How Do I Add Users to My Account?

This article shows you how to add additional users to your Sign In Enterprise account.


To help create and manage users in your Visitor Management account, you can integrate with your Single Sign On Identity Provider (IdP) which routes the sign-in process through your employees' SSO credentials.

If you wish to add users without using a Single Sign On Identity Provider, click HERE to learn how.

To view our Campus Video lesson, click HERE.

Accessing the SSO/SAML 2.0 Settings


The SSO/SAML 2.0 settings can be found within the preferences page in the Visitor Management admin website. Click the gear icon in the top right corner of your account, then click Preferences. You will then see the Register Domains and SAML configuration section near the top of the page.



Verifying Your Domain

As a security measure, verifying your domain allows us to confirm that you own the domain that you're trying to register. The verification process requires you to enter the TXT token provided by Guest into your DNS:

1. Under the Register Domains section, click NEW DOMAIN.
2. Add your domain and click Create. Do not add the @ symbol before your domain. This will be considered invalid.
3. Click the VERIFY DOMAIN button next to your Domain URL.
4. Copy the token string as a TXT entry within your DNS settings.
5. Back in Sign In Enterprise, click Verify. The status will change to 'Verified' when successful.
6. Click Save.

Note: You will also need to return to this section to configure the USE SAML Configuration step. However, this will not be available until your SAML configuration is complete. The steps for this can be found in THIS section below.




Adding Visitor Management as an Application in Your Identity Provider


This article explains the steps required for both Okta and ADFS 3.0, but we have worked with many SAML 2.0 IdPs, including ADFS 2.0, Microsoft Azure, and OneLogin. The process is similar for most identity providers.

Open the SAML help window for links to documentation discussing how to do this with a few popular identity providers. If your IdP is not listed, documentation is typically available online.

Gathering Information Required for your Identity Provider


From the SAML configuration section, you can copy the Callback URL (required) and Audience Restriction (optional) and enter them into the corresponding fields within your identity provider.

To access this, click on the '?' icon to the top-right of the SAML Configuration settings.

NOTE: Examples of these fields within Okta and ADFS can be found in THIS section below.




Setting up the SAML Configuration Within your Account


You will also need to enter fields found within your identity provider into your Visitor Management account. Additional user settings can also be configured to determine access rights and auto-provisioning rules:

1. Toggle on 'Enable SAML 2.0' from the SAML configuration section.
2. Click '+Add New Identity Provider'. You may add more than one.




3. The Name field can be anything you want. You will select this when you choose SAML configuration in the Configure Domain window. See this section below for more details: Assigning your SAML configuration to your Domain

4. Enter the Certificate, Login URL, and Issuer data that is provided within your Identity Provider. An example can be found for Okta in THIS section.

Optional Settings

Include Admin Users: Enabling this will force existing users to go through SSO in order to access your Visitor Management account.

Provision Users using Identity Provider: This will allow your SAML users to log into your Visitor Management account, even if they don't already have an existing Visitor Management user. By default, these users will be assigned the INVITES permission bundle. However, you can set this to any other custom permission bundle.





You can save these settings in the 'Attribute Mapping' section outlined in the steps below.

Attribute Mapping (Optional)


Additionally, you are able to map name attributes and assign specific permission bundles to users according to the user roles they're assigned to in your Identity Provider. These settings can be found in section 2 of the SAML configuration window, after you've entered your Identity Provider Details.

First and Last Name Mapping


The Map attributes from Identity Provider setting allows you to pull your users' first and last names from their SAML/SSO profile into their user profile in Visitor Management.

Click + Add New Attribute Mapping, then select First Name. Add the naming convention of the First Name field in your Identity provider. Repeat the process for Last Name, again following your IdP's naming conventions.



Permission Bundle Mapping

The permission bundle mapping feature allows you to choose which permission bundle(s) are assigned to SSO-provisioned users in your Visitor Management account. If you configured a Default Permission Bundle on the previous page, this feature overrides it; the default permission bundle is applied only when a user's group is not found or the configuration (outlined below) fails:

1. Toggle on Manage user permissions using Identity Provider.

2. Enter an attribute name that is assigned to users in your SSO provider. These are typically custom category names that help your IT/HR team organize groups of employees (e.g. Company Department, Office Location, etc.). In the screenshot below, we are using Department.

3. Click + Add Mapping to Permission Bundle. You can add as many mappings as you'd like to encompass the different permission bundles that will be assigned to different groups.

4. On the left, choose a permission bundle from your account. On the right, enter the group name in your SSO provider that defines your specific groups. For example, if my overall attribute name in my SSO provider is Department, my different Group Names may be Reception, HR, Marketing, Security, etc. In the screenshot below, we are assigning Security and Reception employees to our Default Reception/Security Permission Bundle. We are also assigning our Marketing employees the Marketing Bundle.


NOTE: These are highly customized naming conventions depending on your company's SSO structure. Consult with your IT team to determine the exact names of these attributes.
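A pre-rollout check of the fallback behaviour described above, as an added example that is not Sign In Enterprise code: it lists which users a mapping would miss and who would therefore receive the default bundle. It assumes group names are matched exactly (case-sensitive) and that an attribute may be multi-valued; the function names and sample users are hypothetical.

```python
def resolve_bundle(attributes, attribute_name, mappings, default_bundle):
    """Return (bundle, matched) for one user's IdP attributes.

    Assumption: group names are compared exactly (case-sensitive); confirm
    how your account behaves before relying on this model.
    """
    values = attributes.get(attribute_name, [])
    if isinstance(values, str):  # single-valued attribute
        values = [values]
    for value in values:
        if value in mappings:
            return mappings[value], True
    return default_bundle, False


def audit_mappings(users, attribute_name, mappings, default_bundle):
    """Split users into those matched by a mapping and those on the default."""
    matched, fallback = {}, []
    for user, attributes in users.items():
        bundle, hit = resolve_bundle(attributes, attribute_name, mappings, default_bundle)
        if hit:
            matched[user] = bundle
        else:
            fallback.append(user)
    return matched, sorted(fallback)


# Constructed sample data using the group and bundle names from this article.
MAPPINGS = {
    "Security": "Default Reception/Security Permission Bundle",
    "Reception": "Default Reception/Security Permission Bundle",
    "Marketing": "Marketing Bundle",
}
USERS = {
    "alice@example.com": {"Department": "Security"},
    "bob@example.com": {"Department": "marketing"},  # case typo in the IdP
    "carol@example.com": {"Team": "HR"},             # attribute not present
    "dave@example.com": {"Department": ["Sales", "Marketing"]},
}

if __name__ == "__main__":
    matched, fallback = audit_mappings(USERS, "Department", MAPPINGS, "INVITES")
    print("mapped:", matched)
    print("default bundle:", fallback)
```

Everyone in the fallback list receives the default bundle, so that bundle should be the least-privileged one you are willing to grant to an unmapped user.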




Assigning your SAML configuration to your Domain

Once your SAML configuration is complete, you can then finalize the SSO/SAML setup by assigning it to a verified domain.

To do so, go back to the Register Domains section and click the gear icon to the right of a verified domain. Then, under Step 2 - USE SAML configuration, select the configuration you wish to use.

Finally, click SAVE. Your SSO/SAML integration is now complete.


The sections below show example configurations for Okta and ADFS 3.0.


Setting up with Okta

Follow these steps to add Traction Guest as an Application.







Setting up with ADFS 3.0


When integrating with Active Directory Federation Services, there are 3 main steps:

  1. Setting up the "Relying Party Trust"

  2. Configuring the "Claim Rules"

  3. Collecting the Certificate.

The following screenshots walk through these steps.

Step 1: Creating the Relying Party Trust

1.1


1.2


1.3


1.4


1.5


1.6


1.7


Note: the Callback URL may vary depending on which data center you are using.
If you are unsure which data center your account is stored on, use https://us.tractionguest.com/sessions/sso/callback

1.8


The identifier does need to be exactly "https://us.tractionguest.com/saml/metadata".
If your account is NOT in the US database, you will need to tweak the metadata URL.
Canadian accounts use: https://ca.tractionguest.com/saml/metadata
European accounts use: https://uk.tractionguest.com/saml/metadata
If you are in a private instance, reach out to support and we will be able to provide the URL for your account.

1.9


1.10



Step 2: Add Claim Rules

2.1


2.2


2.3


2.4


2.5


2.6


2.7



Step 3: Export the Certificate

3.1


3.2


3.3


3.4




Step 4: Fill in fields within Traction Guest Preferences page

Once you are done setting up in ADFS, go to the Preferences Page in your admin console. You will need to enter your Login URL, Issuer, and certificate.

Your Login URL must follow this format: https://[ADFS_Domain]/adfs/ls/IdpInitiatedSignon.aspx?loginToRp=https://us.tractionguest.com/saml/metadata

Your Issuer must follow this format: http://[ADFS_Domain]/adfs/services/trust

Replace [ADFS_Domain] with your domain.

Then copy and paste the certificate from Step 3.
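A check of the Login URL and Issuer formats above before saving them, as an added example that is not part of the original article or the product. It assumes that non-US accounts put their regional identifier from step 1.8 in loginToRp; adfs.example.com and the function name are placeholders.

```python
from urllib.parse import urlsplit, parse_qs

# Relying party identifiers listed in step 1.8 of this article, by data center.
RP_IDENTIFIERS = {
    "us": "https://us.tractionguest.com/saml/metadata",
    "ca": "https://ca.tractionguest.com/saml/metadata",
    "uk": "https://uk.tractionguest.com/saml/metadata",
}
LOGIN_PATH = "/adfs/ls/IdpInitiatedSignon.aspx"


def check_adfs_fields(login_url, issuer, adfs_domain, region="us"):
    """Return a list of problems; an empty list means both fields fit the format."""
    problems = []
    rp_identifier = RP_IDENTIFIERS[region]
    parts = urlsplit(login_url.strip())

    if parts.scheme != "https":
        problems.append("Login URL must start with https://")
    if (parts.hostname or "").lower() != adfs_domain.lower():
        problems.append(f"Login URL host is not {adfs_domain}")
    if parts.path.lower() != LOGIN_PATH.lower():
        problems.append(f"Login URL path is not {LOGIN_PATH}")
    # loginToRp must carry the identifier exactly: right region, no trailing slash.
    if parse_qs(parts.query).get("loginToRp") != [rp_identifier]:
        problems.append(f"loginToRp is not exactly {rp_identifier}")

    # The Issuer is an identifier string compared as-is; its scheme is http.
    expected_issuer = f"http://{adfs_domain}/adfs/services/trust"
    if issuer.strip() != expected_issuer:
        problems.append(f"Issuer is not exactly {expected_issuer}")
    return problems


if __name__ == "__main__":
    # Constructed sample values with three mistakes: http Login URL,
    # trailing slash on loginToRp, and an https Issuer with a trailing slash.
    for problem in check_adfs_fields(
        "http://adfs.example.com/adfs/ls/IdpInitiatedSignon.aspx"
        "?loginToRp=https://us.tractionguest.com/saml/metadata/",
        "https://adfs.example.com/adfs/services/trust/",
        "adfs.example.com",
    ):
        print(problem)
```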



How to solve for Service Provider Initiated Login Issues
For certain accounts, logging in through the Service Provider Initiated Login will not work through the method described above. That is, SSO will not work when attempting to sign in from the Traction Guest sign-in website (https://account.tractionguest.com/#/Login).

This set of instructions will allow you to solve for those blocks.

1. Copy this certificate from our public metadata (including the '---Begin Certificate---' and '---End Certificate---' lines) and save it in a txt file:


2. Go back to ADFS. In the Relying Party Trust for Traction Guest, click on the 'Signature' tab then click 'Add...'


3. Find and upload your certificate text file. Make sure you are searching for 'All Files'.



4. Navigate to the 'Advanced' tab and change the secure hash algorithm to SHA-1. Then click apply.



You will now be able to sign in through the Traction Guest login page.
