Microsoft Entra ID/Azure Single Sign-on (SSO) setup instructions for the Symantec VIP Manager, MyVIP, & VIP SSP Portals

Article ID: 151006


Products

VIP Service

Issue/Introduction

Steps to configure Microsoft Entra ID (formerly known as Azure) SSO for Symantec MyVIP, VIP SSP, and VIP Manager portal access.

Resolution

Configure Azure AD SSO Integration to the MyVIP Portal

  1. Log in to the Azure Portal as a Global Administrator
  2. Click on 'Azure Active Directory'
  3. Click on 'Enterprise applications'
  4. Click on 'New application'
  5. Click on 'Create your own application'
  6. Select 'Integrate any other application you don't find in the gallery (Non-gallery)'
  7. Add the name “MyVIP” (or similar) as the app name, then click 'Create'. The Application view will be displayed

Setup SAML configurations for the “MyVIP” Enterprise Application

  1. In the application view, on the left panel, Click on 'Single Sign-on'
  2. Select SAML as the Single Sign-on Method
  3. In a separate tab or browser window, download the metadata file from https://login.vip.symantec.com/viplogin/saml/metadata
  4. On the “Setup Single Sign-On with SAML” page, select 'Upload metadata file', then click 'Add'. The Basic SAML Configuration section should populate. 
  5. Enter Relay State Value as https://login.vip.symantec.com/viplogin/home?successUrl=<organization's success url>?cancelUrl=<organization's cancel url>?errorUrl=<organization's error url>

Adding User Attributes to the SAML Configuration

  1. Click 'Edit' in the 'Attributes and Claims' Section.
  2. Delete all the 'Additional claims'. Leave the predefined 'Unique User Identifier (Name ID)'.
  3. Add an additional claim with 'Claim name' “EMAIL” mapped to user.userprincipalname.
  4. Add an additional claim with 'Claim name' “PHONE” mapped to user.telephonenumber.

Certificate Upload, Download, and Azure AD/Microsoft Entra ID Identifier

  1. Download a .P12 certificate from your VIP Manager portal. (Important: If an SSO app to VIP Manager or VIP SSP is already configured, download the identical .P12 certificate used in those settings.) 
  2. Locate SAML Certificates under Set up Single Sign-On with SAML and click edit
  3. Select Import Certificate, locate the new .P12 certificate, then click Add
  4. Click the 3 dots ... next to the new certificate and select Make certificate active.
  5. Set the Signing Option to Sign SAML Assertion and the Signing Algorithm to SHA-256
  6. Click Save to commit the changes and exit the SAML Signing Certificate screen. 
  7. (skip steps 7 and 8 if an SSO app for VIP Manager or VIP SSP access has already been configured.) Download the Certificate (Base64) certificate from the Token Signing Certificate section.
  8. Copy the Microsoft Entra ID Identifier from Set Up {My VIP application} section and save it in a text editor

Users and Groups

  1. Click on Users and Groups in the left pane and assign Users/Groups to access this MyVIP application.

Upload the Azure AD/Microsoft Entra ID Identifier and certificate to VIP Manager
Complete the following steps in VIP Manager to add Azure AD Identifier ID and Azure AD certificate: 

  1. In VIP Manager, click the Account tab.
  2. Under the Account tab, select Single Sign-on.
  3. Click Edit next to IdP Service Settings.
  4. Enter the Azure AD Identifier URL saved in the text editor as the Entity ID
  5. Click Browse and select the Base64 signing certificate downloaded earlier from the SAML certificates box (not the .p12 from VIP Manager).
  6. Click Submit.

Test MyVIP SSO access

  • In the Azure MyVIP application, click Properties.
  • The User Access URL can be used to access this application. To avoid cookie conflicts, test using a fresh browser session.

Configure Azure AD/Microsoft Entra ID SSO Integration to the VIP Manager Portal

  1. Log in to the Azure Portal as a Global Administrator
  2. Click on 'Azure Active Directory'
  3. Click on 'Enterprise applications'
  4. Click on 'New application'
  5. Click on 'Create your own application'
  6. Select 'Integrate any other application you don't find in the gallery (Non-gallery)'
  7. Add the name “VIP Manager” (or similar) as the app name, then click 'Create'. The Application view will be displayed

Setup SAML configurations for the “VIP Manager” Enterprise Application

  1. In the application view, on the left panel, Click on Single Sign-on
  2. Select SAML as the Single Sign-on Method
  3. In a separate tab or browser window, download the metadata file from https://manager.vip.symantec.com/vipmgr/saml/metadata
  4. On the “Setup Single Sign-On with SAML” page, select 'Upload metadata file', then click 'Add'. The Basic SAML Configuration section should populate. 
  5. On the Setup Single Sign-On with SAML page, Edit the Basic SAML Configuration.
  6. Set Identifier (Entity ID) to https://manager.vip.symantec.com/vipmgr.
  7. Set Reply URL (Assertion Consumer Service URL) to https://manager.vip.symantec.com/vipmgr/saml/SSO with Index set to 0.
  8. Save the settings, then click X to close the settings pane.
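
The downloaded metadata file can be inspected offline before it is uploaded, to confirm it matches the Identifier and Reply URL given in these steps and that every consumer endpoint is HTTPS on the expected host. This Python check is an added example, not vendor tooling; the function names are hypothetical and the sample metadata is constructed, not the file served by the metadata URL.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ENTITY_ID = "https://manager.vip.symantec.com/vipmgr"           # Identifier from step 6
ACS_URL = "https://manager.vip.symantec.com/vipmgr/saml/SSO"    # Reply URL from step 7
HOST = "manager.vip.symantec.com"

def review_sp_metadata(xml_text, entity_id, acs_url, acs_index, allowed_host):
    """Return findings for a downloaded service-provider metadata file."""
    # Assumption: the file holds a single EntityDescriptor as its root element.
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("entityID") != entity_id:
        findings.append("entityID is %r, expected %r" % (root.get("entityID"), entity_id))
    endpoints = root.findall("md:SPSSODescriptor/md:AssertionConsumerService", MD)
    for ep in endpoints:
        url = urlsplit(ep.get("Location", ""))
        # Every consumer endpoint receives assertions, so each must be HTTPS on the expected host.
        if url.scheme != "https" or url.hostname != allowed_host:
            findings.append("endpoint outside %s: %s" % (allowed_host, ep.get("Location")))
    if not any(ep.get("Location") == acs_url and ep.get("index") == str(acs_index)
               for ep in endpoints):
        findings.append("no ACS %s at index %s" % (acs_url, acs_index))
    return findings

def sample_metadata(extra_endpoint=""):
    """Constructed sample metadata; extra_endpoint lets a second endpoint be appended."""
    return ('<md:EntityDescriptor xmlns:md="%s" entityID="%s">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            '<md:AssertionConsumerService index="0" Location="%s" '
            'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>%s'
            '</md:SPSSODescriptor></md:EntityDescriptor>') % (MD["md"], ENTITY_ID, ACS_URL, extra_endpoint)

if __name__ == "__main__":
    for finding in review_sp_metadata(sample_metadata(), ENTITY_ID, ACS_URL, 0, HOST):
        print(finding)
```

An empty result means the file agrees with the values in steps 6 and 7; any finding should be resolved before the file is trusted.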

Adding User Attributes to the SAML Configuration

  1. On the Setup Single Sign-On with SAML page, click Edit in the Attributes and Claims Section.
  2. Click the predefined 'Unique User Identifier (Name ID)', then change the Source Attribute to user.mail (this attribute is sent to VIP Manager as the login ID).
  3. (optional for Out Of Band) Add an additional claim with 'Claim name' “EMAIL” mapped to user.userprincipalname.
  4. (optional for Out Of Band) Add an additional claim with 'Claim name' “MOBILE PHONE” mapped to user.mobilephone.
  5. (optional for Out Of Band) Add an additional claim with 'Claim name' “PHONE” mapped to user.telephonenumber.

Certificate Upload, Download, and Azure AD Identifier

  1. Download a .P12 certificate from your VIP Manager portal. (Important: If an SSO app to My VIP or VIP SSP is already configured, download the identical .P12 certificate used in those settings.) 
  2. Locate SAML Certificates under Set up Single Sign-On with SAML and click edit
  3. Select Import Certificate, locate the new .P12 certificate, then click Add
  4. Click the 3 dots ... next to the new certificate and select Make certificate active.
  5. Set the Signing Option to Sign SAML Assertion and the Signing Algorithm to SHA-256
  6. Click Save to commit the changes and exit the SAML Signing Certificate screen. 
  7. (skip steps 7 and 8 if an SSO app for MyVIP or VIP SSP access has already been configured.) Download the Certificate (Base64) certificate from the Token Signing Certificate section.
  8. Copy the Microsoft Entra ID Identifier from Set Up {VIP Manager application} section and save it in a text editor

Users and Groups

  1. Click on Users and Groups in the left pane and assign Users/Groups to access this MyVIP application.

Upload the Azure AD/Microsoft Entra ID Identifier and certificate to VIP Manager
Complete the following steps in VIP Manager to add Azure AD/Microsoft Entra ID Identifier ID and Azure AD certificate. Skip this section if an SSO app for MyVIP access has already been configured: 

  1. In VIP Manager, click the Account tab.
  2. Under the Account tab, select Single Sign-on.
  3. Click Edit next to IdP Service Settings.
  4. Enter the Azure AD Identifier URL saved in the text editor as the Entity ID
  5. Click Browse and select the Base64 signing certificate downloaded earlier (not the .p12 from VIP Manager).
  6. Click Submit.

Test VIP Manager SSO access

  • In the Azure VIP Manager application, click Properties.
  • The User Access URL can be used to access this application. To avoid cookie conflicts, test using a fresh browser session.
  • The VIP Admin account should already exist in VIP Manager for SSO login to succeed.
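
A structural check for the test login above, added here as an example (not Symantec or Microsoft code): it decodes the SAMLResponse form value posted to the Reply URL and reports whether the assertion is signed with RSA-SHA256, names the expected issuer, and carries the configured claims. The tenant ID in ISSUER and the sample response are constructed placeholders, and the signature itself is not verified cryptographically.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
ACS = "https://manager.vip.symantec.com/vipmgr/saml/SSO"  # Reply URL from the steps above
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant

def check_saml_response(b64_response, issuer, acs_url, required_claims=()):
    """Return a list of setting mismatches; an empty list means none were found."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the Reply URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion element in the response"]
    if assertion.findtext("saml:Issuer", "", NS).strip() != issuer:
        problems.append("Issuer does not match the Entity ID entered in VIP Manager")
    # "Sign SAML Assertion" places ds:Signature directly under the Assertion.
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        problems.append("assertion is not signed")
    elif method.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not RSA-SHA256")
    if not assertion.findtext("saml:Subject/saml:NameID", "", NS).strip():
        problems.append("NameID is empty")
    sent = {a.get("Name") for a in
            assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    problems += ["claim %s not sent" % c for c in required_claims if c not in sent]
    return problems

def sample_response(algorithm, claims):
    """Build a constructed SAMLResponse; the signature element carries no real value."""
    ns = " ".join('xmlns:%s="%s"' % kv for kv in NS.items())
    attrs = "".join('<saml:Attribute Name="%s"/>' % c for c in claims)
    xml = ('<samlp:Response %s Destination="%s"><saml:Assertion>'
           '<saml:Issuer>%s</saml:Issuer>'
           '<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="%s"/>'
           '</ds:SignedInfo></ds:Signature>'
           '<saml:Subject><saml:NameID>admin@example.com</saml:NameID></saml:Subject>'
           '<saml:AttributeStatement>%s</saml:AttributeStatement>'
           '</saml:Assertion></samlp:Response>') % (ns, ACS, ISSUER, algorithm, attrs)
    return base64.b64encode(xml.encode())

if __name__ == "__main__":
    print(check_saml_response(sample_response(RSA_SHA1, ["EMAIL"]), ISSUER, ACS, ("EMAIL", "PHONE")))
```

For a real test login, pass the SAMLResponse value captured from the browser's network trace of the POST to the Reply URL, together with the Microsoft Entra ID Identifier saved earlier.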

Configure Azure AD/Microsoft Entra ID SSO Integration to the VIP SSP (self-service portal)

Note: Organizations are encouraged to use My VIP for self-service. The VIP SSP is supported but no longer updated. 

  1. Log in to the Azure Portal as a Global Administrator
  2. Click on 'Azure Active Directory'
  3. Click on 'Enterprise applications'
  4. Click on 'New application'
  5. Click on 'Create your own application'
  6. Select 'Integrate any other application you don't find in the gallery (Non-gallery)'
  7. Add the name “VIP Self-Service Portal” (or similar) as the app name, then click 'Create'. The Application view will be displayed

Setup SAML configurations for the “VIP SSP” Enterprise Application

  1. In the application view, on the left panel, Click on 'Single Sign-on'
  2. Select SAML as the Single Sign-on Method
  3. In a separate tab or browser window, download the metadata file from https://ssp.vip.symantec.com/vipssp/saml/metadata
  4. On the “Setup Single Sign-On with SAML” page, select 'Upload metadata file', then click 'Add'. The Basic SAML Configuration section should populate. 
  5. Enter Relay State Value as https://ssp.vip.symantec.com/vipssp/home.v?successUrl=<organization's success url>?cancelUrl=<organization's cancel url>?errorUrl=<organization's error url>


Adding User Attributes to the SAML Configuration

  1. Click Edit in the Attributes and Claims Section.
  2. Under Required Claim, click on Unique User Identifier (Name ID) claim to edit. 
  3. Change Name Identifier Format to Unspecified.
  4. Save the changes.
  5. Note: Out-of-Band (OOB) is not supported with VIP SSP SSO through Azure. If SSO is a requirement, implement My VIP SSO through Azure. 

Certificate Upload, Download, and Azure AD Identifier

  1. Download a .P12 certificate from your VIP Manager portal. (Important: If an SSO app to My VIP or VIP Manager is already configured, download the identical .P12 certificate used in those settings.) 
  2. Locate SAML Certificates under Set up Single Sign-On with SAML and click edit
  3. Select Import Certificate, locate the new .P12 certificate, then click Add
  4. Click the 3 dots ... next to the new certificate and select Make certificate active.
  5. Set the Signing Option to Sign SAML Assertion and the Signing Algorithm to SHA-256
  6. Click Save to commit the changes and exit the SAML Signing Certificate screen. 
  7. (skip steps 7 and 8 if an SSO app for MyVIP or VIP Manager access has already been configured.) Download the Certificate (Base64) certificate from Token Signing Certificate section.
  8. Copy the Microsoft Entra ID Identifier from Set Up {VIP SSP application} section and save it in a text editor

Users and Groups

  1. Click on Users and Groups in the left pane and assign Users/Groups to access this application.

Upload the Azure AD Identifier and certificate to VIP Manager

  1. Log into VIP Manager and click the Account tab.
  2. Select Single Sign-on.
  3. Click Edit next to IdP Service Settings.
  4. Enter the Azure AD Identifier URL saved in the text editor as the Entity ID
  5. Click Browse and select the Base64 signing certificate downloaded earlier from the SAML certificates box (not the .p12 from VIP Manager).
  6. Click Submit.

Test VIP SSP SSO access

  • In the Azure MyVIP application, click Properties.
  • The User Access URL can be used to access this application. To avoid cookie conflicts, test using a fresh browser session.