To set up Multi-Pass with Auvik, ensure you meet the following requirements:

- Auvik admin rights

- MPAS Admin rights

- Make sure that all users intended to use SSO in Auvik are registered in your IdP and have the necessary permissions to access Auvik.

Important: Custom elements in URLs (like realm names) are case sensitive. Make sure to match the exact casing from your environment.

Auvik - SSO configuration

Step 1: Access Auvik Authentication Settings

1. Log in to your Auvik Dashboard.
   
2. On the left-hand menu, navigate to Admin > Settings.
   
3. Click on Authentication.
   

If you do not see the Authentication option, go to your global dashboard and make sure you have the correct permissions to make changes to the SSO setup.

Step 2: Enable Single Sign-On (SSO)

1. Select SSO to enable it.
   
2. Below, you will find several fields that need to be completed with Multi-Pass information.
   

Step 3: Gather Required Multi-Pass Information

1. ACS URL
   
2. Audience URI
   
3. Relay State
   

1. Select your dashboard, then click on Advanced Console.
   

1. In the Advanced Console, navigate to Clients.
   
2. Click on Create a Client to set up the integration.
   

1. Complete the required fields:
   
1. Client Type: Select SAML.
2. Client ID: Use the one provided by Auvik (= Audience URI)
3. Name: Enter a recognizable name, e.g., auvik.
4. Description: Add a relevant description, e.g., SSO configuration for Auvik.
5. Always Display in UI: Switch to ON
2. Click on Next to proceed.
   

1. Enter the following values:
1. Home URL: https://ca.auth.kzero.com/realms/<REALM NAME>/protocol/saml/clients/auvik
2. Valid Redirect URIs: Paste the URI provided by Auvik (= ACS URL)
3. IDP-Initiated SSO URL Name: Use the name of the app, the same one you used at the end of the Home URL.
4. IDP-Initiated SSO Relay: Use the Relay State provided by Auvik. (= Relay State)
2. Click on Save to finalize the configuration.
   

1. In the settings tab, scroll dow to Configure SAML capabilities
   
1. Name ID Format: Set to Email.
2. Force POST Binding: Switch ON.
3. Include Auth Statement: Switch ON.
4. Other Parameters: Switch OFF.
2. Keep scrolling to Configure Signature and Encryption
   
1. Sign Document: OFF.
2. Sign Assertion: ON.
   
3. Click on Save
   
4. Change the tab to "Keys" 
   
1. Ensure that both dimensions are switched OFF.
   
5. Change the tab to "Advanced"
   
1. Locate the field Assertion Consumer Service POST Binding URL.
2. Paste the same link that you used in the Valid Redirect URI (provided by Auvik = ACS URL)
   
6. Click on Save

Signing Certificate, X.509 Certificate, Encryption Certificate, or Identity Provider Public Certificate. The certificate should be in the base64-encoded PEM format.

Step 4: Finalize the Configuration in Auvik

Now that we have the X.509 certificate from MPAS, we can complete the setup in Auvik.

1. Upload the X.509 Certificate:
   
1. Click on Browse.
   
2. Select and upload the document containing the X.509 certificate copied from MPAS.
   
2. Complete the Required Fields:
   
1. IdP Issuer URI: https://ca.auth.kzero.com/realms/<REALM NAME>.
2. IdP Single Sign-On URL: https://ca.auth.kzero.com/realms/<REAL NAME>/protocol/saml
3. Click on Save to finalize the setup.