SAML-based Single Sign On (SSO) in Vidyard
What is SAML-based Single Sign On (SSO)?
Single Sign On is an authentication process whereby users are granted access to multiple, yet independent software programs through a single set of login credentials. SSO eliminates the need for users to remember, change and manage several sets of login information. It also allows organizations greater control over the administration of users and the allocation of company tools and assets.
SAML (Security Assertion Markup Language) is the standard authentication mechanism for SSO. It is used to communicate authentication requests between your Service Provider (SP)—the application being used—and an Identity Provider (IdP), the platform that manages users' identities for your company.
Vidyard supports the use of SAML-based SSO as a secure and streamlined way to manage your team's sign-on and user-creation process.
- Securely grant access to Vidyard groups and assets with SSO
- Centralize and manage your teams' access to Vidyard through your IdP
- Changes made to users and their roles in the IdP update automatically as those users log in to Vidyard.
How does SSO authentication work?
Single Sign On utilizes SAML as a web-based authentication mechanism to communicate login requests between your Service Provider (SP) and Identity Provider (IdP). SAML relies on your browser to broker the flow of authentication requests and other security information.
- When a user wants to access Vidyard, they will be prompted to sign in through your SSO login page.
- The IdP (or 'authorization server') verifies the authentication and sends a special token to Vidyard indicating that the user has been authenticated. Login credentials are not communicated in this token.
- The IdP also sends Vidyard a package of information with the most up-to-date information on that user's metadata and assigned role.
- Vidyard then logs the user into their account. If the user has never accessed Vidyard before, an account will be instantly created for them using Just-in-Time provisioning.
- Voila! Your user is securely logged in and up-to-date.
Using Single Sign On in Vidyard
Vidyard allows for the creation of SSO "profiles". Profiles are a way for administrators to create and manage multiple SSO configurations and assign them to different Vidyard groups.
SSO profiles easily allow for instances where:
- Administrators want to grant several sets of video assets to one team, but only some of those same assets to another. For example, in the diagram below, both Marketing and Sales share customer testimonials, but not website or demo videos.
- Your company may need to use more than one identity provider (IdP) to manage people and content. You may even use more than one identity provider to grant two sets of teams access to the same Vidyard group.
- You must be a member of the parent group for your organization
- The Manage Single Sign On permission must be enabled for your role
Set up SAML SSO in Vidyard
The set up process for SSO will differ depending on your IdP. In all cases, however, the process requires you to provide several URLs from Vidyard to your IdP in exchange for an X.509 Certificate and an Endpoint URL.
- From the Vidyard dashboard, select Group > Security
- Under the Single Sign On tab, click + New Profile
- Enter a profile name and set a default role (more information about roles below)
- Notice the three Vidyard SAML URLs provided. When creating a new SSO application from your IdP, copy the appropriate URLs to your IdP.
- In exchange, retrieve from your IdP the X.509 Certificate and the SAML Endpoint URL. Copy these in their entirety into the SAML configuration fields provided in Vidyard. This includes any "Beginning" or "End of" text that may appear in the X.509 Certificate.
- Click Confirm
Important: Individual IdPs may have different terms for the URLs provided in Vidyard. They may also only require some of the URLs provide. In other cases, your IdP may require all three.
Visit your IdP's support site if you need assistance understanding which values to provide from Vidyard as well as where to locate your X.509 Certificate and SAML Endpoint URL.
Assign an SSO profile
Once you have created an SSO profile, assign it to any group(s) for which users will require access through your IdP.
- From the Single Sign On tab, select Assign next to an existing profile
- Assign the SSO profile to an available group(s) within your organization
- The assign interface demonstrates groups to which the profile has already been assigned as well as those still available for assignment.
- Use the search bar to quickly find unassigned groups within your organization
- Click Confirm
Important: For any group to which an SSO profile has not been assigned, users may continue to log in through standard Vidyard authentication.
Administrators for that group may also manage user roles and permissions within Vidyard, rather than relying on their IdP.
Manage users and roles with SSO
One of the primary advantages of SSO is the ability to manage user information from one central location—your Identity Provider (IdP). Your IdP acts as the host for user sign-on credentials as well as other additional metadata, such as their username, email address, and the role to which they are assigned.
Important: setting up SSO means that Vidyard relinquishes control over the creation, deletion, and assignment of user roles to your IdP.
Here's how your IdP creates a user in Vidyard:
- When a user logs into Vidyard using SSO, your IdP sends along their information and role metadata.
- If the user does not exist within the group to which they were assigned, Vidyard will automatically create a user account and assign their role in real-time.
- If the user already exists within the Vidyard group but is assigned to a different role in your IdP, the user will be re-assigned to the role specified in your IdP.
- If the user has not been assigned a role in your IdP at all, Vidyard will assign that user to the Default Role set within the SSO configuration in Vidyard.
Your Vidyard account is used to organize the users that your IdP sends along. This includes managing what roles are available within Vidyard and which permissions each role has. However, users cannot be moved between roles in Vidyard—these changes must be made in your IdP.
Keep in mind: Individual IdPs may have a different process for setting user role information. Roles that are specified in your IdP must exactly match the name of a role in Vidyard (these are character, case, and space-sensitive).
Visit your IdP's support site if you require assistance.
Set a default role
To manage the default role for an SSO profile:
- Select Group > Security to navigate to the Single Sign On settings tab in Vidyard.
- Select Assign next to an existing profile.
- Use the Default Role dropdown menu to select a role.
- Click Confirm.
Manage role permissions
To change the permissions for a role in Vidyard:
- From the Vidyard Dashboard, select Group > Groups and Users
- Click Manage next a group to reveal its roles
- Select Options > Edit Permissions beside a role to change its permissions.
- Use the ON/OFF toggle switches to manage permissions for a role.
Note: See our documentation for more information on available role permissions
Important: The Manage Single Sign On permission is enabled by default for all admins in the parent group. Should you require, it can also be enabled for any other role within the parent group.
Manage Single Sign On is not available as a permission in any Vidyard subgroup.
Manage GoVideo Users
GoVideo Enterprise customers with Single Sign-On enabled must also invite users to GoVideo using their IdP.
To invite GoVideo users using SSO:
- From the Vidyard Dashboard select Group > Groups and Users. Then click + Add Role (or configure an existing role for GoVideo)
- Next to the role, select Options > Edit Permissions from the dropdown menu
- Ensure that the Send GoVideo Invite toggle is switched to ON
- In your IdP, assign any users that you wish to invite to GoVideo to the role with the Send GoVideo Invite permission enabled.
Note: When a user assigned to this role logs into the Vidyard platform through SSO, they will receive an invitation to GoVideo from their administrator.
Frequently asked questions
Does Vidyard sign users out after a duration of inactivity?
Yes. A user's session will timeout after 24 hours. Thereafter the user will need to sign in again.
Does Vidyard require identities to be provisioned and de-provisioned in its database?
Vidyard supports account provisioning through any SAML IdP. Just-in-time provisioning creates an account upon a successful SAML assertion.
If disabled in the IdP, a user's account will remain in Vidyard but will be inaccessible. Because we cannot delete a user in Vidyard via the IdP, an administrator will have to manually remove the user's account from Vidyard thereafter.
Does Vidyard honor both IDP & SP workflows or one over the other?
Vidyard allows for both IdP-initiated sign in and SP-initiated sign in. In other words, while the user has an active role in your IdP, the user may sign in through either the IdP or through Vidyard directly.