You can use single sign on (SSO) with Vidyard to simplify the sign-in process and allow users to access their account with the same credentials they use every day.
As long as your identity provider software (IdP) supports SAML 2.0, you can use SSO to centrally manage user access to Vidyard. Some popular IdPs include Google SSO (for G-Suite customers) or Okta.
Requirements
To set up SAML SSO, your user must:
- Have access to the top-level parent folder in the account
- Belong to a team with the Manage SSO setting enabled
Create an SSO profile
A "profile" is an SSO configuration that maps to an application in your IdP. If necessary, you can create multiple SSO profiles to manage user authentication—for example, if your company manages more than one IdP. However, in most cases, you may only require one profile.
- Sign in to your Vidyard account
- If you are not already there, switch into the account’s top-level parent folder
- Select Admin > Single Sign On from the main menu, then click on Add Profile
- Give your profile a name
- Provide your IdP with the ACS URL + Entity ID URL from Vidyard
- Obtain the X.509 Certificate and SAML Endpoint URL from your IdP and paste into the fields provided in Vidyard
- Click Save
Assigning users to a Team
There are 2 ways to assign users to a Team in Vidyard with SSO:
- Add a custom attribute in your IdP that specifies which Team a group of users belongs to
- Create an SSO profile for each Team in Vidyard
Use a custom attribute to specify your users’ teams
Most IdPs allow you to add a custom attribute (sometimes called a custom “field” or “claim”) to a user or group of users’ profiles. The attribute is then included in the SAML assertion that gets sent from your IdP to the service provider's app, in this case Vidyard.
Create a custom attribute in your IdP with the name vyTeam. The corresponding value should be the name of the Team in Vidyard that you want to assign users to.
- Example: attribute name = vyTeam, value = Admin or User
Additionally, each SSO profile allows you to set a fallback team. If a user signs in to Vidyard through your IdP without a valid vyTeam attribute, the user will be assigned to the fallback team instead.
- Under the SSO profile’s Team section, select Change
- Select a team from the list
- Click Update to finish
If you are unsure how to use SAML custom attributes, consult with your IdP vendor for more information. Here’s some documentation on how to use custom attributes with common IdPs.
Identity Provider | How to use custom attributes |
Okta | Add custom attributes to a user profile or group profile |
Create custom attributes for user profiles | |
Azure | Use custom claims based user type and group |
OneLogin | Create custom user fields |
Create an SSO profile for each Team in Vidyard
Alternatively, if you are unable to use custom attributes with your IdP, you can instead create an SSO profile for each team that you need to assign users to in Vidyard.
Without a vyTeam attribute, users will be automatically assigned to the fallback team that you select within each SSO profile.
For example, if you have 2 teams (Admins and Users):
- Create an SSO profile for each team
  - This should give you 2 apps in your IdP (one for each Vidyard Team)
- Set the fallback team within each profile (one for Admins, another for Users)
- Assign users to each app in your IdP according to the Vidyard team you want them to belong to
Accepted SAML attributes
Vidyard accepts 1 required and 1 optional attribute in the SAML assertion from your IdP. All other attributes are ignored.
- Required: Email
- Optional: vyTeam
Enable SP-initiated sign in
SP-initiated sign-in allows users to authenticate via your identity provider directly from Vidyard’s sign-in page and any of Vidyard's apps (browser extension, desktop app, mobile app, +more). Users who select Continue with SSO are directed to your identity provider to sign in (if they are not already signed in). Then, if successful, they are sent back to Vidyard and let into their account.
- Once you set up and configure an SSO profile(s), SP-initiated sign-in should be available for your users. If users cannot Continue with SSO from Vidyard's sign-in page within 24 hours, contact our Support Team; we'll need to add your company's email domain(s) to an allowlist.
- As you add new users to your account, they must use IdP-initiated sign in the first time they access Vidyard. This will provision a new user. Once their user has been created, they can use SP-initiated sign in going forward.
Enforce SSO as a sign-in option
Organizations with enhanced security requirements can enforce SSO as a sign-in option.
When you make SSO mandatory, Vidyard requires users to sign in with your identity provider going forward. All other sign-in options are not permitted (email + password, or third-party authentication like Google, Apple, LinkedIn or Microsoft).
Enforcing SSO is especially important if there are users in your account that signed up for Vidyard prior to joining your account or SSO being configured. These users are classified as “unrestricted” and can continue to sign in using other methods.
Any brand new users provisioned by your IdP are restricted to using SSO by default.
- Contact our Support Team to enforce SSO as the only sign-in method for users in your account.
Supported SSO capabilities
Below is a table that outlines Vidyard’s supported SSO capabilities.
SSO feature | Level of support |
Provisioning & de-provisioning | Vidyard supports Just In Time (JIT) provisioning to create and update users through SAML. JIT applies changes made to a user’s profile in your IdP when the user next signs in to their Vidyard account. De-provisioning users is currently not supported. |
Single Logout (SLO) | Not supported |
IdP and SP-initiated sign-in | Vidyard supports both IdP and SP-initiated sign in. If you don't have SP-initiated sign-in available, contact our support team to add your company’s email domain to an allowlist. |
Delete an SSO profile
If you need to, you can delete an SSO profile. But be careful — if you have enforced SSO as a sign-in option, users associated with the profile will no longer be able to sign in to their accounts.
Make sure you set up an alternate profile with your IdP before deleting an existing profile. Alternatively, in the absence of SSO, you may want to contact Vidyard Support to un-restrict users and allow for alternative sign-in methods (email + password, for example).
- From the main menu in Vidyard, select Admin > Single Sign On
- Select Manage next to an active profile
- Open the menu in the top-right corner (the three dots), then select Delete
- Select Delete again to confirm