VIDIZMO offers flexible, low-cost SSO integration with a number of identity providers, including your organization's Azure Active Directory (AD). Customers can use their Azure AD to give Portal users Single Sign-On (SSO) capabilities, and because the integration uses VIDIZMO's app model, enabling or disabling Azure AD SSO is done from within the platform in minutes.


Note: Azure Active Directory does not allow Single Sign-On for embedded media on other platforms. Read more about it here.


To learn more about SSO options with VIDIZMO, read Understanding Single Sign-On.


This article provides a step-by-step guide to configuring SSO using Azure AD with your VIDIZMO portal. The configuration consists of the following two sections:

  • Configuration in Azure portal
  • Configuration in VIDIZMO portal


Configuration in Azure Portal

This section requires you to create an application registration in your Azure AD. The article on creating an Azure AD application has a section that explains how to do this; complete that section first, then continue with the steps below.


Note: The Sign-on URL required for the App Registration in the Azure portal is your organization's VIDIZMO domain, and for the application to work this domain needs to be served over HTTPS. To learn how to do that, see: How to configure your Portal to use HTTPS only


1. From Azure AD > App Registrations > the app you just created:

i. Follow the steps at Add redirect URI(s) to your application and enter the Redirect URI to which Azure AD sends the authentication response after the user signs in. This is your VIDIZMO Portal URL with /sso/signin-azuread appended.

Example: https://lexcorp.vidizmo.tv/sso/signin-azuread.

Azure AD compares the redirect URI in each sign-in request with the registered value character for character (scheme, host, and path), so the Portal must be reachable over HTTPS at exactly this address.

ii. Click on the Save button.

2. On the same page, under the heading Implicit grant and hybrid flows, select which tokens the authorization endpoint should issue. Since VIDIZMO is a single-page application that calls a web API from JavaScript, select both Access tokens and ID tokens. With these flows the tokens are returned directly in the authorization response rather than redeemed from the token endpoint, which is why the Redirect by POST Request option in the VIDIZMO settings (next section) matters: it keeps them out of the URL.




At the end of this section, follow the steps given here to obtain three values: your Azure AD Directory ID, the Application ID of the app you created, and a client secret (Key) generated for that app using this article. Copy them for later use in the VIDIZMO portal. The Azure portal shows the secret's value only at the moment it is created, so record it then and store it as you would a password.


Note: The VIDIZMO configuration does not need the generated client secret if you choose to authorize via ID Tokens when configuring the Azure AD SSO app in the VIDIZMO portal; details are covered in the next section.


Configuration in VIDIZMO portal

Now that you have the resources required to configure Azure AD SSO in your VIDIZMO Portal, follow these steps:


1. From the Portal's Homepage,

i. Click on the navigation menu on top left corner.

ii. Expand Admin tab.

iii. Click on the Settings tab and you'll be directed to Portal Settings page.




2. On Portal Settings page,

i. Click on the Apps tab on the left-hand panel.

ii. Further click on the Single Sign-On tab.

iii. Locate the Azure AD App on the screen, and click on the Settings icon at the right-hand side.




3. After clicking on the Settings icon, a window will appear:

i. Client ID: Paste the Application ID in the Client ID text box.

ii. SSO Login Message and Label let you set a custom message and button label on the login page so users know which sign-in option to use.

iii. Authority: Take the URL https://login.microsoftonline.com/{{directoryId}}/v2.0, replace {{directoryId}} with your Azure AD Directory ID, and paste the result into the Authority text box.


Note: Authority URL endpoints will differ based on the Azure Region you choose below. Here is an article that can guide you on which endpoint to use before you append your Directory ID: Azure AD Authentication Endpoints.


iv. Requires HTTPS Metadata, Force Login, and Redirect by POST Request:

  • Requires HTTPS Metadata: Select this check box so that the metadata is only fetched over HTTPS. When the first request is handled, the Portal retrieves metadata from the authorization server (also called the authority or issuer). This metadata, the discovery document in OpenID Connect terminology, contains the public keys and other details needed to validate tokens, so fetching it over plain HTTP would let an attacker on the network path substitute their own signing keys. Leave it selected.
  • Force Login: Enable this so that users can still sign in when VIDIZMO's own sign-in has been turned off.
  • Redirect by POST Request: Ensures that the redirection back to the Portal happens via a POST request, so the token travels in the request body rather than being exposed in the URL (and with it in browser history, Referer headers, and server logs).

v. Callback Path: The path on your Portal to which Azure AD sends the authentication response, e.g. /sso/signin-azuread as used in the Redirect URI above. The Portal URL combined with this path must match the Redirect URI registered in Azure exactly, or Azure AD will refuse the sign-in.

vi. Scope: OpenID Connect uses scope values to tell the Azure AD authorization server which access privileges are being requested; they are sent as a space-separated list. The following scopes are requested during authentication:

  • openid is the basic scope that states the application's intent to verify the user's identity; it is what makes the request an OpenID Connect request and yields an ID token.
  • profile requests access to the user's default profile attributes (claims) such as name, gender, and picture.
  • user.read grants permission to read the signed-in user's full profile through Microsoft Graph, which supports complete attribute mapping.
  • Directory.Read.All grants read access to the organization's directory, which lets VIDIZMO define groups that map onto organizational units to streamline content management within the Portal. Unlike the other three, this permission requires admin consent in Azure AD, so an administrator must grant it for the app before users can sign in with it.

vii. Response Type: Specifies which artifacts Azure AD returns from the authorization endpoint, expressed as any combination of code, token, and id_token. A code is an opaque value that the Portal redeems at the token endpoint; token and id_token are returned directly in the response.
It is recommended that you select ID with Token from the drop-down menu (response type id_token token).
The option ID with Code (response type code id_token) is available for backward compatibility with apps registered in VIDIZMO before the ID Token flow was introduced; it requires the Client Secret generated in the previous section to redeem the code at the token endpoint.

viii. Select Azure Region based on the type of subscription you have. Read more about Global and Government subscriptions here: Compare Azure Global and Government.

ix. Save Tokens: Leave this option enabled; the Portal keeps the issued tokens so that it can map users to their organizational units.

x. Attribute Mapping: Map the Portal's user attributes to the corresponding attributes (claims) returned by the IdP.

xi. Click on the button Save Changes.



A notification will appear stating Portal Information Updated Successfully.
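The settings from steps 3.iii to 3.ix fit together as one OpenID Connect exchange. The following Python is an added example written for this article, not VIDIZMO's own code: it builds the Authority and Redirect URI from the values above, checks the authority's discovery document the way Requires HTTPS Metadata implies, builds the authorization request that Response Type, Scope and Redirect by POST Request describe, and performs the claim checks (state, nonce, iss, aud, tid, exp) a relying party must make on the callback. The Client ID and Directory ID are placeholders, the discovery document and ID token are constructed inline, the mapping of the ID with Token option to the response type id_token token is an assumption, and signature verification against jwks_uri is intentionally left out and must precede these checks in real use.

```python
import base64
import json
import secrets
import time
from urllib.parse import urlencode, urlparse

# Constructed settings: domain and callback path are the page's own examples, the IDs are placeholders.
PORTAL_URL = "https://lexcorp.vidizmo.tv"
CALLBACK_PATH = "/sso/signin-azuread"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"      # Application (client) ID
DIRECTORY_ID = "11111111-2222-3333-4444-555555555555"   # Directory (tenant) ID
AUTHORITY = f"https://login.microsoftonline.com/{DIRECTORY_ID}/v2.0"
SCOPES = ["openid", "profile", "User.Read", "Directory.Read.All"]
RESPONSE_TYPE = "id_token token"   # assumed to be what the "ID with Token" option sends


def redirect_uri() -> str:
    """Portal URL + Callback Path; must equal the Redirect URI registered in Azure."""
    return PORTAL_URL.rstrip("/") + CALLBACK_PATH


def check_metadata(doc: dict, require_https: bool = True) -> list:
    """Validate a discovery document (AUTHORITY/.well-known/openid-configuration); [] means OK."""
    problems = []
    if doc.get("issuer") != AUTHORITY:
        problems.append("issuer does not match the configured Authority")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if require_https and urlparse(doc.get(key, "")).scheme != "https":
            problems.append(f"{key} is not served over HTTPS")
    wanted = set(RESPONSE_TYPE.split())
    if not any(wanted == set(rt.split()) for rt in doc.get("response_types_supported", [])):
        problems.append(f"authority does not support response_type {RESPONSE_TYPE!r}")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("authority does not offer RS256-signed ID tokens")
    return problems


def build_authorize_url(auth_endpoint: str, state: str, nonce: str,
                        redirect_by_post: bool = True) -> str:
    """The authorization request the Portal sends to Azure AD for the settings above."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": RESPONSE_TYPE,
        "redirect_uri": redirect_uri(),
        "scope": " ".join(SCOPES),       # OIDC scopes are space-separated
        "state": state,                  # ties the callback to this browser session
        "nonce": nonce,                  # must come back inside the ID token
    }
    if redirect_by_post:                 # Redirect by POST Request: tokens travel in a form body
        params["response_mode"] = "form_post"
    return auth_endpoint + "?" + urlencode(params)


def _b64url(data: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed token used only to exercise the claim checks offline; a real Azure AD
    ID token carries an RS256 signature over header and payload."""
    return _b64url({"alg": "RS256", "typ": "JWT"}) + "." + _b64url(claims) + ".not-a-real-signature"


def check_callback(form: dict, expected_state: str, expected_nonce: str, now=None) -> list:
    """Checks the Portal must make on the POSTed callback before trusting the ID token.
    Signature verification against the keys at jwks_uri is left out here and must come first."""
    now = int(time.time()) if now is None else now
    if form.get("state") != expected_state:
        return ["state mismatch: response does not belong to this login attempt"]
    try:
        _header, payload, _sig = form["id_token"].split(".")
        claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    except (KeyError, ValueError):
        return ["id_token missing or malformed"]
    problems = []
    if claims.get("iss") != AUTHORITY:
        problems.append("iss does not match the configured Authority")
    if claims.get("aud") != CLIENT_ID:
        problems.append("aud is not this application's Client ID")
    if claims.get("tid") != DIRECTORY_ID:
        problems.append("tid is not the configured Directory ID")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch: possible replayed token")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token is expired or has no exp")
    return problems


# Constructed discovery document shaped like Azure AD's v2.0 response.
SAMPLE_METADATA = {
    "issuer": AUTHORITY,
    "authorization_endpoint": f"https://login.microsoftonline.com/{DIRECTORY_ID}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{DIRECTORY_ID}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{DIRECTORY_ID}/discovery/v2.0/keys",
    "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url(SAMPLE_METADATA["authorization_endpoint"], state, nonce))
```

Running the script prints the authorization URL; the response_mode=form_post parameter is what the Redirect by POST Request option adds, and it is the reason the id_token and access token arrive in a form body instead of the query string. Feed check_metadata a document whose jwks_uri is plain http and it flags exactly the condition that Requires HTTPS Metadata guards against.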


4. On the Portal Settings > Apps > Single Sign-On screen:

i. Click on the toggle button at the right-side of Azure AD to enable Azure AD SSO.




Result

Navigate to the Portal's login screen and you will see an option Sign in with Azure AD. To learn further about signing in, read Sign in using Microsoft Account.




Roles and Permissions

Only Administrators and Managers can configure an SSO App in Portal Settings.