Once you have registered & verified your email domains you can setup Single Sign-On (SSO) using the OIDC / SAML 2.0 standards facilitating secure access to applications and services.
This ensures streamlined authentication processes while maintaining compatibility and consistency within your organization's identity management infrastructure.
Administrators can effortlessly manage user attributes such as email, given name, and surname claims. However, please note that custom claims are not currently supported.
Add MyDomain
On the Single Sign-On - MyDomain section, you need to specify your unique MyDomain with Visma. This is used to host your company's SAML endpoints and sign in page with Visma. For instance if your company name is Example, you might want to select example as your MyDomain. Then your MyDomain will become available at https://example.my.connect.visma.com.
MyDomain can only contain lowercase letters, numbers, dashes (-), but can't start or end with a dash. The maximum length is 40 characters.
Click Add and continue to use the desired MyDomain
Choose the type of SSO integration (SAML2 or OIDC)
On the Single Sign-On - Identity provider section, you can choose the type of SSO you wish to setup for your External Identity Provider. Available choices are Add OIDC Identity Provider or Add SAML2 Identity Provider.
Add SAML2 Identity Provider
If you click Add SAML2 Identity Provider, this list will open for you to choose between Azure AD, ADFS, Google Workspace, Others and follow the instructions for your specific provider.
List of SAML2 Identity Providers:
SSO (use this if you don’t have an identity provider from the above list items)
Add OIDC Identity Provider
If you click Add OIDC Identity Provider, this list will open for you to choose between Azure AD, ADFS, Okta, Others and follow the instructions for your specific provider.
List of OIDC Identity Providers:
SSO (use this if you don’t have an identity provider from the above list item)
Customize how the Single Sign-On (SSO) option is triggered and which display name to show
After following the instructions provided for each specific SSO setup, use the Advanced Configuration options to set:
Show this IdP as a Sign-In Option on the Sign-In Page:
ON: When users from verified domains enter their email on the sign-in screen, they will see and be able to use the Single Sign-On (SSO) option that you have set up. Additionally, they can also use this option through your own Identity Provider (IdP)-initiated sign-in or via a custom URL provided by the application itself.
OFF: When users enter their email on the sign-in screen, the SSO option will not be visible or available to them on the application's sign-in screen. However, they can still sign in using your IdP-initiated sign-in or through a custom URL provided by the application itself.
Sign-In Button Text: Enter the display name that you want to present to your users when they see this option on the sign-in screen.
Multiple Single Sign On options for same domain(s) and how to control them
You can add or verify multiple domains within the same Authentication Settings organizations (tenants), in which case the option to sign in with this SSO is applicable by default to all users from the verified domains across all applications.
Example of two SSO setups performed on different Authentication Settings organizations (tenants), both of which include the domain example.com:
You can manage which applications can use the Single Sign-On (SSO) feature in your organization's setup. There are two lists you can use to do this: Allowed Applications and Excluded Applications, within the Policies of the organization or tenant where the SSO is configured.