Single Sign-On (SSO)
SSO Configuration
🕮VALT is compatible with SAML 2.0.
✎To access SSO on your system, you may need to reach out to our support team. IVS Support
Scheduling an SSO Configuration
⚠Before configuring SSO in VALT, please make sure you've completed our SSO Check List.
You can also schedule a SSO Discovery at our booking site under Schedule a Support Session. During that call, we will discuss the prerequisites for configuring your VALT server to utilize SSO Authentication.
SSO Authentication
SSO accounts are automatically created when a user logs in for the first time. The user can be placed in the proper group automatically upon login by mapping SSO attributes to a user group within VALT.
- VALT's SSO uses Just-In-Time (JIT) Provisioning.
- Users are reevaluated and assigned to groups each time they log in, based on a group membership attribute being passed.
- If a user does NOT have a user mapping associated with their account, the user gets moved to "Users without Group" and has restricted access.
- If a user's user mapping changes, they will be moved to the correct group upon their next SSO sign-in.
- Correct mapping is based on the SSO mapping created in VALT and the attribute/pair value being passed from the IdP.
Required Information from IdP
Unique User Identifier - This attribute will be used as the username
Groups - This attribute will be used to define which group the user is assigned to within VALT. In addition to the name of the Group attribute, VALT will need the value associated with each group that will be logging into VALT
Display Name - If the Unique User identifier does not correspond with the person's name, this attribute will set an easy-to-identify display name for the user
Optional Items
VALT is also able to map custom attributes to some of the following fields for a user. Below are the user account fields that can be assigned through SSO.
- PIN
- This specifies the code used for authentication into BEAM.
- Without one set, no pin is needed to enter BEAM.
- Card Number
- This specifies the card number associated with a user.
- Only applies to customers with VALT Card Reader.
- The users email can also be pulled into the system.
- If the VALT application is not connected to mail server, this field is not used for anything.
Additional Settings
Shibboleth needs the following settings configured to function with VALT.
- signAssertions:
- true
- signResponses:
- true
- encryptNameIDs:
- true
- encryptAssertions:
- false
⤺ Back to VALT SSO Main Page