# SSO authentication
In support of your business flows, eWizard is flexibly integrated with a number of external systems. One of these external systems is Veeva Vault. eWizard supports Veeva Vault flows for item creation, modular content, approval, and end usage. Access to Veeva Vault from eWizard is available to authenticated users.
On demand, eWizard can be configured to allow SSO authentication for accessing the Veeva Vault-connected options within the platform.
Logically, SSO authorization to Veeva Vault consists of two parts: web and API. The web part is implemented with the SAML protocol, and the API part is based on OpenID Connect.
# SAML
SAML requires explicit trust between a website and the customer's Identity Provider (IdP). Under this explicit-trust principle, the website does not need to collect and store information from users itself, because all information about a user is supplied by the IdP. SAML support usually has to be coded in advance and requires federating the website with only selected identity providers.
In Veeva Vault, SAML is responsible for SSO authentication in the web interface.
# OpenID
OpenID Connect is an identity layer on top of the OAuth 2.0 protocol. In Veeva Vault, OpenID is responsible for granting API access to Veeva Vault resources. Since eWizard accesses Veeva Vault via the API, an OpenID profile must be set up for the security policy that is assigned to a user. OpenID allows eWizard to verify the identity of end users based on the authentication performed by the authorization server, and to obtain basic profile information about them.
# SSO authentication setup
To set up SSO authentication, an administrator must do the following:

1. Set up the SAML profile (for the web interface).
2. Set up the OpenID profile (for REST API access).
3. Create a security policy using these two profiles.
4. Assign the created security policy to a user.

Both the SAML and OpenID profiles can be set up with different Identity Providers. For example, ADFS 4.0 can be used for SAML and Azure AD for OpenID, or vice versa.
We recommend using the same Identity Provider for both the OpenID profile and access to eWizard. In this case, authentication/authorization to Veeva Vault happens under the hood; it is nonetheless still secure.
# Setting up the OpenID profile
To set up OpenID for REST API access, follow these instructions.
The identity providers supported by Veeva Vault are listed below:
| IdP | Vault (Supported) SAML | VFM Supported OAuth/OIDC | Veeva Snap Supported OAuth/OIDC |
|---|---|---|---|
| ADFS 2.0, 3.0 | X | | |
| ADFS 4.0 | X | X | X |
| PingFederate 8.x, 9.x | X | Y | X |
| Okta | X | 19R1 | X |
| Exostar | X | | |
| Siteminder | Y | | |
| PingOne | Y | | |
| OneLogin | Y | Y | |
| Centrify | Y | | |
| Liferay | Y | | |
| VMware Identity Manager | Y | | |
| Azure AD | Y | X | |
| Oracle IDM | | | |
| Auth0 | Y | | |
| IdentityNow | Y | | |
Y = Used by Veeva customers but not officially tested by Veeva.
In this case, the flow is as follows:
A user logs in to eWizard. To publish items to Veeva Vault or to use Veeva Vault assets, they need access to Veeva Vault. That access requires authentication/authorization, which is set up using the customer's IdP. The user passes the identity check, receives a Veeva Vault session ID token, and is allowed to access Veeva Vault resources.
![SSO authentication flow](images/sso-auth.png)
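The OpenID Connect leg of this flow, shown as an added example that is not eWizard's or Veeva's own code. It covers the three steps a client performs: sending the user to the IdP with a fresh `state` and `nonce`, verifying the returned ID token (signature, issuer, audience, expiry, nonce) before trusting it, and building the request that exchanges the IdP access token for a Veeva Vault session ID. The IdP at `idp.example.com`, the client ID, the redirect URI and the `OAUTH_OIDC_PROFILE_ID_PLACEHOLDER` value are all assumptions constructed for the example; HS256 with a shared key is used only so the code runs on the standard library (production IdPs sign with RS256 and publish keys via JWKS, but the claim checks are identical). The Vault session endpoint shape follows the Vault REST API documentation for OAuth 2.0 / OpenID Connect login and should be confirmed against the API reference for your Vault version.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import urlencode

# Constructed values for the example; real deployments take them from the IdP's
# OpenID configuration and from the Vault OAuth/OIDC profile.
IDP_ISSUER = "https://idp.example.com"
IDP_AUTHORIZE_ENDPOINT = IDP_ISSUER + "/oauth2/authorize"
CLIENT_ID = "ewizard-vault-client"
REDIRECT_URI = "https://ewizard.example.com/sso/callback"
VAULT_LOGIN_HOST = "https://login.veevavault.com"
VAULT_OIDC_PROFILE_ID = "OAUTH_OIDC_PROFILE_ID_PLACEHOLDER"  # placeholder, not a real profile id
CLOCK_SKEW_SECONDS = 60


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request():
    """Step 1: redirect the browser to the IdP. Returns (url, state, nonce); state and
    nonce are stored server-side and checked when the user comes back."""
    state = secrets.token_urlsafe(16)   # binds the callback to this login attempt (CSRF)
    nonce = secrets.token_urlsafe(16)   # binds the ID token to this login attempt (replay)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return f"{IDP_AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, nonce


def validate_id_token(id_token: str, key: bytes, expected_nonce: str,
                      now: Optional[float] = None) -> dict:
    """Step 2: verify the ID token before trusting any claim in it. Raises ValueError."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != IDP_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("token was not issued for this client")
    if claims.get("exp", 0) + CLOCK_SKEW_SECONDS <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def build_vault_session_request(access_token: str, vault_dns: Optional[str] = None) -> dict:
    """Step 3: the request that trades the IdP access token for a Vault session ID.
    Endpoint shape per the Vault REST API docs (assumption; check your Vault version)."""
    body = {"vaultDNS": vault_dns} if vault_dns else {}
    return {
        "method": "POST",
        "url": f"{VAULT_LOGIN_HOST}/auth/oauth/session/{VAULT_OIDC_PROFILE_ID}",
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Accept": "application/json",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode(body),
    }


def make_test_id_token(key: bytes, claims: dict) -> str:
    """Helper that mints an HS256 token the way the constructed IdP would."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```

The nonce check is what ties the ID token to the login attempt that started it: a token captured from one session cannot be replayed into another, which is the property the page relies on when it says the procedure stays secure even though it runs under the hood.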
# eWizard as an IdP
eWizard can function as an Identity Provider as well. In this case, access to Veeva Vault requires the same authentication as access to eWizard, since the identity checks are similar and require the same information. Because users have already authenticated to eWizard, this procedure goes under the hood, and the session ID token is granted to them almost immediately after they request access.
Although the procedure is simplified, it remains safe and secure, because security is ensured by the OpenID protocol.