• Administrator overview
• Managing users and permissions
  • User roles and access permissions
  • Creating users
  • Editing users
  • Unlocking a user account
  • Resending a user activation link
  • Deleting or deactivating users
  • Using groups
  • Managing departments
  • Managing passwords and password policies
  • Setting account-wide access policies
  • Changing a resource owner
  • Using Single Sign-On (SSO)
    • Using Single Sign-on (SSO) with Azure Active Directory (AAD)
    • Configuring an ADFS claim rule for SSO
• Managing account-wide settings
  • Adding container registries
• Managing public IP addresses
• Managing WANs
  • Overview: VPNs
    • Creating a VPN
      • VPN configuration parameters
        • AWS VPC: VPN configuration example
        • Azure VPN: VPN configuration example
        • Cisco ASA: VPN configuration example
        • Cisco IOS: VPN configuration example
        • Juniper SRX: VPN configuration example
        • pfSense: VPN configuration example
        • strongSwan: VPN configuration example
  • Overview: Skytap on Azure ExpressRoute connections
    • Creating a Skytap on Azure ExpressRoute connection
    • Creating a customer-managed Skytap on Azure ExpressRoute connection
  • Testing the WAN
    • Troubleshooting VPN test failures
  • Connecting an environment network to a WAN
  • Configuring WAN access controls
  • Editing an existing WAN connection
  • Disable a WAN
• Managing Metered RAM and storage usage
  • How usage is calculated
  • Viewing current usage and enabling pay-as-you-go capacity
  • Reserved capacity for Skytap on Azure
  • Reserved capacity for Skytap on IBM Cloud
  • Setting usage limits
  • Setting up notifications
  • VM pinning
• Reporting overview
  • Viewing and exporting user information
  • Viewing and exporting group information
  • Generating department reports
  • Generating audit reports
    • Configuring the webhook service for audit data
  • Viewing usage data
    • Using labels for in-depth reporting
    • Creating usage label categories
    • Configuring the webhook service for usage data
  • Enabling other users to generate reports
• Security best practices
• Other best practices
• Sharing templates with users in other Skytap accounts
• Finding the source environment from a sharing portal URL
• Including your logo in the Skytap interface

Using Single Sign-on (SSO) with Azure Active Directory (AAD)

Skytap supports federated authentication via SAML 2.0 single sign-on (SSO). When SSO is enabled for your account, users can automatically sign in to Skytap after being authenticated by Azure Active Directory, which serves as the Identity Provider (IdP) for SSO.

This document describes how to enable SSO for your account, how to create SSO users, and the sign-in and authentication process.

You must be an account administrator to perform most of these actions.

Managing account-wide SSO settings

Enabling single sign-on (SSO) in Azure Active Directory (AAD)

Before you begin, we recommend that you create and use a separate user account that is enabled for SSO, rather than enable SSO on your primary administrative account. This way, if the SSO test fails, you won’t be locked out of your administrative account.

For detailed instructions about configuring Azure Active Directory to integrate with Skytap, see Tutorial: Azure Active Directory integration with Skytap.

During the AAD setup process, note the following settings:

Setting	Value
Identifier (Entity ID)	PingConnect
Unique User Identifier	user.mail

One-time setup: Enabling SSO for your Skytap customer account

To enable SSO for your Skytap account

1. Email support@skytap.com with the following information:

   Setting or file	Description
   Entity ID	The unique string used to identify AAD to Skytap. Provided by Azure.
   Signing Certificate	The certificate that lets Skytap verify that information sent by AAD is genuine and originated from AAD.
   SAML Metadata	The SSO configuration details. This can be uploaded as a file, or sent as a URL that links to a file.
   IdP Login URL	The URL that users are redirected to for authentication.
   IdP Logout URL	The URL users are directed to when they click Sign Out.
   IdP Error URL	The URL that users are redirected to if authentication fails after AAD is identified by Skytap

2. Skytap Support enables SSO for your account and gives you an Entity ID, Authentication Certificate, and SAML metadata to enter in AAD. Configure AAD with these files so that Skytap is recognized as a service provider.

3. Work with Skytap Support to test and verify the SSO configuration. During this testing, we recommend that you test the account sign in from a new incognito browser session to eliminate issues caused by browser cookies or the browser cache.

   Troubleshooting tip

   For help troubleshooting the negotiation between the Skytap SSO service provider and AAD:

   • Use a browser-based tool to trace the network requests associated with the SSO connection. For example, use a tool like SSO Tracer or SAML Tracer.
   • Check the logs from AAD for errors or other messages.

4. After SSO is properly configured, enable your Skytap user accounts to use SSO authentication rather than password-based authentication.

   • For instructions, see Enabling SSO on an existing user account.
   • For more information about signing into Skytap after SSO is enabled, see Signing into Skytap with SSO.

Editing SSO settings or disabling SSO for the customer account

To edit your account SSO settings

1. Click Manage > Security Policies.

   

2. Click the Sign-on policy tab.

   

   From this tab, administrators can:

   • Disable Single Sign-on for the entire account. This prevents SSO-enabled users from logging in, and it deactivates sharing portals that use single sign-on.
   • Edit the Login path, Logout redirect URL, and Error redirect URL set up during the initial account configuration. SeeEnabling SSO for your customer account above.
   • Download Skytap service provider metadata and signing certificates.

Managing SSO-enabled user accounts

Users who are enabled for SSO don’t have Skytap passwords.

Enabling SSO on an existing user account

To switch an existing user’s account from password-based authentication to SSO authentication

1. Navigate to the Edit User page for the user.

   

   If the Manage button is missing, you aren’t a Skytap administrator. Contact your primary administrator or another Skytap administrator if you need to modify your user role.

   The Users page displays.

2. Click (Expand options) next to the user you want to edit.

   

3. Select Edit user information from the drop-down menu.

   The Edit User page displays.

   

4. In the user details, check Enable Single Sign-on.

   

5. Verify that the user’s sign-in name is a valid email address.
6. Click Save.

7. The user must validate the account change:

   1. Skytap sends a user activation email to the user. The user must click the activation button to activate the account.
   2. Skytap sends a second email to the user, with the Skytap sign in link for your account. The user clicks this link to initiate an SSO connection and sign in to Skytap with his or her SSO credentials. Users can bookmark this URL for future access. For more information, see Signing into Skytap with SSO.

Creating new SSO-enabled user accounts

To create an SSO-enabled user

Create a user, following the instructions at Creating user accounts. During the account configuration step, select Enable Single Sign-on, and verify that the user’s login name is a valid email address.

Disabling SSO on a user account

To disable SSO for a user account

1. Click Manage > Users.

   

   If the Manage button is missing, you aren’t a Skytap administrator. Contact your primary administrator or another Skytap administrator if you need to modify your user role.

   The Users page displays.

2. Click (Expand options) next to the user you want to edit.

   

3. Select Edit user information from the drop-down menu.

   The Edit User page displays.

   

4. In the user details, uncheck Enable Single Sign-on.
5. Click Save.
6. The user must validate the account change. Skytap sends the user a new activation email. The user must click the activation button to activate the account. After this, the user can use the sign-in page at Skytap.

Signing into Skytap with SSO

After your account is enabled for SSO, Skytap generates a custom login path for your organization’s SSO-enabled users (for example: https://cloud.skytap.com/{sso}/{yourcompanyname}`). The first time an SSO-enabled user signs into Skytap, he or she must sign in using this custom path.

This URL can be bookmarked or placed on an internal company portal for future access. It can also be changed using the instructions for Editing your account SSO settings.

When a user signs in using the custom path, Skytap places a local cookie on the user’s machine that associates the user with AAD. The next time the user logs in, he or she can use the standard login path at https://cloud.skytap.com/{sso}/{yourcompanyname}`. Skytap uses the browser cookie to associate and validate the user to AAD.

If users clear the browser cookies or use different browsers, they must sign in using the custom login path (example: https://cloud.skytap.com/{sso}/{yourcompanyname}`).

When you log out of Skytap, your AAD session should also end. We recommend that you close all open browser windows to make sure that the AAD session fully closes.

Accessing sharing portals with SSO

After your account is enabled for SSO, sharing portals can be configured to be accessible via SSO sign in (in the Security section of the sharing portal configuration options).

• For a detailed description of the sharing portal configuration options, see Sharing portal options.
• For a general overview of sharing portals, see Sharing VMs and environments with sharing portals.