Managing Logins when using SSO with SAML 2.0

Envizi supports single sign-on (SSO) using SAML 2.0.

If your organization is entitled to Envizi's SSO add-on, your implementation consultant will set up SSO for you in Envizi. Your IT department needs to be involved in the activity: SP metadata will be provided to them for input into your organization's identity provider, and they will then need to provide IDP metadata to be uploaded into Envizi in order to complete the setup.

When the SSO setup process is complete and is enabled for you, all users by default will have the Logon Method set to "SSO". You can change this setting for a specific user who needs to log in as a "non SSO" user (i.e. they need to enter a username and password to log in) by selecting "Set as Non-SSO" from the Actions (right-click) menu in the Contact Login grids.

You can see the Logon Method assigned to each user in the Contacts & Logins grid. The value will be either "SSO" or "Non SSO".

Frequently asked questions about SSO

Does the Envizi platform support SAML 2.0?

Yes, this is the only method used by Envizi since 2023.

If you already have SSO with Envizi using a method other than SAML 2.0, then that is still supported for your particular implementation.

Does the Envizi platform support WebAuthN or OpenID?

No.

Does Envizi’s SAML 2.0 SSO solution support Metadata exchange?

Yes.

Do we need to set up users in Envizi if they are logging in via SSO?

If just-in-time provisioning is not configured, users will need to be set up in Envizi with the same username that they use to authenticate with their identity provider. The username must follow the email address format. When the SSO setup is switched ON, those users will by default be set as SSO users. If just-in-time provisioning is configured, users will not need to be set up in Envizi by your system administrator.

Are there multiple user access levels and roles in Envizi?

There are multiple user access levels and roles defined in the Envizi application. These are configured manually, or by implementation consultants using a setup template.

What happens if a user’s email address changes?

In most cases, the email address is used as the username in SSO. When an email address is changed, the user will be treated as a new user.

How should system administrators respond, in both timing and action, when a user is terminated on the customer side?

If a user is terminated from your organization and therefore removed from your identity provider, they will not be able to log in to Envizi, as they will no longer be authenticated through your identity provider.

If a user is not terminated from your organization but you no longer wish them to log in to Envizi, your system administrator needs to either delete the user or disable the user in Envizi manually (for the latter option, you will need to check with IBM that your organization has been configured in Envizi to prevent disabled SSO users from logging in).

Does Envizi support regular username & password logins after SSO is enabled?

Yes, after SSO is enabled for your organization your system administrator can manage whether a user is SSO or Non SSO (as per above).

Does Envizi support just-in-time provisioning?

Just-in-time provisioning can be enabled as part of your SSO setup for a limited set of user types. The only user access levels and roles supported through just-in-time provisioning are organization-level system administrator, general and view-only users.

Does IBM provide an Envizi provisioning Test/Dev environment?

No.

Does Envizi support SCIM provisioning?

No, SCIM is not supported at this time. Only Just-in-time provisioning is supported.

What certificates are required for the SAML authentication?

Identity providers must include an X.509 certificate for signing. Encryption certificates are optional in the assertion.
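Because the IDP metadata your IT department hands over is what completes the metadata exchange described above, it is worth checking before upload that it actually carries a signing certificate and an SSO endpoint. The following is an added example, not Envizi's own code or tooling; it uses only Python's standard library, and the metadata sample, `entityID`, endpoint, certificate value and the helper name `check_idp_metadata` are all constructed placeholders.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD_NS, "ds": DS_NS}

# Constructed sample IdP metadata for the check below. The entityID, endpoint and
# certificate value are placeholders, not real values from any identity provider.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER_SIGNING_CERT_BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def check_idp_metadata(xml_text: str) -> dict:
    """Report whether IdP metadata carries what the SP side needs: a certificate
    usable for signing and at least one SingleSignOnService endpoint.
    Encryption certificates are optional and only counted for information."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return {"ok": False, "problems": ["no IDPSSODescriptor element"]}
    signing, encryption = [], []
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # SAML metadata: a KeyDescriptor without 'use' serves both purposes
        certs = [c.text.strip() for c in kd.findall(".//ds:X509Certificate", NS) if c.text]
        if use in (None, "signing"):
            signing.extend(certs)
        if use in (None, "encryption"):
            encryption.extend(certs)
    endpoints = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)]
    problems = []
    if not signing:
        problems.append("no X509Certificate usable for signing (required)")
    if not endpoints:
        problems.append("no SingleSignOnService endpoint")
    return {
        "ok": not problems,
        "entity_id": root.get("entityID"),
        "signing_certs": len(signing),
        "encryption_certs": len(encryption),
        "sso_endpoints": endpoints,
        "problems": problems,
    }
```

A metadata file that fails this check will not complete the SSO setup, so resolve the listed problems with your identity provider team before uploading.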

Does Envizi support users from more than one identity provider authenticating via SSO to a single organization in Envizi?

Yes, you would set up an SSO entry for each identity provider. The SP metadata needs to be generated for each SSO setup and provided to the corresponding identity provider. An IDP metadata file would then need to be provided and uploaded for each SSO setup. Each SSO setup will also require the domain to be specified, so that, based on the domain of the user's login, the login is directed to authenticate with the appropriate identity provider.

Do we need or get a custom URL as part of the SSO setup?

No. This was the case in the past; however, custom URLs are no longer offered or required as part of Envizi's SAML 2.0 SSO solution.
