What is this?
A guide regarding how the user migration process looks like for organizations that have SAML SSO enabled.
Why is this needed?
With the introduction of SAML based SSO, Verified users can now log into the platform using their organization's credentials/identity provider (such as Active Directory). This comes with a lot of benefits in terms of security and user management.
However, for existing Verified clients, their users' account data (such as all their envelopes) will need to be migrated.
Here is what the difference will be from the perspective of a user that is part of the "Ryk & Reis" organization.
As you can see, before, the user would go to app.verified.eu and log in with Verified platform credentials. After the user data migration has been completed, they would go to an organization specific URL, and log in with their organization credentials. Then, they would end up in the same Verified dashboard as before, looking at the same envelopes that they're familiar with.
The migration steps can be broken down into:
- Enable the SAML SSO functionality for your organization
- Notify the users (members of your organization) about the SAML SSO functionality
- Users log in, and then go through the migration process
- With the migration complete, users will be able to log in with their organization credentials
1. Enabling the SAML SSO functionality for your organization
This feature is available on demand and it requires you to contact the Verified support team.
Since you're reading this article, we'll assume you've gone through this step, so let's move on.
2. Informing the users about the SAML SSO functionality
You will need to inform the members of your organization about the introduction of this feature. In addition to the benefits in terms of security that this feature brings, a crucial reason to do this is the fact that the users will need to access a different link to the Verified platform.
People usually bookmark links that they often use, so they will need to remove the old bookmark (or shortcut) pointing to https://app.verified.eu and replace it with the new one, which will point to your organizations' custom subdomain (such as https://ryk-and-reis.verified.eu)
Here is an example for how such an internal email/announcement could look:
In order to improve our security and provide you with a smoother experience,
we have enabled the SAML Single Sign-On functionality in the Verified platform.
This will allow you to login using our Ryk & Reis organization credentials.
To make use of this feature, you will need to go to:
There, you will be asked to login with our Ryk & Reis credentials.
Afterwards you will need to enter the Verified credentials in order to link
your existing envelopes to your Ryk & Reis account. You will only need
to do this once, and the process will take just a couple of minutes.
Make sure you have your Verified credentials (email and password) ready before
As of today you should remove any bookmarks or shortcuts you had pointing
towards the Verified platform, and bookmark https://ryk-and-reis.verified.eu instead.
3. Users will log in, and then go through the migration process
Here is how the migration process will look for a user:
3.0 Some users will probably ignore your announcement
No matter how well you prepare, some people might still end up at the old URL. Let's say that a user forgot about the announcement or just made a simple human error, and got to app.verified.eu.
In this case, they would need to log in with their Verified account's email and password. Once they are logged in, they will be greeted by the following screen:
At this point, they will either have to proceed with the migration or log out.
If they proceed, they will be taken to the next step.
3.1 The users will end up at your organization-specific URL
Either from following your internal announcement or from the previous step, the users will eventually arrive at the correct URL (such as ryk-and-reis.verified.eu)
Here, clicking the "Login" button will take them to your organization-specific SSO method.
3.2 They will be asked to migrate their existing data
Next, they will be asked if they have used the Verified platform before. Here there are 2 scenarios:
- The user has used Verified before
In this case, they will be asked to enter their Verified credentials (email and password) so that the platform can migrate their old envelopes
- The user has never used Verified before
And thus, they have no existing envelopes to migrate
This step is needed because the platform doesn't know who this SAML user is, and needs to map them to an existing Verified user. This process only happens once, in order to flag the user as having been migrated.
All existing users in your organization will need to choose the first option.
All new users (after the AD integration has been set up) will need to choose the second one.
3.3 They will need to log in one more time
If this was an existing user, then after clicking "Yes, migrate my data", the process will begin and after 1-2 seconds the SAML user will be associated with their old Verified account's data.
Afterwards, the user will need to click "Log in to access envelopes" to log in one more time.
This step is needed because the SAML user has now been linked to their old account data, and logging back into the platform will display their existing envelopes.
4. With the migration complete, users will be able to log in with their organization credentials
Afterwards, users will need to make sure to always access the new URL, where they will simply log in with their organization credentials to get into the Verified platform.
That concludes the process from the user's point of view.
What if a user selects "I have no data to migrate" even though they do?
In that case you will need to contact Verified support, and we will remove the flag from that user in our backend. The next time they log in they will land in the 3.2 step
What if a user was part of multiple companies (departments in your organization)?
All their data is migrated during the migration process. If they were able to access multiple companies before, they will be able to access the same companies (departments) after the migration
What if a user still tries to access app.verified.eu after migration?
They won't be able to do anything. They will no longer see the company or companies they had access to, as the data attached to them has been migrated.
Will all new users need to go through the 3.2 step (have you used Verified before)?
Yes. The Verified platform has no way of knowing if a SAML user has used Verified before. Once the user makes that choice, they are flagged, and will never see that screen again.
Is there a risk of data being lost during the migration?
No. Although we call the process migration for the sake of simplicity, what actually happens is a change in user rights. The data remains in place, the access rights to the old account is severed and only the new account, behind your SAML SSO solution, is granted access to it.