Skip to main content

Connecting to an SSO provider (SAML 2.0)

Enable your employees to securely and seamlessly sign in using Single Sign-On (SSO)

I
Written by IT_Admin Accounts
Updated today

This article applies to:

Admins

Vendr Intelligence and Procurement

Estimated time: Less than 30 mins

About this article

Enable your employees to sign in to Vendr using Single Sign-On (SSO). This article covers creating a SAML integration (i.e. Okta, Google, Microsoft, Jumpcloud, One Login) and connecting your SSO provider to Vendr.

How it works

When you use the SSO SAML integration employees will be prompted to log in to Vendr using single-sign-on instead of magic links. SAML provides a quick and secure method of passing user authentications and authorizations between your identity provider and Vendr.

Benefits

  • Increase security by centralizing user access to Vendr through your SSO provider

  • Provide a quick and seamless way for employees to log into Vendr – log in emails

Requirements

  • Vendr Admin

  • SSO Provider Super Admin

Note

Installing the SSO integration does not sync users to Vendr for assigning steps in workflows. To sync users to Vendr you'll also need to configure an Identity Provider or HRIS integration.

Before You Begin

If your users use multiple email domains, do not proceed with configuration and reach out to Vendr Support for assistance. Additional steps must be completed by Vendr Support in order to assist with mutli-domain configuration.

Overview

To allow employees to log in to Vendr using your SSO provider, you will:

Create SAML Application

  1. To kick this off, we'll begin in your SSO provider's admin area. First, create a New Application. Choose the Web for Platform, and SAML 2.0 for the Sign on method. Click Create to continue.

  2. Next enter "Vendr" as the App name, and please feel free to include our logo pre-sized. Click Next to proceed to SAML Settings.

  3. Adding key information provided by Vendr, and providing Vendr with your metadata and cert file.

    1. In a new window, navigate to Vendr's SSO Settings page.

    2. Select the relevant SSO provider or choose Custom, and you'll be provided with key pieces of information: the Assertion consumer services (ACS) URL, Entity ID, and Metadata URL.

    3. Copy and paste each of those two values into their respective fields back in your SSO tab.

    4. You can leave all the other inputs as is, and click Next to continue.

      1. It may ask you if you are publishing a new app.

      2. Click Finish to proceed.

  4. The last step is to get the Metadata.xml content from your new application.

  5. Click View Setup Instructions and scroll to the bottom of the page.

    1. You should see an "Optional" section, that includes a text area that contains an XML document.

    2. Download the document

  6. Return to your browser tab with Vendr SSO Settings, open the XML document, and copy/paste the text from inside the document into the Identity Provider XML field in Vendr's SSO Setup page.

  7. Click Submit to complete the setup.

Okta-specific Setup: When using Okta, note that the Single Sign-On URL corresponds to the Assertion Consumer Service (ACS) URL in Vendr, and the Audience URI is the same as the Entity ID. Ensure these values are copied exactly from Vendr's settings to avoid authentication errors.

Enable SSO in Vendr

Important!

Before you begin, we recommended that you test the configuration using a different browser or browser in Incognito or Privacy Mode, or work with another user to test the configuration. Please ensure that they can log in to both your Identity Provider and the Vendr application before proceeding. The user must be fully logged out of the Vendr application in order to test, otherwise this can produce false positives due to existing login sessions (https://app.vendr.com/logout). If there is a configuration issue, and the administrator configuring SAML is logged out, users will not be able to login again without contacting Vendr Support to disable SSO on your behalf.

  1. Navigate back to Vendr's SSO set up page

  2. Paste your Single sign-on URL and Entity ID from your SAML application into the appropriate fields if required

  3. Upload the downloaded metadata file from the previous step to Metadata XML field

  4. Click Submit

  5. Verify that the SSO domain matches your organization's domain (e.g., [company.com](https://company.com))

  6. Perform a test login to ensure the configuration works as intended

Attribute Mapping

Depending on your IdP configuration, the default attribute mapping may need to be updated. However, if your user login identities in your IdP do not match the user’s email address which is tied to their identity in Vendr, you will want to ensure that "User ID mapping" is associated with a field containing the user's primary email address in Vendr. Use this field to specify which field to associate during sign-in.

For example, with Okta as IdP you should map "Application username" to "Email", and with Microsoft Entra you should map "Unique User Identifier" to "user.mail". This value, also referred to as the NameID in the SAML specification, is automatically mapped as the “id” attribute.

Note: Changing the default attribute mapping within the Vendr application can cause sign-in issues and should be done with extreme caution.

Okta Mapping Examples

The following maps the Application username value to the user’s Email address.

Vendr Attribute

IdP Attribute Value

Okta IdP Mapping

User ID

id

user.email

User Email

mail

user.email

User First Name

firstName

user.firstName

User Last Name

lastName

user.lastName

Entra ID Mapping Examples

The following maps the Unique User Identifier value to the user’s Email address.

Vendr Attribute

IdP Attribute Value

Entra IdP Mapping

User ID

https://schemas.microsoft.com/identity/claims/objectidentifier

user.mail

User Email

https://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

user.mail

User First Name

https://schemas.xmlsoap.org/ws/2005/05/identity/givenname

user.givenname

User Last Name

https://schemas.xmlsoap.org/ws/2005/05/identity/surname

user.surname

Having trouble? Review these key points:

  • Obtain exact connection details like the Assertion Consumer Service URL and Entity ID from Vendr's SSO setup page.

  • Ensure consistency with your organization's domain (e.g., [company.com](https://company.com)).

  • Test the setup thoroughly to confirm proper functionality. We recommend signing in using a different browser or a browser, fully logged out, or in Incognito or Privacy Mode.

  • Ensure the User ID mapping field matches the email addresses used in you Vendr account.

Did this answer your question?