VIDIZMO supports industry-standard implementations of Single Sign-On (SSO) that work with widely used corporate authentication services such as Directory and Federation Services, Identity and Access Management (IAM) solutions, and third-party login services, using the industry-standard SAML (Security Assertion Markup Language) 1.0 / 2.0 (SAMLP) protocols.
SSO is an authentication process that allows a user to access multiple applications with one set of login credentials regardless of the applications' platform, technology or the domain being used. With the increase in the number of websites and services requiring authentication to access their features and content, centralized authentication services have become a necessity, especially among large enterprises. Among some of the benefits of implementing SSO is its ability to effectively handle user authentication as a part of Federated Identity Systems, where the identity of a user is established and authenticated via SSO, and shared with other applications that request it. This is made possible via industry standard protocols such as SAML to facilitate the exchange of user authentication and authorization data across secure domains.
VIDIZMO uses SAML, an XML-based protocol that uses security tokens containing assertions to pass user information between the Identity Provider and the Service Provider, thereby enabling web-based authentication and authorization scenarios including cross-domain Single Sign-on (SSO).
Attributes Required From SAML Identity Providers For Integration With VIDIZMO
Every SAML Identity Provider has a different set of attributes that record user data such as User Name, First Name, Last Name, and Email. This data needs to be mapped correctly in the VIDIZMO application, which has its own set of attributes for capturing this information in its database.
For the information to match between the two applications, you need to have the following attributes either as an exact match or you will have to define them in the SAML Identity Provider application:
In addition to the attributes defined above, the following information is also required from the SAML Identity Provider:
- SAML Login URL
- SAMLP Request
- Issuer URL from SAML response to verify the Identity Provider
- Request Signing Certificate (X.509)
Configure Corporate Login From VIDIZMO
Select the Admin >> Settings link from the dropdown menu on the top bar.
Select the Login tab.
On the Corporate Login section, click on the Enable link:
Once on the Corporate Login screen, you will need to do the following:
i. Enter SAML 2.0 Endpoint (HTTP) URL as the Login URL, then copy the Login URL provided by the SAML Identity Provider and paste it in the text field below the dropdown.
ii. Enter an appropriate Sign-In Caption and a Sign-In Caption Tooltip. This gets displayed on the Sign-in screen of the
iii. Click on the next (>) icon to go to the next screen.
In the Request Signing Certificate (X509) field, paste the Certificate you copied from the SAML IDP.
Note: You do not need to copy the BEGIN CERTIFICATE and END CERTIFICATE lines. The certificate should use SHA1-based signatures.
SAMLP Request is an optional field. If you need it, modify the following sample request for your account: in the 'SAMLP Request' text box, replace the <VIDIZMO Account URL> placeholder with your VIDIZMO account URL.
For HTTP accounts:
<samlp:AuthnRequest ID="_4d7cb64d-d38e-46fd-ac87-2671d4173eaf" Version="2.0" IssueInstant="2013-24-22T8:24:03Z" AssertionConsumerServiceURL="http://<VIDIZMO Account URL>/Handlers/SignInHandler.ashx" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><VIDIZMO Account URL></saml:Issuer></samlp:AuthnRequest>
For HTTPS accounts:
<samlp:AuthnRequest ID="_4d7cb64d-d38e-46fd-ac87-2671d4173eaf" Version="2.0" IssueInstant="2013-24-22T8:24:03Z" AssertionConsumerServiceURL="https://<VIDIZMO Account URL>/Handlers/SignInHandler.ashx" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><VIDIZMO Account URL></saml:Issuer></samlp:AuthnRequest>
Click on the next (>) icon to complete the final step.
Select the Enable SAMLP Request check box if your IDP uses a SAMLP Request; otherwise, leave it unchecked. Similarly, select Use Deflate if your IDP expects a compressed (deflated) SAML Request.
If your IDP has provided the Request Signing Certificate (X509) to copy as described in Step # 5 above, then use the Verify Response check box.
- Make sure you are using the "GET" request and not the "POST" request in the IDP API.
- Signing Certificates sometimes expire, and checking the Verify Response check box ensures that VIDIZMO checks the certificate's validity. In some situations, business operations take priority; this is where VIDIZMO's configuration flexibility allows you to run SSO setups successfully on expired certificates.
In other cases, you might not want to use expired certificates, and checking the Verify Response check box will prevent you from completing the SSO configuration.
Click on the Done link when you have applied all the settings on this screen.
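As an added example (not VIDIZMO's own code, and not taken from this page), the following Python builds the AuthnRequest shown above with a valid IssueInstant, applies the deflate + base64 encoding that the "Use Deflate" option and the HTTP-Redirect (GET) binding expect, and shows the decoding an IDP performs on the other side. The handler path /Handlers/SignInHandler.ashx is taken from the sample request on this page; the account and IDP host names are constructed sample values.

```python
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP_NS)
ET.register_namespace("saml", SAML_NS)

# Assertion Consumer Service path, as it appears in the sample request on this page.
ACS_PATH = "/Handlers/SignInHandler.ashx"


def build_authn_request(account_url: str,
                        request_id: Optional[str] = None,
                        issue_instant: Optional[datetime] = None) -> str:
    """Build a samlp:AuthnRequest whose Issuer is the VIDIZMO account URL.

    ElementTree is used instead of string formatting so the account URL is
    escaped properly and cannot break the XML document.
    """
    account_url = account_url.rstrip("/")
    if request_id is None:
        # An xs:ID may not start with a digit, hence the leading underscore.
        request_id = "_" + uuid.uuid4().hex
    if issue_instant is None:
        issue_instant = datetime.now(timezone.utc)
    # SAML requires an xs:dateTime in UTC, e.g. 2024-01-02T03:04:05Z
    instant = issue_instant.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest")
    root.set("ID", request_id)
    root.set("Version", "2.0")
    root.set("IssueInstant", instant)
    root.set("AssertionConsumerServiceURL", account_url + ACS_PATH)
    issuer = ET.SubElement(root, f"{{{SAML_NS}}}Issuer")
    issuer.text = account_url
    return ET.tostring(root, encoding="unicode")


def parse_authn_request(xml_str: str) -> dict:
    """Return the AuthnRequest fields an IDP reads back out of the request."""
    root = ET.fromstring(xml_str)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a samlp:AuthnRequest")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "ID": root.get("ID"),
        "Version": root.get("Version"),
        "IssueInstant": root.get("IssueInstant"),
        "AssertionConsumerServiceURL": root.get("AssertionConsumerServiceURL"),
        "Issuer": (issuer.text or "").strip() if issuer is not None else None,
    }


def encode_redirect_binding(xml_str: str) -> str:
    """Encode for the HTTP-Redirect (GET) binding: raw DEFLATE, then base64.

    wbits=-15 produces a raw DEFLATE stream without the zlib header, which is
    what the binding (and the 'Use Deflate' option) expects.
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_str.encode("utf-8")) + comp.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(saml_request: str) -> str:
    """Inverse of encode_redirect_binding, as the IDP applies it."""
    return zlib.decompress(base64.b64decode(saml_request), -15).decode("utf-8")


def redirect_url(login_url: str, xml_str: str, relay_state: Optional[str] = None) -> str:
    """Build the GET URL the browser is sent to; urlencode takes care of the
    base64 characters (+ / =) that are not safe in a query string."""
    params = {"SAMLRequest": encode_redirect_binding(xml_str)}
    if relay_state:
        params["RelayState"] = relay_state
    sep = "&" if "?" in login_url else "?"
    return login_url + sep + urlencode(params)


def extract_saml_request(url: str) -> str:
    """IDP side of the GET: pull SAMLRequest out of the query and decode it."""
    query = parse_qs(urlparse(url).query)
    return decode_redirect_binding(query["SAMLRequest"][0])


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    xml = build_authn_request("https://acme.vidizmo.example")
    url = redirect_url("https://idp.example.test/saml/sso", xml, relay_state="/home")
    print(url)
    print(parse_authn_request(extract_saml_request(url)))
```

The round trip through encode_redirect_binding and decode_redirect_binding is the same transformation the IDP performs when "Use Deflate" is on; if the IDP rejects the request, comparing its decoded SAMLRequest with the XML you pasted into the SAMLP Request field is the quickest way to spot a placeholder that was not replaced or a malformed IssueInstant.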
The last screen you need to provide values in before you start using the SSO feature is the Trusted Domains screen. VIDIZMO needs to add IDPs as trusted domains to allow secure access. You need to provide your IDP domain in the text field on this screen. To do this, click on the Edit link on the Trusted Domains screen:
The Edit link brings up the text field where you will paste the IDP URL in the Trusted Domains list.
Note: If your IDP does not use Request Signing Certificates, or when the issuing URL is different from that of the IDP, adding Issuer URL to the Trusted Domains allows VIDIZMO to establish a secure connection with the IDP as it would with IDPs using Signing Certificates.
Below is an example of the Issuer URL from SAML Response:
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">[Issuer URL]</saml:Issuer>
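To show what a trusted-domains check on that Issuer value involves, here is an added Python example; it is not VIDIZMO's code, and VIDIZMO's own matching rule is not documented on this page, so the label-boundary rule used here (exact host or subdomain of a trusted domain) is an assumption. The SAML Response, host names and ACS URL are constructed sample values. Signature verification (the Verify Response option) is left out; it requires an XML-DSig library and the IDP's X.509 certificate.

```python
import xml.etree.ElementTree as ET
from typing import List
from urllib.parse import urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample Response. The Signature and Assertion are omitted because
# this example only inspects the Issuer, Destination and Status.
SAMPLE_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_resp1" Version="2.0" IssueInstant="2024-01-02T03:04:05Z" '
    'Destination="https://acme.vidizmo.example/Handlers/SignInHandler.ashx">'
    '<saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>'
    f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
    '</samlp:Response>'
)


def extract_issuer(response_xml: str) -> str:
    """Return the text of the top-level saml:Issuer, or raise if it is missing."""
    # For XML received from another party, use defusedxml in place of ElementTree.
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response")
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        raise ValueError("SAML Response carries no Issuer")
    return issuer.text.strip()


def issuer_host(issuer: str) -> str:
    """Reduce an Issuer value to a host name for domain matching.

    Issuers are usually URLs, but SAML only requires an opaque entity ID, so a
    bare host name is accepted as-is (assumption made for this example)."""
    parsed = urlparse(issuer)
    if parsed.scheme in ("http", "https") and parsed.hostname:
        host = parsed.hostname
    else:
        host = issuer
    return host.lower().strip().rstrip(".")


def is_trusted(issuer: str, trusted_domains: List[str]) -> bool:
    """True if the issuer host equals a trusted domain or is a subdomain of one.

    Matching on label boundaries (host == d, or host ends with '.' + d) is what
    keeps 'example.test.attacker.example' and 'evilexample.test' from matching
    'example.test'; a plain substring test would accept both."""
    host = issuer_host(issuer)
    for domain in trusted_domains:
        d = domain.lower().strip().rstrip(".")
        if d and (host == d or host.endswith("." + d)):
            return True
    return False


def validate_response(response_xml: str, trusted_domains: List[str],
                      expected_acs_url: str) -> List[str]:
    """Return the list of problems found; an empty list means the checks passed."""
    try:
        issuer = extract_issuer(response_xml)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if not is_trusted(issuer, trusted_domains):
        problems.append(f"untrusted issuer: {issuer}")
    root = ET.fromstring(response_xml)
    # A Response addressed to a different ACS URL was not meant for this account.
    destination = root.get("Destination")
    if destination is not None and destination != expected_acs_url:
        problems.append(f"Destination {destination} does not match the ACS URL")
    code = root.find(f"{{{SAMLP_NS}}}Status/{{{SAMLP_NS}}}StatusCode")
    if code is None or code.get("Value") != STATUS_SUCCESS:
        problems.append("StatusCode is not Success")
    return problems


if __name__ == "__main__":
    acs = "https://acme.vidizmo.example/Handlers/SignInHandler.ashx"
    print(validate_response(SAMPLE_RESPONSE, ["example.test"], acs))  # []
    print(validate_response(SAMPLE_RESPONSE, ["other.test"], acs))    # untrusted issuer
```

Listing the registrable domain (example.test) rather than the full Issuer URL keeps the entry valid if the IDP later changes its metadata path, while the label-boundary rule still rejects look-alike hosts; when the issuing URL differs from the IDP's login URL, as the note above describes, the Issuer's host is the value to add.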
Click on the Done link to update and close the screen.
The final step is to click on the Update button towards the bottom of the screen. This will update your Corporate login and Trusted Domains settings and a message will appear on the top of the screen informing you that the settings have been updated.
You can now log out of your channel to test the SSO feature.
From your Channel, click on Sign In to bring up the SSO login screen.
You will be redirected to the Account/Channel Homepage.