SSO settings in InVision V7
- Updated on 25 May 2023
InVision’s single sign-on (SSO) Service Provider is SAML 2.0 compliant, and should work with any SAML 2.0 compliant SSO identity provider (IdP). After you have configured settings in your IdP, you need to configure SSO settings in InVision V7.
Note that SSO in InVision V7 is only available for Enterprise plans, and to set up SSO, you must be an owner or admin on the Enterprise account.
If you’re using Okta, OneLogin, ADFS, or Microsoft Azure, see how to configure your IdP for use with InVision in this section.
Before you start
Before configuring SSO in your InVision V7 account, you need to download InVision's SAML metadata from this URL: https://your_enterprise_subdomain.invisionapp.com/sso/metadata
After downloading your IdP's metadata file, you can configure your SSO settings.
Access and configure your account SSO settings
We recommend that these steps are completed by your IT team or an IT manager.
To access and configure your SSO settings:
- Sign in to your InVision Enterprise here: your_enterprise_subdomain.invisionapp.com
- In the lower-left corner, select the team tray > Settings.
- Select Single sign-on.
- Turn on Require SSO for every member of [your enterprise team].
- Verify Receive notifications about InVision SAML certificate rotation is turned on. You should only turn off notifications if you're certain your IdP does not require manual rotation of InVision's service provider SAML certificate.
- Using the appropriate information from your IdP's metadata file, complete the SSO settings page:
  - Name: Set any name you want for the configuration.
  - Sign-in URL: Use the Location URL defined in the SingleSignOnService element of your IdP metadata. The IdP endpoint must support the HTTP-Redirect binding (GET).
  - Sign-out URL: If your IdP app supports SLO, use the Location URL defined in the SingleLogoutService element of your IdP metadata. The IdP endpoint must support the HTTP-Redirect binding (GET).
  - SAML Certification: Copy the IdP Signing Certificate provided in the X509Certificate element of the IdP metadata file. Do not include any of the XML element tags in the data. Your IdP Signing Certificate may also be obtained in other file formats outside of the IdP metadata.
  - Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    The InVision Service Provider requires the Subject of the IdP Assertion to be the email address of the user.
  - HASH Algorithm: Select the desired Hash Algorithm for the InVision Service Provider to use for its outbound SAML Requests.
  - SSO Button Label: Set any text you’d like for the SSO button that appears when signing in.
- Select one of the following options, if desired:
  - Allow users to sign in without SAML
  - Allow Just-in-Time provisioning
  It's highly recommended to enable the Allow users to sign in without SAML option when first configuring and testing your SSO settings. This will ensure that you and your users don't get locked out of the InVision account. Once you confirm that the SSO authentication method is working correctly, you can disable that option, if desired.
- Select a default role for new users added to the team.
- Select Update.
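As an added example (not InVision's own code), this Python script pulls the values the SSO settings page asks for out of an IdP metadata file and enforces the HTTP-Redirect requirement on the sign-in endpoint. The metadata is a constructed sample; idp.example.test, the certificate text, and the function and field names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = "urn:oasis:names:tc:SAML:2.0:bindings:"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: idp.example.test and the certificate text are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    MIIDconstructedSAMPLE
    notARealCertificate==
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="{BINDINGS}HTTP-POST" Location="https://idp.example.test/slo"/>
  <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
  <md:SingleSignOnService Binding="{BINDINGS}HTTP-POST" Location="https://idp.example.test/sso/post"/>
  <md:SingleSignOnService Binding="{BINDINGS}HTTP-Redirect" Location="https://idp.example.test/sso/redirect"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def redirect_location(idp, tag):
    """Location of the first `tag` endpoint bound to HTTP-Redirect, or None."""
    for ep in idp.findall(f"md:{tag}", NS):
        if ep.get("Binding") == BINDINGS + "HTTP-Redirect":
            return ep.get("Location")
    return None

def extract_sso_settings(metadata_xml):
    idp = ET.fromstring(metadata_xml).find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    sign_in = redirect_location(idp, "SingleSignOnService")
    if sign_in is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService endpoint")
    # A KeyDescriptor without a "use" attribute serves signing and encryption.
    certs = ["".join(kd.findtext(".//ds:X509Certificate", "", NS).split())
             for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")]
    formats = [f.text.strip() for f in idp.findall("md:NameIDFormat", NS) if f.text]
    return {"sign_in_url": sign_in,
            # None when the IdP has no HTTP-Redirect SLO endpoint
            "sign_out_url": redirect_location(idp, "SingleLogoutService"),
            "certificate": certs[0] if certs else None,  # base64 body, no XML tags
            "email_name_id_advertised": EMAIL_FORMAT in formats}

if __name__ == "__main__":
    for field, value in extract_sso_settings(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

In the sample, the IdP offers single logout only over HTTP-POST, so the sign-out value comes back empty and the Sign-out URL field would be left blank.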
Customize your sign-in experience
Within the SSO settings, there are two options that let you customize the sign-in experience:
Allow users to sign in without SAML
If Allow users to sign in without SAML is on, members of your team can choose to sign in via your IdP, or by using their email and password.
Turning on this setting can save time and hassle, as it allows users outside of your company—people who don’t have SSO accounts with your company, such as clients and contractors—to access your InVision team via any link (including document links) to your Enterprise account.
Allow Just-in-Time provisioning
If Just-in-Time provisioning is on, here's what to expect:
- Anyone who you have previously authorized—via your IdP app—can automatically join your InVision Enterprise team when signing in via SSO for the first time.
- You'll choose which default role will be assigned to people who join the team via Just-in-Time provisioning:
  - Guest: People with the guest role can create documents, but they can only access spaces and/or documents that other people have created if they're explicitly invited.
  - Member: People with the team member role can preview and join all open documents and spaces.
If Just-in-Time provisioning is toggled off, you'll add a custom message to let prospective new members know how to request access and join your team.

Configure your IdP for use with InVision
For information on setting up SSO with a specific IdP, check out one of these articles:
- InVision V7: SSO - Configuring Okta for use with InVision
- InVision V7: SSO - Configuring OneLogin for Use with InVision
- InVision V7: SSO - Configuring ADFS for use with InVision
- InVision V7: SSO - Configuring Microsoft Azure for use with InVision