SSO Settings in InVision V7 V7

This article provides answers for InVision V7 only. If you're using InVision V6, read this article instead. Not sure which version you're using? Find out now.

InVision’s SSO Service Provider is SAML 2.0 compliant, and should work with any SAML 2.0 compliant SSO identity provider (IdP). After you have configured settings in your IdP, you will need to configure SSO settings in InVision V7.

Note that SSO in InVision V7 is only available for Enterprise plans, and to set up SSO, you must be an owner or admin on the Enterprise account.

If you’re using Okta, OneLogin, ADFS, or Microsoft Azure, see how to configure your IdP for use with InVision in this section.

IdP-Initiated SSO is not supported in InVision V7.

Before you start

Before configuring SSO in your InVision V7 account, you need to download InVision's SAML metadata from this URL: https://your_enterprise_subdomain.invisionapp.com/sso/metadata

After downloading your IdP's metadata file, you can configure your SSO settings.

You will generally need to manually copy and paste the required Service Provider (SP) metadata into your IdP system. Trying to automatically import and parse our SP metadata can lead to unexpected results and errors.

Access and configure your account SSO settings

We recommend that these steps are completed by your IT team or an IT Manager.

To access and configure your SSO settings:

1. Sign in to your InVision Enterprise here: your_enterprise_subdomain.invisionapp.com
2. In the lower-left corner, click the [Your Team Name] dropdown, and then click Settings.
3. Click Single sign-on.
4. Toggle on Require SSO for every member of [your enterprise team].
5. Using the appropriate information from your IdP's metadata file, complete the SSO settings page:
   • Name: Set any name you want for the configuration.
   • Sign-in URL: Use the Location URL defined in the SingleSignOnService element of your IdP metadata. The IdP endpoint must support the HTTP-Redirect binding (GET).
   • Sign-out URL: If your IdP app supports SLO, use the Location URL defined in the SingleLogoutService element of your IdP metadata. The IdP endpoint must support the HTTP-Redirect binding (GET).
   • SAML Certification: Copy the IdP Signing Certificate provided in the X509Certificate element of the IdP metadata file. Do not include any of the XML element tags in the data.
     

     Your IdP Signing Certificate may also be obtained in other file formats outside of the IdP metadata.

   • Name ID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

     The InVision Service Provider requires the Subject of the IdP Assertion to be the email address of the user.

   • HASH Algorithm: Select the desired Hash Algorithm for the InVision Service Provider to use for its outbound SAML Requests.
   • SSO Button Label: Set any text you’d like for the SSO button that appears when signing in.
6. Select one of the following options, if desired:
   
   • Allow users to sign in without SAML
   • Allow Just-in-Time provisioning
     
     It's highly recommended to enable the Allow users to sign in without SAML option when first configuring and testing your SSO settings. This will ensure that you and your users don't get locked out of the InVision account. Once you confirm that the SSO authentication method is working correctly, you can disable that option, if desired.
7. Select a default role for new users added to the team.
8. Click Update.

Customize your sign-in experience

Within the SSO settings, there are two options that let you customize the sign-in experience:

• Allow users to sign in without SAML
• Allow Just-in-Time provisioning

Allow users to sign in without SAML

If this setting is toggled on (), members of your team can choose to sign in via your IdP, or by using their email and password.

Enabling this setting can save time and hassle, as it allows users outside of your company—people who don’t have SSO accounts with your company, such as clients and contractors—to access your InVision team via any link (including document links) to your Enterprise account.

Allow Just-in-Time provisioning

If Just-in-Time provisioning is toggled on (), here's what to expect:

• Anyone who you have previously authorized—via your IdP app—can automatically join your InVision Enterprise team when signing in via SSO for the first time.
• You'll choose which default role will be assigned to people who join the team via Just-in-Time provisioning:
  • Guest: People with the guest role can create documents, but they can only access spaces and/or documents that other people have created if they're explicitly invited.
  • Member: People with the team member role can preview and join all open documents and spaces.

If you're using just-in-time auto-provisioning and your users' first and last names appear as "Unnamed User,” check out this article: How can I ensure account names are populated correctly for SAML auto-provisioned accounts in InVision V7?

If Just-in-Time provisioning is toggled off (), you'll add a custom message to let prospective new members know how to request access and join your team:

Configure your IdP for use with InVision

For information on setting up SSO with a specific IdP, check out one of these articles:

• InVision V7: SSO - Configuring Okta for use with InVision
• InVision V7: SSO - Configuring OneLogin to for Use with InVision
• InVision V7: SSO - Configuring ADFS for use with InVision
• InVision V7: SSO - Configuring Microsoft Azure for use with InVision