SSO settings in InVision V7
  • 25 May 2023

Article Summary

This article provides answers for InVision V7 only. If you're using InVision V6, read this article instead. Not sure which version you're using? Find out now.

InVision’s single sign-on (SSO) Service Provider is SAML 2.0 compliant and should work with any SAML 2.0 compliant SSO identity provider (IdP). After you have configured settings in your IdP, you need to configure SSO settings in InVision V7.

Note that SSO in InVision V7 is only available for Enterprise plans, and to set up SSO, you must be an owner or admin on the Enterprise account.

If you’re using Okta, OneLogin, ADFS, or Microsoft Azure, see how to configure your IdP for use with InVision in this section.

Before you start

Before configuring SSO in your InVision V7 account, you need to download InVision's SAML metadata from this URL:

After downloading your IdP's metadata file, you can configure your SSO settings.

Warning: You will generally need to manually copy and paste the required service provider metadata into your IdP system. Trying to automatically import and parse our service provider metadata can lead to unexpected results and errors.

Access and configure your account SSO settings

We recommend that these steps be completed by your IT team or an IT manager.

To access and configure your SSO settings:

  1. Sign in to your InVision Enterprise here:
  2. In the lower-left corner, select the team tray > Settings.
  3. Select Single sign-on.
  4. Turn on Require SSO for every member of [your enterprise team].
  5. Verify Receive notifications about InVision SAML certificate rotation is turned on. You should only turn off notifications if you're certain your IdP does not require manual rotation of InVision's service provider SAML certificate.
  6. Using the appropriate information from your IdP's metadata file, complete the SSO settings page:
    • Name: Set any name you want for the configuration.
    • Sign-in URL: Use the Location URL defined in the SingleSignOnService element of your IdP metadata. The IdP endpoint must support the HTTP-Redirect binding (GET).
    • Sign-out URL: If your IdP app supports SLO, use the Location URL defined in the SingleLogoutService element of your IdP metadata. The IdP endpoint must support the HTTP-Redirect binding (GET).
    • SAML Certification: Copy the IdP Signing Certificate provided in the X509Certificate element of the IdP metadata file. Do not include any of the XML element tags in the data.

      Your IdP Signing Certificate may also be obtained in other file formats outside of the IdP metadata.

    • Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

      The InVision Service Provider requires the Subject of the IdP Assertion to be the email address of the user.

    • HASH Algorithm: Select the desired Hash Algorithm for the InVision Service Provider to use for its outbound SAML Requests.
    • SSO Button Label: Set any text you’d like for the SSO button that appears when signing in.
  7. Select one of the following options, if desired:
    • Allow users to sign in without SAML
    • Allow Just-in-Time provisioning
      It's highly recommended to enable the Allow users to sign in without SAML option when first configuring and testing your SSO settings. This will ensure that you and your users don't get locked out of the InVision account. Once you confirm that the SSO authentication method is working correctly, you can disable that option, if desired.
  8. Select a default role for new users added to the team.
  9. Select Update.

Customize your sign-in experience

Within the SSO settings, there are two options that let you customize the sign-in experience:

Allow users to sign in without SAML

If Allow users to sign in without SAML is on, members of your team can choose to sign in via your IdP, or by using their email and password.

Turning on this setting can save time and hassle, as it allows users outside of your company—people who don’t have SSO accounts with your company, such as clients and contractors—to access your InVision team via any link (including document links) to your Enterprise account.

Allow Just-in-Time provisioning

If Just-in-Time provisioning is on, here's what to expect:

  • Anyone you have previously authorized—via your IdP app—can automatically join your InVision Enterprise team when signing in via SSO for the first time.
  • You'll choose which default role will be assigned to people who join the team via Just-in-Time provisioning:
    • Guest: People with the guest role can create documents, but they can only access spaces and/or documents that other people have created if they're explicitly invited.
    • Member: People with the team member role can preview and join all open documents and spaces.

Note: If you're using just-in-time auto-provisioning and your users' first and last names appear as "Unnamed User", read: How can I ensure account names are populated correctly for SAML auto-provisioned accounts in InVision V7?

If Just-in-Time provisioning is toggled off, you'll add a custom message to let prospective new members know how to request access and join your team.

Configure your IdP for use with InVision

For information on setting up SSO with a specific IdP, check out one of these articles:
