Okta

How to Configure SAML 2.0 for Veeva

Go to the Single Sign-On Settings page in Veeva

  1. Log in to Veeva with the same administrator username and password-token used for User Management settings.

  2. Click on Setup

  3. Click Security Controls to open the sub-menu

  4. Click Single Sign-On Settings

On the Single Sign-On Settings page

  1. Click the Edit button to display a form similar to the page shown on the right →

  2. Check SAML Enabled and a form will display

  3. Set the SAML Version to 2.0

  4. If you have Multiple End-points enabled, the configuration page may ask you to set up a Name and API Name. Set these values according to your preference.
  5. Download your Okta Identity Provider Certificate so you can upload it in the Identity Provider Certificate field

    Sign in to the Okta Admin app to have this variable generated for you
  6. Copy and paste the following key into Issuer:

    Sign in to the Okta Admin dashboard to generate this value.
  7. (Optional) Copy and paste the following URL into Identity Provider Login URL:

    Sign in to the Okta Admin dashboard to generate this value.

    This URL will authenticate your users when they attempt to log in directly to Veeva or click on a deep link in Veeva and are not currently authenticated.

  8. (Optional) Copy and paste the following URL into Identity Provider Logout URL:

    Sign in to the Okta Admin dashboard to generate this value.

    This URL sends your users to their Okta home page when they log out of Veeva.

  9. Set the SAML User ID Type to Assertion contains User's Veeva username

  10. Set the SAML User ID Location to User ID is in the NameIdentifier element of the Subject statement

  11. For Entity ID,
  12. For Service Provider Initiated Request Binding, select HTTP POST (Depending on the Salesforce environment you are in, you may or may not be asked for this value)
  13. Click Save
  14. Look for the Salesforce Login URL which will appear after clicking Save
  15. In Okta, go to the General tab of the app Configuration page, and enter the Salesforce Login URL in the Login URL field.
  16. If you are using a custom domain, then enter that value in the Custom Domain field in Okta, otherwise leave it blank.
  17. Click Save
  18. Done!
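
The settings above tell Veeva to read the username from the NameID element of the assertion's Subject and to expect a specific Issuer. The following is an added example, not part of Okta's or Veeva's documentation: a troubleshooting check that decodes a captured HTTP POST binding SAMLResponse and reports where it disagrees with those settings. The function name, issuer URL and username are hypothetical placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: placeholder issuer and username, not values from Okta or Veeva.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>http://idp.example/issuer-placeholder</saml:Issuer>
  <saml:Assertion Version="2.0">
    <saml:Issuer>http://idp.example/issuer-placeholder</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jdoe@example.veeva</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
# The HTTP POST binding carries the response base64-encoded in the SAMLResponse form field.
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def check_saml_response(b64_response, expected_issuer, expected_username):
    """Return a list of mismatches between a captured SAMLResponse and the SSO settings.

    Structural check only: it does not verify the XML signature, so it is a
    troubleshooting aid and never a substitute for the service provider's validation.
    """
    problems = []
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.get("Version") != "2.0":
        problems.append("Response Version is not 2.0")
    # More or fewer than one plaintext Assertion (e.g. encrypted) is reported, not guessed at.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected exactly 1 Assertion, found {len(assertions)}"]
    assertion = assertions[0]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"Issuer mismatch: {issuer!r}")
    # "User ID is in the NameIdentifier element of the Subject statement"
    name_id = assertion.findtext("saml:Subject/saml:NameID", default=None, namespaces=NS)
    if name_id is None:
        problems.append("no NameID in Subject")
    elif name_id.strip() != expected_username:
        problems.append(f"NameID is {name_id.strip()!r}, not the Veeva username")
    return problems
```

An empty list means the Issuer and NameID line up with the Single Sign-On Settings; run it only on responses captured from your own test logins.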

How to Configure Delegated Authentication in Veeva

Please note: Delegated authentication is an optional integration that can be used in addition to SAML 2.0.

Contact Veeva to enable delegated authentication

  1. Contact your Veeva Systems Account representative and ask them to enable delegated authentication for your organization. You can also do this by opening a case in the Veeva Systems customer service application.

    Once Veeva Systems enables delegated authentication you can proceed with the steps below.

Enter your Delegated Gateway URL

  1. Go to the Single Sign-On Settings page located in the Setup > Security Controls section of Veeva. Click the Edit button to display a form similar to the page shown on the right →

  2. Copy and paste the URL below into the Delegated Gateway URL field:

    Sign in to the Okta Admin app to have this variable generated for you
  3. Click Save

Try out delegated authentication single sign-on with a cloned user profile

  1. We recommend creating a test user profile so you can experiment with this feature on a single user. If you feel comfortable with this feature then you can skip to the next section.

  2. Go to the Profiles page located in the Setup > Manage Users section of Veeva

  3. Open a User Profile you would like to experiment with

  4. Click the Clone button to make a copy of this profile. Using a cloned profile allows you to avoid impacting any other users who have the original profile.

  5. Give the cloned profile a name

  6. Click Save

Enable delegated authentication single sign-on for a user profile

IMPORTANT: Enabling single sign-on for a user profile will affect every user who is assigned that user profile. If you want to experiment with a single user first, we recommend creating a cloned profile (see above) to test with.

  1. Go to the Profiles page located in the Setup > Manage Users section of Veeva

  2. Click Edit on the user profile and scroll down to the General User Permissions section

  3. Check the Is Single Sign-On Enabled checkbox

  4. Click Save

Enable delegated authentication single sign-on for a Veeva user

  1. IMPORTANT: Do not enable delegated authentication for the Veeva user used by Okta to connect to the Veeva User Management APIs. The API user is specified in the User Management settings page within Okta.

  2. Go to the Users page located in the Setup > Manage Users section of Veeva

  3. Click Edit for a user you want to enable single sign-on for

  4. Select a Profile that has delegated authentication single sign-on enabled (use the cloned profile if you are experimenting)

  5. Click Save

Assign your single sign-on enabled Veeva user to an Okta user

  1. In Okta, go to the People list and click a person's name to open their profile

  2. Click Assign Application

  3. Select Veeva from the list and enter a Veeva username that has delegated authentication enabled

  4. Click Save

Test it out!

  1. CLICK HERE to go to the Veeva login page

  2. Enter the Veeva username you used in the previous section

  3. Enter the Okta password for the Okta user assigned the Veeva username above

  4. Click Login

  5. Assuming you logged in successfully, you can use these credentials for Veeva client application integrations like the Microsoft Outlook plugin and other APIs.

Done!

  1. Your users are ready to single sign-on to Veeva!

    You can assign Veeva access to users from their user profile within Okta.