You can gate your experiences to a subset of authenticated users by integrating via Single Sign-On, which is very useful for any internally facing experiences such as:
- Internal assessments
- Calculators, quoting and other sales tools
- Employee education
Requirements
Before you can integrate with Single Sign-On, you’ll need:
- A public facing login page on Dot.vu (configured with a global Account Addon and Single Sign-On Addon)
- One or more SSO gated pages on Dot.vu (configured with a global Account Addon and Single Sign-On Addon)
- A subdomain for the experience and respective TLS certificate
- A SAML 2.0 WebSSO protocol compatible Identity Provider (IdP) – e.g. Microsoft’s ADFS
Configuration Example
When all the requirements above are met, all that is left to do is setup the configuration on the Identity Provider Service (IdP) side and then on the Service Provider side (in our case, your interactive experience on Dot.vu).
The following steps exemplify integration with Microsoft’s ADFS, but other similar services are also supported, provided they support SAML 2.0 WebSSO.
Add a Relying Party Trust
Add a relying party trust, with the following steps and properties:
- Data Source: manually
- Profile: AD FS profile
- Enable support for the SAML 2.0 WebSSO protocol
- Identifiers
- Relying party identifier (FQDN): <experience-subdomain.yourdomain.com>
- SAML Assertion Consumer Endpoint
- Binding: POST
- Trusted URL: <experience-subdomain.yourdomain.com>
- SAML Logout Endpoint
- Binding: Redirect
- Trusted URL: <experience-subdomain.yourdomain.com>
- Response URL: you will need to contact Dot.vu support to obtain this URL, as it will be specific to your interactive experience configuration.
- Advanced
- Secure hash algorithm: SHA-256
- Signature
- the TLS certificate for <experience-subdomain.yourdomain.com>
Add Claim Rules
Once the Relying Party Trust has been created, add the following Claim Rules under ‘Issuance Transform Rules’:
| Order | Rule Name | Issued Claims |
| 1 | Email LDAP Query | E-Mail Address |
| 2 | Transform email address as NameID | Name ID |
Single Sign-On Addon Configuration
Finally, the Single Sign-On Addon must be configured with the following information:
- IdP identifier (e.g. yourdomain.com/adfs/services/trust)
- Login URL (e.g. yourdomain.com/adfs/ls/IdpInitiatedSignon.aspx)
- Logout URL (e.g. yourdomain.com/adfs/ls/IdpInitiatedSignon.aspx)
- IdP Certificate (the public certificate for your ADFS’ FQDN)
- SP Certificate (the public certificate for <experience-subdomain.yourdomain.com>)
- SP Private Key (the private key for <experience-subdomain.yourdomain.com>)
- Login Page (usually <experience-subdomain.yourdomain.com> or <experience-subdomain.yourdomain.com/login>)
- On login redirect to… (the page to land on after successful login)
Maintenance
There are two main concerns you shall have regarding maintenance of the integration:
- Each time the SP or IdP TLS certificates are renewed, you must contact Dot.vu support with significant anticipation (e.g. 1 month), so that we can coordinate the updates.
- Inform Dot.vu whenever there is a change on the IdP side that may hinder the integration, to coordinate operations.