Configure Single Sign On (SSO) with User Provisioning Enabled
Rev also provides Single Sign On (SSO) with user provisioning, so that user accounts are created at first log-in without deploying an LDAP connector.
In this case, SSO is configured exactly as described in the Configure Single Sign On (SSO) topic, with additional Identity Provider attribute fields that map to Rev user fields for account creation. These fields are described below.
 
Note: User provisioning must be enabled on the root account by VBrick Support Services before this feature is enabled and before you may configure SSO with user provisioning.
 
*To configure SSO with user provisioning in Rev:
1. Navigate to Admin > System Settings > Security.
2. Select the Enable Single Sign On checkbox under the Single Sign On section.
3. Make sure that User Provisioning has been enabled. If it has not, contact VBrick Support Services.
4. Complete the fields below as needed.
 
Field Name (Required or Optional)
Description

Enable Single Sign On (Required)
Select to enable SSO in Rev.

User Provisioning (Required)
Enabled by VBrick Support Services; not user configurable.

SAML Identity Location (Optional)
Choose either NameIdentifier Element or Attribute Element, depending on which element of the SAML Authentication Response carries the username.
Note that if you select Attribute Element (the default), you must also provide the Identity Attribute Element Name or Rev will not authenticate the user.

Identity Attribute Element Name (Required when SAML Identity Location is Attribute Element)
If Attribute Element is selected as the SAML Identity Location, this field must be completed or SSO will not work.
The Identity Attribute Element Name is the Name of the saml:Attribute in the SAML Authentication Response (XML) that contains the username. Rev matches on the attribute's Name, not its FriendlyName.
For example, in the assertion fragment below the attribute Name is SFDC_USERNAME. That value is what you paste into the Identity Attribute Element Name field in Rev, as seen in the image above.

  <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Attribute FriendlyName="fooAttrib" Name="SFDC_USERNAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
        user101@salesforce.com
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>

First Name Attribute Element Name (Optional)
The first name of the user account.

Last Name Attribute Element Name (Required)
The last name of the user account. Like the Identity Attribute Element Name, this field must be completed or users cannot authenticate.

Email Attribute Element Name (Required)
The email address of the user account. Like the Identity Attribute Element Name, this field must be completed or users cannot authenticate. The value the Identity Provider sends must be a correctly formatted email address and must be unique across Rev user accounts.

Title Attribute Element Name (Optional)
The title of the user account.

Phone Attribute Element Name (Optional)
The phone number of the user account.

Identity Provider Metadata (Required)
Paste your Identity Provider server's metadata XML into this field. You will need to obtain the metadata XML from your Identity Provider server. Obtain it over a trusted channel (for example directly from the IdP over HTTPS, or from the IdP administrator), because it contains the signing certificate that Rev will trust when validating SAML responses.

Signature Algorithm (Required)
The algorithm used for signing. Select either SHA1withRSA or SHA256withRSA. Prefer SHA256withRSA: SHA-1 is deprecated for digital signatures and should be selected only when the Identity Provider cannot validate SHA-256 signatures.

Sign SAML Request (Optional)
Used only when the redirect URL exceeds 2048 characters, which may occasionally cause issues with Internet Explorer or IIS/ADFS. Checking or un-checking this box changes the service provider metadata, so after saving you must download the Service Provider MetaData again and supply the new version to the IdP. Contact VBrick Support Services for assistance with this option.

Download Service Provider MetaData (Optional)
This is Rev's Service Provider XML metadata, which must be supplied to the Identity Provider server. Download it and import it into the IdP in the same way the IdP's metadata XML is pasted into the Identity Provider Metadata field above.

Regenerate Cert (Optional)
Regenerates the Service Provider's certificate and metadata. If you do this, you must download the Service Provider MetaData again and re-import it into the IdP server. Until the IdP has the new metadata, anything that relies on the old certificate (signed requests, encrypted assertions) will fail validation.
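The following is an added example, not Rev product code, showing how the field mapping above is applied to a SAML assertion and which of the page's rules cause a provisioning log-in to fail: the username is taken from the NameID or from the configured Identity Attribute Element Name, Last Name and Email are required, and Email must be a well-formed address. The assertion is a constructed sample that extends the fragment above with FirstName, LastName and Email attributes; the mapping dictionary, attribute names and function names are assumptions for illustration. Signature verification of the SAML Response is assumed to have already been done by the SAML library, so this code only performs the mapping.

```python
"""Apply a Rev-style SAML attribute mapping to an assertion (added example)."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: the page's SFDC_USERNAME attribute plus the other
# attributes a provisioning mapping needs. Assume the enclosing Response has
# already had its signature verified before this mapping step runs.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user101@salesforce.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="fooAttrib" Name="SFDC_USERNAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>user101@salesforce.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Pat</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>user101@salesforce.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping that mirrors the Rev fields described on this page.
REV_MAPPING = {
    "identity_location": "Attribute",       # "Attribute" (default) or "NameIdentifier"
    "identity_attribute": "SFDC_USERNAME",  # Identity Attribute Element Name
    "first_name": "FirstName",              # optional
    "last_name": "LastName",                # required
    "email": "Email",                       # required, must be a valid address
    "title": None,                          # optional, not mapped here
    "phone": None,                          # optional, not mapped here
}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def attribute_values(assertion: ET.Element) -> dict:
    """Collect saml:Attribute Name -> first saml:AttributeValue text (Name, not FriendlyName)."""
    values = {}
    for attr in assertion.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        if val is not None and val.text is not None:
            values[attr.get("Name")] = val.text.strip()
    return values


def map_provisioned_user(assertion_xml: str, mapping: dict) -> dict:
    """Return the Rev user fields a successful provisioning log-in would create.

    Raises ValueError for the failure cases the page describes: Attribute Element
    chosen without an Identity Attribute Element Name, no username found, missing
    Last Name or Email, or an Email value that is not a valid address."""
    root = ET.fromstring(assertion_xml)
    attrs = attribute_values(root)

    if mapping["identity_location"] == "NameIdentifier":
        name_id = root.find("saml:Subject/saml:NameID", NS)
        username = name_id.text.strip() if name_id is not None and name_id.text else None
    else:
        if not mapping.get("identity_attribute"):
            raise ValueError("Attribute Element selected but Identity Attribute Element Name is empty")
        username = attrs.get(mapping["identity_attribute"])
    if not username:
        raise ValueError("no username found at the configured SAML Identity Location")

    user = {"username": username}
    for field in ("first_name", "last_name", "email", "title", "phone"):
        name = mapping.get(field)
        user[field] = attrs.get(name) if name else None

    for required in ("last_name", "email"):
        if not user[required]:
            raise ValueError(f"required attribute for {required} missing from assertion")
    if not EMAIL_RE.match(user["email"]):
        raise ValueError(f"email attribute is not a valid address: {user['email']!r}")
    return user


def provisioning_error(assertion_xml: str, mapping: dict):
    """The failure message for a mapping, or None when provisioning would succeed."""
    try:
        map_provisioned_user(assertion_xml, mapping)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(map_provisioned_user(SAMPLE_ASSERTION, REV_MAPPING))
    print(provisioning_error(SAMPLE_ASSERTION, dict(REV_MAPPING, email="FirstName")))
```

Switching identity_location to NameIdentifier makes the Identity Attribute Element Name irrelevant, which is why the page only calls that field required when Attribute Element is selected; pointing the Email mapping at an attribute whose value is not an address reproduces the format failure the Email row warns about.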
 
Keep in mind:
If SSO is enabled without user provisioning, user accounts must be created in Rev manually or through an LDAP connector. See: Configure Single Sign On (SSO).
If an admin creates a user account manually while SSO with user provisioning is enabled, the user is set to "Unlicensed" until first log-in, when it is set to "Active". No user or email confirmation is required. If no licenses are available for the Rev account, the user is shown a message to contact the Account Admin and is not logged in.
When SSO is enabled, a separate SSO login page is created for authentication, distinct from the native Rev login page. For example:
Rev Native Login Page: http://<RevURL>/#/login
SSO Login Page: http://<RevURL>/SSO/login
 
*See Also:
Add or Edit a User Account
Upload and Edit User Accounts and Groups Using a CSV File
Configure Single Sign On (SSO)