Manage user access to Vidyard with SAML Single Sign On (SSO)

Brendan O'Driscoll
Who Can Use This Feature?
Self-Service Plans: Free, Pro, Plus
Business Plans: Essentials (with add-on), Growth, Enterprise
Users must have the Manage SSO permission enabled.

You can use single sign on (SSO) with Vidyard to simplify the sign-in process and allow users to access their account with the same credentials they use every day.

As long as your identity provider software (IdP) supports SAML 2.0, you can use SSO to centrally manage user access to Vidyard. Some popular IdPs include Google SSO (for G-Suite customers) or Okta.

Requirements

To set up SAML SSO, your user must:

  • Have access to the top-level parent folder in the account
  • Belong to a team with the Manage SSO setting enabled

Create an SSO profile

A "profile" is an SSO configuration that maps to an application in your IdP. If necessary, you can create multiple SSO profiles to manage user authentication—for example, if your company manages more than one IdP. However, in most cases, you may only require one profile.

  1. Sign in to your Vidyard account
    • If you are not already there, switch into the account’s top-level parent folder
  2. Select Admin > Single Sign On from the main menu, then click on Add Profile
  3. Give your profile a name
  4. Provide your IdP with the ACS URL + Entity ID URL from Vidyard
  5. Obtain the X.509 Certificate and SAML Endpoint URL from your IdP and paste them into the fields provided in Vidyard
  6. Click Save
Note: having a name for your Profile(s) is important. If you have more than 1 profile and enable SP-initiated sign-in, users must select the profile they belong to from Vidyard's sign-in page. The Profile name should be something users understand and recognize (e.g. Marketing, Sales, etc).


Assigning users to a Team

There are 2 ways to assign users to a Team in Vidyard with SSO:

  • Add a custom attribute in your identity provider (IdP) that specifies which team a group of users belongs to
  • Create an SSO profile for each team in Vidyard

Use a custom attribute to specify your users’ teams

Most IdPs allow you to add a custom attribute (sometimes called a custom “field” or “claim”) to the profile of a user or group of users. The attribute is then included in the SAML assertion that gets sent from your IdP to the service provider's app (in this case, Vidyard).

Create a custom attribute in your IdP with the name vyTeam. The corresponding value should be the name of the team in Vidyard that you want to assign users to. 

  • Example: attribute name = vyTeam, value = Admin or User

Additionally, each SSO profile allows you to set a fallback team. If a user signs in to Vidyard through your IdP without a valid vyTeam attribute, the user will be assigned to the fallback team instead. 

  1. Under Fallback Team, open the dropdown menu and select a team from the list
  2. Select Save to confirm


If you are unsure how to use SAML custom attributes, consult with your IdP vendor for more information. Here’s some documentation on how to use custom attributes with common IdPs.

Identity provider: how to use custom attributes

  • Okta: Add custom attributes to a user profile or group profile
  • Google: Create custom attributes for user profiles
  • Azure: Use custom claims based user type and group
  • OneLogin: Create custom user fields

Create an SSO profile for each Team in Vidyard

Alternatively, if you are unable to use custom attributes with your IdP, you can instead create an SSO profile for each team that you need to assign users to in Vidyard.

Without a vyTeam attribute, users will be automatically assigned to the fallback team that you select within each SSO profile.

For example, if you have 2 teams (Admins and Users):

  1. Create an SSO profile for each team
      • This should give you 2 apps in your IdP (one for each team in Vidyard)
  2. Set a fallback team for each SSO profile (one for Admins, another for Users)
  3. Assign users to each app in your IdP according to the Vidyard team you want them to belong to

This image is a diagram demonstrating how each SSO profile in Vidyard maps to a different app in your identity provider. The fallback team in each profile is used to assign users to a team based on the app they have access to in the identity provider.

Accepted SAML attributes

Vidyard accepts 1 required and 1 optional attribute in the SAML assertion from your IdP. All other attributes are ignored.

  • Required: Email
  • Optional: vyTeam
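
Added example (not Vidyard's code): a Python check an admin can run on a decoded SAML assertion captured from a test sign-in, to confirm the IdP sends the attributes described under "Use a custom attribute to specify your users’ teams" and "Accepted SAML attributes". The sample assertion, team names, function names and the exact-match rule for a "valid" vyTeam are assumptions, and the check does not verify the assertion's signature.

```python
# Added example, not Vidyard code: checks Email (required) and vyTeam (optional).
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACCEPTED = {"Email", "vyTeam"}  # per the page, all other attributes are ignored

# Constructed sample assertion fragment (no signature; values are made up).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email">
      <saml:AttributeValue>pat@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="vyTeam">
      <saml:AttributeValue>Admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Sales</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def read_attributes(assertion_xml):
    """Return {Name: first value} for every Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name", "")] = (value.text or "").strip() if value is not None else ""
    return attrs


def check_assertion(assertion_xml, known_teams, fallback_team):
    """Report which team a sign-in would resolve to and what gets ignored."""
    # Assumption: a vyTeam value is "valid" when it exactly matches a team name.
    attrs = read_attributes(assertion_xml)
    if not attrs.get("Email"):
        raise ValueError("required attribute Email is missing or empty")
    requested = attrs.get("vyTeam")
    valid = requested in known_teams
    return {
        "email": attrs["Email"],
        "team": requested if valid else fallback_team,
        "used_fallback": not valid,
        "ignored": sorted(set(attrs) - ACCEPTED),
    }


if __name__ == "__main__":
    print(check_assertion(SAMPLE, {"Admin", "User"}, fallback_team="User"))
```

A misspelled vyTeam value shows up here as used_fallback set to True, so it is worth running the check for each IdP group before choosing a fallback team with broad permissions.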

Enable SP-initiated sign in

SP-initiated sign-in allows users to authenticate via your identity provider directly from Vidyard’s sign-in page and any of Vidyard's apps (browser extension, desktop app, mobile app, +more). Users who select Continue with SSO are directed to your identity provider to sign in (if not already). Then, if successful, they are sent back to Vidyard and let into their account.

  • Once you set up and configure an SSO profile(s), SP-initiated sign-in should be available for your users. If users cannot Continue with SSO from Vidyard's sign-in page within 24 hours, contact our Support Team; we'll need to add your company's email domain(s) to an allowlist.

  • As you add new users to your account, they must use IdP-initiated sign in the first time they access Vidyard. This will provision a new user. Once their user has been created, they can use SP-initiated sign in going forward.


Restrict users to SSO sign-in 

Organizations with enhanced security requirements may require that users only sign in to Vidyard through their SSO identity provider.

Once SSO has been set up successfully, any new users that you provision through your identity provider are automatically restricted and must sign in to Vidyard with SSO. All other sign-in options are disabled (email + password, or third-party authentication like Google, Apple, LinkedIn or Microsoft).

If there are users that signed up for Vidyard or were added to your account prior to SSO being enabled, these users are classified as unrestricted and can continue to use all available sign-in methods.

You may contact our Support Team to request that pre-existing users become restricted and must authenticate with SSO, disabling all other sign-in options.

To ensure SSO is the only sign-in method going forward, continue to provision users through your identity provider. Any users directly added to Vidyard from the Users page (Admin > Users), even after SSO has been enabled, will be unrestricted and allowed to sign in with alternate methods. 

Supported SSO capabilities

Below is a table that outlines Vidyard’s supported SSO capabilities.

SSO feature: level of support

  • Provisioning & de-provisioning: Vidyard supports Just In Time (JIT) provisioning to create and update users through SAML. JIT applies changes made to a user’s profile in your IdP when the user next signs in to their Vidyard account. De-provisioning users is currently not supported.
  • Single Logout (SLO): Not supported
  • IdP and SP-initiated sign-in: Vidyard supports both IdP and SP-initiated sign in. If you don't have SP-initiated sign-in available, contact our support team to add your company’s email domain to an allowlist.

Delete an SSO profile

If you need to, you can delete an SSO profile. But be careful: if you have enforced SSO as a sign-in option, users associated with the profile will no longer be able to sign in to their accounts.

Make sure you set up an alternate profile with your IdP before deleting an existing profile. Alternatively, in the absence of SSO, you may want to contact Vidyard Support to un-restrict users and allow for alternative sign-in methods (email + password, for example).

  1. From the main menu in Vidyard, select Admin > Single Sign On
  2. Select Manage next to an active profile
  3. Open the menu in the top-right corner (the three dots), then select Delete
  4. Select Delete again to confirm
