Veeva Snap Configuration Options

Note: Support for Veeva Snap expired on December 1, 2023 and was replaced by the Vault Mobile app.

Veeva Snap is a mobile application for iOS devices (iPad, iPhone, and iPod Touch) that allows Vault users to scan and upload documents to their Vaults using their device’s camera. There are several Veeva Snap configuration options available to Admins.

Configuring Veeva Snap to allow users to log in using your corporate identity system is a two-step process:

First, configure OAuth 2.0 for your Vault. See Configuring OAuth 2.0 / OpenID Connect Profiles for detailed instructions.
Next, configure and register an OAuth 2.0 / OpenID Connect App for Veeva Snap in your authorization server. See below for detailed instructions.

Authorization Server Support

This section explains the steps necessary to configure a variety of compatible authorization servers. For security purposes, we recommend that PKCE is enabled in your authorization server.

ADFS

To set up Veeva Snap as an application in ADFS:

Within ADFS, navigate to Application Groups > Application > Native Application.
Enter the Client ID: veevasnap.
Enter the following Redirection URI: com.veeva.snap:/authorize.

Next, you must set up Vault as a Web API:

Within ADFS, navigate to Application Groups > Application > Web API.
Click into the Identifiers tab to add Vault as a relying party identifier.
Enter “Vault” as the Display name.
Enter the following Relying party identifier: https://login.veevavault.com.
Click into the Issuance Transform Rules tab to create a custom claim rule.
In this tab, click Add Rule > Send Claims Using a Custom Rule > Next.
Enter the following custom rule, replacing “mail” with the field you wish to use as the Federated ID:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("sub"), query = ";mail;{0}", param = c.Value);
Click into the Client Permissions tab and select Veeva Snap.
Select the allatclaims checkbox.
Select the openid checkbox.
Click Apply to save your Web API configuration. Click OK to exit the dialog.

PingFederate

To configure a new Ping Identity profile:

Set the profile clientID to veevasnap. Ensure that there is “No client secret” for the client ID.
For Client Authentication, select None.
Enter a display Name. For this profile, we recommend “Veeva Snap”.
Enter the following Redirection URI: com.veeva.snap:/authorize.

Your application should be configured to honor the following grant types:

Authorization Code
Refresh Token

Vault will use the sub claim in the id_token and the access_token as the Federated ID.

Your application configuration should honor the following scopes:

openid
offline_access

Microsoft Azure AD

To set up Veeva Snap as an application in Microsoft Azure AD, you must first create an application registration for login.veevavault.com:

Within Microsoft Azure navigate toAzure Active Directory > App Registrations and click New Registration.
Enter a Name. We recommend login.veevavault.com.
Click Register.

Next, create an application registration for Veeva Snap:

Within Microsoft Azure, navigate to Azure Active Directory > App Registrations and click New Registration.
Enter a Name. We recommend “Veeva Snap.”
Under Supported account types, select which users can access Veeva Snap.
In the Redirect URI panel. select Public client/native (mobile and desktop) from the drop-down and enter the following URI: veevasnap://authorize.
Click Register.
Navigate to App Registrations > Expose an API.
In the Application ID URI field, click Set. After Azure selects an ID, click Save.
Click Add a scope. In the Scope name field, enter the name you selected in step 2.
In the Who can consent? field, select Admins and users.
Enter the desired names and descriptions, then select Enabled in the State field. When finished, click Add Scope.

Edit your OAuth 2.0/OpenID Connect profile to ensure that:

Identity Claim is set to Identity is in another claim.
Claim is set to upn.
User ID Type is set to Federated ID.

Add Veeva Snap as a Client Application and ensure that:

Application ClientID is set to veevasnap.
Authorization Client Server id matches the Application (client) ID that Azure generated in step 7.

Okta

To set up Veeva Snap as an application in Okta:

Within Okta, navigate to Applications > Add Application > Create New App.
For Platform, select Native App.
For Sign on method, select OpenID Connect.
Click Create.
Enter an Application Name. For this profile, we recommend “Veeva Snap”.
Enter the following Login redirect URI: com.veeva.snap:/authorize.
Click Save to create the application.

After you’ve created the application, navigate to the General Settings tab to confirm the following settings:

Application label: Value you entered as the Application Name, for example, Veeva Snap
Application type: Native
Allowed grant types: Authorization Code and Refresh Token
Login redirect URIs: com.veeva.snap:/authorize

In the General Settings tab, you’ll also need to scroll to the Client Credentials section. In Okta, you can’t configure the Client ID; instead, Okta assigns a random unique identifier. To support this, you’ll need to configure ClientID mapping in your Vault and enter this unique identifier in the Authorization Server Client ID field. In this section, Client authentication should be set to Use PKCE (for public clients).

Next, navigate to the Sign On tab to ensure that the Sign On Methods are set to OpenID Connect.

Finally, navigate to the Assignments tab to add Okta users. For every Vault user you assigned to the OAuth 2.0 / OpenID Connect Profile for Okta, you must add a corresponding user here. If the User ID Type in the OAuth 2.0 / OpenID Connect Profile is set to Vault User Name, the Okta user name must match the Vault user name. If it is set to Federated ID, the Okta user name must match the Vault user’s Federated ID.

Exostar SAM

Contact your Exostar representative to configure Exostar SAM for Veeva Snap.

Adding the Authorization Server Metadata

After you’ve set up the profile, get the authorization server metadata. Most authorization servers expose the AS Metadata via a URL, while some allow you to download an AS Metadata JSON file. Use either the URL or the JSON file to upload the AS Metadata in your OAuth 2.0 / OpenID Connect profile in Vault.

Enterprise Mobility Management

You can configure Veeva Snap for your organization using Enterprise Mobility Management (EMM) software, such as MobileIron or AirWatch. To control various application properties, you can create a profile overriding default Veeva Snap behavior.

Creating an EMM Profile

You can define the values for the properties that you wish to control, and deploy the configured version of Veeva Snap to your users through your EMM vendor. You can also adjust the Veeva Snap permissions in Vault to work alongside your EMM configuration.

How you create your EMM profile to control Veeva Snap depends on the EMM vendor that you use. Some vendors, for example, MobileIron, include an interface where you can specify application properties.

Other applications, such as AirWatch, require an XML configuration file detailing your properties. The configuration includes all available controllable settings. Download this sample file to see how to configure your XML. You can also see the AirWatch online help documentation for more information.

Controllable Application Properties

VeevaVaultBiometricAuthenticationVisible: Controls: Biometric Authentication checkbox appearance and usage.; Values: Visible (default), NotVisible
VeevaSnapCertifiedCopyVisible: Controls: Certified Copy enablement setting visibility on the Veeva Snap Settings screen.; Values: Visible (default), NotVisible
VeevaSnapCertifiedCopyEnforced: Controls: Require Certified Copy be performed before a user can upload the document to Vault. If this property is set to Enforced, VeevaSnapCertifiedCopyVisible is ignored and the Certified Copy enablement setting is set to on.; Values: Enforced, NotEnforced (default)
VeevaSnapNotesFieldMinimum: Controls: The minimum number of characters users need to enter in the Notes field on the document review screen. When users launch Veeva Snap from a Vault email to upload a document to a placeholder, this field is ignored.; Values: 0 – 255
VeevaSnapEMMProvisioned: Controls: Whether Veeva Snap is provisioned from the Apple App Store or an organization’s EMM software. This will always be set to Yes when the application is provisioned from your EMM vendor. This property is not available when using the App Store version of Veeva Snap.; Values Yes (default)

You may be able to control other general mobile application properties through your EMM software. Consult your vendor’s documentation for information about other properties available.

Vault Permissions

Along with your EMM profile, Veeva Snap includes two Vault Application permissions that can enable or restrict users’ access to the application: Veeva Snap: Enable and Veeva Snap: Enable Direct Installation. See details about these permissions.

Enabling Copy Certification

To enable Copy Certification in Vault, navigate to Admin > Configuration > Document Fields and set the Base Document Certified Copy (certified_copy__v) field Status to Active. When Veeva Snap users upload a document to Vault after completing Copy Certification in the application, the Certified Copy field value is set to Yes when users classify the document.

You can also use Enterprise Mobile Management to enforce that all of your organization’s Veeva Snap users utilize Copy Certification when uploading documents to Vault.

Configuring Email Templates

Users can upload a captured document as a source file for a placeholder, as a new version of an existing Vault document, or as an attachment to another Vault document or object record by opening Veeva Snap from a specially formatted URL. To do this, you must configure or update a document message template to include a link to the Veeva Snap application. See Email & Message Administration for details about configuring email templates. If users don’t have the Veeva Snap application downloaded on their devices, the URL will not work.

For example, you might update the message template associated with a Send for Authoring workflow to include the link to the Veeva Snap application. When a user initiates this workflow on a placeholder document, Vault sends an email to a user identified in the workflow configuration. That user can then click the link to launch Veeva Snap and upload a captured document directly to the placeholder identified in the template.

Note: Because Gmail and other mail clients aside from Apple’s iOS Mail app do not support non-HTTP URLs, links in emails sent from these clients do not work. We recommend using the standard iOS Mail app or placing the URL in the text of the email, where the recipient can copy and paste it into their browser.

Custom URL for Placeholders & New Document Versions

Veeva Snap supports a custom URL format to allow uploads to a placeholder document or as a new version of an existing document in Vault:
veevasnap://uploadplaceholder/<VaultID>/<PlaceholderDocumentID>/<PlaceholderDocName>.

For example, the custom URL would be: veevasnap://uploadplaceholder/16315/1169/Test%20Document.

Learn more about placeholders.

Custom URLs for Attachments

Veeva Snap supports a custom URL format to allow users to upload a captured document as an attachment on another Vault document: veevasnap://uploadDocAttachment/<vaultID>/<docID>/<parentDocName>.

For example, the custom URL identifying a document would be: veevasnap://uploadDocAttachment/12345/123/Cholocap%20Trial%21Update.

Veeva Snap supports a custom URL format to allow users to upload a captured document as an attachment on an object record: veevasnap://uploadObjectAttachment/<vaultID>/<objectType>/<objectID>/<parentObjName>.

For example, the custom URL identifying an object record would be: veevasnap://uploadObjectAttachment/12345/study__v/12/Study%20123.

Learn more about documents and object records.

Example Email Template Message

The following email template message shows how to enable users to upload a captured document to a placeholder in Vault:

<p>${notificationMessage}</p>
<p>Due date: ${taskDueDate}</p>
<p>Document owner: ${docOwnerName}</p>
<p>Workflow owner: ${workflowInitiatorName}</p>
<p>Task instructions: ${taskInstructions}</p>
<p>You can see all of your tasks on your Vault homepage under <a href='${taskHome}'>Tasks</a>.</p>
<p><a href='veevasnap://uploadplaceholder/${vaultId}/${docId}/ ${docNameNoLink}'><img src='https://example.com/veeva-snap-email-button.png'/></a></p>

We recommend including the following image in your template as a button for users to launch Veeva Snap:

(Right-click image to save.)

To upload documents via Veeva Snap, users must have the following permissions:

Security Profile

Veeva Snap: Enable: Controls ability to upload a document to Vault from the Veeva Snap mobile application. Without this permission for a given Vault, users will see an error when attempting to upload a document from Veeva Snap.
Veeva Snap: Enable Direct Installation: Controls aility to use the public version of Veeva Snap, available from the Apple App Store. Without this permission, users must use the Veeva Snap application version provisioned by their organization.
Document: Always Allow Unclassified: Controls ability to create unclassified documents if users don’t have Create Document permission on any document types.
API: Access API: Controls ability to communicate with and upload documents to Vault from Veeva Snap.
All Documents: All Document Create: Controls ability to upload unclassified documents; this permission is not required, but can be set as a substitution in situations where the Document: Always Allow Unclassified permission is required but not enabled.

Document Type

Create Document: Controls ability to create documents with a specific document type and ability to create unclassified documents; this permission is not required, but users must have either this permission or the security profile Document: Upload permission.

Document Role

View Document: Controls ability to view a placeholder document; users need this permission when capturing documents as source files for placeholders.
Edit Document: Controls ability to edit a placeholder document; users need this permission when capturing documents as source files for placeholders.
Version: Controls ability to upload a new version of a placeholder document; users must have this permission on the Unclassified state of the Unclassified document lifecycle.
Edit Relationships: Controls ability to add, delete, and version document attachments.
Edit Sharing Settings: Controls ability to include default document role assignments when creating unclassified documents; users must have this permission on the Unclassified state of the Unclassified document lifecycle. Without this permission, users will see an error when uploading an unclassified document from Veeva Snap.

Security Profile

{Object}: Edit: Controls ability to add, delete, and version object record attachments.

Configuring Enterprise Login for Veeva Snap

Authorization Server Support

ADFS

PingFederate

Microsoft Azure AD

Okta

Exostar SAM

Adding the Authorization Server Metadata

Enterprise Mobility Management

Creating an EMM Profile

Controllable Application Properties

Vault Permissions

Enabling Copy Certification

Configuring Email Templates

Custom URL for Placeholders & New Document Versions

Custom URLs for Attachments

Example Email Template Message

Related Vault Permissions

Security Profile

Document Type

Document Role

Security Profile