Setting up Vista Web (a.k.a. HFF or Keystyle) Access - IT ADMINS
Using Trimble ID SSO
IMPORTANT
These instructions walk an IT Administrator through how to set up a user to be able to access Vista Web through Trimble ID SSO. It does NOT walk the end user through accepting their invitation to create their Trimble ID account, NOR does it walk the end user through linking their Vista Web account to their new Trimble ID account.
REMINDER: If your users will need to use Vista Web to approve invoices, timecards, etc. they should have their VA User Profile records set up properly. Please see following article for more information on this: Creating a Vista User Record for Vista Web Use
For information on how to set up Vista users to be ready for TID SSO, please use the following: Creating and Managing Vista Trimble ID SSO Users After Initial Setup
For steps on how to log in to Vista using Trimble ID SSO, please see this other FAQ article: Logging in to Vista - Via Trimble ID SSO
For steps for END USERs on how to set up their Trimble ID accounts and on how to log in to Vista Web, the following articles are more appropriate:
Trimble ID Account Setup: Creating Your Trimble ID SSO Account
Logging in to Vista Web: Logging in to Vista Web (HFF / Keystyle) - Via Trimble ID SSO
Author: Eric Vasbinder
Overview
Prior to moving in to the cloud, customers who used Vista Web (a.k.a. HFF or Keystyle) would often use local Windows Active Directory (AD) or SAML Single Sign On (usually tied to Azure Active Directory / Entra ID) to log in to their on-premise Vista Web portal. This access was pretty straightforward and involved the user merely browsing to the Vista Web portal and selecting "Use Windows Account" or, if using a SAML SSO provider like Microsoft Azure AD, clicking a tile or hyperlink from within their SSO home page. Once there, the system would usually automatically log the end user in after validating that user's identity with the third party, like Microsoft.
However, once customers move to the cloud, local Windows domain logins are not supported, and SAML SSO logins are optional but not recommended. Instead, we recommend setting up authentication through Trimble ID (formerly Viewpoint ID) (a.k.a. TID). Fortunately, the process to set up TID authentication into Vista Web is fairly smooth for end users and, better yet, TID can be linked to your Azure AD or Okta setup so that users do not need to create and manage yet another login. However, please note that if the user in question does not have access to log in via Azure AD or Okta (e.g. they do not have a corporate email address), then that user should set up their own, new standalone account in Trimble ID to log in to Vista Web.
Please note that as of today, users may also log in with their PR Employee number and a password they create when first enrolling in the portal, though this login method will not be tied to the Trimble ID SSO system that shares a single set of credentials between our products. In addition, if a user is set up to log in to the Vista Web Portal using Trimble ID, they will lose the ability to login via that Employee number and password and will be required to log in via Trimble ID.
Please see below for the prepratory steps needed for you, as the IT admin, to take.
Requiring MFA for All Vista Web Users (OPTIONAL)
If you wish to allow users to sign in to Vista Web using standalone Trimble ID SSO accounts, you can also require those accounts to have Multi-Factor Authentication (MFA) turned on within their standalone Trimble ID accounts. To do so, please use the following steps:
NOTE: These steps REQUIRE that the user making these changes in the TC1 platform have Team Enterprise Admin rights. If you are not already a Team Enteprise Admin, you can have your Team Enterprise Admin perform these Tasks, or have a support request created by an authorized support portal user to ask for those rights.
Click on your name in the upper right hand corner, then click on the name of the Enterprise that you wish to edit.
Figure 1: Select the Enterprise to Enforce MFA
3. Ensure the "Enterprise" tab at the top is selected.
4. Click on Enterprise Settings on the left hand menu to open that sub menu.
5. Click on "Security".
6. If your screen is showing "MFA is Disabled", please click on the blue "Enable" button.
Figure 2: Enable MFA
7. Confirm the request on the next screen by clicking on the "Yes" button.
Figure 3: Confirm MFA Enablement
8. You should now see a screen with a notification saying that MFA has been enabled and the button will change to a red "Disable" button.
At some point in the future, if you desire to turn off MFA being required (not recommended), you may click the red "Disable" button to turn off the MFA requirement.
As a reminder, none of the above is necessary in the TC1 (Team) platform if your users are leveraging existing federations to Okta or Entra ID (Azure AD) as those identity providers will handle MFA instead. This is ONLY necessary to force MFA for those users who need to log in with STANDALONE SSO accounts into Vista, Team, or Vista Web.
Add Vista Web Users - (Option A): Add Through Vista VA User Profile
Please note that if you wish, you may add users as a "User Application" type into Vista's VA User profile form. Once added in there, you may use the Vista User Migration portal (described here: Creating and Managing Vista Trimble ID SSO Users After Initial Setup) as a means to add Vista Web users into the entire Viewpoint ecosystem. To be honest, this is the simplest way to add users into Vista web and ensure SSO functionality at the same time. In addition, if the users are added into Vista as "User Application" type, they will NOT count against your Vista license count, but will be unable to log into Vista of course.
Add Vista Web Users - (Option B): Using Team Platform - Step by Step (IT Admins ONLY)
Prior to having users log in to Vista Web, you need to understand the answers to two questions: if you wish to grant the ability for those end users to approve invoices and timecards through Vista Web AND if those users will be using Vista itself at all.
VISTA USERS: If your users are using Vista in any way, then the migration steps to push Vista accounts into Trimble ID SSO take care of the following steps. The instructions for you to get this going for your Vista users are listed in the following FAQ article:
THE REST OF THIS ARTICLE DOES NOT APPLY TO YOUR VISTA USERS AND MAY BE IGNORED FOR THOSE USERS
APPROVING INVOICES AND TIMECARDS: If your users will be approving timecards or invoices in Vista Web, you will need to have them added to Vista itself; not as an actual Vista User, but as a "User Application" record in Vista's VA User Profile. To do so, please use the instructions on creating a user record for Vista Web, located here: Creating a Vista User Record for Vista Web Use
Please perform the steps to create a Vista User Record FIRST if your user will need to approve invoices, timecards, etc. in Vista Web.
NOT USING VISTA: If your users will NOT be using Vista AND if their VA User Profile records are already set up or if they do not need them, THEN the rest of this article applies. These users who fit in this bucket need to be added into Team, regardless of whether they are using a corporate email address that is linked (i.e. Federated) to Azure AD / Okta or not. These steps detail that process for IT admins.
REMINDER - OPTION A TO USE VISTA VA USER PROFILE FORM (DESCRIBED ABOVE) IS HIGHLY PREFERRED AS IT ENABLES AUTO LINKING OF THESE VISTA WEB USERS AND SIMPLIFIES THE PROCESS. IF YOU STILL WISH TO USE THIS OPTION B, PLEASE READ ON BELOW.
First, have one of your IT admins with Enterprise Admin rights in our Viewpoint Team platform browse to https://team.viewpoint.com
Once on that page, click on your username in the upper right, then click "Admin Center". If you have multiple Team enterprises, you will need to select the proper one in the drop down menu.
Figure 4: Select the Admin Center for the correct Enterprise you need.
3. Click on the menu "User Management"
4. Click on "Add User" button.
Figure 5: Click User Management, then click "Add User".
5. You will now see the screen to add the user's information. Please add their First and Last Names and their email address, then click Save.
NOTE: For regular Vista Web Portal users, they should not have any roles assigned. LEAVE ALL ROLES AS NONE for those users.
Figure 6: Add User Screen
Your users will now need to proceed through setting up and registering their new Team user account. Please note that if their email is part of your domain and if your domain is federated to Azure or Okta, the user will have a slightly different registration look and feel.
IMPORTANT
NOW THAT YOUR END USERS HAVE BEEN INVITED INTO TEAM, THEY NEED TO ACCEPT THOSE INVITATIONS AND CREATE THEIR TRIMBLE ID ACCOUNTS.
The instructions for end users on how to accomplish this task are located here: Creating Your Trimble ID SSO Account
Once they have completed creating their Trimble ID accounts, they will need to then complete the final step of linking their Vista Web Account to their Trimble ID account: Logging in to Vista Web (HFF / Keystyle) - Via Trimble ID SSO
changelog
Thursday, 16 May 2024 at 11:17AM:
Added section on how to force MFA for Vista Web, Vista, and Team logins if you are using standalone SSO accounts - not federated.
Friday, 12 April 2024 at 06:21PM:
Removed all end user sections and placed in a separate article.
Friday, 12 April 2024 at 01:53PM:
Added Trimble ID to Vista Web Portal linking.
Friday, 12 April 2024 at 09:00AM:
Minor edits of a screenshot and removal / changing of a couple of words for clarity.
Wednesday, 10 April 2024 at 07:28PM:
Significant refactoring based on feedback to the initial user set up. Added section on needing to create VP Team platform accounts FIRST, then inviting to team, THEN logging in to Vista Web. Additional screenshots as well.
Monday, 08 April 2024 at 06:08PM:
Initial posting.