Configuring Single Sign-On to log on to MVISION

Single Sign-On (SSO) allows you to securely authenticate to multiple applications with one set of logon credentials. After you configure MVISION to trust your identity provider (IdP), you log on to your existing enterprise IdP and then access your MVISION account directly, without a second logon.

To configure SSO for your MVISION account:

  1. Configure the IdP application.
  2. Input your Security Assertion Markup Language (SAML) configuration information in MVISION.
  3. Update your IdP configuration with the information from MVISION.

The configuration you create using these steps is saved separately within the McAfee MVISION system.

Configuring the IdP application

Configure a new IdP application in your SSO solution to get the IdP URL, issuer URL, and X.509 certificate.

For instructions on how to configure your IdP application, see your identity provider's documentation.

Note: You might need to use placeholder values for the ACS URL and the Audience URI when you configure your third-party IdP. Enter the real values later, in Update your IdP application SAML settings with the information from MVISION.

Input your SAML configuration information in MVISION

Configure the settings in the Identity Provider page to enable SSO using your IdP application.

  1. Enter the information in the Identity Provider section.
    • Issuer — Enter the Identity Provider Issuer from your IdP.
    • Certificate — Download the certificate from your IdP, then click Choose File to upload the certificate to MVISION.
    • Login URL — Enter the Identity Provider SSO URL from your IdP.
    • Signature Algorithm — Make sure that your IdP application is configured to use the SHA-256 signature algorithm.
    • Request Binding — Make sure that the request binding matches the binding configured in your IdP application.
  2. From the User List, select the users that you want to exempt from SSO.
  3. After successfully saving the configuration, you can view the information in the Service Provider (MVISION) section.
    • Audience — Edit your IdP application's SAML settings to update the Audience URI.
    • Assertion Consumer Service URL — Edit your IdP application's SAML settings to include the SSO URL.
    • Certificate — Download the certificate. Some IdPs require the MVISION service provider certificate.
    • SAML Metadata — Download the SAML metadata. It contains other configuration details that your IdP might require.
  4. Click Save Changes.

Update your IdP application SAML settings with the information from MVISION

After saving the IdP configuration in your MVISION account, go to your IdP application and edit the SAML settings with the information from MVISION.

  1. Audience URI — Enter the Audience link from MVISION.
  2. Single Sign On URL — Enter the Assertion Consumer Service URL from MVISION.
  3. Configure the IdP application to send these user attributes.
    • First Name: firstName (possible schema: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/firstname or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname)
    • Last Name: lastName (possible schema: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname)
    • Email: email (possible schema: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress)
    Note: The possible schemas listed here are for reference only. The schema names vary depending on the IdP.
  4. Click the newly configured application to test the logon.
    Note: Set the Name Identifier (NameID) to the user's email address. MVISION accepts only the email address as the primary identifier for users.
Note: You must add users to your account and assign roles to allow them to access MVISION ePO using SSO.

Troubleshooting SSO

The error message "Misconfigured identity provider. Check your configuration and try again." appears during logon if either of these conditions is true:

  • The SSO application in your IdP or the Identity Provider settings in MVISION are not configured properly.
  • The user logging on through SSO has not been added to the MVISION tenancy.

Contact McAfee Support if you encounter this error.
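As an added example (not McAfee's code and not part of the original page), the following Python script ties together the exchange of values in the configuration steps above and the first troubleshooting condition: it reads the Audience URI and Assertion Consumer Service URL from service-provider metadata of the kind MVISION lets you download, then checks a SAML Response against the requirements the page lists (matching Issuer and Audience, a SHA-256 signature algorithm, an email-address NameID, and firstName/lastName/email attributes under any of the listed claim schemas). The entity IDs, URLs and XML are constructed placeholders. The script checks configuration consistency only; it does not verify the XML signature cryptographically, which a real service provider must do with a SAML library.

```python
"""Consistency checker for a SAML SSO configuration (added example, not McAfee code).

All URLs, entity IDs and XML documents here are constructed placeholders.
The checker does NOT validate the XML signature; it only reports settings
that would produce a "Misconfigured identity provider" style failure.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256_SIG_ALGS = {RSA_SHA256, "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Accepted attribute names per required field: short name plus the schema URIs from the page.
REQUIRED_ATTRS = {
    "firstName": {"firstName", CLAIMS + "firstname", CLAIMS + "givenname"},
    "lastName": {"lastName", CLAIMS + "lastname", CLAIMS + "surname"},
    "email": {"email", CLAIMS + "email", CLAIMS + "emailaddress"},
}
IDP_ISSUER = "https://idp.example.invalid/saml/issuer"  # constructed placeholder

# Constructed SP metadata standing in for the file downloaded from the service provider.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.invalid/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_sp_metadata(xml_text):
    """Return the two values copied into the IdP: Audience URI (entityID) and ACS URL."""
    root = ET.fromstring(xml_text)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return {"audience": root.get("entityID"), "acs_url": acs.get("Location")}


def build_response(issuer, sig_alg, nameid_format, audience, destination, attrs):
    """Build a constructed SAML Response for testing; values are not XML-escaped."""
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items())
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0" Destination="{destination}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/></ds:SignedInfo>
      <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="{nameid_format}">user@example.invalid</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, expected_issuer, sp):
    """Return a list of misconfiguration findings; an empty list means consistent."""
    findings = []
    root = ET.fromstring(xml_text)
    dest = root.get("Destination")
    if dest and dest != sp["acs_url"]:
        findings.append(f"Destination {dest} is not the service provider's ACS URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return findings + ["response carries no Assertion"]
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} does not match the configured Issuer")
    sig = a.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is None:
        findings.append("assertion is not signed")
    elif sig.get("Algorithm") not in SHA256_SIG_ALGS:
        findings.append(f"signature algorithm {sig.get('Algorithm')} is not SHA-256")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_NAMEID_FORMAT:
        findings.append("NameID is not in emailAddress format")
    audience = a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                          default="", namespaces=NS)
    if audience != sp["audience"]:
        findings.append(f"Audience {audience!r} does not match the Audience URI")
    present = {}  # attribute Name -> first value
    for attr in a.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        present[attr.get("Name")] = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
    for field, names in REQUIRED_ATTRS.items():
        if not any(present.get(n) for n in names):
            findings.append(f"required attribute {field} missing (accepted names: {sorted(names)})")
    return findings


if __name__ == "__main__":
    sp = parse_sp_metadata(SP_METADATA)
    good = build_response(IDP_ISSUER, RSA_SHA256, EMAIL_NAMEID_FORMAT, sp["audience"], sp["acs_url"],
                          {CLAIMS + "givenname": "Ada", CLAIMS + "surname": "Lovelace", "email": "ada@example.invalid"})
    print("good response findings:", check_response(good, IDP_ISSUER, sp))
    bad = build_response(IDP_ISSUER, "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                         "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
                         "https://wrong.example.invalid", sp["acs_url"], {"firstName": "Ada"})
    for f in check_response(bad, IDP_ISSUER, sp):
        print("FINDING:", f)
```

The "bad" response reproduces the settings the page warns about (a non-SHA-256 signature, a NameID that is not the email address, a wrong Audience, and missing attributes), so each printed finding maps to one of the fields in the Identity Provider section or the attribute list above. Running the same check against a response captured from a browser's SAML tracer is a quick way to narrow down which side of the configuration is wrong before contacting support.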