Overview

Single Sign-On (SSO) is a user authentication process that allows your users to sign in to multiple applications using the same set of login credentials. This allows ease of use for the end users and ease of management for administrators. VIDIZMO offers the most flexible options for you to integrate with a wide range of single sign-on authentication providers, including: 

  1. Directory services such as Azure AD.
  2. Identity Access Management (IAM) services such as Okta, OneLogin, Ping, Centrify, and ForgeRock.
  3. Third-party login services such as Facebook, Google, Office 365, Twitter, LinkedIn, etc.


With an app model integration for SSO, VIDIZMO makes the integration as easy as enabling or disabling your identity provider from within the platform administrator interface, in minutes. Enterprises using ForgeRock Access Management as their identity provider can use the SSO option with VIDIZMO, allowing users to sign in using the same set of credentials.

For more information about VIDIZMO SSO Apps, read Understanding Single Sign-On.


Before you start

  • For configuring Ping Identity SSO with VIDIZMO, you must have a Ping Identity server's administrator account so that you can create a Ping Identity OIDC application for authorization.
  • If more SSO Apps have been configured and enabled on your Portal other than Ping Identity SSO, your users will see multiple buttons on the login page allowing them to choose any identity provider of their choice to log in to their VIDIZMO Portal.
  • VIDIZMO requires your Ping authorization server to expose a list of scopes to map attributes and provide user authentication. These scopes include:
    • Profile (The user's First Name and Last Name are exposed and mapped in your VIDIZMO account in this Scope)
    • Email (The user's Email Address is exposed and mapped in your VIDIZMO account in this Scope)
    • Openid (this is required to indicate that the application intends to use OIDC to verify the user's identity)
  • Managers and Administrators of the Portal can configure and enable SSO options in VIDIZMO.
  • If your portal is using the HTTPS protocol, make sure your Ping authentication server is also using HTTPS.


Configuration in Ping Identity

Create and Configure OIDC Application


1. After you log in to your Ping authorization server using an admin account, go to your default view of Applications. Here you need to add a new Web Application with the connection type OIDC. You will then be asked to enter the Application Name, its Description and an Icon.


2. After creating the application profile, configure Redirect URLs for the application. Specifying them lets Ping Identity whitelist the addresses to which user information is sent after a successful login.

i. In the Redirect URLs section, enter your Portal URL appended with /sso/signin-pingid.

ii. Click Save and Continue.




Grant Access


1. Grant access to the application by selecting the OIDC scopes for the application. The OIDC scopes determine the resources that the application can access. 

i. Search for the scopes "email" and "profile" in the left column.

ii. Click and drag each of them to add them to the scope grants column on the right.

iii. Click Save and Continue.




Map Attributes


1. Here you will have to map PingOne attributes to VIDIZMO Portal's attributes by reading the following article: Map PingOne Attributes. The attribute mapping allows the user information in both platforms to be synchronized after authorization.

i. Apart from the default attribute, click on Add Attribute

ii. Select PingOne Attribute from the dropdown

iii. Now search for the attribute "Given Name" under PingOne User Attribute and select it

iv. Enter "FirstName" under Application Attribute against the PingOne Attribute




2. Similarly, add the following list of attributes within the application. Make sure to mark Email Address as Required.

 

PingOne User Attribute | Application Attribute
Given Name             | FirstName
surname                | LastName
Email Address          | EmailAddress
External ID            | ExternalSystemId




Get Client ID, Secret and Meta Address


1. Here is how you can navigate through your applications to get relevant Client ID, Secret and Meta Address to be later used in VIDIZMO configuration:

i. View the application you recently created and copy its Client ID: View Application.

ii. Here is how you can view Client Secret and copy it for later use: View Client Secret.

iii. While viewing your application, go to the Configuration section and copy the OIDC Discovery Endpoint for later use.




2. There is one last step you need to perform in the same Configuration section. Scroll down to Advanced Configuration, in which:

i. Under Token Endpoint Authentication Method, make sure to select Client Secret Post.



Enable Application


Make sure your application is enabled after fully configuring its settings. The application will not be functional until you switch it on. Here's how: Enable or disable an application.



Configuration in VIDIZMO

Configure SSO Apps


1. After logging into your portal, from your homepage:

i. Click on the navigation menu in the top-left corner.
ii. Expand the Admin tab.

iii. Click on the Settings tab and you'll be directed to Portal Settings page.




2. On Portal Settings page, expand Apps and select Single Sign-On.

i. Click on the settings icon against Ping Identity to configure its app in the portal.




Set up Ping Identity SSO Client

1. From the Ping Identity Settings screen:

i. Enter a message that you wish to display along with the login option with Ping ID

ii. Enter a customized label for creating an engaging log-in experience for your end-users

iii. Paste the Client ID you copied in the last step.

iv. Similarly paste the Secret that you set while configuring your application.

v. The Meta Address is the OIDC Discovery Endpoint that you copied in the last step.

vi. Requires HTTPS Metadata: Select this check box to ensure HTTPS is required to get the metadata. When a request is handled for the first time, some metadata is retrieved from the authorization server (also called an authority or issuer). This metadata, or discovery document in OpenID Connect terminology, contains the public keys and other details needed to validate tokens.

vii. Force Login: Force login is to be enabled in order to make sure users can sign in when VIDIZMO sign-in has been turned off.

viii. Click on Save Changes to proceed.




2. After saving changes, you will be back on the SSO Apps page from where you can top off the process:

i. Toggle the button against Ping Identity SSO to enable it on your portal.
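A preflight check for the values configured above, as an added example that is not VIDIZMO or Ping Identity code: it inspects a discovery document retrieved from the Meta Address for HTTPS endpoints, the three required scopes, and Client Secret Post support. The hosts portal.example and issuer.example, the sample document, and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

REQUIRED_SCOPES = {"openid", "profile", "email"}  # scopes listed under "Before you start"
REDIRECT_PATH = "/sso/signin-pingid"              # path from the Redirect URLs step

# Constructed sample discovery document; issuer.example is a placeholder host.
SAMPLE_METADATA = {
    "issuer": "https://issuer.example/as",
    "authorization_endpoint": "https://issuer.example/as/authorize",
    "token_endpoint": "https://issuer.example/as/token",
    "jwks_uri": "https://issuer.example/as/jwks",
    "scopes_supported": ["openid", "profile", "email", "address"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

def redirect_uri(portal_url):
    """Portal URL with the sign-in path appended, as entered in Redirect URLs."""
    return portal_url.rstrip("/") + REDIRECT_PATH

def preflight(portal_url, meta_address, metadata):
    """Return a list of findings; an empty list means the settings line up."""
    findings = []
    portal_https = urlsplit(portal_url).scheme == "https"
    if portal_https and urlsplit(meta_address).scheme != "https":
        findings.append("Meta Address is not HTTPS while the portal is")
    # Every URL the portal will call or trust should match the portal's scheme.
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"):
        value = metadata.get(key)
        if not value:
            findings.append(f"discovery document lacks {key}")
        elif portal_https and urlsplit(value).scheme != "https":
            findings.append(f"{key} is not HTTPS: {value}")
    missing = REQUIRED_SCOPES - set(metadata.get("scopes_supported", []))
    if missing:
        findings.append("scopes not advertised: " + ", ".join(sorted(missing)))
    # When the field is absent, the OIDC Discovery default is client_secret_basic only.
    methods = metadata.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if "client_secret_post" not in methods:
        findings.append("client_secret_post is not an advertised token endpoint auth method")
    return findings

if __name__ == "__main__":
    meta = "https://issuer.example/as/.well-known/openid-configuration"
    print(redirect_uri("https://portal.example/"))
    print(preflight("https://portal.example", meta, SAMPLE_METADATA) or "OK")
```

The `scopes_supported` field is optional in discovery documents, so a "not advertised" finding means the scope grants should be confirmed in the Ping console rather than that they are necessarily absent.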



Sign in using Ping Identity

Sign out from your existing account and navigate back to the Login page, where you will see an option to sign in using Ping Identity Access Management. Using this button, you will be routed to the Ping Identity Login page and will be granted access to VIDIZMO after successfully logging in.