• Administrator overview
• Managing users and permissions
  • User roles and access permissions
  • Creating users
  • Editing users
  • Unlocking a user account
  • Resending a user activation link
  • Deleting or deactivating users
  • Using groups
  • Managing departments
  • Managing passwords and password policies
  • Setting account-wide access policies
  • Changing a resource owner
  • Using Single Sign-On (SSO)
    • Using Single Sign-on (SSO) with Azure Active Directory (AAD)
    • Configuring an ADFS claim rule for SSO
• Managing account-wide settings
  • Adding container registries
• Managing public IP addresses
• Managing WANs
  • Overview: VPNs
    • Creating a VPN
      • VPN configuration parameters
        • AWS VPC: VPN configuration example
        • Azure VPN: VPN configuration example
        • Cisco ASA: VPN configuration example
        • Cisco IOS: VPN configuration example
        • Juniper SRX: VPN configuration example
        • pfSense: VPN configuration example
        • strongSwan: VPN configuration example
  • Overview: Skytap on Azure ExpressRoute connections
    • Creating a Skytap on Azure ExpressRoute connection
    • Creating a customer-managed Skytap on Azure ExpressRoute connection
  • Testing the WAN
    • Troubleshooting VPN test failures
  • Connecting an environment network to a WAN
  • Configuring WAN access controls
  • Editing an existing WAN connection
  • Disable a WAN
• Managing Metered RAM and storage usage
  • How usage is calculated
  • Viewing current usage and enabling pay-as-you-go capacity
  • Reserved capacity for Skytap on Azure
  • Reserved capacity for Skytap on IBM Cloud
  • Setting usage limits
  • Setting up notifications
  • VM pinning
• Reporting overview
  • Viewing and exporting user information
  • Viewing and exporting group information
  • Generating department reports
  • Generating audit reports
    • Configuring the webhook service for audit data
  • Viewing usage data
    • Using labels for in-depth reporting
    • Creating usage label categories
    • Configuring the webhook service for usage data
  • Enabling other users to generate reports
• Security best practices
• Other best practices
• Sharing templates with users in other Skytap accounts
• Finding the source environment from a sharing portal URL
• Including your logo in the Skytap interface

Using Single Sign-on (SSO) with Skytap

Skytap supports federated authentication via SAML 2.0 single sign-on (SSO). When SSO is enabled for your account, users can automatically sign in to Skytap after being authenticated by an Identity Provider (IdP), such as Active Directory or LDAP.

SSO users can use the Skytap REST API using the API token.

This document describes how to enable SSO for your account, how to create SSO users, and the sign-in and authentication process.

You must be an account administrator to perform most of these actions.

Managing account-wide SSO settings

One-time setup: Enabling SSO for your customer account

To enable SSO for your Skytap account

1. Email support@skytap.com with the following information:

   Setting or file	Description
   Entity ID	The unique string used to identify your IdP to Skytap. Provided by your Identity Provider.
   Signing Certificate	The certificate that lets Skytap verify that information sent by your IdP is genuine and originated from your IdP.
   SAML Metadata	Your SSO configuration details. This can be uploaded as a file, or sent as a URL that links to a file.
   IdP Login URL	The URL that users are redirected to for authentication.
   IdP Logout URL	The URL users are directed to when they click Sign Out.
   IdP Error URL	The URL that users are redirected to if authentication fails after the IdP is identified by Skytap.
   Claim Rule	If you’re using Windows Active Directory, you must configure a claim rule with Microsoft Active Directory Federation Services (ADFS). This must map the user-principal-name to the NameID outgoing claim type. For instructions, see Configuring an ADFS claim rule for SSO.

2. Skytap Support enables SSO for your account and gives you an Entity ID, Authentication Certificate, and SAML metadata to enter in your IdP. Configure your IdP with these files so that Skytap is recognized as a service provider.
3. Work with Skytap Support to test and verify the SSO configuration. During this testing, we recommend that you:
   • Create and use a separate user account that is enabled for SSO, rather than enable SSO on your primary administrative account. This way, if the SSO test fails, you won’t be locked out of your administrative account.
   • Test the account sign in from a new incognito browser session to eliminate issues caused by browser cookies or the browser cache.

   Troubleshooting tip

   For help troubleshooting the negotiation between the Skytap SSO service provider and your identity provider:

   • Use a browser-based tool to trace the network requests associated with the SSO connection. For example, use a tool like SSO Tracer or SAML Tracer.
   • Check the logs from your Identity Provider for errors or other messages.
4. After SSO is properly configured, enable your Skytap user accounts to use SSO authentication rather than password-based authentication.
   • For instructions, see Enabling SSO on an existing user account.
   • For more information about signing into Skytap after SSO is enabled, see Signing into Skytap with SSO.

Editing SSO settings or disabling SSO for the customer account

To edit your account SSO settings

1. Click Manage > Security Policies.

   

2. Click the Sign-on policy tab.

   

   From this tab, administrators can:

   • Disable Single Sign-on for the entire account. This prevents SSO-enabled users from logging in, and it deactivates sharing portals that use single sign-on.
   • Edit the Login path, Logout redirect URL, and Error redirect URL set up during the initial account configuration. SeeEnabling SSO for your customer account above.
   • Download Skytap service provider metadata and signing certificates.

Managing SSO-enabled user accounts

Users who are enabled for SSO don’t have Skytap passwords.

Enabling SSO on an existing user account

To switch an existing user’s account from password-based authentication to SSO authentication

1. Navigate to the Edit User page for the user.

   

   If the Manage button is missing, you aren’t a Skytap administrator. Contact your primary administrator or another Skytap administrator if you need to modify your user role.

   The Users page displays.

2. Click (Expand options) next to the user you want to edit.

   

3. Select Edit user information from the drop-down menu.

   The Edit User page displays.

   

4. In the user details, check Enable Single Sign-on.

   

5. Verify that the user’s login name is a valid email address.
6. Click Save.
7. The user must validate the account change:
   1. Skytap sends a user activation email to the user. The user must click the activation button to activate the account.
   2. Skytap sends a second email to the user, with the Skytap sign in link for your account. The user clicks this link to initiate an SSO connection and sign in to Skytap with his or her SSO credentials. Users can bookmark this URL for future access. For more information, see Signing into Skytap with SSO.

Creating new SSO-enabled user accounts

To create an SSO-enabled user

Create a user, following the instructions at Creating user accounts. During the account configuration step, select Enable Single Sign-on, and verify that the user’s login name is a valid email address.

Disabling SSO on a user account

SSO can’t be disabled for Skytap on Microsoft Azure accounts.

To disable SSO for a user account

1. Navigate to the Edit User page for the user.

   

   If the Manage button is missing, you aren’t a Skytap administrator. Contact your primary administrator or another Skytap administrator if you need to modify your user role.

   The Users page displays.

2. Click (Expand options) next to the user you want to edit.

   

3. Select Edit user information from the drop-down menu.

   The Edit User page displays.

   

4. In the user details, uncheck Enable Single Sign-on.
5. Click Save.
6. The user must validate the account change. Skytap sends the user a new activation email. The user must click the activation button to activate the account. After this, the user can use the sign-in page at Skytap.

Signing into Skytap with SSO

After your account is enabled for SSO, Skytap generates a custom login path for your organization’s SSO-enabled users (for example: https://cloud.skytap.com/{sso}/{yourcompanyname}`). The first time SSO-enabled users sign in to Skytap, they must sign in using this custom path.

When a user signs in using the custom path, Skytap places a local cookie on the user’s machine that associates the user with the correct IdP. The next time the user logs in, he or she can use the standard login path at https://cloud.skytap.com/. Skytap uses the browser cookie to associate the user to the correct IdP and then validates the user’s credentials using that IdP.

If the user clears the browser cookies or uses a different browser, he or she must sign in using the custom login path (example: https://cloud.skytap.com/{sso}/{yourcompanyname}`).

Accessing sharing portals with SSO

After your account is enabled for SSO, sharing portals can be configured to be accessible via SSO sign in (in the Security section of the sharing portal configuration options).

• For a detailed description of the sharing portal configuration options, see Sharing portal options.
• For a general overview of sharing portals, see Sharing VMs and environments with sharing portals.