Single Sign-On (SSO) is a user authentication process that allows your users to sign in to multiple applications using the same set of login credentials. This allows ease of use for the end users and ease of management for administrators. VIDIZMO offers the most flexible options for you to integrate with a wide range of single sign-on authentication providers, including:
- Directory services such as Azure AD
- Identity Access Management (IAM) services such as Okta, OneLogin, Ping, Centrify, etc.
- Third-party login services such as Facebook, Google, Office 365, Twitter, LinkedIn, etc.
With an app model integration for SSO, VIDIZMO makes the integration as easy as enabling or disabling your identity provider from within the platform administrator interface in minutes. Enterprises using Okta as their identity provider can use the SSO option with VIDIZMO, allowing users to sign in using the same set of credentials.
For more information about VIDIZMO SSO Apps, read Understanding Single Sign-On.
This article has the following sections:
- To configure Okta SSO with VIDIZMO, you must have an Okta developer account so that you can create an Okta application. To create an Okta account, visit https://developer.okta.com/signup/.
- If SSO Apps other than Okta SSO have been configured and enabled on your Portal, your users will see multiple buttons on the login page, allowing them to choose which identity provider they want to use to log in to their VIDIZMO Portal.
- VIDIZMO requires your Okta authorization server to expose a list of scopes to map attributes and provide user authentication. These scopes include:
- Profile (The user's First Name and Last Name are exposed and mapped in your VIDIZMO account in this Scope)
- Email (The user's Email Address is exposed and mapped in your VIDIZMO account in this Scope)
- Phone (The user's Phone Number is exposed and mapped in your VIDIZMO account in this Scope)
- Groups (This is a custom Scope that must be exposed by your Authorization Server. See Adding Custom Scope and Claim to read how to configure it)
- Managers and Administrators of the Portal can configure and enable SSO options in VIDIZMO.
First, you must create an application in Okta before you can configure Okta SSO in VIDIZMO. The following steps show you how to create an application in Okta:
1. Go to https://login.okta.com/ and enter your ORG URL that you received while creating your Okta developer account.
2. At the Sign In page:
i. Enter your email address and password.
ii. Click on Sign In.
3. From the Developer's Dashboard, click on Applications.
4. From the Applications page, click Add Application, then Create New App.
5. From the Create New Application page:
i. Choose Web as your platform.
ii. Choose OpenID Connect as your sign on method.
iii. Click Create.
6. From the Create New Application page:
i. Specify the Name of the Application.
ii. Enter the Sign-in redirect URI, which is your Portal URL concatenated with /sso/signin-okta. This is where Okta sends the authorization response.
iii. Enter the Sign-out redirect URI, which is where Okta redirects the browser after sign-out. This is your Portal URL with /sso/signout-okta appended at the end.
iv. Select Save to create the application.
You will be directed to your created application:
The users and groups that you want to allow to sign in to VIDIZMO using their Okta credentials must be assigned to the application you created. Follow these steps to do so:
1. From the created application's page:
i. Navigate to the Assignments tab.
ii. Expand Assign to.
iii. Click on Assign to People or Assign to Groups, depending on whether you want to assign the application to individual users or to groups.
iv. Search and select the relevant users or groups and click Done when completed.
Once you've assigned the application to relevant users and groups, you can move on to the next section.
By default, Okta's authorization servers expose a number of scopes during user authentication that allow VIDIZMO to map user information from your identity provider to VIDIZMO. Because VIDIZMO synchronizes your Okta groups to your VIDIZMO Portal, you must add a custom Scope named groups to the list of scopes exposed by your authorization server. To learn more about Scopes and Claims in Okta, read Key Concepts: Scopes, Claims, and Response Types.
To add a custom scope, follow the steps:
1. From the top menu bar:
i. Expand Security.
ii. Select API.
2. From the API page:
i. Click on the Edit icon next to your default authorization server.
ii. Navigate to the Scopes tab.
iii. Select Add Scope.
3. An Add Scope popup appears:
i. Specify the Name for the scope as groups.
ii. Enter a relevant Display phrase as shown.
iii. Enter a relevant Description as shown.
iv. Select the checkbox for User Consent.
v. Select the checkbox for Default Scope.
vi. Select the checkbox for Metadata.
vii. Click on Create to add the Scope.
4. After creating the Scope:
i. Navigate to the Claims tab.
ii. Click Add Claim.
5. An Add Claim popup appears:
i. Specify a Name for the Claim.
ii. Specify Include in token type as ID Token and Always.
iii. Select the Value type as Groups from the dropdown.
iv. For Filter, select Matches regex and specify .* as the condition.
v. Under Include in, select the groups scope created in the previous steps.
vi. Click Create to add the claim.
Once done, you'll be able to see the created claim in the list:
1. Navigate to the application you created in the previous section. Under the General tab, you'll be able to see Client Credentials. Copy the Client ID and Client Secret.
2. Navigate to API > Authorization Servers > default, under the Settings tab, copy Metadata URI:
1. From the Portal's Homepage:
i. Click on the navigation menu in the top-left corner.
ii. Expand the Admin tab.
iii. Click on the Settings tab and you'll be directed to the Portal Settings page.
2. On the Portal Settings page:
i. Click on the Apps tab in the left-hand panel.
ii. Then click on the Single Sign-On tab.
iii. Locate the Okta App on the screen, and click on the Settings icon at the right-hand side.
3. After clicking on the Settings icon, a window will appear which offers various fields, each of which is explained below:
i. SSO Login Message: Enter here the message that you want to display on your portal login screen for Okta login.
ii. SSO Login Button Label: The text entered here is displayed on the button used for Okta login.
iii. Client ID: This attribute is the unique identifier for the client application that was created in the previous section.
iv. Client Secret: The client secret is used for accessing groups in your Identity Provider (IdP).
v. Meta Address: This is the Metadata URI used to log in to the IdP. Enter here the Metadata URI of your Okta authorization server that you copied in the previous section.
vi. Requires HTTPS Metadata: Select this check box to get metadata. When the request is handled for the first time, it tries to retrieve some metadata from the authorization server (also called an authority or issuer). This metadata, or discovery document in OpenID Connect terminology, contains the public keys and other details needed to validate tokens.
vii. Force Login: Select this checkbox to enable forced login, which sends users directly to Okta. When unchecked, the Portal does not redirect automatically to the IdP, and users must sign in through the Portal's sign-in screen.
viii. Callback Path: Specifies the callback location where the authorization response will be sent to your Portal.
ix. Scope: A space-delimited list of scopes. OpenID Connect uses scope values to specify what access privileges are being requested for access tokens. The scopes associated with access tokens determine which claims are available when they are used to access the OIDC /userinfo endpoint. The following scopes are supported: openid, profile, email, phone, and groups.
x. Response Type: Specifies the response type for OIDC authentication. Any combination of code, token, and id_token can be used. In our example, we use the "code" type: an opaque authorization code is returned if the response_type includes code, and it can be redeemed for tokens at the token endpoint. The code has a lifetime of 60 seconds.
xi. Save Tokens: Select this to save tokens. You need administrator privileges to save. API tokens have the same permissions as the user who creates them, and if that user's permissions change, the API token's permissions change as well.
xii. Get Claims From UserInfo Endpoint: Select this option to retrieve claims about the authenticated end user from the UserInfo endpoint.
xiii. Attribute Mapping: Attribute Mapping allows you to map your Portal's attributes to the IdP's attributes.
xiv. Click on the button Save Changes.
A notification will appear stating Portal Information Updated Successfully.
4. On the Portal Settings > Apps > Single Sign-On screen:
i. Click on the toggle button on the right side of Okta to enable Okta SSO.
Navigate to the Portal's login screen and you will see an option Login with Okta.
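As an added illustration of what the settings above configure (example code written for this article, not VIDIZMO's or Okta's own), the following Python assembles the OIDC authorization request and maps the returned claims: the Meta Address is checked for HTTPS the way Requires HTTPS Metadata would, the Scope list is validated against the discovery document, redirect_uri is the Portal URL plus the /sso/signin-okta callback path, Response Type is code, and claims from the profile, email, phone and groups scopes are mapped to user attributes. The discovery document, host names, client ID, portal URL and target attribute names are constructed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlparse

# Constructed sample discovery document (what the Meta Address points to).
# Host, client ID and portal URL used here are placeholders, not real values.
SAMPLE_METADATA_URI = "https://example.okta.com/oauth2/default/.well-known/openid-configuration"
SAMPLE_DISCOVERY = {
    "issuer": "https://example.okta.com/oauth2/default",
    "authorization_endpoint": "https://example.okta.com/oauth2/default/v1/authorize",
    "scopes_supported": ["openid", "profile", "email", "phone", "groups"],
    "response_types_supported": ["code", "id_token", "code id_token"],
}

def metadata_uri_ok(metadata_uri, requires_https=True):
    """Mirror the 'Requires HTTPS Metadata' setting: a discovery document fetched
    over plain HTTP could be tampered with, so reject it when the flag is on."""
    return not requires_https or urlparse(metadata_uri).scheme == "https"

def missing_scopes(discovery, scopes):
    """Scopes the portal asks for that the authorization server does not
    expose (e.g. the custom 'groups' scope before it has been added)."""
    return sorted(set(scopes) - set(discovery["scopes_supported"]))

def build_authorize_url(discovery, client_id, portal_url, scopes, response_type="code"):
    """Assemble the authorization request; redirect_uri is the Portal URL
    plus the /sso/signin-okta callback path registered in the Okta app."""
    if missing_scopes(discovery, scopes):
        raise ValueError("authorization server lacks scopes: %s" % missing_scopes(discovery, scopes))
    if response_type not in discovery["response_types_supported"]:
        raise ValueError("unsupported response_type %r" % response_type)
    params = {
        "client_id": client_id,
        "redirect_uri": portal_url.rstrip("/") + "/sso/signin-okta",
        "response_type": response_type,
        "scope": " ".join(scopes),
        "state": secrets.token_urlsafe(16),  # tied to the session, verified on callback
        "nonce": secrets.token_urlsafe(16),  # echoed in the ID token, binds it to this request
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)

def map_claims(claims):
    """Map claims from the profile/email/phone/groups scopes to portal
    attributes (target attribute names are assumed for illustration)."""
    return {
        "first_name": claims.get("given_name"),
        "last_name": claims.get("family_name"),
        "email": claims.get("email"),
        "phone": claims.get("phone_number"),
        "groups": list(claims.get("groups", [])),
    }
```

If the groups scope has not yet been added on the authorization server, missing_scopes reports it before any request is sent, which is the symptom to check first when group synchronization does not work.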