Configuring Enterprise Login for Vault Mobile

Configuring Vault Mobile to allow users to log in using your corporate identity system is a two-step process:

  • First, configure OAuth 2.0 for your Vault. See Configuring OAuth 2.0 / OpenID Connect Profiles for detailed instructions.
  • Next, configure and register an OAuth 2.0 / OpenID Connect App for Vault Mobile in your authorization server. See below1 for detailed instructions.

Authorization Server Support

This section explains the steps necessary to configure a variety of compatible authorization servers. For security purposes, we recommend that PKCE is enabled in your authorization server.

ADFS

To set up Vault Mobile as an application in ADFS:

  1. Within ADFS, navigate to Application Groups > Application > Native Application.
  2. Enter the Client ID: vaultmobile.
  3. Enter the following Redirection URI: com.veeva.vaultmobile://authorize.

Next, you must set up Vault as a Web API:

  1. Within ADFS, navigate to Application Groups > Application > Web API.
  2. Click into the Identifiers tab to add Vault as a relying party identifier.
  3. For the Display name, enter Vault.
  4. Enter the following Relying party identifier: https://login.veevavault.com.
  5. Click into the Issuance Transform Rules tab to create a custom claim rule.
  6. In this tab, click Add Rule > Send Claims Using a Custom Rule > Next.
  7. Enter the following custom rule, replacing mail with the field you wish to use as the Federated ID: c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("sub"), query = ";mail;{0}", param = c.Value);
  8. Click into the Client Permissions tab and select Vault Mobile.
  9. Select the allatclaims checkbox.
  10. Select the openid checkbox.
  11. Click Apply to save your Web API configuration. Click OK to exit the dialog.

In Admin > Domain Settings > OAuth 2.0/OpenID Connect Profiles Details, add Vault Mobile as a Client Application and ensure that:

  • Application ClientID is set to vaultmobile
  • Authorization Server Client ID is set to vaultmobile

PingFederate

To configure a new Ping Identity profile:

  1. Set the profile clientID to vaultmobile. Ensure that there is No client secret for the client ID.
  2. For Client Authentication, select None.
  3. Enter a display Name. For this profile, we recommend Vault Mobile.
  4. Enter the following Redirection URI: com.veeva.vaultmobile://authorize.

Your application should be configured to honor the following grant types:

  • Authorization Code
  • Refresh Token

Note that Vault uses the sub claim in the id_token and the access_token as the Federated ID.

Your application configuration should honor the following scopes:

  • openid
  • offline_access

In Admin > Domain Settings > OAuth 2.0/OpenID Connect Profiles Details, add Vault Mobile as a Client Application and ensure that:

  • Application ClientID is set to vaultmobile
  • Authorization Server Client ID is set to vaultmobile

Microsoft Azure AD

To set up Vault Mobile as an application in Microsoft Azure AD, you must first create an application registration for login.veevavault.com:

  1. Within Microsoft Azure,navigate to Azure Active Directory > App Registrations.
  2. Select New Registration.
  3. In the Name field, enter a name for your registration. We recommend login.veevavault.com.
  4. Select Register.

Next, create an application registration for Vault Mobile:

  1. Within Microsoft Azure, navigate to Azure Active Directory > App Registrations.
  2. Select New Registration.
  3. In the Name field, enter a name for your registration. We recommend Vault Mobile.
  4. Under Supported account types, select which users can access Vault Mobile.
  5. In the Redirect URI panel, select Public client/native (mobile and desktop) and enter the following URI: com.veeva.vaultmobile://authorize.
  6. Select Register.
  7. Navigate to App Registrations > Expose an API.
  8. In the Application ID URI field, select Set.
  9. After Azure selects an ID, select Save.
  10. Select Add a scope.
  11. In the Scope name field, enter the name you selected in step 3.
  12. In the Who can consent? field, select Admins and users.
  13. Enter the desired names and descriptions.
  14. In the State field, select Enabled.
  15. Select Add Scope.

Edit your OAuth 2.0/OpenID Connect profile to ensure that:

  • Identity Claim is set to Identity is in another claim.
  • Claim is set to upn.
  • User ID Type is set to Federated ID.

Add Vault Mobile as a Client Application and ensure that:

  • Application ClientID is set to vaultmobile.
  • Authorization Server Client ID matches the Application (client) ID that Azure generated in step 8.

Okta

The following steps outline how to set up Vault Mobile as an application in Okta. The Product Support Portal provides additional instructions and an example video for an Okta setup.

  1. Within Okta, navigate to Applications > Add Application > Create New App.
  2. For Platform, select Native App.
  3. For Sign on method, select OpenID Connect.
  4. Click Create.
  5. Enter an Application Name. For this profile, we recommend Vault Mobile.
  6. Enter the following Login redirect URI: com.veeva.vaultmobile://authorize
  7. Enter the following Initiate login URI: com.veeva.vaultmobile://authorize
  8. Click Save to create the application.

After you’ve created the application, navigate to the General Settings tab to confirm the following settings:

  • Application label: Value you entered as the “App integration name” in Okta, for example, Vault Mobile
  • Application type: Native
  • Allowed grant types: Authorization Code and Refresh Token
  • Login redirect URIs: com.veeva.vaultmobile://authorize

In the General Settings tab, scroll to the Client Credentials section. In Okta, you can’t configure the Client ID; instead, Okta assigns a random unique identifier. To support this, you’ll need to configure ClientID mapping in your Vault and enter this unique identifier in the Authorization Server Client ID field. You can use vaultmobile for the Application Client ID field. In this section, Client authentication should be set to Use PKCE (for public clients).

Next, navigate to the Sign On tab to ensure that the Sign On Methods are set to OpenID Connect.

Finally, navigate to the Assignments tab to add Okta users. For every Vault user you assigned to the OAuth 2.0 / OpenID Connect Profile for Okta, you must add a corresponding user here. If the User ID Type in the OAuth 2.0 / OpenID Connect Profile is set to Vault User Name, the Okta user name must match the Vault user name. If it is set to Federated ID, the Okta user name must match the Vault user’s Federated ID.

Adding the Authorization Server Metadata

After you’ve set up the profile, get the authorization server metadata. Most authorization servers expose the AS Metadata via a URL, while some allow you to download an AS Metadata JSON file. Use either the URL or the JSON file to upload the AS Metadata in your OAuth 2.0 / OpenID Connect profile in Vault.