Enabling Single Sign-on in VWO

Overview

Single Sign-on (SSO) is an authentication process that allows users to access multiple applications with one set of sign-in credentials. SSO is a common procedure in enterprises, making it easier for them to manage a centralized list of their users. This practice makes it easy for them to restrict users' access to all connected applications by disabling their accounts once in the central database.

Advantages of Using SSO

• Eliminates credential reauthentication and helpdesk requests, thus improving productivity.
• Streamlines local and remote applications and desktop workflow.
• Minimizes phishing.

Enable SSO in Your VWO Account

Enabling SSO in your VWO account is a one-time task.

Prerequisites

• To enable SSO for your account, you must use a SAML 2.0-based identity provider (such as Google, Azure AD, OneLogin, Okta, or Auth0).
• An active VWO Enterprise account.
• Ensure you have the correct permissions. Only VWO users with Owner and Admin permissions from the main workspace can configure and enable SSO. Users with other roles (like Browse or Publish) and users in sub-workspaces cannot access these settings. For more information, see Understanding VWO Account Hierarchy.

Procedure

1. Sign in to your VWO account.
2. Click Settings on the top right, and go to Accounts > Security.
3. Scroll down to the Single Sign-On section and click Configure & activate SSO.
   
4. VWO supports single sign-on (SSO) only via the SAML 2.0 protocol. Configure the following details to set up SAML-based single sign-on (SSO) for your account using your Identity provider (IdP).
   1. Upload the SAML certificate, a digital file issued by your Identity Provider (IdP). This certificate verifies the authenticity of the information exchanged between your IdP and VWO and ensures that it has not been altered. Without the correct SAML certificate, VWO cannot verify that the login request is legitimate.
      
      Note: VWO accepts the following certificate formats: .pem, .csr, .cer, .cert. Ensure that your uploaded file matches one of these formats to avoid configuration errors. For more information on how to get the certificate, see Configuring Single Sign-on for VWO.
   2. Configure the SSO entry point. It is a unique URL provided by your Identity Provider (IdP) and is the trusted endpoint that VWO uses to receive and process the successful login message.
      
      Note: VWO does not generate this URL. You must obtain it from your Identity Provider's application settings. When you configure VWO as a new application within your IdP's admin console, the platform will generate this specific URL for you. Ensure you copy and paste this URL from your IdP's settings exactly as it's provided, as any errors can cause the SSO test and activation to fail.
5. Click Test the SSO configuration to validate the connection between your IdP and VWO. This step is mandatory. You cannot proceed with the setup until you perform this action.
   
6. A new tab opens, directing you to your Identity Provider (IdP) login page. If you are already authenticated, you will be automatically signed in and redirected to your VWO account. Otherwise, enter your credentials to proceed. For example, the image below shows Okta's login screen. Based on your organization’s IdP, you will be redirected to the respective login page. Enter your login credentials to sign in.
   If the configuration is correct, you are redirected back to VWO. A message appears on the screen confirming the SSO configuration test was successful.
   If the test fails, an error message appears. In this case, check your certificate and entry point details and ensure you have uploaded the correct details.
   
   Note: The Activate SSO button remains disabled until the test is successful.
7. From the Workspace Access section, decide which workspaces should use the SSO setup. By default, it is automatically enabled for the main workspace and cannot be disabled there. You can choose:
   • Enable all workspaces to enable it for all current and future workspaces, or
   • Select workspaces to enable it for only select workspaces. Click Add more workspaces to choose which sub-workspaces can use SSO.
8. Click Activate SSO. Upon successful activation, a toast notification appears with the message: SSO configuration has been enabled successfully.

Once SSO is enabled for an account, all users in that account will be required to log in using SSO. The traditional email-and-password-login method will be disabled for them.

However, when adding a new user after SSO is enabled for an account, the admin has an option to disable SSO for that specific user. If the admin chooses this option, the user can log in using their email and password instead of SSO.

Edit Your Account's SSO Configuration

You can update your SSO settings at any time, however, you cannot edit them directly while SSO is active. To make any changes, you must first disable the current configuration.

Follow the steps below to update your SSO settings:

1. Disable SSO: Log in to your VWO account. Go to Settings > Account > Single Sign-On > View Details. Click Disable SSO. Confirm the action on the confirmation pop-up. This will revert your account to the standard login process.
   
   Note: Only VWO users with Owner and Admin permissions from the main workspace can disable SSO.
2. Edit Details: Click Configure & activate SSO. Follow the steps listed under the Enabling SSO in your VWO Account section of this article. You can now upload a new certificate and/or enter a new SSO entry point.
3. Retest Configuration: Click Test SSO configuration to ensure the new details are correct.
   
   Note: Testing the configuration is mandatory. Every time you configure or update the SSO settings, you must test the configuration before activating it.
4. Reactivate SSO: Once the test is successful, click Activate SSO to re-enable single sign-on for your account with the updated details.

Sign In to Your VWO Account Using SSO

Once you have enabled SSO for your VWO account, users can sign in using the SSO option.

Procedure for Users to Sign In Using SSO

1. Go to the sign-in page, and click Sign in using SSO.
   You will be redirected to the SSO page.
   
2. In the Email address field, enter your email address and click Sign In.

You will be redirected to your identity provider to authenticate, or if you are already authenticated, you’ll be signed in to your VWO account. 

FAQs

• What happens to the current session when single sign-on is enabled/disabled for an account? Will the users be signed out of their accounts?
  Users will not be signed out of the current session. However, from the next login attempt, users will be prompted to log in through SSO.
  
  
• If an admin/owner enables SSO, will users still be allowed to sign in using their email and password?
  No, all users will have to use the Sign-in using SSO option. They cannot use a password to sign in. However, this behavior depends on the SSO configuration applied to individual users. Admins and Owners can choose to disable SSO for specific new users, in which case those users can continue to log in with their email and password.
  
  
• If SSO is disabled, how will the users access the account? Can they start using their old email address and password?
  Yes, users can access their accounts using their existing email address and password. If a user has never set a password, they can use the Forgot Password link to create one. Once set, they can sign in with their email address and the new password.
  
  
• Will the users be allowed to change the password after SSO is enabled?
  No, users cannot change the password after SSO is enabled as they will not need passwords to sign in to VWO.
  
  
• What should I do if my identity provider goes down?
  Raise a support ticket with VWO Support to have disable SSO for your account. Once disabled, all users can create a password through the link shared in the email sent to them or by using the Forgot Password option to sign in to VWO.
  
  For business continuity, we recommend creating one additional admin user with SSO disabled. This account should be secured with a strong password and stored safely. It ensures you can still access VWO and manage SSO settings if your IdP becomes temporarily unavailable.
  
  
• Can I enable SSO only for a few users in my account?
  No, it is not possible to have both SSO and non-SSO users. After SSO is enabled for your account, all users must sign in through SSO. However, when adding new users after SSO is enabled, Admins and Owners can disable SSO for those specific users if required.
  
  
• My company has enabled SSO, but I cannot sign in using SSO from my email id?
  We recommend that you check if your email is added as a user in the VWO account. If you are able to confirm that and still cannot sign in, contact VWO Support.
  
  
• My company uses a custom Single sign-on solution. Is VWO compatible with that?
  VWO is compatible with any SAML 2.0-based authentication solution. Contact VWO support , and they will help you configure it.
  
  
• What are the entry and logout URLs for VWO?
  Entry URL: https://app.vwo.com/login/ssocallback
  Logout URL: https://app.vwo.com/logout/sso

Need more help?

For further assistance or more information, contact VWO Support.