In this article

Overview

Before you start

Configuration on ADFS Server

Add VIDIZMO as a Relying Party Trust

Configuration on VIDIZMO Portal

Read Next

Overview

SAML allows its users to seamlessly access multiple applications with their same credentials offering them faster and efficient business conduct. VIDIZMO provides SSO functionality to all of its customers with SAML making it easier to login without having to type in different credentials every time.


Before you start

  • Make sure you are logged in as Manager+ role to be able to configure SAML-P SSO using ADFS. 


Note: Before you start connecting your VIDIZMO Application with SAML-P, make sure your portal is in HTTPS Domain. For more details on how to change the Portal in HTTPS Domain, check out the article: How to Configure VIDIZMO Portal to use HTTPS only.


Configuration on ADFS Server

To configure SAML-P using ADFS, you have to open ADFS management on your Local Server. Make sure that the version used is AD FS 3.0 Windows server 2012 R2


Add VIDIZMO as a Relying Party Trust


1. Open the AD FS Management, on your local server. 





2. To build trust among two parties, click on the 'Trust Relationships' > 'Relying Party Trust'. Click on Add Relying Party Trust. This will start the 'Add Relying Party Trust Wizard'.





3. Click on Start to get started with the process of Adding a Relying Party Trust into ADFS.





4. You will be shown a screen where it will ask you to choose an option:

i. The first option 'Import data about the relying party published online or on a local network' will attempt to contact another Federation Server using the network to obtain the information that it requires in order to create the trust, this is the simplest option but does require a network connection between two servers. 

ii. The second option 'Import data about the relying party from a file' will obtain this information from the file exported from the other Federation Server. You would use this option if you do not have a direct connection between the two servers. For example, the other Federation Server is on another company's network and there is a firewall between the two servers that prevents the connection.

iii. The last option 'Enter data about the relying party manually' allows the administrator to enter the details about the trust manually. This requires the administrator to know all this information and generally, if possible, it is best to use from the other options.


Choose the third option Enter data about the relying party manually as the administrator will manually fill the required details and then click on Next.





5. Enter the Display Name, you can write whatever name you want as the Display Name and under notes, you can write a description for your Relying Party Trust. Click on Next.





6. Select the first option AD FS profile as it supports parties that are interoperable with new ADFS Features such as SAML 2.0 protocol. Click on Next.





7. You will see the below screen, click on Next.





8. For configuring SAML with your VIDIZMO Portal, select the second option Enable support for the SAML 2.0 Web SSO Protocol and enter your VIDIZMO Portal URL with “/Saml2/Acs” in “Relying Party SAML 2.0 SSO Service URL” like https://vidizmo.enterprisetube.tv/Saml2/Acs and click Next.





9. Add your VIDIZMO Portal URL in the “Relying party trust identifier” and click on Add.





10. This screen will be shown where it will ask you to choose an option:

i. Selecting 'I do not want to configure multi-factor authentication settings for this relying party trust at this time' will not ask for the authentication of the factors shown in the screenshot below.

ii. Selecting 'Configure multi-factor authentication settings for this relying party trust' will ask for the authentication of each factor.


Select the first option I do not want to configure multi-factor authentication settings for this relying party trust at this time and click Next.





11. You will be asked to choose the issuance authorization rule for the users. It either allows the users to have permission to access the relying party or not. Select the first option to Permit all users to access this relying party. This option will permit a user to receive claims from the relying party. Although the relying party may still deny the user access. 





12. Click on Next.





13. Mark the checkbox that says 'Open the Edit Claim Rules dialog for this relying party trust when the wizard closes', then click on Close. This marked checkbox will open a new dialog box where it will ask you to Add Claim Rules.





14. If the Add Claim Rule dialog box failed to open automatically then you can open it by selecting your Relying Party Display Name, right-click on it to choose the option Edit Claim Rules.





15. This screen will open and from here you can Add or Edit Claim Rules. Click on Add Rule.





16. When you click on Add Rule, This below screen will pop up in front of you. Here is a drop-down list of Claim Rule Template: The option 'Send LDAP Attributes as Claims', will select the attributes from a Lightweight Directory Access Protocol (LDAP) such as Active Directory to send claims to the relying party. You can use this rule to send all the user's group memberships. Select Send LDAP Attributes as Claims and Click on Next.





17. Write the Claim Rule Name and select the 'Attribute Store' as Active Directory because we are selecting attributes from it. Edit the Mapping of LDAP attributes to outgoing claim types as Follows, and click on Finish. 



LDAP Attribute

Outgoing Claim Type

E-Mail-Addresses

EmailAddress

Given-Name

FirstName

Surname

LastName

User-Principal-Name

Primarysid

Token-Groups – Unqualified Names

Groups





18. Now you need to add another Rule.





19. From the Claim Template, select the Transform an Incoming Claim rule template which allows you to select an incoming claim, change its claim type and change its claim value. Click on Next.





20. Set the Claim rule name, select Incoming claim type as UPN(User Principal Name), Outgoing claim type as Name ID and Outgoing Name ID Format as Email and Click on Finish.





21. As you have added both the rules, you can click on Apply.





Note: ADFS configuration has been completed. Three URLs are required for VIDIZMO configuration from the ADFS Server which includes Samlp Issuer, Meta Address, and Portal Identity.


For SAML Issuer


1. For SAML Issuer URL, open ADFS management and right-click on service to select Edit Federation Service Properties.





2. Select the Federation Service Identifiercopy this URL to paste it in the VIDIZMO Application in the field of SAML Issuer. This URL will be in this form: 'https://[ADFSDomain]/adfs/services/trust'




For Meta Address


1. On ADFS Management, click on endpoints, in the Metadata section copy this URL to paste it in the field of Meta Address in VIDIZMO Application. It will be in the form of  'https://[ADFSDomain]/FederationMetadata/2007-06/FederationMetadata.xml'.





For Portal Identity


1. On ADFS Management, select the Relying Party Trusts which is recently added. Select its Identifier which is URL of your Portal (vidizmo.enterprisetube.tv).




All URL's


SAML Issuer: https://[ADFSDomain]/adfs/services/trust
Meta Address: https://[ADFSDomian] /FederationMetadata/2007-06/FederationMetadata.xml
Portal Identity: your portal(vidizmo.enterprisetube.tv)


Configuration on VIDIZMO Portal


1. In the VIDIMZO Portal on Side Panel Select Portal Settings.





2. Select Apps and Click on Single Sign-On.





3. Now Scroll down to SAML SSO and click on Settings Button.





4. Now Enter the Saml Issuer, Meta Address, and Portal Identity and click on Save Changes. The other two fields are optional, you can type-in your SSO Login message and SSO Login button label to appear on the Login screen. Turn on the toggle button in the SAML field.





5. On the VIDIZMO Login page, select the option Sign in with SAML SSO. This will redirect you to the page of ADFS.





6. The page has redirected to ADFS Server and asks you to enter your AD id and password. As soon as you fill in your details, click on sign in.





7. The Portal will be Logged in with your AD credentials.