Trimble ID / Viewpoint ID SSO
How does authentication work in your cloud? Can we use Single Sign On (SSO) with our local AD or Okta? Does the cloud support MFA?
Author: Eric Vasbinder
Authentication of users into systems hosted in our cloud, such as Vista, Spectrum, ProContractor, JobPac, Team Project Manager, HR Portal, and more, is a critical but often undervalued area of information systems. Single Sign-On, or SSO, is something our customers have been asking about with increasing frequency. It is difficult for users to manage multiple sets of credentials, and each new IT system that adds its own usernames and passwords makes that burden heavier. Organizations therefore want a single, central set of credentials per user, so that each user logs in once and is authenticated to all corporate systems. SSO usually involves integrating local Active Directory or an external identity provider such as Azure AD, Okta, or Auth0, and it is often paired with Multi-Factor Authentication (MFA) for additional security.
To enable SSO, Viewpoint created a long-term vision for a common identity framework, known as Viewpoint ID. Viewpoint ID was rolled out across the Viewpoint products and allows a single identity to authenticate a user to each part of the Viewpoint portfolio to which they have access. Viewpoint ID is in place for Viewpoint Team Project Management, HFF (HR Portal, Financial Controls, and Field Management), and Vista (as of 2021R1), and over time we extended it to other solutions, such as Viewpoint Analytics. Viewpoint ID also supports federation to Azure AD, and thus to local AD through Azure AD.
Customers who were already set up for federated Azure AD SSO were placed on Viewpoint ID as an intermediary until Trimble ID supported Azure AD SSO directly (it now does; see Reminder 2 below). Please see the next section for more details.
ANZ customers should see the ANZ SSO Setup page for more details: The Three Steps to ANZ SSO Joy - Setting up Viewpoint ID SSO
Trimble ID was created as the successor to Viewpoint ID and adds SSO for Trimble solutions alongside the Viewpoint solutions already supported by Viewpoint ID. When Trimble ID first shipped it did not directly support federation to Azure AD. Customers who wanted Azure AD federation to their Trimble Viewpoint product therefore activated Viewpoint ID as an intermediary between the Viewpoint solutions (such as Vista and HFF) and Trimble ID; once that is done, adding the app to your Azure AD app list and approving its permissions request lets users authenticate into Trimble Viewpoint solutions with their Azure AD credentials. As of April 2024 Trimble ID federates directly with Azure AD (Entra ID) and Okta (see Reminder 2 below).
CRITICAL NOTE: Vista SSO requires the use of Vista version 2021R1, Service Pack 2 or higher
CRITICAL NOTE 2: Trimble ID (Viewpoint ID) SSO is ONLY Supported on Viewpoint One Cloud at this time - NO ON PREMISE SUPPORT
CRITICAL NOTE 3: VIEWPOINT ID IS NOT SUPPORTED IN THIRD PARTY PRODUCTS HOSTED IN OUR CLOUD, INCLUDING SSRS WEB UI (SSRS THROUGH HFF AND VISTA UI WILL WORK WITH SSO)
SSO USE WITH THIRD PARTY PRODUCTS HOSTED EXTERNALLY TO OUR CLOUD MUST BE ACHIEVED BY INTEGRATING THE THIRD PARTY PRODUCT DIRECTLY WITH AN IDENTITY PROVIDER (e.g. MICROSOFT AZURE AD)
Based on the architecture of Trimble ID (Viewpoint ID), a customer must have a Viewpoint Platform (Team) Enterprise ID (EID) created as their unique Viewpoint One ID before using Viewpoint ID (VPID) SSO. Your transformation team will ensure that is set up prior to go-live. Once the Enterprise ID exists, our team will coordinate with you to push your Vista user accounts into SSO. Note that SSO setup previously had to wait until after go-live; it can now be completed before Vista goes live in the cloud.
Multi-factor authentication into Viewpoint products is provided either natively by Trimble ID or through SSO federation with an external identity provider. To be clear, Trimble ID supports MFA without any federation. Viewpoint ID federation supports only Azure AD as the external authentication system. Trimble ID originally did not federate to Azure AD at all; it now federates with Azure AD (Entra ID) and Okta (see Reminder 2 below).
NOTE: Trimble ID MFA supports email codes, SMS text codes, and TOTP app codes (Google Authenticator style).
CRITICAL REMINDER: MFA IS ONLY SUPPORTED WITH VISTA TODAY THROUGH EITHER TRIMBLE ID OR OUR VIEWPOINT ID INTEGRATION TO MICROSOFT AZURE AD
REMINDER 2: TRIMBLE ID NOW SUPPORTS FEDERATION WITH AZURE AD (ENTRA ID) AND OKTA
Please review the following cloud FAQ article for instructions on how to initially set up Trimble ID SSO, along with ongoing adding of users: The Three Steps to SSO Joy - Setting up Trimble ID SSO
Please review the following cloud FAQ article for instructions on how to initially set up Viewpoint ID SSO, along with ongoing adding of users (FOR ANZ CUSTOMERS ONLY): The Three Steps to ANZ SSO Joy - Setting up Viewpoint ID SSO
Please go to the following URL for specific, detailed steps on how to manage Trimble ID SSO Authentication after you have initially set up Trimble ID SSO: Creating and Managing Trimble ID SSO Users After Initial Setup
A user's email address is their unique identifier in both Trimble ID and Viewpoint ID. For authentication to work via either SSO system, whether standalone or Azure AD federated, the user's primary email address in Vista, HFF, and other tools must therefore be unique and free of stray characters such as leading or trailing spaces.
Here are the specifics:
Email for a user must be unique: users may not share email addresses; thus, a single email address will always refer to one user.
No spaces: there must be no spaces in an email address, such as trailing or leading spaces that can sometimes appear from cutting and pasting email addresses into Vista.
Matching Vista Email address and Trimble ID / Viewpoint ID Email: The email address specified for the user in Vista MUST match that email address which is specified for the user either in Azure AD / Exchange (for Azure AD Federated login) or in Trimble ID (if using standalone without Azure AD).
Matching Primary Logins and Email: The username of the user principal (User Principal Name) MUST match that user's primary Exchange email address. If it does not match, please update either the user's primary email address in Exchange to match the user's account name (user principal name in Azure AD) OR update the user principal name in Azure. (AZURE AD-SPECIFIC REQUIREMENT)
There are two paths that consultant access can take in our cloud:
A. Consultants are Granted Client Emails in Azure AD
OR
B. Consultants Are NOT Granted Email Accounts in Client Azure AD
If the consultant's client grants the consultant an account in their Azure AD, the consultant can leverage Azure AD Federation to Trimble / Viewpoint ID, just as any employee might.
However, if the client company does NOT wish to grant the consultant an account in their Azure AD, the consultant can be set up with a standalone Trimble ID SSO account. This type of account does not attempt to authenticate through Azure AD; instead a unique standalone Trimble ID is created for the consultant. For this to work, the consultant's account in Vista and in the overall Trimble / VP Team platform must use a different email domain from the one used by the customer.
For example, if the client company is "joesplumbing.com" and the consultant's address at their own firm is "jane.consultant@greatconsulting.com", the greatconsulting.com address is entered in Vista and then pushed into Trimble ID. The consultant still uses SSO, but as a standalone Trimble ID rather than federated to the Azure AD of "joesplumbing.com".
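As an added example (not Trimble or Viewpoint code), the following Python pre-flight check applies the email rules above and the consultant routing described in this section to two exports: a Vista user list and an Azure AD user list. The CSV layouts, the joesplumbing.com / greatconsulting.com addresses and the people in them are constructed for illustration. Two assumptions are also not from this article: addresses are compared case-insensitively after trimming whitespace, and any Vista user whose email domain is not one of the customer's federated domains is treated as a standalone Trimble ID user.

```python
"""
Pre-flight check of Vista user e-mail addresses against an Azure AD export
before pushing accounts into Trimble ID / Viewpoint ID SSO.

Added example, not Trimble/Viewpoint code. Assumptions (not from the article):
  - Vista users are exported as (user_name, email) rows;
  - Azure AD users are exported as (userPrincipalName, mail) rows;
  - addresses compare case-insensitively after trimming whitespace;
  - a Vista e-mail outside the customer's federated domains is a
    standalone Trimble ID user (the consultant case), not a federated one.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample data: hypothetical tenant and people.
VISTA_CSV = """user_name,email
jsmith,john.smith@joesplumbing.com
adoe, alice.doe@joesplumbing.com
bwong,Bob.Wong@JoesPlumbing.com
bwong2,bob.wong@joesplumbing.com
cbrown,carol.brown@joesplumbing.com
jconsult,jane.consultant@greatconsulting.com
"""

AZURE_CSV = """userPrincipalName,mail
john.smith@joesplumbing.com,john.smith@joesplumbing.com
alice.doe@joesplumbing.com,alice.doe@joesplumbing.com
bwong@joesplumbing.com,bob.wong@joesplumbing.com
"""

WHITESPACE = re.compile(r"\s")


def normalize(addr):
    """Trim surrounding whitespace and case-fold (assumed case-insensitive match)."""
    return addr.strip().casefold()


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def check_sso_readiness(vista_csv, azure_csv, federated_domains):
    """Return (findings, routing).

    findings: list of (rule, user, detail) tuples, one per violated rule.
    routing:  Vista user_name -> "federated" or "standalone".
    """
    findings = []
    routing = {}
    vista = load(vista_csv)
    azure = load(azure_csv)
    federated_domains = {d.casefold() for d in federated_domains}

    # Azure AD-specific rule: UPN must equal the primary SMTP address.
    azure_mail = {}
    for row in azure:
        upn, mail = row["userPrincipalName"], row["mail"]
        if normalize(upn) != normalize(mail):
            findings.append(("upn_mail_mismatch", upn, f"mail={mail}"))
        azure_mail[normalize(mail)] = upn

    # Rule: no leading, trailing or embedded spaces (a common paste artefact).
    for row in vista:
        raw = row["email"]
        if WHITESPACE.search(raw):
            findings.append(("whitespace", row["user_name"], repr(raw)))

    # Rule: one e-mail address refers to exactly one Vista user.
    counts = Counter(normalize(r["email"]) for r in vista)
    for row in vista:
        email = normalize(row["email"])
        if counts[email] > 1:
            findings.append(("duplicate_email", row["user_name"], email))

    # Route each user and, for federated users, require a matching Azure AD mail.
    for row in vista:
        email = normalize(row["email"])
        domain = email.rpartition("@")[2]
        if domain in federated_domains:
            routing[row["user_name"]] = "federated"
            if email not in azure_mail:
                findings.append(("not_in_azure_ad", row["user_name"], email))
        else:
            routing[row["user_name"]] = "standalone"
    return findings, routing


if __name__ == "__main__":
    found, routes = check_sso_readiness(VISTA_CSV, AZURE_CSV, {"joesplumbing.com"})
    for rule, user, detail in found:
        print(f"{rule:18} {user:32} {detail}")
    for user, route in routes.items():
        print(f"{user:10} -> {route}")
```

Run against the sample data, the check flags the UPN/mail mismatch for bwong@joesplumbing.com, the leading space on adoe's address, the two Vista users sharing bob.wong@joesplumbing.com, and cbrown, who has no Azure AD mail to federate against; jconsult is routed to standalone Trimble ID because greatconsulting.com is not a federated domain.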
You may manage your accounts in our cloud using these helpful links:
Link to Cascade User Management Portal: Azure Virtual Desktop (AVD) and Cascade
Link to User Password Reset Page (end users and admins): How to reset passwords in Cascade Portal
We understand that SSO for Vista in our cloud is an important capability for you. Our team is actively working to extend this capability to additional cloud solutions in our portfolio as soon as practical.
changelog
Monday, 11 November 2024 at 09:50AM:
Updated links to remove references to cloudworkspace and point users to the FAQ articles for Cascade and AVD. Remember, VRL and SSO are the ways to go. If you find VRL is not performant or fast enough or has lags, please reach out to your Trimble Enterprise Solutions Architect (ESA) or Trimble Support to find out workarounds and troubleshooting steps to avoid the use of Trimble's AVD unless absolutely necessary.
Friday, 12 April 2024 at 09:22AM:
Updated TID Warning to show that TID now supports Azure AD and Okta.
Tuesday, 28 November 2023 at 06:16PM:
Added link to ANZ Viewpoint ID SSO setup page
Monday, 17 October 2022 at 10:12PM:
Noted that Viewpoint ID is still supported as a tie-in to Trimble ID for Azure AD support. Also noted that email addresses MUST match between Vista and the primary email address in Azure Exchange.
Tuesday, 09 August 2022 at 11:34AM:
Added MFA types supported for Trimble ID.
Thursday, 07 July 2022 at 02:18PM:
Added section about consultants and when standalone SSO would be appropriate for them.
Wednesday, 11 May 2022 at 09:48PM:
Separated detailed instructions into dedicated SSO account setup page.
Tuesday, 03 May 2022 at 04:46PM:
Clarification that Trimble ID does support MFA without needing Azure AD federation, which is not yet supported.
Wednesday, 20 April 2022 at 03:09PM:
Updated to include information about Trimble ID and lack of support in Trimble ID for Azure AD federation at this time.
Monday, 18 April 2022 at 09:32AM:
Updated transformation section to note that SSO can now be set up prior to go-live instead of being forced to wait until after Vista cloud go-live.
Tuesday, 04 January 2022 at 09:19AM:
Specified that MFA is today ONLY available through integration with Microsoft Azure AD.
Wednesday, 08 December 2021 at 12:55PM:
Updated to be explicit about the difference between Viewpoint ID SSO for third parties, vs. the third party leveraging a third party identity provider such as Azure AD.
Tuesday, 30 November 2021 at 06:05PM:
Added note to clarify that transformation customers currently should wait until they are live and their Team Enterprise ID set up prior to implementing Viewpoint ID with Azure AD SSO.
Thursday, 02 September 2021 at 03:03PM:
Added note on third party products not being compatible with VP ID SSO.