Set up and Configure SAML-Based SSO Authentication in Vidyard
Vidyard supports SAML-Based Single Sign-On (SSO), which is a secure way to streamline your team’s sign-on and user-creation process. If you're the IdP (Identity Provider) Admin for your team, learn everything you need to know right here.
To learn how to manage user roles and permissions in the Vidyard Platform, see the Managing Users and Roles with SAML-Based SSO Authentication article.
Let's get oriented:
If you're not familiar with this system, here's a quick rundown of some important terms before we start:
- Single Sign-On (SSO): SSO is an authentication process which lets users sign into multiple applications with a single set of credentials.
- Security Assertion Markup Language (SAML): SAML is a fast, secure, and popular SSO standard.
- Identity Provider (IdP): IdP refers to a service which provides the centralized authentication platform to manage user identities for your organization.
- Just-in-Time Provisioning: The first time a user logs into Vidyard with SSO, Vidyard will create a user account for them in real-time. This means you don't have to manually create a Vidyard account for new users!
What's the benefit to you?
Enabling Single Sign-On Authentication means that your team’s credentials are stored with your IdP, and not with Vidyard. This way, the secure information can stay in one place. You can even keep your IdP behind a firewall so your users' credentials never have to leave the safety of your firewall.
It also means you can manage all your users in one centralized location. Any changes you make to users and their roles in the IdP will automatically be updated in Vidyard the next time that user logs in.
How does SAML-Based SSO Authentication work?
- A user wants to log into Vidyard. They go to their SAML SSO login page and enter their login credentials.
- The IdP (or 'authorization server') verifies the authentication.
- If the authentication is verified, the IdP server sends a special token to Vidyard, saying that the user is authenticated. Login credentials are not communicated in this token.
- The IdP also sends Vidyard a package of information with the most up-to-date information on that user's metadata and assigned role.
- Vidyard then logs the user into their account. If they are not a user in Vidyard yet, Vidyard will instantly create a user account for them using Just-in-Time provisioning.
- Voila! Your user is securely logged in and up-to-date, without any extra work from you.
What's your role in all this?
As the Admin for your IdP, you will be responsible for:
- Connecting Vidyard and your IdP
- Configuring authentication settings in your IdP (e.g., how long before a user times out)
Note: It's critical that you ensure that your IdP sends a NameID for each user, which must be an email address.
- Creating, deleting, and modifying users, and assigning user roles
Note: Vidyard users create roles within Vidyard, but the IdP assigns roles to individual users.
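The NameID requirement above can be checked before rollout by inspecting a test login's SAMLResponse. The following is an added example, not Vidyard's code: it assumes a SAML 2.0 response captured from the HTTP-POST binding (base64 form field) with an unencrypted assertion, uses constructed sample responses, and does not verify the signature.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Deliberately simple shape check: one "@", no whitespace, a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_name_id(saml_response_b64):
    """Return (ok, detail) for the NameID carried in a base64 SAMLResponse."""
    xml_bytes = base64.b64decode(saml_response_b64)
    # A SAML message never needs a DTD; refusing one avoids entity expansion.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return False, "DOCTYPE/ENTITY declarations are not allowed"
    root = ET.fromstring(xml_bytes)
    name_ids = root.findall(".//saml:Assertion/saml:Subject/saml:NameID", SAML_NS)
    if len(name_ids) != 1:
        return False, f"expected exactly one NameID, found {len(name_ids)}"
    value = (name_ids[0].text or "").strip()
    if not EMAIL_RE.match(value):
        return False, f"NameID {value!r} is not an email address"
    return True, value


def encode_sample(name_id_xml):
    # Constructed sample response (unsigned, trimmed to the elements checked here).
    doc = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        "<saml:Assertion><saml:Subject>" + name_id_xml +
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(doc.encode()).decode()


GOOD = encode_sample("<saml:NameID>alice@example.com</saml:NameID>")
BAD_USERNAME = encode_sample("<saml:NameID>alice</saml:NameID>")  # username only
MISSING = encode_sample("")                                       # no NameID sent

if __name__ == "__main__":
    for label, sample in [("good", GOOD), ("username", BAD_USERNAME), ("missing", MISSING)]:
        print(label, check_name_id(sample))
```

A failing result points at the IdP's NameID mapping for the application, which is where the attribute sent as NameID is chosen.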
Setting up SSO
To set up SAML SSO, all you have to do is connect your IdP to Vidyard. All it really takes to make this connection is to copy and paste a few codes from Vidyard into your IdP, and vice versa.
Note: You will need to have Administrator permissions within Vidyard.
To get started:
- Log into Vidyard.
- In the Group menu, click Single Sign On.
Note: If you do not have this option, contact your Account Manager.
- In the Vidyard SAML URLs section, you will see three URLs. Copy these URLs into your IdP's configuration page.
Note: Individual IdPs will often have different terms for these URLs. Visit your IdP's support site if you need assistance locating where to place these URLs.
Note: You must enter and save the X.509 Certificate and SAML Endpoint URL before you are able to access these URLs.
- Your IdP will provide a Certificate and Endpoint URL. Locate these in your IdP Account, and paste them into the Your Identity Provider fields. Ensure that the whole of the certificate is inserted, including any Start and End of Certificate text that may appear.
Note: Individual IdPs will also often have different terms for 'certificate' or 'endpoint URL'. Visit your IdP's support site if you need assistance locating these values within your IdP account.
- Click Save.