Vile Analyziz

SSO Setup Guide

Single sign-on (SSO) lets your team authenticate with your organization’s existing identity provider. Members sign in with their corporate credentials instead of managing a separate password, and administrators retain centralized control over access.

Requirements

  • Plan: Business or Enterprise. SSO is not available on Free or Pro plans.
  • Role: Admin or Owner. Only these roles can configure SSO settings.
  • Identity provider: Any provider that supports OpenID Connect (OIDC), including Okta, Azure AD, Google Workspace, OneLogin, Ping Identity, and others.

General Setup

All SSO configuration is done in Settings under Security. The general steps are:

  1. Create an application integration in your identity provider.
  2. Configure the redirect URI to https://portal.vileanalyziz.com/auth/callback
  3. Copy the Client ID and Issuer URL from your identity provider.
  4. Enter the display name, Client ID, and Issuer URL in Settings.
  5. Map identity provider groups to platform roles.
  6. Test authentication before enforcing SSO for all members.

The sections below provide detailed instructions for three popular identity providers. If you use a different provider, follow the general steps above and consult your provider’s OIDC documentation.

Provider Setup Guides

Follow these steps to configure SSO with Okta as your identity provider.

  1. Create an application in Okta. Sign in to the Okta Admin Console and navigate to Applications. Click “Create App Integration” and select “OIDC - OpenID Connect” as the sign-in method. Choose “Web Application” as the application type.
  2. Configure the sign-on method. On the General Settings page, enter a descriptive name (e.g., “Vile Analyziz”). Set the grant type to “Authorization Code.”
  3. Set the redirect URI. In the Sign-in redirect URIs field, enter: https://portal.vileanalyziz.com/auth/callback
  4. Copy Client ID and Issuer URL. After saving, Okta displays the Client ID on the application’s General tab. The Issuer URL is your Okta domain (e.g., https://your-org.okta.com).
  5. Enter credentials in Vile Analyziz. Go to Settings, then Security, then SSO. Enter a display name, paste the Client ID and Issuer URL, and save.
  6. Map Okta groups to platform roles. In the Group Mapping section, add entries that map your Okta groups to the corresponding platform roles (viewer, analyst, endpoint_admin, security_admin, admin). Ensure the group names match exactly.

To include group claims in the token, go to the Okta application’s Sign On tab and add a Groups claim filter. Set it to match your relevant groups by name or regex pattern.

Group-to-Role Mapping

After connecting your identity provider, map its groups to platform roles. When a user authenticates via SSO, the platform reads their group memberships from the identity provider’s token and assigns the corresponding role.

Identity Provider Group          Platform Role
Example: security-viewers        Viewer
Example: security-analysts       Analyst
Example: endpoint-admins         Endpoint Admin
Example: security-admins         Security Admin
Example: platform-admins         Admin

If a user belongs to multiple mapped groups, the highest-privilege role is assigned. Users who authenticate via SSO but do not match any group mapping are assigned the default role you configure (typically Viewer).

Enforcing SSO

Once SSO is tested and working, you can toggle “Enforce SSO” in Settings to require all members to authenticate through your identity provider. When enforced, password-based login is disabled for your organization.

Caution: Before enabling enforcement, verify that at least one Admin or Owner can successfully authenticate via SSO. If no administrator can sign in, you will need to contact support to regain access.

You can disable enforcement at any time from the same Settings page, which re-enables password login as a fallback.

Auto-Provisioning

When auto-provisioning is enabled, users who authenticate via SSO for the first time are automatically added to your organization with the role mapped from their identity provider group. No manual invitation is required.

Auto-provisioned users count toward your plan’s user limit. If the limit is reached, new users will not be provisioned until a seat is freed or the plan is upgraded. Administrators can review and manage auto-provisioned users from the Users page just like manually invited members.

Troubleshooting

Wrong Redirect URI

Authentication fails immediately with a redirect error. Verify the redirect URI in your identity provider exactly matches https://portal.vileanalyziz.com/auth/callback. Trailing slashes and protocol (HTTPS) matter.

Clock Skew

If tokens are rejected with timing errors, ensure your identity provider’s server clock is synchronized. Most providers handle this automatically, but on-premises deployments may need NTP configuration.

Missing Group Claims

If users authenticate but are not assigned the expected role, check that your identity provider is configured to include group claims in the token. Some providers require explicitly adding groups to the application’s token configuration.

Role Mapping Not Working

Verify that the group names in your mapping exactly match the group names sent by your identity provider. Group names are case-sensitive. Use the audit log to inspect the raw group claims received during authentication.
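
The mapping rules and the two checks above (Missing Group Claims, Role Mapping Not Working), written out as an added example that is not the platform's own code: it resolves a role from a decoded token's groups and flags names that fail only on case or whitespace. The claim name "groups", the least-to-most-privileged order of the role list, and the sample claim sets are assumptions.

```python
# Added example, not the platform's code. Assumptions: the groups arrive in a
# "groups" claim, and the page's role list runs from least to most privileged.
ROLE_ORDER = ["viewer", "analyst", "endpoint_admin", "security_admin", "admin"]

# Constructed mapping built from the page's example group names.
GROUP_MAPPING = {
    "security-viewers": "viewer",
    "security-analysts": "analyst",
    "endpoint-admins": "endpoint_admin",
    "security-admins": "security_admin",
    "platform-admins": "admin",
}


def diagnose(claims, mapping=GROUP_MAPPING, default_role="viewer"):
    """Return (role, findings) for one decoded token claim set."""
    findings = []
    raw = claims.get("groups")
    if raw is None:
        findings.append("no groups claim: check the IdP token configuration")
        raw = []
    elif isinstance(raw, str):
        raw = [raw]  # tolerate a single group sent as a bare string
    groups = [g for g in raw if isinstance(g, str)]

    # Exact, case-sensitive match, as the platform requires.
    matched = [mapping[g] for g in groups if g in mapping]

    # Near misses: equal to a mapped name only after trim + case-fold.
    folded = {name.strip().casefold(): name for name in mapping}
    for g in groups:
        hit = folded.get(g.strip().casefold())
        if g not in mapping and hit:
            findings.append(f"{g!r} matches {hit!r} only after ignoring case/whitespace")

    if not matched:
        return default_role, findings  # unmapped users get the default role
    # Multiple mapped groups: the highest-privilege role wins.
    return max(matched, key=ROLE_ORDER.index), findings


if __name__ == "__main__":
    # Constructed claim sets, as they might be copied from the audit log.
    samples = [
        {"sub": "u1", "groups": ["security-viewers", "security-admins"]},
        {"sub": "u2", "groups": ["Security-Analysts"]},
        {"sub": "u3"},
    ]
    for claims in samples:
        print(claims["sub"], *diagnose(claims))
```

A user who lands on the default role with a near-miss finding points to a naming mismatch in the mapping; one with the "no groups claim" finding points to the identity provider's token configuration.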
