Getting Started

How to get set up

SAML integrations are configured at the platform level; once set up, they are available to all properties in Activate. Any change to an existing integration's configuration (entity ID, service URL, attributes) requires creating a new configuration for the integration. SAML integrations can be created by request or, for users with admin access, through the Activate UI.

VTS requires the following from the SAML Provider:

  1. Entity ID
    1. Unique identifier for the SAML Service Provider
  2. SAML endpoint
    1. Also referred to as the ACS URL or Service URL
  3. Custom attributes (optional)
    1. A custom attribute can either be:
      1. Inside the SAML assertion: these are sent as part of the signed SAML payload and will be in the response as an attribute
      2. Outside of the assertion as a POST parameter on the request to the SP
    2. The values for these attributes cannot be dynamic and cannot include information about the individual user or their tenancy
    3. The standard payload always includes the user's email; this does not need to be configured

Request SAML Integration Setup

To add a new SAML provider, send a setup request to [email protected] using the template below, with your VTS account rep and the customer's main contact CC'ed.

Subject: New SAML partner setup request

Hi,

I would like to set up a SAML integration for a new service provider.

Email address for NDA to be sent: ex. [email protected] {alternatively you can email your NDA to [email protected] - please include customer info and context}

Customer information:

  1. Customer Name: ex. 480 Main
  2. Location URL: ex. https://activate.vts.com/l/tab/480-main-st/home {please ensure location name is in URL}

SAML Configuration information:

  1. Entity ID
  2. SAML Endpoint:
    1. ex. www.service-provider.com/vts
  3. Custom fields/attributes required
    1. ex. building_id, latitude, longitude
      1. Specify the value for each attribute as well
    2. Please specify if this is required in the SAML assertion

Thank You

VTS will provide the following (response time can vary but is usually within 5 business days):

  1. IdP Entity ID
  2. IdP Signing Certificate (X.509)
  3. If requested: SAML Metadata

Adding a SAML Integration through Activate

Users with Admin access can add a SAML integration directly in the Activate interface if they have the required information stated above. If you do not have Admin access and need to configure an integration yourself, please request Admin access by emailing [email protected]

The user must switch to the Admin view to access integrations.

Adding an integration with an existing service provider

If a service provider has already been onboarded into the system, you can simply create a new channel integration in Activate’s admin interface. Select the “SAML: Lane as Identity Provider” option.

The Service URL will be provided by the SAML service provider for a given channel. If custom attributes are already configured with the integration, you will see a list of static attributes that can be filled if you wish to share with the service provider.

Adding an integration with a new service provider

To onboard a new provider, it is recommended to use the request template, because the provider needs Activate’s X.509 public certificate and Activate’s entity ID to validate incoming requests. Some third-party services might also ask for SAML metadata, which must be requested from VTS.

If the service provider wants additional data to be sent along with the request (tags, location, etc.), the user must specify whether it should be encoded as part of the SAML assertion or just sent in the POST request (less secure).

Additional technical notes:

  • VTS will be using signed responses.
  • VTS will not be using signed or encrypted assertions.
  • VTS will not need to enforce Single Use Assertions.
  • VTS will be using the Identity Provider Initiated SAML authentication flow.
  • The custom field capabilities are limited to static information (i.e. we do not yet support
    including dynamic information such as user name or user location).
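
The difference between attributes inside the assertion and attributes sent as POST parameters, seen from the service provider's side, is shown in this added example (not VTS or Activate code). The function name, the sample response and the attribute values are constructed for illustration, and the standard-library XML parser is used only so the block runs stand-alone; signature verification with the IdP certificate is assumed to happen in a SAML library before this step.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def classify_attributes(form):
    """Split ACS POST fields into attributes inside the signed Response
    and parameters outside it. Assumption: the XML signature itself was
    already verified against the IdP certificate by a SAML library; this
    function checks structure only and performs no cryptography."""
    root = ET.fromstring(base64.b64decode(form["SAMLResponse"]))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not a samlp:Response")
    # Responses are signed, assertions are not: the Signature must be a
    # direct child of the Response and reference the Response's own ID.
    rid = root.get("ID")
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if not rid or ref is None or ref.get("URI") != "#" + rid:
        raise ValueError("signature does not cover the whole Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one assertion")
    signed = {}
    for attr in assertions[0].iterfind(".//saml:Attribute", NS):
        signed[attr.get("Name")] = [
            v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    # Any other POST field travels outside the signature: untrusted.
    unsigned = {k: v for k, v in form.items()
                if k not in ("SAMLResponse", "RelayState")}
    return signed, unsigned

# Constructed sample (not a real VTS response; signature body omitted).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"'
    ' xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_r1"/>'
    '</ds:SignedInfo></ds:Signature><saml:Assertion ID="_a1">'
    '<saml:AttributeStatement><saml:Attribute Name="building_id">'
    '<saml:AttributeValue>42</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
SAMPLE_FORM = {
    "SAMLResponse": base64.b64encode(SAMPLE_XML.encode()).decode(),
    "latitude": "40.7"}  # sent as a plain POST parameter

if __name__ == "__main__":
    print(classify_attributes(SAMPLE_FORM))
```

Values returned in the second dictionary can be altered in transit by anyone who can modify the POST, so a service provider should not base access decisions on them.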
