Overview
SAML allows users to seamlessly access multiple applications with the same credentials, so they can conduct business faster and more efficiently. VIDIZMO provides SSO functionality to all of its customers through SAML, making it easier to log in without having to type in different credentials every time. For more information about VIDIZMO SSO Apps, read Understanding Single Sign-On.
Before you start
- Make sure you are logged in with a Manager+ role in VIDIZMO to be able to configure SAML-P SSO using Okta.
- For configuring Okta SSO with SAML, you must have an Okta developer account so that you can create an Okta application. To create an Okta account, visit https://developer.okta.com/signup/
- If SSO Apps other than Okta have been configured and enabled on your Portal, your users will see multiple buttons on the login page, allowing them to choose the identity provider of their choice to log in to their VIDIZMO Portal.
- VIDIZMO requires your Okta authorization server to expose a list of scopes to map attributes and provide user authentication. These scopes include:
- Profile (The user's First Name and Last Name are exposed and mapped in your VIDIZMO account in this Scope)
- Email (The user's Email Address is exposed and mapped in your VIDIZMO account in this Scope)
- Groups (This is a custom Scope that must be exposed by your Authorization Server.)
Configuration in Okta
Creating Application
First, you need to create an application in Okta in order to configure SAML-P SSO using Okta in VIDIZMO. The following steps show you how to create an application in Okta:
1. Go to https://login.okta.com/ and enter the ORG URL that you received while creating your Okta developer account.
2. At the Sign In page:
i. Enter your email address and password.
ii. Click on Sign In.
3. From the homepage, click on the Admin button to navigate to the Dashboard.
4. From the Dashboard:
i. Hover over the Application tab.
ii. Select Application from the drop-down.
5. From the Application page:
i. Click on the Add Applications button to open the Add Application page.
6. From the Add Application Page:
i. Click on the Create New App button.
ii. Select Web from the Platform drop-down.
iii. Now, select SAML 2.0 in the Sign-in method.
iv. Click on the Create button.
7. The General Settings page will open:
i. Give your Okta App a suitable name.
ii. Click Next to navigate to the Configuring SAML page.
8. On the Configuring SAML tab:
i. Single Sign-on URL: The location where the SAML assertion is sent with an HTTP POST. Append /Saml2/Acs to your VIDIZMO Portal URL to form this link.
ii. Audience URI: Enter your VIDIZMO Portal URL here.
iii. Name ID format: Identifies the SAML processing rules and constraints for the assertion's subject statement. Use the default value of 'EmailAddress' here.
iv. Application username: Determines the default value for a user's application username. The application username will be used for the assertion's subject statement. Use the default value of 'Okta username' here.
v. Update application username on: Use the default value of 'Create and update' here.
vi. Show Advanced Settings: Click here to see the Advanced Settings.
vii. Response: Determines whether the SAML authentication response message is digitally signed by the IDP or not. A digital signature is required to ensure that only your IDP generated the response message. Use the default value of 'Signed' here.
viii. Assertion Signature: Determines whether the SAML assertion is digitally signed or not. A digital signature is required to ensure that only your IDP generated the assertion. Use the default value of 'Unsigned' here; with the assertion itself unsigned, the signed Response (above) is what protects the integrity of the message the Portal receives.
ix. Signature Algorithm: Determines the signing algorithm used to digitally sign the SAML assertion and response.
x. Digest Algorithm: Determines the digest algorithm used to digitally sign the SAML assertion and response.
xi. Assertion Encryption: Determines whether the SAML assertion is encrypted or not. Encryption ensures that nobody but the sender and receiver can read the assertion. Use the default value of 'Unencrypted' here.
xii. Assertion Inline Hook: Leave this at its default, None (disabled).
xiii. Authentication context class: Identifies the SAML authentication context class for the assertion's authentication statement. Use the default value of 'PasswordProtectedTransport' here.
xiv. Honor Force Authentication: Prompts the user to re-authenticate if the SP asks for it. Use the default value of 'yes' here.
xv. Add Another: Click here to add a Name format.
xvi. Add Name formats as shown in the screenshot.
xvii. Click on Next to move on to the Feedback tab.
9. From the Feedback tab:
i. Select 'I'm a software vendor. I'd like to integrate my app with Okta'.
ii. Click on the Finish button.
10. You will be navigated to your App page from here:
i. Select the Sign On tab.
ii. Click on the link Identity Provider metadata to navigate to the configuration keys page.
11. From the configuration keys screen, copy the keys below and keep them in a safe place; you will need them for the VIDIZMO Portal configuration:
i. The URL of this web page, which is used as the Meta Address in the VIDIZMO configuration.
ii. The Entity ID, which is used as the Samlp Issuer in the VIDIZMO configuration.
Configuration on VIDIZMO Portal
1. From the Portal's Homepage:
i. Click on the navigation menu on the top left corner.
ii. Expand the Admin tab.
iii. Click on the Portal Settings tab.
2. From Portal Settings page:
i. Click on the Apps tab on the left-hand panel.
ii. Further click on the Single Sign-On tab.
iii. Locate SAML on the right-hand side and click on the gear icon to open SAML P SSO - Settings.
3. In the SAML P SSO - Settings screen:
i. Samlp Issuer: Enter the Entity ID copied above.
ii. Meta Address: This is the metadata URI used to log in to the IdP. Enter the Meta Address copied above.
iii. Portal Identity: Your portal URL (e.g. https://lexcorp.enterprisetube.com/)
iv. SSO Login Message: Enter here the message that you want to display on your portal login screen for Okta login.
v. SSO Login Button Label: The text entered here would display on the button used for Okta login.
vi. Callback Path: Specifies the callback location where the authorization will be sent to your Portal.
vii. Force Login: Select the checkbox to enable forced login; the Portal will then take you directly to Okta. When unchecked, the Portal does not redirect automatically to the IdP and you sign in through your Portal's sign-in screen.
viii. Attribute Mapping: Allows you to map your Portal's user attributes to the IdP's attributes.
ix. Click on the button Save Changes.
A notification will appear stating Portal Information Updated Successfully.