Configure VIP Login
Complete these procedures to configure VIP Login in VIP Manager.
- Complete the following steps to configure VIP Login in VIP Manager:
  - Log into VIP Manager.
  - Select Policies in the navigation bar at the top of the page.
  - Select the VIP Login tab, and click Edit.

- To configure VIP Login to use VIP as the Identity Provider, enter the following information in the Organization Service Provider Settings section. Complete this section if you enable VIP Login.
  You can configure up to five Service Provider configurations. VIP Login associates the appropriate configuration with the Service Provider based on the EntityID that you send in your SAML authentication request.
  Optionally, you can upload the metadata file that you export from your Single Sign-On application software. The metadata file must contain the following information. Upload it by clicking Browse.

  | Field | Value |
  | --- | --- |
  | Friendly Name | Unique identifier for the Service Provider configuration. Use a friendly name that helps your VIP administrators know to which service provider this configuration applies. |
  | EntityID | The unique identifier of your service provider. This identifier is typically in the form of a URI. |
  | Assertion Consumer Service URL | The URL of the Assertion Consumer Service endpoint for your service provider. VIP Login sends the SAML response to this endpoint. |
  | Audience | The URI that defines the audience for the SAML response. If this field is left blank, VIP Login uses the Assertion Consumer Service URL. |
  | Verification Certificate | The certificate that signs the SAML messages you send as a service provider to the VIP Login Service (which acts as the identity provider). VIP Login uses this certificate to verify the authenticity of those SAML messages. Click Browse to upload the verification certificate. |
- If you configure VIP Login to obtain out-of-band credential information from your local directory or datastore to issue temporary passwords, you must enable IdP under Organization Identity Provider (IdP) Settings. Then, enter the following information in the Organization Identity Provider (IdP) Settings section. This section is required only if VIP Login should obtain out-of-band credential information from your local directory or datastore. If you do not configure this section, VIP Login issues temporary passwords to the out-of-band credentials registered by your users.
  Optionally, you can upload the metadata file that you export from your Single Sign-On application software. The metadata file must contain the following information. Upload it by clicking Browse.

  | Field | Value |
  | --- | --- |
  | EntityID | The unique identifier of your identity provider. This identifier is typically in the form of a URI. |
  | Single Sign-on Service URL | The URL of the Single Sign-on (SSO) Service endpoint for your identity provider. VIP Login sends the SAML request to this endpoint. |
  | Verification Certificate | The certificate that signs the SAML messages you send as an identity provider to the VIP Login Service (which acts as the service provider). VIP Login uses this certificate to verify the authenticity of those SAML messages. Click Browse to upload the verification certificate. |
- Save your changes.
- By default, VIP Login sends temporary passcodes to the email address that is configured for the user. If you want to send temporary passcodes to SMS or Voice credentials, you must enable these credential types in VIP Manager:
  - Select the Components tab on the VIP Manager VIP Policy Configuration page, and click Edit.
  - Select Yes to enable temporary security codes under the VIP Self Service Portal section. Then, select the credential types to which VIP Login sends temporary security codes. Optionally, configure the following settings:
    - Select Require second-factor authentication for first-time access to require the user to enter a security code as second-factor authentication when logging in for the first time. Then, select the credential types that the user can use to provide second-factor authentication.
    - Select Disable inline credential registration to prohibit end users from registering a new credential when signing in to a site. If you have enabled Require second-factor authentication for first-time access and you enable this option, your users are not able to register a new credential. They must contact their administrator to register their credentials.
    - Designate a default country code for your users who request temporary security codes using SMS messages or Voice calls from the VIP Self Service Portal. Phone numbers that begin with either this country code or a "+" are not modified.

- If you integrate IA with VIP Login, enable it in VIP Manager:
  - Select the VIP Intelligent Authentication tab on the VIP Manager VIP Policy Configuration page, and click Edit.
  - Select Yes next to Enable VIP Intelligent Authentication.
  - Configure your IA settings. For detailed information about configuring IA settings, refer to the online Help.

- Second-factor flows only: If you integrate authentication levels with your SAML client, define them in VIP Manager:
  - Select Authentication Level in the secondary navigation bar at the top of the page.
  - For each authentication level you define, enter the following information on the Authentication Level page. Click the plus icon to define more authentication levels, up to a maximum of 10.

    | Field | Value |
    | --- | --- |
    | Auth Level | Use this field to rank your authentication levels, from the lowest security (1) to the highest security (10). |
    | Description | Enter a name that identifies this authentication level, up to 150 characters. |
    | Authentication Method | Select each authentication method that users may use when authenticating to resources assigned this authentication level. |
  - Click Save.

- Enable notification of additional credential registrations (optional). VIP can send an email to your users when additional credentials are registered to them in My VIP. The users must already be registered and have email addresses associated with them (VIP does not send an email during initial user registration). To enable the new credential registration email:
  - Contact your Symantec account representative to enable the feature.
  - Configure VIP to send the user email attribute as an out-of-band communication:
    - For VIP Enterprise Gateway: Edit the user store to include the Email attribute as a search criterion. See Modifying the user search criteria configured for a user store in the VIP Enterprise Gateway online Help for procedures.
    - For SAML: Configure your IdP to include the email attribute as an out-of-band attribute in the signed SAML assertion to VIP Login. The attribute should be in the following format (the NameFormat URI is `urn:oasis:names:tc:SAML:2.0:attrname-format:basic`, written without spaces):

      ```xml
      <saml:Attribute Name="EMAIL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
      </saml:Attribute>
      ```
Once configured, VIP sends a new credential registration email if an additional credential is registered to any existing user for which an email address is available.
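As an added example (not Symantec's code), the following Python script checks that an exported SP metadata file carries the EntityID, Assertion Consumer Service URL and signing certificate that the Organization Service Provider Settings form expects, and extracts the EMAIL attribute from an assertion in the format shown above. The sample XML, the sp.example.com hostnames and the certificate text are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample SP metadata (hypothetical service provider, placeholder certificate text).
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.com/saml/acs" index="0"/>
  </md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed sample assertion fragment carrying the EMAIL attribute in basic name format.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:AttributeStatement><saml:Attribute Name="EMAIL"
      NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">user@example.com</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement></saml:Assertion>"""

def check_sp_metadata(xml_text):
    """Return EntityID, ACS URL and signing cert the VIP Manager form needs; raise ValueError if one is missing."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("metadata lacks entityID")
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    if acs is None or not acs.get("Location"):
        raise ValueError("metadata lacks an AssertionConsumerService Location")
    for kd in root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        # A KeyDescriptor with no 'use' attribute covers both signing and encryption.
        if kd.get("use") in (None, "signing") and cert is not None and (cert.text or "").strip():
            break
    else:
        raise ValueError("metadata lacks a signing certificate")
    return {"entity_id": entity_id, "acs_url": acs.get("Location"),
            "verification_cert": cert.text.strip()}

def email_from_assertion(xml_text):
    # Return the EMAIL attribute value (basic name format) that VIP reads, or None if absent.
    root = ET.fromstring(xml_text)
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        if attr.get("Name") == "EMAIL" and attr.get("NameFormat") == BASIC_FORMAT:
            val = attr.find("saml:AttributeValue", NS)
            if val is not None and val.text:
                return val.text.strip()
    return None
```

The script inspects structure only; it does not validate the XML signature or the certificate itself, which VIP Login does with the uploaded verification certificate.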
Once you have configured VIP Login, continue with the following steps: