Configure SAML 2.0 single sign-on

Vera supports single sign-on (SSO) through SAML 2.0. When you configure SAML, your users sign in with your existing identity provider (IdP), such as Microsoft Entra ID or Okta, instead of separate Vera credentials.

Site Administrators manage SSO settings in the Web Portal under Site Administration > Single Sign-On. The settings are split across two pages:

  • Identity Providers: register, edit, and test one or more SAML IdPs for your tenant.

  • Service Provider: define how Vera identifies itself to your IdP and signs outgoing SAML requests.

Only SAML 2.0 is supported. Other SSO protocols aren't available.

Before you start

Before you configure SAML SSO, make sure the following are in place:

  • SSO requires HTTPS. SAML doesn't work over HTTP.

  • You have Site Administrator access to Vera.

  • You've gathered your IdP metadata: Entity ID, Single Sign-On URL, Single Logout URL (optional), and any separate signatures endpoint values.

  • You have one or more PEM-encoded X.509 public certificates (.pem, .crt, or .cer) from the IdP.

Incorrect SAML values can lock users out of Vera. Set at least one Site Administrator to Vera (local) authentication before you change SAML settings. This keeps you signed in if SSO stops working.

Go to the SSO settings

Use the following paths to reach each SAML page:

| Page | Path |
| --- | --- |
| Identity Providers | Site Administration > Single Sign-On > Identity Providers |
| Add or edit an IdP | Site Administration > Single Sign-On > Identity Providers > [IdP name] |
| Service Provider | Site Administration > Single Sign-On > Service Provider |

Manage identity providers

The Identity Providers page lists every SAML IdP registered for your Vera tenant. Each row shows the IdP's display name, Entity ID, Login URL, and Signatures Entity ID (if configured).

Add a SAML identity provider

To register a new IdP, follow these steps:

  1. Go to Site Administration > Single Sign-On > Identity Providers.

  2. Select Add SAML Identity Provider.

  3. Fill in the fields in the IdP Provider Details form. For details on each field, check out the IdP field reference.

  4. Under Certificates, upload one or more PEM-encoded X.509 public certificates.

  5. Select Save.

After you save the IdP, test the configuration before you enable SSO for your users.

Edit an identity provider

To update an existing IdP:

  1. On the Identity Providers page, select the IdP you want to edit.

  2. Update the fields in the IdP Provider Details form. You can also add or remove certificates.

  3. Select Save.

Delete an identity provider

On the Identity Providers page, select the delete icon on the row for the IdP you want to remove.

Deleting an IdP is permanent. Users who authenticate through that IdP can't sign in until you register it again.

IdP field reference

The IdP Provider Details form uses the following fields:

| Field | Required | Description |
| --- | --- | --- |
| Display Name | Optional | The label shown on the Vera login page (for example, Login via Azure). If blank, the button shows the Entity ID. |
| Entity Id | Required | The Entity ID from your IdP metadata, typically a URL (for example, https://sts.windows.net/<tenant-id>/). |
| Type | Read-only | Always set to SAML. You can't change this value. |
| Login URL | Required | The single sign-on URL from the IdP. Vera redirects users here to sign in. |
| Logout URL | Optional | The single logout URL from the IdP. If blank, users can sign out of Vera but their IdP session stays active. |
| Signatures Entity Id | Optional | A separate Entity ID for the signatures endpoint. Use this field only when the signatures endpoint uses a different Entity ID from the login endpoint, for example with Okta. |
| Signatures URL | Optional | The single sign-on URL for the signatures endpoint. Use this field when e-signature authentication goes through a different URL than standard login. |
| Authentication Contexts | Required | A comma-separated list of authentication context class references sent to the IdP. Defaults to urn:oasis:names:tc:SAML:2.0:ac:classes:Password. Vera doesn't validate the value, so enter the exact string your IdP expects. |
| Certificates | Required | One or more PEM-encoded X.509 public certificates (.pem, .crt, or .cer). Vera uses them to establish SAML trust with the IdP. You must upload at least one. |
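As an added example (not Vera code and not part of the original page), the script below maps a downloaded IdP metadata file onto the Entity Id, Login URL, Logout URL, and Certificates fields, converts each signing certificate to PEM, and flags missing required values and non-HTTPS endpoints. The sample metadata, host names, and certificate bytes are constructed, and taking the first listed endpoint of each service is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
PLACEHOLDER_B64 = "QUJD" * 20  # constructed bytes, not a real certificate
# Constructed sample metadata for a hypothetical IdP; the logout URL is plain HTTP.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate> {PLACEHOLDER_B64} </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{BINDING}" Location="http://idp.example.test/slo"/>
    <md:SingleSignOnService Binding="{BINDING}" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def pem_from_metadata_b64(b64):
    """Wrap the base64 DER text of a ds:X509Certificate element as a PEM certificate."""
    body = "".join(b64.split())
    if not body:
        raise ValueError("empty X509Certificate element")
    base64.b64decode(body, validate=True)  # raises ValueError on non-base64 text
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])

def idp_form_values(metadata_xml):
    """Return (form values, problems) for the IdP Provider Details form."""
    root = ET.fromstring(metadata_xml)  # parse only metadata obtained from your IdP
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not single-entity IdP metadata")
    def loc(tag):  # assumption: the first listed endpoint is the one to register
        return getattr(idp.find(f"md:{tag}", NS), "attrib", {}).get("Location")
    values = {
        "Entity Id": root.get("entityID"),
        "Login URL": loc("SingleSignOnService"),
        "Logout URL": loc("SingleLogoutService"),  # optional in the form
        "Certificates": [pem_from_metadata_b64(c.text or "")
                         for kd in idp.findall("md:KeyDescriptor", NS)
                         if kd.get("use") != "encryption"  # keep signing certificates
                         for c in kd.iterfind(".//ds:X509Certificate", NS)],
    }
    problems = [f"{name} is required but missing"
                for name in ("Entity Id", "Login URL", "Certificates") if not values[name]]
    problems += [f"{name} is not HTTPS: {values[name]}" for name in ("Login URL", "Logout URL")
                 if values[name] and not values[name].lower().startswith("https://")]
    return values, problems
```

Write each entry of `values["Certificates"]` to a .pem file for the Certificates upload, and resolve every reported problem before you select Save.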

Test SSO

Run the SSO tests after you save an IdP and before you enable it for users. Each test opens the IdP sign-in page in a new browser window and compares the SAML response against the selected user and IdP.

Test with a user account that's linked to the IdP you're testing. Vera (local) accounts aren't associated with an IdP and won't produce a valid SAML response.

Test login SSO

To test login-based SSO:

  1. On the IdP details page, select Test login SSO.

  2. In the User field, select a user account linked to this IdP, then select Start test.

  3. Sign in at the IdP. Vera returns to the IdP details page and shows the result.

Test signature SSO

To test signature-based SSO:

  1. On the IdP details page, select Test signature SSO.

  2. In the User field, select a user account linked to this IdP, then select Start test.

  3. Sign in at the IdP. Vera returns to the IdP details page and shows the result.

Configure a Signatures URL on the IdP before you run this test. If the field is blank, the test uses the Login URL.

Review test results

Vera shows a banner at the top of the IdP details page with the test outcome:

  • A green success banner confirms that the SAML response matched the selected user and IdP.

  • A red failure banner explains why the response didn't match. Review your IdP fields, certificates, and the user's Identity Provider Username, then test again.

Configure the service provider

The Service Provider page defines how Vera identifies itself to your IdP and signs outgoing SAML requests. Each tenant has one service provider that applies to every registered IdP.

Incorrect service provider values disable SAML for every user on this tenant. Keep a Vera (local) Site Administrator account available as a fallback before you change these fields.

To update the service provider:

  1. Go to Site Administration > Single Sign-On > Service Provider.

  2. Update the Login Entity Id and Signatures Entity Id. These values must match what you register in your IdP.

  3. Enter a new Client Secret only if you're rotating the secret. Leave the field blank to keep the current value.

  4. Upload a new Private Key or Public Certificate in PEM format if you're rotating them.

  5. Select Save.

Service provider field reference

The Service Provider page uses the following fields:

| Field | Required | Description |
| --- | --- | --- |
| Login Entity Id | Required | The Entity ID that Vera uses to identify itself to the IdP for login-based SSO. Must match the service provider configuration in your IdP (for example, TricentisVera). |
| Signatures Entity Id | Required | The Entity ID that Vera uses for signature-based SSO. Can differ from Login Entity Id depending on your IdP (for example, TricentisVeraSignatures). |
| Client Secret | Optional | A secret value that authenticates the Vera SAML client. Leave blank to keep the current secret. Enter a new value only when you're rotating it. |
| Private Key | Optional | A PEM-encoded private key (-----BEGIN PRIVATE KEY-----) that Vera uses to sign outgoing SAML requests. The field shows the current file name when a key is already uploaded. |
| Public Certificate | Optional | A PEM-encoded public certificate (-----BEGIN CERTIFICATE-----) shared with the IdP so it can verify Vera's signed requests. The field shows the current file name when a certificate is already uploaded. |

What's next

Import users for the IdP so they can sign in with SSO. Use the IdP's Entity ID as the IdP name in your import file.