Which identity providers does Visylix SSO support?

Any IdP that speaks SAML 2.0 or OpenID Connect (OIDC). We have tested turn-key flows with Okta, Azure AD / Microsoft Entra ID, Google Workspace, Auth0, OneLogin, Keycloak, PingFederate, JumpCloud, and Duo SSO. If you can share a SAML metadata URL or an OIDC discovery document, we can federate with you.

How long does SSO setup take?

Most customers go from "first click" to "employees signing in with SSO" in under 15 minutes. You paste your IdP metadata URL into the Visylix admin console, map IdP groups to VMS roles (admin, operator, viewer, custom), and enable Just-In-Time (JIT) provisioning. No manual user sync, no SCIM setup required for the basic flow.

Can we enforce SSO-only login and disable passwords?

Yes. Once SSO is verified working, you can enforce SSO-only for any or all users, which disables password login entirely. A configurable "break-glass" local admin account is preserved for disaster recovery (lockout protection). Break-glass logins are heavily audit-logged and can trigger alerts to a SOC.

How does group-based RBAC work?

When a user signs in via SSO, Visylix reads the SAML attribute or OIDC claim you designate (typically a "groups" or "roles" claim). You map those IdP group names to Visylix RBAC roles. A user in IdP group "Security-Operators" automatically receives the Visylix "operator" role on each login. Roles update on every sign-in, so removing a user from an IdP group immediately revokes their VMS permissions on next login.

Are SSO logins audit-logged?

Every SSO login writes a signed audit record: timestamp, user principal, source IP, IdP name, assertion ID, and assigned role. Logs are retained per your retention policy and can be streamed to your SIEM (Splunk, Datadog, Elastic, Sumo Logic) via our webhook or syslog forwarder. This is critical for SOC 2, ISO 27001, and HIPAA compliance audits.

Available on Scale and Enterprise

One login. Every camera. Every site.

Federate Visylix with Okta, Azure AD, Google Workspace, Auth0, OneLogin, or Keycloak. SAML 2.0 and OIDC, JIT provisioning, group-based RBAC, and audit-logged logins , setup in 15 minutes.

Start Free Trial See pricing

Works with every major identity provider

Okta

Azure AD

Google Workspace

Auth0

OneLogin

Keycloak

Why surveillance teams standardize on SSO.

VMS access is one of the most sensitive credentials in your organization. Treat it like it is.

Employee offboarding that actually works

Without SSO, removing someone from a VMS means an admin hunts through manual user lists. With SSO + group-based RBAC, deprovisioning in your IdP instantly revokes VMS access across all sites. One source of truth.

Password reuse risk eliminated

Surveillance passwords get shared, written on sticky notes, and reused. SSO pipes all access through your IdP, where MFA, conditional access policies, and anomaly detection already protect other critical systems. Zero new password surface area.

Audit-ready by default

SOC 2 auditors, ISO 27001 auditors, and insurance carriers all ask the same question: can you prove who accessed what camera and when? Visylix SSO logs are signed, tamper-evident, and stream to your SIEM. Audit answered.

Everything the security team asks for.

Enterprise SSO features that map to real SOC 2, ISO 27001, and HIPAA audit requirements.

SAML 2.0 + OIDC

Industry-standard federation. SAML 2.0 for traditional enterprise IdPs, OpenID Connect for modern identity. Both work with the same admin console, pick whichever your IdP supports.

Metadata URL setup

Paste your IdP metadata URL. Visylix fetches and validates the signing certificate, entity ID, and SSO endpoints automatically. No XML editing, no certificate uploads for most providers.

Group-based RBAC

Map IdP groups (or roles claim) to Visylix roles. Users in the "Security-Operators" group get the operator role on every login. Remove from group → access revoked on next sign-in.

JIT provisioning

New user signs in via SSO for the first time? Their Visylix account is created automatically with the right role based on IdP group membership. No manual user setup, no SCIM sync required.

Signed audit logs

Every SSO login logged with assertion ID, IdP, source IP, role assignment. Streamed to your SIEM (Splunk, Datadog, Elastic) via webhook or syslog. Required for SOC 2, ISO 27001, HIPAA audits.

Break-glass protection

Local admin account preserved for IdP outage scenarios. Break-glass logins trigger immediate SOC alerts and leave a heavily audited trail. Enforce SSO-only for all other users.

15 minutes from zero to SSO-only.

Four steps, one admin console, zero XML editing.

Paste your metadata URL

From Okta, Azure AD, Google Workspace, or any SAML 2.0 / OIDC provider. Visylix fetches certs and endpoints automatically.

Map IdP groups to VMS roles

Drag-and-drop mapper. "Security-Operators" → operator role, "Security-Admins" → admin role. Add custom roles as needed.

Test with a pilot user

Visylix runs an end-to-end SAML/OIDC assertion test. You see exactly which claims arrived and which role was assigned.

Enforce SSO-only

Flip the switch to disable password login. Break-glass admin preserved. Existing users prompted to sign in via IdP on next session.

Use case, Retail chain

“Store managers rotate every quarter. Before SSO, deprovisioning took weeks across 140 locations. Now it happens the moment HR offboards them in Okta.”

Regional retail chain, 140 stores, 2,800 cameras. IdP: Okta. Migration from manual user management to Visylix SSO completed in one afternoon.

Audit log every surveillance team wants.

Timestamp, user principal, source IP, and IdP name on every sign-in
SAML assertion ID or OIDC token ID for replay investigation
Assigned VMS role captured at sign-in time, not inferred later
Signed with the Visylix audit key, tamper-evident
Streamed to Splunk, Datadog, Elastic, Sumo Logic via webhook or syslog
Retained per your policy, 90 days default, up to 7 years for regulated industries

Ready to retire shared VMS passwords?

SSO is included on Scale and Enterprise. Start a free trial today, your IdP admin will thank you.

Start Free Trial See pricing