...
When setting up an SSO between MediaHaven and the customer, the SSO will ensure that:
A new user is automatically created in
...
MediaHaven (if the user logs on for the first time and does not yet exist) with the default rights as configured.
The IdP is used for authentication.
...
https://docs.seon.io/knowledge-base/user-manuals/sso-integration#connect-your-sso-account-with-seon
1. Federation Metadata URL
Provide us with the URL to the Federation Metadata of your organisation's AAD.
This is usually a URL of the form:
https://login.microsoftonline.com/XYZ/federationmetadata/2007-06/federationmetadata.xml
where XYZ is replaced with
your AAD tenant id (e.g. 08fee436-8e26-486b-9de2-803127c8cb88)
or domain name (e.g. zeticon.com)
You can find the URL by:
navigating to and logging in to the Azure Portal (portal.azure.com)
going to Azure Active Directory
clicking App Registrations in the left pane
clicking Endpoints
finding the Federation metadata document URL in the Endpoints pane that opens on the right
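As an added example (not part of the original page and not Zeticon's own tooling), the script below does two things a practitioner wants before sending the Federation Metadata URL: it builds the URL from either a tenant id or a domain name and rejects anything that is neither, and it parses the metadata document to extract what MediaHaven will actually have to trust: the entityID, the SAML SingleSignOnService endpoints and the signing certificate(s). SAMPLE_METADATA is a constructed, trimmed-down document with dummy certificate text so the script runs offline; the tenant id is the example from this page.

```python
"""Build and sanity-check the Azure AD federation metadata document.

Added example, not from the original page or from Zeticon. The metadata URL
format is the one given on the page; SAMPLE_METADATA is constructed.
"""
import re
import uuid
import xml.etree.ElementTree as ET

FED_METADATA_URL = (
    "https://login.microsoftonline.com/{tenant}"
    "/federationmetadata/2007-06/federationmetadata.xml"
)
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
DOMAIN_RE = re.compile(r"(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")


def federation_metadata_url(tenant: str) -> str:
    """Return the metadata URL for a tenant id (GUID) or a verified domain name.

    Anything else is rejected, so a typo cannot silently point the SSO at a
    different tenant's IdP.
    """
    t = tenant.strip()
    try:
        uuid.UUID(t)                          # tenant id form
        return FED_METADATA_URL.format(tenant=t)
    except ValueError:
        pass
    if DOMAIN_RE.fullmatch(t.lower()):        # domain name form
        return FED_METADATA_URL.format(tenant=t.lower())
    raise ValueError(f"not an AAD tenant id or domain name: {tenant!r}")


def parse_federation_metadata(xml_text: str, expected_tenant_id: str = "") -> dict:
    """Extract entityID, SSO endpoints and signing certs; list anything that looks wrong."""
    root = ET.fromstring(xml_text.strip())
    # The document may be a single EntityDescriptor or an EntitiesDescriptor wrapping
    # several; pick the first entity that carries an IdP role.
    for entity in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        idp = entity.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            break
    else:
        raise ValueError("no IDPSSODescriptor found in metadata")

    sso = {
        s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location")
        for s in idp.findall("md:SingleSignOnService", NS)
    }
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means signing and encryption
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))   # drop PEM line wrapping

    entity_id = entity.get("entityID")
    problems = []
    if not certs:
        problems.append("no signing certificate: assertions could not be verified")
    if "HTTP-Redirect" not in sso:
        problems.append("no HTTP-Redirect SingleSignOnService endpoint")
    if expected_tenant_id and expected_tenant_id.lower() not in (entity_id or "").lower():
        problems.append(f"entityID {entity_id!r} does not belong to tenant {expected_tenant_id}")
    return {"entity_id": entity_id, "sso": sso, "signing_certs": certs, "problems": problems}


# Constructed sample in the shape Azure AD returns (a real document also carries a
# WS-Federation RoleDescriptor and an XML Signature; neither matters for this check).
SAMPLE_METADATA = """
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/08fee436-8e26-486b-9de2-803127c8cb88/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>
          MIIDUMMYCERT
          NOTAREALCERT
        </X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/08fee436-8e26-486b-9de2-803127c8cb88/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/08fee436-8e26-486b-9de2-803127c8cb88/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    print(federation_metadata_url("zeticon.com"))
    info = parse_federation_metadata(SAMPLE_METADATA, "08fee436-8e26-486b-9de2-803127c8cb88")
    for key, value in info.items():
        print(f"{key}: {value}")
```

To run it against a live tenant, fetch the URL returned by federation_metadata_url() over HTTPS and pass the response body to parse_federation_metadata() together with the tenant id; an empty problems list means the document names the expected tenant, offers a redirect-binding login endpoint and carries at least one signing certificate.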
...
2. Integration User
Create an integration user in the AAD domain.
Make sure this user is representative of the users that will log on to the MediaHaven application: it should have the same attributes configured and similar group memberships, and no more rights than a regular end user.
This integration user is used for testing. Without it, we cannot ensure the quality of the AAD integration.
Provide us with the username and password for this user.
3. App registration
In AAD, create an application registration, following these steps:
...
navigate to Azure Active Directory
...
click App registrations in the left pane
...
click + New Registration on the top of the page
Fill in these:
...
Name: MediaHaven SAML integration
...
Who: Accounts in this organizational directory only (Single tenant)
...
When a user navigates to MediaHaven, the authentication request is sent to the customer's IdP. Consequently, a user who is not authenticated and authorised by the IdP cannot log in to MediaHaven either.
Info: Because of this, a new user must always first authenticate in MediaHaven via the SSO; the user account is then created automatically. In no case should a MediaHaven account be created manually by an admin user.
Once the user account is created in MediaHaven, a MediaHaven administrative user can update rights and permissions for that particular new user account.
Required information to set up the SSO
In order to allow MediaHaven to connect to your IdP, the only information needed is the application callback URL(s) (the SAML Assertion Consumer Service endpoints) that will be used:
https://$HOSTNAME/simplesaml/module.php/saml/sp/saml2-acs.php/
...
$ORGANISATION_NAME
...
https://$HOSTNAME-QA/simplesaml/module.php/saml/sp/saml2-acs.php/$ORGANISATION_NAME
...
...
Click Register.
Provide us with the Application (client) ID of this App registration.
4. Minimal claims needed
...
The following minimal set of claims must be sent in the SAML assertion:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Please make sure they are provided.
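As an added example (not part of the original page and not Zeticon's own validation code), the script below inventories the attributes in a SAML assertion and reports which of the two required claims are absent or blank. It is a claim-inventory check to run on a SAMLResponse captured from a test login with the integration user; it does not verify the XML signature and is no substitute for the service provider's own validation. Both sample responses, the user "jane.doe@zeticon.com" and the helper that builds them are constructed for this example.

```python
"""Check that a SAML assertion carries the claims MediaHaven requires.

Added example, not from the original page or from Zeticon. The claim URIs are
the ones listed on the page; the sample responses are constructed and unsigned.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REQUIRED_CLAIMS = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
)


def decode_saml_response(post_value: str) -> str:
    """The SAMLResponse form field posted to the ACS URL is plain base64 (HTTP-POST binding)."""
    return base64.b64decode(post_value).decode("utf-8")


def assertion_attributes(response_xml: str) -> dict:
    """Return the NameID and every attribute (claim URI -> list of values) in the assertion."""
    root = ET.fromstring(response_xml.strip())
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    return {"name_id": name_id.text if name_id is not None else None, "attributes": attrs}


def missing_claims(response_xml: str, required=REQUIRED_CLAIMS) -> list:
    """Claims that are absent, or present with only blank values (just as unusable)."""
    attrs = assertion_attributes(response_xml)["attributes"]
    return [c for c in required if not any(v.strip() for v in attrs.get(c, []))]


def _response(attributes: dict) -> str:
    # Build a minimal unsigned Response around the given attributes (constructed sample data).
    attr_xml = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes.items()
    )
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://sts.windows.net/08fee436-8e26-486b-9de2-803127c8cb88/</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@zeticon.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


COMPLETE_RESPONSE = _response({
    REQUIRED_CLAIMS[0]: "Doe",
    REQUIRED_CLAIMS[1]: "Jane",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "jane.doe@zeticon.com",
})
# givenname claim present but blank, which MediaHaven cannot use either
INCOMPLETE_RESPONSE = _response({REQUIRED_CLAIMS[0]: "Doe", REQUIRED_CLAIMS[1]: ""})
# What the browser posts to .../saml2-acs.php (constructed from the complete sample above)
COMPLETE_POST_VALUE = base64.b64encode(COMPLETE_RESPONSE.encode("utf-8")).decode("ascii")

if __name__ == "__main__":
    for label, xml_text in (("complete", COMPLETE_RESPONSE), ("incomplete", INCOMPLETE_RESPONSE)):
        print(label, "missing:", missing_claims(xml_text) or "none")
```

With a real capture, paste the SAMLResponse form value into decode_saml_response() and pass the result to missing_claims(); an empty list means both claims arrived with non-blank values for the integration user.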
5. Technical contact
In order to integrate quickly, Zeticon needs to be able to get in touch with your AAD administrator.
Please provide an e-mail address and a telephone number.
6. Answer Form
...
1 Federation Metadata URL
...
2a Integration User - username
...
2b Integration User - password
...
3 App registration Client ID
...
5a Technical contact e-mail
...
Information to be provided to Zeticon
In order for us to be able to configure the SSO in MediaHaven, the following information needs to be provided:
Link to the Federation Metadata XML
Test account (username/password) so we can verify the correctness of the SSO after installation
App registration Client ID (in case of Azure AD IdP) or Issuer ID (in case of a generic SAML 2.0 integration)
Who to contact in case of technical issues on your side
Answering form
Federation Metadata URL:
Test account (username/password):
App registration Client ID (Azure AD):
Technical contact customer side (e-mail + phone):