Virgo supports Single Sign On (SSO) using SAML 2.0. Virgo holds the role of Service Provider and has been used with Identity Providers including ADFS, Azure AD, Google, and Okta, among others.
SSO can be used for the main Virgo application and/or the Virgo Employee Portal application. These are separate services with different audiences in mind; each one requires a separate SSO configuration.
SSO setup involves the exchange of metadata between the Identity Provider and the Service Provider. This can be challenging because each side requires information from the other side before setup is complete. These instructions assume that the Virgo configuration is both the first and last step in order to minimize the impact on customer IT resources.
1. Log in to Virgo with administrator privileges.
2. Click on the Admin link and then click on the Identity Providers tab.
3. Create a New identity provider. Use “TBD” for the fields SSO URL, Entity ID, and IdP Certificate. See the Identity Provider Record Fields table below for additional details.
4. Download the metadata file by clicking on the Virgo SSO Metadata link.
5. Provide the metadata file to the administrator of the IdP.
6. The IdP administrator completes the IdP setup and grants access to the necessary users (those who are named users in Virgo). Once completed, the IdP administrator will send the necessary metadata.
7. Once you have received the IdP metadata (certificates are sometimes provided separately for convenience), complete the setup of the identity provider record. Enter the correct values for SSO URL, Entity ID, and IdP Certificate. Verify the configuration of the remaining fields.
8. Test the SSO setup by opening a fresh web browser (or a private/incognito browser window) at the Virgo SSO ACS URL.
Identity Provider (IdP) – The system that produces SAML assertions and authenticates users. The IdP is provided by the customer.
Service Provider (SP) – The system that receives and accepts SAML assertions. This is Virgo or the Virgo Employee Portal.
Virgo – The primary Virgo interface for named users who add and edit data. Users are typically limited to a small group who need to manage the data or access legal research.
Virgo Employee Portal (Employee Portal) – The read-only Virgo interface used by most employees in an organization. Typically, all users need access but these users do not need their own Virgo user login.
Screenshot of the Identity Providers tab, with callouts for: the Identity Providers link; the IdP settings (some of which depend on metadata from the IdP); and the links for initiating SSO and downloading metadata.
Employee Portal SSO Configuration
Employee Portal SSO setup follows the same process as above; however, there are some key differences:
Select a user for Employee Portal User Mapping in order to grant access to users without a named user in Virgo. For details on adding a portal user, see Employee Portal Service Account Setup.
You generally will not want to show this option on the login page.
The IdP administrator will typically grant access to this connection for all users in the organization, not just Virgo named users.
For metadata and testing, be sure to use the links under the Employee Portal SSO heading.
Identity Provider Record Fields
The following fields are available for identity provider records in Virgo:
Name – Name or description of the identity provider that will make sense to the users. Examples: ADFS, Azure AD, Corporate Login.
Protocol – Protocol for this connection. SAML 2.0 is the default and only available value at this time.
SSO URL – Single sign on URL (EntityDescriptor / IDPSSODescriptor / SingleSignOnService[@Location]).
Entity ID – Unique identifier of the SAML IdP (EntityDescriptor[@entityID]).
IdP Certificate – The IdP’s public signing certificate used to validate SAML assertions (EntityDescriptor / IDPSSODescriptor / KeyDescriptor[@use=signing] / KeyInfo / X509Data / X509Certificate). PEM encoded certificate which should start with -----BEGIN PRIVATE KEY----- on its own line and end with -----END PRIVATE KEY----- on its own line.
Authentication Request Binding – Protocol binding for the SSO request (EntityDescriptor / IDPSSODescriptor / SingleSignOnService[@Binding]).
Authentication Context – Authentication assurance level or criteria being requested. Default: unspecified (except for ADFS, where it is best to select “Disabled”; see notes below).
Name Identifier Format – Name identifier format to request from the IdP.
Virgo Identifier Field – Virgo field that should be used to compare to the name identifier provided by the IdP.
Signing Algorithm – Algorithm used for signing requests.
Employee Portal User Mapping – Employee Portal user that should be used when the portal is accessed by an authenticated IdP user who doesn’t have a Virgo login. Must be a user with the Portal User security role.
Show on Login Page – Display a tile for this IdP on Virgo’s Single Sign On login page.
Active – Deactivate an IdP without deleting it.
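As an added example (not code from Virgo or its documentation), the following Python script reads an IdP metadata file using the element paths listed above, selects the SingleSignOnService that matches the chosen Authentication Request Binding, checks that the SSO URL is https, and re-wraps the signing certificate as a PEM block ready to paste. The metadata, the host idp.example.test, and the certificate body are constructed placeholders; the script uses only the standard library.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: idp.example.test and the certificate body are placeholders, not real data.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml2">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml2/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml2/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def extract_idp_settings(metadata_xml, preferred_binding="HTTP-Redirect"):
    """Return the Virgo identity provider record values found in IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not IdP metadata: expected EntityDescriptor/IDPSSODescriptor")
    # KeyDescriptor[@use=signing] first; one with no 'use' attribute serves both signing and encryption.
    key = idp.find("md:KeyDescriptor[@use='signing']", NS)
    if key is None:
        key = next((k for k in idp.findall("md:KeyDescriptor", NS) if k.get("use") is None), None)
    cert = key.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if key is not None else None
    if cert is None or not (cert.text or "").strip():
        raise ValueError("no signing certificate in metadata")
    # validate=True rejects stray characters; re-wrap at 64 columns as a PEM certificate block.
    der = base64.b64decode("".join(cert.text.split()), validate=True)
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"
    # Use the SingleSignOnService whose Binding matches the Authentication Request Binding field.
    sso = next((s for s in idp.findall("md:SingleSignOnService", NS)
                if s.get("Binding", "").endswith(":" + preferred_binding)), None)
    if sso is None:
        raise ValueError(f"IdP offers no SingleSignOnService with the {preferred_binding} binding")
    if not sso.get("Location", "").startswith("https://"):
        raise ValueError("SSO URL is not https; authentication requests would travel in the clear")
    return {
        "Entity ID": root.get("entityID"), "SSO URL": sso.get("Location"),
        "Authentication Request Binding": sso.get("Binding"), "IdP Certificate": pem,
        "NameID formats offered": [n.text for n in idp.findall("md:NameIDFormat", NS)],
    }
```

Run it against the metadata file the IdP administrator sends (for example `extract_idp_settings(open("idp-metadata.xml").read())`) and compare the returned values with what you enter in the record; a metadata file that contains an SPSSODescriptor instead of an IDPSSODescriptor is rejected, which catches the common mix-up of the two sides' metadata.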
Virgo does not support just-in-time user provisioning. You need to create user accounts for all named users who will access Virgo. You do NOT need to create a user account for anybody who will be using the Employee Portal anonymously.
Your configuration determines how to match your Virgo user accounts with your IdP accounts. The default option is to match against the Virgo account username. Other options include Email address and Federation ID. The email address is typically the same as the username in Virgo, but it doesn’t have to be. Federation ID can be any string that is unique across the users in your account.
Additional Login Options
The following Login Policy options are applicable to SSO:
Session Inactivity Timeout – Set this value, in minutes, to the session timeout of your IdP to minimize the number of timeouts.
Authentication Domain Name – A unique string to identify your Virgo instance for the purpose of providing SSO login options. This value is used in the Login URL generated by this page. This URL will provide users with tiles to initiate SSO login, as well as provide the option for standard login.
Disable Standard Login (Require SSO) – By default, users are permitted to use the standard login or SSO. To prevent the use of standard login, set this value to either Non-Administrators or All Users. If you opt for All Users, please be certain that your SSO configuration is working correctly before enabling this restriction.
The SSO login page, using the Login URL specified above, will show all identity providers that are set to be visible on the login page.
Use with ADFS
If your IdP is ADFS, make sure that your identity provider configuration in Virgo has set the Authentication Context field to Disabled. Other values may still result in a successful login, but you may be prompted to re-enter your credentials even if you have already authenticated against Active Directory.