...
Set up six "Send Group Membership as a Claim" claims as in the screenshot, one for each of the Vivi roles listed below. A suggestion for the "outgoing claim values" for each role is provided. If required, multiple claims can be used to determine the access for a single role.
| Vivi Role | Suggested claim value |
|---|---|
| IT Admin | itadmins |
| E-Learning Admin | elearning |
| Emergency Authorised | emergency |
| Presenter | presenters |
| Signage Admin | signageadmin |
| Student | students |
Finally, clicking the "View Rule Language..." button in the bottom left of each edit claim window shows the particular IDs used for each claim. You'll need to include these in the information below so that the Vivi servers can extract the claims.
...
- Select the "Organisation" link in Vivi Central.
- Select the "Authentication" link in the menu at the top of the screen.
- Click "Edit".
- Enter the settings outlined below and click "Save Changes".
SAML Settings
| Setting | Description |
|---|---|
| Authentication Type | SAML |
| Require Inheritance Code | This can be used to restrict users to signing in to particular organisations. If this is disabled, then users can log into any managed organisation that exists within the same ADFS service. |
| SAML Default Email Domain | A default email domain to use in case a user has no email address, e.g. "myschool.com.au"; emails will then be "username@myschool.com.au". |
| SAML SSO URL | Full URL to your ADFS identity provider single sign-on endpoint, e.g. "https://dc.example.com/adfs/ls/". |
| SAML SLO URL | Full URL to your ADFS identity provider single logout endpoint. This can be left blank if it is the same as the single sign-on endpoint. |
| SAML Token-Signing Certificate | Exported Token-Signing Certificate from your ADFS identity provider, in PEM format. |
| SAML Name Attribute | Name used by your ADFS identity provider for the claim mapping a user's display name, for example: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name". |
| SAML Email Attribute | Name used by your ADFS identity provider for the claim mapping a user's email address, for example: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress". |
| SAML Group Attribute | Name used by your ADFS identity provider for the claim mapping a user's group membership, for example: "http://schemas.xmlsoap.org/claims/Group". |
| SAML Inheritance Code Attribute | Name used by your ADFS identity provider for the claim mapping a user's inheritance code. Only needed if Require Inheritance Code is enabled. |
SAML Group Settings
The following SAML group settings are also required. These aren't the actual group names or DNs, they're special values returned by the relevant SAML claim.
Multiple groups can be separated with | (pipe). When multiple groups are specified, then a user may be a member of any to receive the relevant role.
| Setting | Description |
|---|---|
| SAML Presenter Group | Group of users who will be given the presenter role. Leave blank to include everyone (not recommended). |
| SAML Student Group | Group of other users allowed to access Vivi. Leave blank to include everyone (not recommended). |
| SAML Emergency Authorised Group | Group of users allowed to trigger emergencies. Leave blank to assign manually in Vivi Central. |
| SAML IT Admin Group | Group of users provided with admin access to Vivi Central. Leave blank to assign manually in Vivi Central. If the group is set, existing IT Admins will lose their admin access since the Vivi Central role will no longer be relevant. |
| SAML E-Learning Admin Group | Group of users allowed access to metrics. Leave blank to assign manually in Vivi Central. |
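The following is an added illustration, not Vivi's own code, of how the attribute names from the SAML Settings table and the pipe-separated values from the SAML Group Settings table combine to decide a user's roles. It parses a constructed ADFS-style assertion fragment (the user "jsmith", the group "teachers" and the display name are made up for the example), falls back to the default email domain when no email claim is present, and grants a role when the user holds any one of the configured groups. The claim values are the suggested ones from the table above; "teachers" is an assumed extra group added to show the "|" syntax.

```python
# Added example (not Vivi's implementation): map ADFS SAML claims onto Vivi
# roles using the semantics described in the settings tables.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names as entered in the SAML Settings table.
NAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP_ATTR = "http://schemas.xmlsoap.org/claims/Group"
DEFAULT_EMAIL_DOMAIN = "myschool.com.au"   # SAML Default Email Domain

# SAML Group Settings using the suggested claim values. "teachers" is an
# assumed second group, shown only to demonstrate the "|" separator.
GROUP_SETTINGS = {
    "Presenter": "presenters|teachers",
    "Student": "students",
    "Emergency Authorised": "emergency",
    "IT Admin": "itadmins",
    "E-Learning Admin": "elearning",
}

# Constructed (not real) assertion fragment: a staff member with no email
# claim and two group claims.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Jane Smith</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>teachers</saml:AttributeValue>
      <saml:AttributeValue>emergency</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(assertion_xml):
    """Return {attribute_name: [values]} from a SAML 2.0 AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    name_id = root.find(".//saml:NameID", NS)
    attrs["__nameid__"] = [name_id.text] if name_id is not None else []
    return attrs


def resolve_email(attrs):
    """Use the email claim if present, otherwise username@<default domain>."""
    emails = attrs.get(EMAIL_ATTR, [])
    if emails and emails[0]:
        return emails[0]
    username = attrs["__nameid__"][0]
    return f"{username}@{DEFAULT_EMAIL_DOMAIN}"


def roles_for(attrs, group_settings=GROUP_SETTINGS):
    """Roles whose configured group list intersects the user's group claims.

    A blank setting means "include everyone" for Presenter and Student
    (which the page marks as not recommended) and "assign manually in
    Vivi Central" for the other roles, so a blank setting never grants
    those roles from SAML.
    """
    user_groups = set(attrs.get(GROUP_ATTR, []))
    granted = []
    for role, setting in group_settings.items():
        wanted = {g.strip() for g in setting.split("|") if g.strip()}
        if not wanted:
            if role in ("Presenter", "Student"):
                granted.append(role)
            continue
        if wanted & user_groups:
            granted.append(role)
    return granted


if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_ASSERTION)
    print(parsed.get(NAME_ATTR), resolve_email(parsed), roles_for(parsed))
```

The example deliberately stops at attribute extraction and role mapping: in a real service provider the assertion's XML signature must first be validated against the exported Token-Signing Certificate from the table above, and only attributes from a successfully verified assertion should reach this mapping step.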
SAML should now be ready to test. Open the Vivi App (or restart if already open) and attempt to sign in with the username and password of an account in one of the appropriate groups.
...