Manage user access to Vidyard with SAML Single Sign On (SSO)

You can use single sign on (SSO) with Vidyard to simplify the sign-in process and allow users to access their account with the same credentials they use every day.

As long as your identity provider software (IdP) supports SAML 2.0, you can use SSO to centrally manage user access to Vidyard. Some popular IdPs include Google SSO (for G-Suite customers) or Okta.

Requirements

To set up SAML SSO, your user must:

• Have access to the top-level parent folder in the account
• Belong to a team with the Manage SSO setting enabled

Create an SSO profile

A "profile" is an SSO configuration that maps to an application in your IdP. If necessary, you can create multiple SSO profiles to manage user authentication—for example, if your company manages more than one IdP. However, in most cases, you may only require one profile.

1. Sign in to your Vidyard account
   • If you are not already, switch into the account’s top-level parent folder
2. Select Admin > Single Sign On from the main menu, then click on Add Profile
3. Give your profile a name
4. Provide your IdP with the ACS URL + Entity ID URL from Vidyard
5. Obtain the X.509 Certificate and SAML Endpoint URL from your IdP and paste into the fields provided in Vidyard
6. Click Save

Assigning users to a Team

There are 2 ways to assign users to a Team in Vidyard with SSO:

• Add a custom attribute in your IdP that specifies which Team a group of users belongs to
• Create an SSO profile for each Team in Vidyard

Use a custom attribute to specify your users’ teams

Most IdPs allow you to add a custom attribute (sometimes called a custom “field” or “claim”) to a user or group of users’ profiles. The attribute is then included in the SAML assertion that gets sent from your IdP to the service provider's app —in case this, Vidyard.

Create a custom attribute in your IdP with the name vyTeam . The corresponding value should be the name of the Team in Vidyard that you want to assign users to. 

• Example: attribute name = vyTeam, value =Adminor User

Additionally, each SSO profile allows you to set a fallback team. If a user signs in to Vidyard through your IdP without a valid vyTeam attribute, the user will be assigned to the fallback team instead. 

1. Under the SSO profile’s Team section, select Change
2. Select a team from the list
3. Click Update to finish

If you are unsure how to use SAML custom attributes, consult with your IdP vendor for more information. Here’s some documentation on how to use custom attributes with common IdPs.

Create an SSO profile for each Team in Vidyard

Alternatively, if you are unable to use custom attributes with your IdP, you can instead create an SSO profile for each team that you need to assign users to in Vidyard.

Without a vyTeam attribute, users will be automatically assigned to the fallback team that you select within each SSO profile.

For example, if you have 2 teams (Admins and Users):

1. Create an SSO profile for each team
   • • This should give you 2 apps in your IdP (one for each Vidyard Team)
2. Set the fallback team within each profile (one for Admins, another for Users)
3. Assign users to each app in your IdP according to the Vidyard team you want them to belong to

Accepted SAML attributes

Vidyard accepts 1 required and 1 optional attribute in the SAML assertion from your IdP. All other attributes are ignored.

• Required: Email
• Optional: vyTeam

Enable SP-initiated sign in

SP-initiated sign-in allows users to authenticate via your identity provider directly from Vidyard’s sign-in page and any of Vidyard's apps (browser extension, desktop app, mobile app, +more). Users who select Continue with SSO are directed to your identity provider to sign in (if not already). Then, if successful, they are sent back to Vidyard and let into their account.

• Once you set up and configure an SSO profile(s), SP-initiated sign-in should be available for your users. If users cannot Continue with SSO from Vidyard's sign-in page within 24 hours, contact our Support Team; we'll need to add your company's email domain(s) to an allowlist.
  
  
• As you add new users to your account, they must use IdP-initiated sign in the first time they access Vidyard. This will provision a new user. Once their user has been created, they can use SP-initiated sign in going forward.

Enforce SSO as a sign-in option

Organizations with enhanced security requirements can enforce SSO as a sign-in option.

When you make SSO mandatory, Vidyard requires users to sign-in with your identity provider going forward. All other sign-in options are not permitted (email + password, or third-party authentication like Google, Apple, LinkedIn or Microsoft).

Enforcing SSO is especially important if there are users in your account that signed up for Vidyard prior to joining your account or SSO being configured. These users are classified as “unrestricted” and can continue to sign in using other methods.

Any brand new users provisioned by your IdP are restricted to using SSO by default.

• Contact our Support Team to enforce SSO as the only sign-in method for users in your account.

Supported SSO capabilities

Below is table that outlines Vidyard’s supported SSO capabilities

Delete an SSO profile

If you need to, you can delete an SSO profile. But be careful — if you have enforced SSO as a sign-in option, users associated with the profile will no longer be able to sign in to their accounts.

Make sure you set up an alternate profile with your IdP before deleting an existing profile. Alternatively, in the absence of SSO, you may want to contact Vidyard Support to un-restrict users and allow for alternative sign-in methods (email + password, for example).

1. From the main menu in Vidyard, select Admin > Single Sign On
2. Select Manage next to an active profile
3. Open the menu in the top-right corner (the three dots), then select Delete
4. Select Delete again to confirm