Domains

Domain Verification

To support Single Sign-On (SSO) and editing of users within your domain, your organization must verify that it owns the domain associated with your users' email accounts. You can do this via a DNS TXT entry or CNAME entry.

When a user attempts to log in with an email address that has not been verified by their organization, the authentication will be rejected and the user’s credentials will not be sent to the authentication proxy for verification.

Multiple Domains

If your organization owns multiple domains, you can add and verify all of them within the organization context where you have access to the Authentication Settings setup.

When a domain is first registered and verified within the Authentication Settings organization (also known as a tenant), the policy settings from this context apply to all users from that domain across all applications. This setup is referred to as an Authoritative Domain.

To apply different policy rules or authentication options to certain domains, you need to register and verify them in different Authentication Settings organizations (tenants). The application for which you perform the setup can provide access to a second tenant applicable to your organization, even if you do not actually use two organizations for the application logic. The need for the second tenant is solely for setting up the Authentication Settings policies and Single Sign-On with different rules.

To apply specific Single Sign-On (SSO) and policy rules to certain applications, use the Policy for Applications to create a list of Excluded Applications or Allowed Applications. This setup allows you to configure SSO and policies using another organization (tenant) specifically for the desired applications.

How to Verify a Domain

  1. On the Domains tab, click the Add domain button and type in the domain name that users from your organization will use to log in.
    Example: if your email address is username@example.com, type example.com in the dialog that opens and click Next.

  2. The next step appears, showing the domain name you have just added along with information about the DNS TXT record that needs to be created. If you choose to verify through HTTPS, go to step 5.

  3. Sign in to your DNS provider and create a DNS TXT record for the domain you have just added (e.g. example.com) with the value and configuration specified in Authentication Settings.
    See the list of instructions below on how to create DNS records in popular domain registrars:

  4. Once your DNS record has been created, wait 5 minutes (TTL is set to 300s) until the DNS changes propagate. Then return to Visma Authentication Settings and click the Verify button within the wizard you previously started. If the validation fails at first, wait another 1-2 minutes for the changes to fully propagate. If the verification still doesn't work after this, you might have misconfigured something in the domain registrar. Delete the setup you have just made in your domain registrar and start again from step 2.

    Once the record has been verified, the Status column will change to Verified for that domain.

  5. If you choose to verify your domain through HTTPS, download the verification file from Visma Authentication Settings, then upload/deploy it to the root folder of your domain's website. Return to Visma Authentication Settings and click the Verify button within the wizard you previously started.

  6. Repeat steps 1 through 5 for all domains that need to be verified.

  7. You may delete the DNS TXT record or static HTML file after Visma verifies your domain. Don't remove anything before your domain status shows up as Verified.
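
A pre-check for the DNS TXT route before clicking Verify, as an added example that is not part of the Visma documentation: it asks each authoritative name server for the zone directly, so a stale resolver cache does not hide a correctly published record or mask a missing one. The record name, expected value and zone are arguments you copy from the wizard and are assumptions here; `dig` must be installed.

```shell
#!/bin/sh
# Added example. The record name, value and zone are placeholders: copy the
# real ones from the Authentication Settings wizard.

# `dig +short TXT` prints one answer per line as quoted strings; values longer
# than 255 bytes arrive as several chunks ("part1" "part2"). Join the chunks
# and strip the outer quotes so the value compares as the wizard displays it.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# Reads dig output on stdin; succeeds only on an exact, whole-value match.
txt_has_value() {
    normalize_txt | grep -Fxq -- "$1"
}

# Ask every authoritative name server directly, bypassing resolver caches.
# Returns 0 if all serve the value, 1 if any does not, 2 if none were found.
check_record() {
    name=$1; expected=$2; zone=$3; rc=0
    servers=$(dig +short NS "$zone")
    [ -n "$servers" ] || { echo "no NS records for $zone" >&2; return 2; }
    for ns in $servers; do
        if dig +short TXT "$name" "@$ns" | txt_has_value "$expected"; then
            echo "ok       $ns"
        else
            echo "missing  $ns"; rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_txt.sh <record-name> <expected-value> <zone>
if [ "$#" -eq 3 ]; then
    check_record "$1" "$2" "$3"
fi
```

A "missing" line for only some name servers usually means the zone has not yet synchronized between them, which matches the advice in step 4 to wait before retrying.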