Single Sign-On FAQ
Here you’ll find answers to some frequently asked questions about single-sign on and Vault.
SSO in Vault FAQ
If SSO is enabled in a vault, do all users need to use it?
Whether a user accesses Vault using login credentials or using SSO depends on the Security Policy set for the user. You may configure a vault so that some users use SSO and others do not. This ability is useful if you grant user accounts to people outside your organization (for example, ad agencies or auditors). With SAML, you may also add an Identity Provider button to your login page, providing users with login options.
Vault has a restriction to prevent users who sign in with IdP-initiated SSO from providing eSignatures. See details below.
What happens to audit trail tracking for logins?
Anytime a user navigates to your Vault and is automatically logged in via SSO, the activity triggers a new user login item in the audit trail.
Can a user profile use both SAML and OAuth 2.0 /OpenID Connect?
Yes. The security policy associated to a user can have up to one SAML and one OAuth 2.0 / OpenID Connect profile.
How difficult is it to implement SAML with Vault?
If your company already has SAML 2.0 in place with other cloud applications, it should not be difficult. If you have no prior experience with SAML and cloud applications, it will take time to establish the general infrastructure and gain familiarity with SAML and IdP configuration.
Can SAML be used to integrate Vault & Veeva CRM?
Yes. You can configure the Veeva CRM org to be a SAML IdP, or use an external IdP with both Veeva CRM & Vault as SPs. Alternately, you can use Delegated Authentication.
Can SAML be used with the Vault API?
Yes. For more information, see the Vault Developer Portal.
What types of authentication does SAML support?
We recommend that you use forms-based authentication. When using Kerberos or NTLM authentication, some browsers and clients may forward cached authentication sessions rather than prompting users for re-authentication during eSignature tasks.
What type of TLS integration does SAML support?
We support both TLS 1.1 and TLS 1.2.
How do session timeouts interact between the IdP and Vault?
When using SSO, we recommend that you configure the same session duration for your vault and your identity provider. If the vault’s session duration is longer, Vault only considers its active session and does not automatically log users out when the IdP session expires. If the vault’s session duration is shorter, Vault may log the user out, but the browser will typically redirect back to the IdP and the IdP will either start a new Vault session or prompt the user to login again.
How does eSignature work with SAML?
Our eSignature approach prompts the user to re-enter their username and password. eSignature is only available with SSO using the SP-initiated SAML model. When SSO users try to complete an eSignature task, Vault loads the identity provider’s login page and asks users to re-authenticate there. There are no additional steps in Vault to complete the task.
Some browsers prevent users from completing eSignatures with their SAML Identity Providers through an iFrame. You can avoid this issue by enabling third-party cookies and adding *.veevavault.com domain to a list of trusted domains. Alternatively, you can configure the eSignature flow to complete through a pop-up by selecting the Authenticate SAML eSignatures in a pop-up window rather than an iFrame checkbox.
OAuth2.0 / OpenID Connect FAQ
What kind of infrastructure is required to implement OAuth2 / OIDC with Vault?
Vault supports OpenID Connect with PingFederate Authorization Servers only. Vault can consume the access tokens to issue Vault Session IDs. It is further recommended that your client and AS supports and implements PKCE.
Can OAuth2 / OIDC Connect be used to log in to Vault UI?
No. OAuth / OIDC is available for API level authentication only at this time. For more information, see the Vault Developer Portal.
Does my Vault Session ID expire when the access token expires?
Once a Vault Session ID is issued, it follows the Vault session duration configuration and not the token expiration specified by the AS. This means the AS access token may expire before the Vault Session ID. When Vault Session ID expires, you must request new one using your AS access token.