Overview

Single Sign-On (SSO) is a user authentication process that allows your users to sign in to multiple applications using the same set of login credentials. This allows ease of use for the end-users and ease of management for administrators. VIDIZMO offers the most flexible options for you to integrate with a wide range of single sign-on authentication providers, including: 

  1. Directory services such as Azure AD, Azure Directory Federation Service, etc. 
  2. Identity Access Management (IAM) services such as Okta, OneLogin, Ping, Centrify, ForgeRock,
  3. Third-party login services such as Facebook, Google, Office 365, Twitter, LinkedIn, etc.


With an app model integration for SSO, VIDIZMO makes the integration as easy as enabling/disabling your identity provider from within the platform administrator interface in minutes. Enterprises using ADFS as their identity provider can utilize SSO option with VIDIZMO, allowing users to sign in using the same set of credentials. 

For more information about VIDIZMO SSO Apps, read Understanding Single Sign-On.


Before you start

  • For configuring ADFS SSO with VIDIZMO, you must have an ADFS server's administrator account so that you can create an Application Group for authorization.
  • If more SSO Apps have been configured and enabled on your Portal other than ADFS SSO, your users will see multiple buttons on the login page allowing them to choose any identity provider of their choice to log in to their VIDIZMO Portal.
  • VIDIZMO requires your ADFS authorization server to expose a list of scopes to map attributes and provide user authentication. These scopes include:
    • Profile (The user's First Name and Last Name are exposed and mapped in your VIDIZMO account in this Scope)
    • Email (The user's Email Address is exposed and mapped in your VIDIZMO account in this Scope)
    • Openid (this is required to indicate that the applicant intends to use OIDC to verify the user's identity)
  • Managers and Administrators of the Portal can configure and enable SSO options in VIDIZMO.
  • If your portal is using HTTPS protocol, make sure your ADFS authentication server is also using HTTPS.


Configuration in ADFS


1. Create Application Group (This will help you configure settings for the VIDIZMO in ADFS).

i. In ADFS Management, right-click on Application Groups and select Add Application Group.

ii. On the Add Application Group Wizard, for the name enter ADFSSSO (you can give it any name of your choice) and under Client-Server applications select the Web browser accessing a web application template. 

iii. Click Next.




2. In Add Application Group Wizard

i. Copy the Client Identifier value. It will be used later as the value for ClientId in the VIDIZMO Configuration.

(Client identifier field can be edited, so you can add self-defined client Identifier key)

ii. Enter the following for Redirect URI: - https://portaldomain.com/sso/signin-adfs. Click Add. Click Next.
(Note: Your portaldomain is your portal URL and portaldomain. For example, if your portal URL is lexcorp.com so the Redirect URL will be https://lexcorp.com/ sso/signin-adfs. )


3. From Choose an access control policy select the type of user group policy you want to configure. (e.g. select Permit everyone if you want to allow all your portal members to use ADFS) and click on Next.


4. On the Summary screen review the details, click Next and then click Close.


5. In ADFS Management, click on Application Groups and right-click on ADFSSSO (created in step 1) application and click properties

(This will help you configure/transform the Issuance Transform Rules, which are used by VIDIZMO to authenticate the login process using ADFS)




i. Select and edit the ADFSSSO - Web application




ii. Select Issuance transform Rules Tab and add Add Rule.




iii. Add Transform Claim Rule Wizard will open. 

iv. At Choose Rule Type screen, select Send LDAP Attributes as Claims as the Claim Rule template from the drop-down list. Click. 

v. Next to proceed.

                               



6. You will move on to Configure Claim Rule screen: 

(Here you can configure a rule to send the values of LDAP attributes as claims).

i. Enter Claim rule name

ii. Select Active Directory as the Attribute store from the dropdown list. 

iii. Start Mapping LDAP attributes to Outgoing ClaimTypes.


 


The LDAP Attribute column shows the claims available from Active Directory and Outgoing Claim Type are claim types that will be sent to VIDIZMO. 


LDAP ATTRIBUTE
OUTGOING CLAIM TYPE 
E-Mail-Addresses
 
E-mail Address
 
Given-Name
 
Given Name
 
Surname
 
Surname
 
User-Principal-Name
 
Nameidentifier 
Token-Groups - Unqualified NamesGroup



Once all the LDAP Attributes to outgoing claim types are added, click Finish


Note: Token-Groups - Unqualified Names is used to grant access to all the users of a group as well as the subgroup associated with that group. 



7. Getting the Portal URL and Meta Address. 

(This Portal URL and Meta Address is a required field in for VIDIZMO configuring the ADFS SSO. You will have to use them in combination). Copy these two fields, you will have to use them in VIDIZMO portal settings part.

i. Go to ADFS Management

ii. Select Edit Federation Service Properties..



iii.  Federation Service Properties screen will be opened.

iv. Copy your Federation Service Name




v. Get the Meta Address by going to Endpoints in ADFS Management




Configuration in VIDIZMO

1. After logging into your portal, from your homepage:

i. Click on the navigation menu on the top left corner.
ii. Expand the Admin tab.

iii. Click on the Settings tab and you'll be directed to Portal Settings page.




2. On the Portal Settings page, expand Apps and select Single Sign-On.

i. Click on the settings icon against ADFS SSO to configure its app in the portal.




3. From the ADFS SSO Settings screen:

i. Enter the Client Identifier you copied in step 2 of ADFS Configuration.

ii. Enter the Meta Address. It is the combination of Federation Service Name (Portal URL) and Meta Address

iii. Requires HTTPS Metadata: Select this checkbox to get metadata. When the request is handled for the first time, it tries to retrieve some metadata from the authorization server (also called authority or issuer). This metadata, or discovery document in OpenID Connect terminology, contains the public keys and other details needed to validate tokens.

iv. Force Login: Select the checkbox to enable forced login and it will take you directly to Okta. When unchecked, it will not redirect automatically to the IdP and you will be required to sign in through your Portal's sign-in screen.

v. Click on Save Changes 



4. After saving changes, you will be back on the SSO Apps page from where you can top off the process:

i. Toggle the gear button against ADFS SSO to enable it on your portal.




Sign in using ADFS SSO

Sign out from your existing account and navigate back to the Login page to see an option to sign in using ADFS SSO.


Note: After configuring ADFS, your defined user group (refer to ADFS Configuration Step 3) will be able to login to your portal with the 'Viewer' role and if you have enabled content moderation then with Contributor role by clicking on Sign in with ADFSSSO button.