We’re in the process of making some changes to our SSO implementation in InVision Cloud V7 and have temporarily disabled the option to set up or change SSO while those changes are underway. If you need to urgently change your SSO settings and you’re using Cloud V7, please contact InVision Support for assistance.
To properly configure ADFS with InVision, be sure to follow all the steps outlined below.
Configuring ADFS in InVision Cloud V7
Before implementing SSO for your Enterprise, we recommend first ensuring that the Enable password expiration option is toggled off. With SSO enabled, password expiration via InVision (rather than your SSO provider) may prevent some of your members from accessing your Enterprise account if they forget their native InVision password.
First, you'll need to configure ADFS in your InVision Cloud V7 account. Save your IdP's metadata, and then take these steps:
Sign in to your InVision Cloud V7 Enterprise account.
At the top of the page, click Team.
Click the Settings tab, and then click Single sign-on.
Toggle on Require SSO for every member of [your enterprise team].
Fill out the fields using the appropriate information from your IdP's metadata file.
Setting up the hash algorithm
In ADFS, visit your Advanced tab for the InVision application, then select SHA-256 from the Secure hash algorithm menu. Click OK.
Downloading InVision metadata
Download InVision's SAML metadata from https://your_enterprise_subdomain.invisionapp.com/login-api/api/v1/sso/saml/metadata
You’ll need this when creating a new Relying Party Trust in ADFS.
Creating a new Relying Party Trust
First, you’ll need to open the ADFS 2.0 MMC snap-in and create a new “Relying Party Trust” that you can configure to work with InVision. The wizard will walk you through the following steps:
In the Select Data Source step, import the XML metadata you downloaded from https://your_enterprise_subdomain.invisionapp.com/login-api/api/v1/sso/saml/metadata
Give the trust a Display Name like “InVision” and click Next.
Select the Permit all users to access this relying party option and click Next.
Check the Open the Edit Claim Rules Dialog... checkbox and click the Close button.
Adding a claim rule to send the email address of your user
In the Edit Claim Rules window that appears, do the following:
Click Add Rule to begin creating a new Claim Rule.
Select Send LDAP Attributes as Claims as the rule template.
Title the rule "Send UPN as Email" (you should tweak this title if you use a different attribute in step 5 below).
Select Active Directory as your Attribute Store.
Set User-Principal-Name (or whatever LDAP attribute contains the primary email address for your users) as the LDAP attribute.
Add E-mail Address as the Outgoing Claim Type.
Click OK to create the rule.
Adding a Transform Claim Rule
After you've added a new rule to send the email address as a claim, we need to transform it into the proper NameID format. To do that, we add a Transform Claim rule:
Click Add Rule again to add a new rule and select "Transform an Incoming Claim" as the rule template.
Enter "Transform Email to Name ID" for the "Claim rule name."
Select E-Mail Address as the "Incoming claim type."
Select Name ID for the "Outgoing claim type."
Select Email for the "Outgoing name ID format."
Make sure Pass through all claim values is selected (it should be selected by default).
Click OK to save your rule.
Verify that this new rule is below the initial rule you created and click OK again to close the rule editor.