Self-service setup of RealVNC Account SSO is now supported through the RealVNC Portal. Go to People > Single-Sign-On to find the setup instructions.
Single Sign-On is available for Enterprise subscription holders only. See our pricing page for more information.
Restrictions and Security Considerations
When enabling RealVNC Account SSO for your RealVNC Connect team, please be aware of the restrictions and security considerations below.
Restrictions
Teams
- Your SSO tenant/identity provider can only be associated with one Team.
- All other members of an SSO-enabled Team must be SSO users; users with a standard RealVNC account cannot be part of an SSO-enabled Team.
- Mandated two-factor authentication using RealVNC Connect's 2FA cannot be enabled on SSO-enabled Teams.
  - Note: this does not prevent using your identity provider's 2FA for accounts; it refers to RealVNC's own 2FA for accounts, which cannot be used with an SSO account.
- Once a Team has SSO enabled, it cannot be undone.
People (Users)
- SSO Users cannot sign in to the License Wizard; a cloud connectivity token must be used instead.
- SSO Users cannot change their contact details or authentication settings in the RealVNC Connect Portal as they are controlled by your identity provider.
Compatibility
- Role-linked SSO is currently not compatible with our new My Organization feature.
Security considerations
Once your Team has been enabled for SSO sign-in, please be aware that:
- RealVNC Connect will not perform device authorization or two-factor authentication for users.
- Mandated two-factor authentication using RealVNC Connect's 2FA is disabled on the Team.
  - Note: this does not prevent using your identity provider's 2FA for accounts; it refers to RealVNC's own 2FA for accounts, which cannot be used with an SSO account.
- It is up to the customer to ensure that their identity provider is configured to provide adequate security for their users.
Just in Time User Provisioning Options
As part of the SSO setup process, you will need to select a provisioning method for the users in your RealVNC Connect Team. This will determine how users are added to your team when signing in using SSO.
Auto Provisioning
This option allows users from your OIDC provider to sign in and be automatically added to your remote access team. By default, users won't have access to the devices in your organization.
Role-linked auto provisioning
This option allows users from your OIDC provider to sign in and be automatically added to your remote access team, with their roles mapped from those defined in your OIDC provider.
No provisioning
This option allows users from your OIDC provider to sign in, but they won’t be automatically added to your remote access team. Their accounts must be created and managed through the SSO User Management page found in the RealVNC Portal.
Existing user migration
RealVNC Connect accounts must have a unique email address/UPN, which means that when you want to enable RealVNC Account SSO for an existing team, we will need to migrate your users from standard RealVNC Accounts to SSO-enabled RealVNC accounts.
User migration can be carried out via the RealVNC Portal. Navigate to People > Single-Sign-On and select the SSO User Management tab.
From here you can use the provided template to migrate existing RealVNC users to SSO-enabled accounts.
For role-linked teams
To migrate existing users you will need to provide their existing RealVNC Username (email address), their SSO username (email address) and their SSO ID. You will find the SSO related details in your OIDC provider.
You cannot invite new users using this template, as the SSO team has role-linked auto provisioning.
For non-role-linked teams
To create new users you will need to provide their SSO username (email address), SSO ID and their role.
To migrate existing users you will need to provide their existing RealVNC Username (email address), their SSO username (email address) and their SSO ID.
Note that you will find the SSO-related details in your OIDC provider, and the role can be one of User, Device Joiner, Technician, Manager or Admin.
The downloadable template works for both new user creation and user migration, so no formatting changes are needed—just fill it in and upload.
For teams using the My Organization feature
To create new users you will need to provide their SSO username (email address), SSO ID, their role and whether to give each user access to all the devices in your hierarchy.
To migrate existing users you will also need to provide their existing RealVNC Username (email address).
Note that you will find the SSO-related details in your OIDC provider, and the role can be one of User, Device Joiner, Technician, Manager or Admin.
For help finding the correct information for your IDP, see our individual Help Center pages for Entra & Okta.
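The field requirements above can be checked before a file is uploaded, so that a mistyped role or a reused email address is caught locally. The following is an added example, not RealVNC's code or template: the column names and team-type keys are assumptions, and only the role names and the per-team field requirements come from this page.

```python
import csv
import io

# Roles are the ones listed on this page. Column names and team-type keys are
# assumptions for illustration, not the headers of RealVNC's template.
ROLES = {"User", "Device Joiner", "Technician", "Manager", "Admin"}
NEW_USER = {
    "role_linked": None,  # new users cannot be invited through the template
    "non_role_linked": ["sso_username", "sso_id", "role"],
    "my_organization": ["sso_username", "sso_id", "role", "all_devices_access"],
}
MIGRATE = {
    "role_linked": ["existing_username", "sso_username", "sso_id"],
    "non_role_linked": ["existing_username", "sso_username", "sso_id"],
    "my_organization": ["existing_username"] + NEW_USER["my_organization"],
}

def check_rows(csv_text, team_type):
    """Return (line_number, problem) pairs for rows that break the rules above."""
    problems, seen = [], set()
    for n, raw in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        row = {k: (v or "").strip() for k, v in raw.items() if k is not None}
        # A row that names an existing RealVNC username is a migration.
        required = (MIGRATE if row.get("existing_username") else NEW_USER)[team_type]
        if required is None:
            problems.append((n, "role-linked teams cannot add new users this way"))
            continue
        missing = [f for f in required if not row.get(f)]
        if missing:
            problems.append((n, "missing " + ", ".join(missing)))
        if row.get("role") and row["role"] not in ROLES:
            problems.append((n, f"unknown role {row['role']!r}"))
        # Accounts need a unique email/UPN; comparing case-insensitively is an assumption.
        key = row.get("sso_username", "").lower()
        if key and key in seen:
            problems.append((n, f"duplicate SSO username {key}"))
        seen.add(key)
    return problems

# Constructed sample data, not real accounts.
SAMPLE = """existing_username,sso_username,sso_id,role,all_devices_access
alice@example.com,alice@corp.example,id-001,Admin,yes
,bob@corp.example,id-002,Operator,no
,Alice@corp.example,id-003,User,
"""

if __name__ == "__main__":
    for line, problem in check_rows(SAMPLE, "my_organization"):
        print(f"line {line}: {problem}")
```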