictorOps, but please feel free to re-name this label, if desired. The Browser plugin auto-submit should be auto-populated as well. Verify that this setting is checked, and click Next.
In the Default Relay State box drop in the following URL:
- Default Relay State: https://portal.victorops.com/auth/sso/OrgSlug
Your orgslug can be found within the URL of your VictorOps portal link. If you need help locating this slug, please see below.
Once the URL has been added, click on the Identity Provider metadata to download the metadata file, needed by VictorOps, to conduct the SSO configuration. Once you have downloaded the file click Next. (Don’t forget to email this file to email@example.com)
Once you have clicked Next, select the users that should have access to add the VictorOps app to their Okta homepage and sign in to VictorOps through SSO. Once all of the users have been selected, click Next.
Then click Done, on the next page.
Once the users have added the App they will be directed to a one time linking process to connect their VictorOps credentials to Okta, see below.
To conduct the one-time linking process outside of the Okta Homepage, please see the steps located in the “First-Time SSO Login” section above.
- For detailed instructions on setting up SSO with Bitium, please refer to this article.
- Access the Admin portal for Google Apps and navigate to Apps >> SAML Apps:
- Select “Set up my own custom app”:
- From the following screen, select Option 2 to download IDP metadata in XML format. Attach and send the downloaded .xml file to the VictorOps operations support team at firstname.lastname@example.org:
- Save the logo image file found HERE.
- Next, give the application a name (VictorOps) and upload the logo file.
- On the “Service Provider Details” step place the following in the ACS URL line:
- For the Entity ID place the following:
- For the Start URL place the following with the correct Org Slug at the end:
- Finally, skip the attribute mapping step and click FINISH
- Default relay state: https://portal.victorops.com/auth/sso/(orgslug)
ADFS (Active Directory Federation Services)
Once you have sent over your Metadata file, and the VictorOps support team has completed the Configuration, they will send you an updated metadata file needed to complete the configuration on your side.
In the ADFS Management console, navigate to Trust Relationships > Relying Party Trusts and click Add Relying Party Trust in the Actions pane
Click Start in the Add Relying Party Trust Wizard
Select the middle option, “Import data about the relying party trust from a file” and browse to the metadata.xml provided by VictorOps Support, and click Next
Provide a display name and any notes, and then click Next.
Choose the box next to “I do not want to configure multi-factor authentication settings for this relying party trust at this time”, and then click Next.
(Optional: Configure multi-factor authentication. This is not necessary for functionality, but may be required for your organization’s security compliance. This step can also be performed later if you need to verify the SAML integration with VictorOps is functioning before bringing the configuration up to compliance.)
Choose “Permit all users to access this relying party”, then click Next.
(Optional: Choose “Deny all users access to this relying party” and configure access rules as needed by your organization after completing this configuration.)
Review the configuration and click Next if it appears accurate. You will not be able to go back from the next screen and will have to manually update the configuration later, if there are any issues.
Make sure to check the box next to Open the Edit Claim Rules dialog, and click Close.
Click Add Rule
Select the claim rule template Send LDAP Attributes as Claims
Create a name for the rule and choose Active Directory as the Attribute store. Under the LDAP Attribute, choose E-Mail-Addresses and map it to the Outgoing Claim Type of Name ID, then click Finish.
Open the Relying Party Trust you just configured for VictorOps by right clicking the entry and choosing Properties. On the Identifers tab, add https://victorops.com as a Relying party identifier, then click Apply.
If you have any questions, or run into any issues, please contact email@example.com.
Azure Active Directory (SAML-based Sign-on)
- Identifier: https://victorops.com
- Reply URL: https://sso.victorops.com/sp/ACS.saml2
- Sign on URL: https://portal.victorops.com/auth/sso/OrgSlug
- Relay State: https://portal.victorops.com/auth/sso/OrgSlug