
On-Premise Single Sign-On


This feature is available in Ultimate edition only.


The content in this article applies to On-premise VersionOne instances only. If you are an On-Demand (V1 Hosted) customer, see On-Demand (V1 Hosted) System Maintenance.

SAML-based Single Sign-On is a security configuration option available to on-premises VersionOne Ultimate customers. Using SAML, VersionOne integrates with your SSO environment and defers to your Service Provider and Identity Provider for authentication when anyone attempts to access your VersionOne instance. This eliminates the need for separate credentials managed inside VersionOne. It also gives you better control over authentication and access, and more flexibility with password rules for your users.

For additional information about SAML, please refer to the SAML SSO Overview page.

The following diagram illustrates SAML SSO using the VersionOne web application:


  1. This diagram illustrates an unauthenticated user flow that starts with the user trying to access the VersionOne web application. 
  2. VersionOne requires an external (3rd party) Service Provider. On-Premises customers are responsible for this component in addition to the Identity Provider.

The instructions below describe how to enable SAML-based SSO in an on-premises VersionOne instance. If your organization uses SAML-based SSO and your VersionOne instance is on-demand (aka hosted or SaaS), please refer to the On-Demand Single Sign-On page.

Enabling SSO

  1. Install VersionOne using the default V1 authentication.
  2. Rename the 'admin' username to match the administrator's SSO username.

  3. Add the following to appSettings in user.config (or create a user.config if it doesn't already exist):

    <add key="DelegatedAuthHeader" value="HTTP_USER"/>

    If creating a new user.config file, its contents would be:

    <appSettings>
      <add key="DelegatedAuthHeader" value="HTTP_USER"/>
    </appSettings>


  4. Configure your SSO system to supply the username to VersionOne via the HTTP_USER header variable.

  5. Configure your SSO system to protect the following VersionOne endpoints:

    • /default.aspx

    • /downloadfile.aspx

    • /attachment.img

    • /attachment.v1

    • /export.v1

    • /assetdetail.v1

    • /ui.v1

    • /rest-1.v1

    • /roadmapping.v1

    • /*.mvc

    • /oauth.v1/auth

    • /query.legacy.v1

Several customers have chosen to configure their SSO system to secure the entire VersionOne virtual directory. When choosing this approach, you must disable SSO when installing or upgrading Analytics because that installer relies on two VersionOne endpoints that are not secure in a non-SSO environment.

Once configured, VersionOne will authenticate users based on the username supplied in the HTTP_USER header variable. An 'Access Denied' message displays to users who do not have a matching username defined in VersionOne.
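One way to check step 5 before relying on the HTTP_USER header, as an added example that is not VersionOne's or any SSO vendor's code: the script compares a protected-path list taken from an SSO system against the endpoints listed above and reports request paths that no rule covers. The rule list, the probe paths, the prefix matching and the first-segment wildcard handling are assumptions; paths are relative to the VersionOne virtual directory.

```python
from fnmatch import fnmatchcase

# Endpoints the page says the SSO system must protect (step 5).
REQUIRED = [
    "/default.aspx", "/downloadfile.aspx", "/attachment.img", "/attachment.v1",
    "/export.v1", "/assetdetail.v1", "/ui.v1", "/rest-1.v1", "/roadmapping.v1",
    "/*.mvc", "/oauth.v1/auth", "/query.legacy.v1",
]

def normalize(path):
    """Drop the query string and fold case (IIS treats URL paths case-insensitively)."""
    return path.split("?", 1)[0].lower()

def matches(pattern, path):
    """Assumed semantics: a pattern covers the exact path and anything beneath it;
    '*' is only honoured inside the first path segment (as in /*.mvc)."""
    pattern, path = pattern.lower(), normalize(path)
    if "*" in pattern:
        first_segment = "/" + path.lstrip("/").split("/", 1)[0]
        return fnmatchcase(first_segment, pattern)
    return path == pattern or path.startswith(pattern + "/")

def requires_sso(path):
    """True if the path falls under one of the endpoints listed on the page."""
    return any(matches(p, path) for p in REQUIRED)

def coverage_gaps(sso_rules, probe_paths):
    """Paths the page requires to be protected that no SSO rule covers."""
    return [p for p in probe_paths
            if requires_sso(p) and not any(matches(r, p) for r in sso_rules)]

# Constructed sample: rules as they might be exported from an SSO agent,
# with two of the required endpoints forgotten.
SSO_RULES = [
    "/default.aspx", "/attachment.img", "/attachment.v1", "/export.v1",
    "/assetdetail.v1", "/ui.v1", "/rest-1.v1", "/roadmapping.v1",
    "/*.mvc", "/oauth.v1/auth",
]
# Constructed probe paths, relative to the VersionOne virtual directory.
PROBES = [
    "/Default.aspx?x=1", "/DownloadFile.aspx?x=1", "/rest-1.v1/Data/Story",
    "/Story.mvc/Summary", "/oauth.v1/auth", "/query.legacy.v1",
    "/images/logo.png",
]

if __name__ == "__main__":
    for gap in coverage_gaps(SSO_RULES, PROBES):
        print("not covered by SSO:", gap)
```

Any path the script reports reaches VersionOne without passing through the SSO system, so the HTTP_USER value on that request was not set by it.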


From V1 Dev Team concerning the SSO config: "Respecting the cache control headers is the right strategy."