# Configuring Enterprise Login for Vault Mobile

<div class="note-border alert-info">
  <div class="alert alert-info" role="alert">
    <div><i class="far fa-info-circle"></i></div>
    <div class="alert-text">
      <p><strong>Note</strong>: Vault Mobile supports authenticating with your existing SAML SSO without requiring any additional configuration. However, you can optionally complete the steps below to configure Vault Mobile to use OAuth for SSO instead if preferred.</p>
    </div>
  </div>
</div>



Configuring OAuth for Vault Mobile is a two-step process:

* First, configure OAuth 2.0 for your Vault. See [Configuring OAuth 2.0 / OpenID Connect Profiles](/en/lr/43329/) for detailed instructions.
* Next, configure and register an OAuth 2.0 / OpenID Connect App for Vault Mobile in your authorization server. See the [sections below][1] for detailed instructions.

## Authorization Server Support {#authorization-server-support}

This section explains the steps necessary to configure a variety of compatible authorization servers. For security purposes, we recommend that <a class="external-link " href="https://tools.ietf.org/html/rfc7636" target="_blank" rel="noopener">PKCE<i class="fa fa-external-link" aria-hidden="true"></i></a> be enabled in your authorization server. Vault Mobile is a public client (it holds no client secret) that receives the authorization code on a custom URL scheme, so PKCE is what binds the code to the app instance that started the login; without it, another app on the device that claims the same scheme could redeem an intercepted code.
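The following is an added example, not code from the page or from Veeva, showing what the PKCE recommendation means on the wire for the client and redirect URI configured throughout this page: the app keeps a random `code_verifier`, sends only its SHA-256 `code_challenge` in the authorization request, and the authorization server recomputes the challenge at the token endpoint before releasing tokens. The authorization endpoint URL is an assumed placeholder; take the real one from your server's metadata.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Values taken from this page
CLIENT_ID = "vaultmobile"
REDIRECT_URI = "com.veeva.vaultmobile://authorize"
SCOPE = "openid offline_access"
# Assumption: placeholder endpoint; the real one comes from the AS metadata document
AUTHORIZATION_ENDPOINT = "https://idp.example.com/oauth2/authorize"


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """43-character verifier from 32 random bytes (RFC 7636 allows 43-128 chars)."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_url(verifier: str, state: str) -> str:
    """The request the native app opens in the system browser.
    Only the challenge leaves the device; the verifier stays in app memory."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str):
    """Parse the custom-scheme redirect delivered to the app. Returns the
    authorization code, or None when the redirect URI or the state does not
    match what this client started with (a mismatched state is a CSRF signal)."""
    u = urlparse(callback_url)
    if f"{u.scheme}://{u.netloc}{u.path}" != REDIRECT_URI:
        return None
    q = parse_qs(u.query)
    if q.get("state") != [expected_state]:
        return None
    code = q.get("code")
    return code[0] if code else None


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does at the token endpoint: recompute the
    challenge from the verifier sent alongside the code and compare it in
    constant time. A code intercepted by another app is useless without the
    verifier, provided the server enforces this check for public clients."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(code_challenge_s256(presented_verifier), stored_challenge)
```

`code_challenge_s256` reproduces the RFC 7636 Appendix B test vector, which is a quick way to confirm a server or client library is computing the challenge correctly before you enable PKCE enforcement.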

### ADFS

To set up Vault Mobile as an application in ADFS:

1. Within ADFS, navigate to **Application Groups > Application > Native Application**.
2. Enter the **Client ID**: `vaultmobile`.
3. Enter the following **Redirection URI**: `com.veeva.vaultmobile://authorize`.

Next, you must set up Vault as a Web API:

1. Within ADFS, navigate to **Application Groups > Application > Web API**.
2. Click into the **Identifiers** tab to add Vault as a relying party identifier.
3. For the **Display name**, enter `Vault`.
4. Enter the following **Relying party identifier**: `https://login.veevavault.com`.
5. Click into the **Issuance Transform Rules** tab to create a custom claim rule.
6. In this tab, click **Add Rule > Send Claims Using a Custom Rule > Next**.
7. Enter the following custom rule, replacing **mail** with the field you wish to use as the _Federated ID_: <code>c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("sub"), query = ";<strong>mail</strong>;{0}", param = c.Value);</code>
8. Click into the **Client Permissions** tab and select **Vault Mobile**.
9. Select the **allatclaims** checkbox.
10. Select the **openid** checkbox.
11. Click **Apply** to save your Web API configuration. Click **OK** to exit the dialog.

In **Admin > Domain Settings > OAuth 2.0/OpenID Connect Profiles Details**, add Vault Mobile as a [Client Application](/en/lr/43329/#client-mapping) and ensure that:

* _Application ClientID_ is set to **vaultmobile**
* _Authorization Server Client ID_ is set to **vaultmobile**

### PingFederate

To configure a new Ping Identity profile:

1. Set the client ID to `vaultmobile`. Do not configure a client secret for this client.
2. For **Client Authentication**, select _None_. Vault Mobile is a public client: it cannot keep a secret, and it proves possession of the authorization code with PKCE instead.
3. Enter a display **Name**. For this profile, we recommend `Vault Mobile`.
4. Enter the following **Redirection URI**: `com.veeva.vaultmobile://authorize`.

Your application should be configured to honor the following grant types:

* Authorization Code
* Refresh Token

Note that Vault uses the `sub` claim in both the `id_token` and the `access_token` as the Federated ID, so configure the server to populate `sub` with the value you use as the Federated ID in both tokens.

Your application configuration should honor the following scopes:

* `openid`
* `offline_access`

In **Admin > Domain Settings > OAuth 2.0/OpenID Connect Profiles Details**, add Vault Mobile as a [Client Application](/en/lr/43329/#client-mapping) and ensure that:

* _Application ClientID_ is set to **vaultmobile**
* _Authorization Server Client ID_ is set to **vaultmobile**

### Microsoft Azure AD

To set up Vault Mobile as an application in Microsoft Azure AD, you must first create an application registration for login.veevavault.com:

1. Within Microsoft Azure, navigate to **Azure Active Directory > App Registrations**.
2. Select **New Registration**.
3. In the _Name_ field, enter a name for your registration. We recommend `login.veevavault.com`.
4. Select **Register**.

Next, create an application registration for Vault Mobile:

1. Within Microsoft Azure, navigate to **Azure Active Directory > App Registrations**.
2. Select **New Registration**.
3. In the _Name_ field, enter a name for your registration. We recommend _Vault Mobile_.
4. Under _Supported account types_, select which users can access Vault Mobile.
5. In the _Redirect URI_ panel, select **Public client/native (mobile and desktop)** and enter the following URI: `com.veeva.vaultmobile://authorize`.
6. Select **Register**.
7. Navigate to **App Registrations > Expose an API**.
8. In the _Application ID URI_ field, select **Set**.
9. After Azure selects an ID, select **Save**.
10. Select **Add a scope**.
11. In the _Scope name_ field, enter the name you selected in step 3.
12. In the _Who can consent?_ field, select **Admins and users**.
13. Enter the desired names and descriptions.
14. In the _State_ field, select **Enabled**.
15. Select **Add Scope.**

Edit your [OAuth 2.0/OpenID Connect](/en/lr/43329/#hierarchy) profile to ensure that:

* _Identity Claim_ is set to **Identity is in another claim**.
* _Claim_ is set to **upn**.
* _User ID Type_ is set to **Federated ID**.

Add Vault Mobile as a [Client Application](/en/lr/43329/#clientid_mapping) and ensure that:

* _Application ClientID_ is set to **vaultmobile**.
* _Authorization Server Client ID_ matches the _Application (client) ID_ that Azure assigned to the Vault Mobile registration (the GUID shown on the registration's Overview page, which also appears in the Application ID URI set in steps 8 and 9).
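The three servers above differ only in which token claim carries the Federated ID: ADFS issues it in `sub` via the custom rule, PingFederate uses `sub` directly, and the Azure profile reads it from `upn`. The following added example (not Veeva code) decodes a token's claims, applies the profile's identity-claim setting, and performs the issuer, audience and expiry checks any relying party must make before mapping the identity. The tokens, issuer and client ID are constructed values; the decoder deliberately does not verify signatures, and a real relying party must validate the RS256 signature against the server's `jwks_uri` before trusting any claim.

```python
import base64
import json

# Assumption: constructed sample values, not a real tenant or registration
EXPECTED_ISSUER = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
AZURE_CLIENT_ID = "d2f1a3b4-5c6d-4e7f-8a9b-0c1d2e3f4a5b"  # the Authorization Server Client ID


def _b64url_decode(segment: str) -> bytes:
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def unverified_claims(token: str) -> dict:
    """Decode the payload of a compact JWT WITHOUT checking its signature.
    Adequate for deciding which claim to map in the Vault profile; never use
    these values for authentication until the signature has been verified
    against the authorization server's jwks_uri."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def federated_id(claims: dict, identity_claim: str = "sub") -> str:
    """Mirror the profile setting: 'Identity is in the sub claim' -> "sub";
    'Identity is in another claim' -> the configured claim name (upn for Azure)."""
    value = claims.get(identity_claim)
    if not isinstance(value, str) or not value:
        raise ValueError(f"claim {identity_claim!r} missing or empty")
    return value


def check_token_claims(claims: dict, issuer: str, client_id: str, now: float) -> list[str]:
    """Checks every OIDC relying party must make before mapping the identity.
    Returns a list of problems; an empty list means the token is acceptable."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss does not match the metadata issuer")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append("aud does not contain the Authorization Server Client ID")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or exp missing")
    return problems


def make_sample_token(payload: dict) -> str:
    """Constructed, unsigned sample for offline use only; the signature segment is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.dummy-signature"


# Constructed id_token shaped like an Azure v2 token: pairwise sub, human-readable upn
SAMPLE_ID_TOKEN = make_sample_token({
    "iss": EXPECTED_ISSUER,
    "aud": AZURE_CLIENT_ID,
    "sub": "AAAAAAAAAAAAAAAAAAAAAOGg2HDhd0dJd4JvZLOQ-hs",
    "upn": "jdoe@example.com",
    "exp": 4102444800,  # 2100-01-01 UTC, so the sample stays valid
})
```

The audience check is why the Okta and Azure sections insist that _Authorization Server Client ID_ equals the identifier the server generated: that identifier, not `vaultmobile`, is what appears in `aud`.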

### Okta

The following steps outline how to set up Vault Mobile as an application in Okta. The <a class="external-link " href="https://support.veeva.com/hc/en-us/articles/10088853220123-Okta-SSO-OpenID-Setup-Instructions-for-Vault" target="_blank" rel="noopener">Product Support Portal<i class="fa fa-external-link" aria-hidden="true"></i></a> provides additional instructions and an example video for an Okta setup.

1. Within **Okta**, navigate to **Applications > Add Application > Create New App**.
2. For **Platform**, select _Native App_.
3. For **Sign on method**, select _OpenID Connect_.
4. Click **Create**.
5. Enter an **Application Name**. For this profile, we recommend Vault Mobile.
6. Enter the following **Login redirect URI**: `com.veeva.vaultmobile://authorize`
7. Enter the following **Initiate login URI**: `com.veeva.vaultmobile://authorize`
8. Click **Save** to create the application.

After you've created the application, navigate to the **General Settings** tab to confirm the following settings:

* **Application label**: Value you entered as the "App integration name" in Okta, for example, Vault Mobile
* **Application type**: Native
* **Allowed grant types**: _Authorization Code_ and _Refresh Token_
* **Login redirect URIs**: `com.veeva.vaultmobile://authorize`

In the **General Settings** tab, scroll to the _Client Credentials_ section. In Okta, you can't configure the **Client ID**; instead, Okta assigns a random unique identifier. To support this, you'll need to [configure ClientID mapping](/en/lr/47341/#okta-oauth) in your Vault and enter this unique identifier in the **Authorization Server Client ID** field. You can use `vaultmobile` for the Application Client ID field. In this section, **Client authentication** should be set to _Use PKCE (for public clients)_.

Next, navigate to the **Sign On** tab to ensure that the **Sign On Methods** are set to _OpenID Connect_.

Finally, navigate to the **Assignments** tab to add Okta users. For every Vault user you assigned to the _OAuth 2.0 / OpenID Connect Profile_ for Okta, you must add a corresponding user here. If the _User ID Type_ in the OAuth 2.0 / OpenID Connect Profile is set to _Vault User Name_, the Okta user name must match the Vault user name. If it is set to _Federated ID_, the Okta user name must match the Vault user's Federated ID.

## Adding the Authorization Server Metadata

After you've set up the profile, get the authorization server metadata. Most authorization servers expose the AS Metadata via a URL, while some allow you to download an AS Metadata JSON file. Use either the URL or the JSON file to upload the AS Metadata in your OAuth 2.0 / OpenID Connect profile in Vault.
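Before uploading the metadata, it is worth confirming that the document actually advertises what this page's configuration relies on. The following added example (not Veeva code) builds the discovery URL from an issuer and checks a metadata document for the authorization code and refresh token grants, the `openid` and `offline_access` scopes, HTTPS endpoints, PKCE `S256`, and signed id_tokens. The sample document is constructed; the check treats `grant_types_supported` as optional with the RFC 8414 default, and skips the scope check when the server does not publish `scopes_supported`.

```python
import json
from urllib.parse import urlparse

# Constructed sample; a real document comes from <issuer>/.well-known/openid-configuration
SAMPLE_AS_METADATA = json.loads("""
{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "jwks_uri": "https://idp.example.com/oauth2/keys",
  "response_types_supported": ["code", "id_token", "code id_token"],
  "grant_types_supported": ["authorization_code", "refresh_token"],
  "scopes_supported": ["openid", "profile", "offline_access"],
  "code_challenge_methods_supported": ["S256"],
  "id_token_signing_alg_values_supported": ["RS256"]
}
""")


def well_known_url(issuer: str) -> str:
    """Where OpenID Connect Discovery publishes the metadata for an issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def _https(url) -> bool:
    return isinstance(url, str) and urlparse(url).scheme == "https"


def check_as_metadata(md: dict, issuer_used: str) -> list[str]:
    """Return the problems that would make this server unusable for Vault Mobile
    as configured on this page. An empty list means the document is acceptable."""
    problems = []
    # Discovery rule: the issuer in the document must equal the issuer it was fetched for
    if md.get("issuer") != issuer_used.rstrip("/"):
        problems.append("issuer does not match the issuer the metadata was fetched for")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not _https(md.get(key)):
            problems.append(f"{key} missing or not https")
    if "code" not in md.get("response_types_supported", []):
        problems.append("authorization code flow not supported")
    # RFC 8414 default when the field is absent
    grants = md.get("grant_types_supported", ["authorization_code", "implicit"])
    for grant in ("authorization_code", "refresh_token"):
        if grant not in grants:
            problems.append(f"grant type {grant} not supported")
    scopes = md.get("scopes_supported")
    if scopes is not None:  # optional field; only check when advertised
        for scope in ("openid", "offline_access"):
            if scope not in scopes:
                problems.append(f"scope {scope} not advertised")
    # Some servers support S256 without advertising it; if this fires, confirm in the server UI
    if "S256" not in md.get("code_challenge_methods_supported", []):
        problems.append("PKCE S256 not advertised")
    algs = md.get("id_token_signing_alg_values_supported", [])
    if "RS256" not in algs:
        problems.append("id_token RS256 signing not advertised")
    if "none" in algs:
        problems.append("unsigned id_tokens advertised")
    return problems
```

Run the check against the live metadata URL rather than a downloaded copy where you can, so that an endpoint or key-set change on the server side shows up before users start failing to log in.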

[1]: #authorization-server-support
