InVision supports single sign-on (SSO) via a SAML certificate. In accordance with security best practices, InVision's SAML certificate expires every two years. Customers must update their identity provider with InVision's new SAML certificate before expiry to continue using SSO.
If customers do not switch to InVision's new SAML certificate before expiry, users won't be able to use SSO to sign in to InVision.
SAML certificate rotation is typically done by your organization's identity provider (IdP) administrator, which may be your system administrator, security administrator, or IT department.
InVision supports the following identity providers: Okta, OneLogin, and Azure. If you're using one of these supported providers, continue to Rotate with a supported identity provider.
If you use a custom identity provider, skip to Rotate with a custom identity provider.
Rotate with a supported identity provider
InVision supports the following identity providers: Okta, OneLogin, and Azure.
If you’re accessing InVision from the app gallery of Okta, OneLogin, or Azure, no manual certificate update should be required.
Rotate with a custom identity provider
If your organization has a custom identity provider (IdP), you must manually rotate to InVision's new SAML certificate.
Your organization's SAML metadata displays information for two certificates: InVision's current expiring certificate and InVision's new certificate.
Ensure you import the information for InVision's new certificate, which is the second one listed.
- Go to https://your-team-subdomain.invisionapp.com/sso/metadata.
- Locate the second listed SAML certificate.
- In the X509Certificate element, copy the element text.
- Add the copied text to your IdP.
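The steps above can also be scripted, which lets you confirm by SHA-256 fingerprint that the certificate your IdP ends up holding is the second one listed. The following Python is an added example, not InVision's code. It assumes the metadata uses the standard XML-DSig namespace for X509Certificate; the function names are hypothetical, and the sample metadata is constructed with placeholder bytes in place of real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"  # XML-DSig namespace of X509Certificate

def to_pem(b64):
    """Wrap bare base64 in PEM armor for IdPs that expect a PEM file."""
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def list_certificates(metadata_xml):
    """Return every X509Certificate in the metadata, in document order."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for position, elem in enumerate(root.iter(f"{{{DS_NS}}}X509Certificate"), start=1):
        b64 = "".join((elem.text or "").split())  # strip line wraps and indentation
        der = base64.b64decode(b64, validate=True)  # reject a truncated or mangled copy
        certs.append({"position": position, "base64": b64,
                      "sha256": hashlib.sha256(der).hexdigest(), "pem": to_pem(b64)})
    return certs

def new_certificate(metadata_xml):
    """Pick the second listed certificate, which the page identifies as the new one."""
    certs = list_certificates(metadata_xml)
    if len(certs) != 2:
        raise ValueError(f"expected 2 certificates (current and new), found {len(certs)}")
    if certs[0]["sha256"] == certs[1]["sha256"]:
        raise ValueError("both listed certificates are identical")
    return certs[1]

# Constructed sample metadata; the certificate bodies are placeholder bytes, not real X.509.
OLD_DER = b"constructed-old-cert-" * 4
NEW_DER = b"constructed-new-cert-" * 4

def _key_descriptor(der):
    b64 = base64.b64encode(der).decode()
    wrapped = "\n      ".join(b64[i:i + 40] for i in range(0, len(b64), 40))
    return ("<md:KeyDescriptor use=\"signing\"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n      "
            + wrapped + "\n</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    f'xmlns:ds="{DS_NS}" entityID="https://sp.example.invalid">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key_descriptor(OLD_DER) + _key_descriptor(NEW_DER)
    + "</md:SPSSODescriptor></md:EntityDescriptor>")

if __name__ == "__main__":
    for cert in list_certificates(SAMPLE_METADATA):
        print(cert["position"], cert["sha256"])
    print(new_certificate(SAMPLE_METADATA)["pem"])
```

After importing, compare the printed SHA-256 fingerprint for position 2 with the fingerprint your IdP shows for the stored certificate.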
Maintain access with a backup sign in method
If your organization's security standards allow non-SSO sign-in, we recommend turning on sign in with email and password to ensure uninterrupted access to InVision. With this setting on, users will still be able to sign in to InVision even if your organization does not rotate its certificate in time.
You must be an admin or owner on your team to turn on this setting.
- Sign in to your organization.
- In the lower-left corner, select [Your Team Name] > Settings.
- Select Single sign-on.
- Scroll to the bottom of the screen and locate the setting Allow users to sign in without SAML.
- Turn on this setting.
- Select Update.
Members of your organization can now sign in with either SSO or their email and password. Once your organization rotates its SAML certificate, turn off this setting to only allow sign in with SSO.
Additional information about SSO
For more information about SSO settings, read SSO settings in InVision V7.