SSO and the Verizon Connect Platform

Understanding How to Integrate SAML SSO with the Verizon Connect Enterprise Platform


This document summarizes the Single Sign-On process when connecting to the Verizon Connect platform via an external Identity Provider ('IdP'). It also describes the configuration settings and conditions required to generate an authentication token and log into the Verizon Connect platform with SAML SSO using bearer assertions for OAuth 2.0.


About SAML SSO

Single Sign-On (SSO) allows network users to access multiple related, but independent, software systems without requiring them to log into each separately. Using SSO, your organization sees the following benefits:

  • Your organization retains complete control over the authentication of accounts. Any security or password policies you have in place will also be applied to your Verizon Connect accounts.
  • Once users have logged into your network, they do not need to log in a second time to access their Verizon Connect account. They simply click a link on one of your web pages and immediately access their Verizon Connect accounts.
  • Because users have only a single login and password, there is much less likelihood that they will forget their credentials.

Verizon Connect provides support for SSO using SAML v2.0 (Security Assertion Markup Language – version 2.0). SAML is an XML-based protocol that uses security tokens containing 'assertions' to pass information about users.


Understanding How the SAML SSO Process Works

SSO diagram

Step 1 - A user logs into your company website or intranet

Because it is your website or application that authenticates the user’s identity, SSO calls this application the Identity Provider or 'IdP'.

Step 2 - The user navigates to the Verizon Connect website from your site

Once authenticated by your internal Identity Provider, the user then clicks a link or button on your IdP site which directs them to the Verizon Connect platform.

Step 3 - Your company IdP service generates a SAML v2.0 bearer assertion

Your IdP generates a SAML v2.0 "bearer" assertion. This is an XML packet that conforms to the SAML schema and contains information about the user's identity. The assertion contains the following elements:

  • <saml:Issuer>, which uniquely identifies your organization.
  • <ds:Signature>, which contains a digital signature, made with the IdP's signing key, that protects the integrity of the assertion.
  • <saml:Subject>, which identifies the user who is attempting to log in.
  • <saml:NameID>, a child of the <saml:Subject> element, which holds the name of the user.
  • <saml:Conditions>, which gives conditions under which the assertion is to be considered valid (what the user has been authenticated for).
  • <saml:AuthnStatement>, which describes the authentication performed by the IdP.
  • <saml:AttributeStatement>, which provides any additional properties of the user.

NOTE: For details, see the Sample SAML Response generated by the IdP.

Step 4 - Your IdP sends an HTML form to Verizon Connect Fleet (SSO service provider)

The IdP sends an HTML page containing a form, which in turn contains a hidden field with the bearer assertion. This form is submitted to Verizon Connect Fleet which, in SSO terms, is called the Service Provider (SP) because it consumes the authentication assertion in order to provide a service.

Step 5 - The Verizon Connect Fleet service logs the user into the Fleet platform

After receiving the IdP form, Verizon Connect completes the following actions:

  • It redirects the assertion to the Fleet SAML Authentication Service, which verifies the bearer assertion.
  • The <saml:Subject> element is then used to identify the user and create a fleet authentication token if a matching and active account exists.
  • The user is logged into the Verizon Connect Fleet platform.
  • Finally, the user is redirected to the Fleet application.

Configuring SAML SSO in the Verizon Connect Platform

You need the following to configure and use SAML SSO with the Verizon Connect platform:

  • A SAML 2.0 identity provider that has been configured to connect with the Verizon Connect SAML SSO service provider. For details on configuring the IdP, contact your Identity Service administrator. If you use a hosted identity provider, such as Okta or ADFS, see that service's documentation for IdP configuration. Self-signed certificates are also accepted.
  • A signed certificate from a trusted CA (certificate authority), or a self-signed certificate, that the IdP uses to sign the SAML assertions sent to Verizon Connect.
  • An IdP Issuer URL, which is the unique address for the SAML Identity Provider (IdP) that handles user sign-in requests for your organization. This value matches the <saml:Issuer> element of your SAML assertions.
  • An active Verizon Connect Fleet account with administrator-level permissions.

The following instructions describe the SAML configuration process for setting up individual subusers when logged into the Verizon Connect Fleet UI. If you have many users to set up, contact your Verizon Connect account representative to learn about the configuration options available.

NOTE: SSO support is option-controlled and only available if your account subscription includes it. Contact your Verizon Connect representative for more information.


Setting Up SAML Connectivity For Verizon Connect Fleet

  • Sign in to Verizon Connect Fleet with an administrator account at one of these URLs: https://login.platform.telogis.com/ or https://login.platform.telogis.eu/.
  • Provide Verizon Connect with your X.509 signing certificate and related information:

    • Open the External Authentication Settings dialog by clicking on your account name in the upper right corner of the platform screen and then selecting Single Sign On.
    • Type the name of the SSO into the SSO name field. The value you enter should match the <saml:Issuer> element of the assertion that the IdP sends to the Verizon Connect platform.
    • Click the Upload Certificate button, and then navigate to your certificate to upload it. Certificates that are neither self-signed nor signed by a trusted CA will be rejected. Once you have uploaded the certificate, the display updates to show the verification status and the common name of your certificate.
    • Select one of the two platform sign-in options available. SSO only allows access to the platform via SSO authentication alone, while SSO and Verizon Connect allows access to the platform using either SSO or the standard platform sign-in screen, where manually entered credentials are supplied.
    • Click the Save button.
  • Set up an IdP username for each of your subusers:

    • From the Subusers screen in Verizon Connect Fleet, individually click the name of each subuser that will use the SSO system. The Edit User dialog box opens.
    • On the Details tab of the Edit User dialog box, add a value to the IdP Username field. These name values should match the values included in the <saml:NameID> element of your IdP assertion.
  • To post your SAML assertions, first check the domain extension in your Fleet URL. If the domain extension is “.com” post the SAML assertions here: https://integration.telogis.com/SamlLogin/AssertionConsumerService.aspx. If the domain extension is “.eu” post the SAML assertions here: https://integration.telogis.eu/SamlLogin/AssertionConsumerService.aspx.

Verizon Connect uses the <saml:Issuer> element of the assertion to identify your account, and the <saml:NameID> element of the assertion to identify the individual to be logged in.


Sample SAML Response Generated by IdP

The following example shows a sample SAML v2.0 response (bearer assertion). The values enclosed in brackets, for example {randomGUID} and {currentTime}, represent the values generated by the IdP.

<samlp:Response ID="{randomGUID}" Version="2.0" IssueInstant="{currentTime}" Destination="{AssertionUrl}" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{issuer}</saml:Issuer>
    <samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
    </samlp:Status>
    <saml:Assertion Version="2.0" ID="{randomGUID2}" IssueInstant="{currentTime}" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:Issuer>{issuer}</saml:Issuer>
        <saml:Subject>
            <saml:NameID>{nameId}</saml:NameID>
            <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <saml:SubjectConfirmationData Recipient="{RecipientUrl}" />
            </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:AuthnStatement AuthnInstant="{currentTime}">
            <saml:AuthnContext>
                <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
            </saml:AuthnContext>
        </saml:AuthnStatement>
    </saml:Assertion>
</samlp:Response>


When you configure the IdP to use the Verizon Connect SSO SAML service, use one of the following URLs for both the AssertionUrl and RecipientUrl values. If the domain extension in your Fleet URL is “.com”, use https://integration.telogis.com/SamlLogin/AssertionConsumerService.aspx. If the domain extension in your Fleet URL is “.eu”, use https://integration.telogis.eu/SamlLogin/AssertionConsumerService.aspx.
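The following is an added example, not Verizon Connect's code, that walks the sample response above through Steps 4 and 5 as a service provider would: the IdP side base64-encodes the response into the hidden SAMLResponse form field, and the SP side checks the status, matches <saml:Issuer> to a configured SSO name, requires a bearer confirmation whose Recipient is the ACS URL, and matches <saml:NameID> to a configured IdP username. The issuer value, usernames and the ACCOUNTS table are constructed assumptions, and XML signature verification is deliberately left to an XML-DSig library.

```python
import base64
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",   # namespaces from the sample response
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ACS_URL = "https://integration.telogis.com/SamlLogin/AssertionConsumerService.aspx"

# Constructed sample: the page's response with its {placeholders} filled in (signature omitted).
SAMPLE_RESPONSE = f"""<samlp:Response ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="{ACS_URL}" xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="_a1" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical SP configuration: SSO name (issuer) -> account, and its IdP username -> subuser map.
ACCOUNTS = {"https://idp.example.com": {"account": "acme-fleet", "idp_usernames": {"jdoe": "user-42"}}}

def form_field(response_xml: str) -> str:
    """Value of the hidden SAMLResponse field in the IdP's HTTP-POST form (Step 4)."""
    return base64.b64encode(response_xml.encode()).decode()

def consume(saml_response_b64: str, acs_url: str = ACS_URL) -> str:
    """SP-side checks on a posted bearer assertion (Step 5); returns the matched subuser id.
    ds:Signature verification is not shown: run it with an XML-DSig library before these checks."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        raise ValueError("response status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    account = ACCOUNTS.get(assertion.findtext("saml:Issuer", default="", namespaces=NS))
    if account is None:
        raise ValueError("issuer does not match any configured SSO name")
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = None if conf is None else conf.find("saml:SubjectConfirmationData", NS)
    if conf is None or conf.get("Method") != BEARER or data is None or data.get("Recipient") != acs_url:
        raise ValueError("expected a bearer confirmation addressed to this ACS URL")
    user = account["idp_usernames"].get(assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS))
    if user is None:
        raise ValueError("no active subuser with this IdP username")
    return user
```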