General
Single Sign-On (SSO) is an authentication and authorization process that allows a user to access multiple applications with a single set of login credentials. In case of the customer, this implies that once an employee is successfully authorized, the employee will not need to re-authenticate to access the MediaHaven application. This, in turn, contributes to the ease of use and user experience when accessing MediaHaven.
Single Sign-On is based around the principle of a trust relationship between MediaHaven (as Service Provider/Relying Party) and the Identity Provider (IdP) of the customer. The identity provider offers user authentication as a service and acts on behalf of the customer. This authentication service can then be used by MediaHaven.
This document describes the basic information that needs to be exchanged between Zeticon and the customer in order to set up an SSO integration.
Capabilities of the SSO
When setting up an SSO between Mediahaven and the customer, the SSO will ensure that:
A new user is automatically created in Mediahaven (if the user logs on for the first time and does not yet exist)
The IdP is used for authentication. Hence, when the user cannot
https://docs.seon.io/knowledge-base/user-manuals/sso-integration#connect-your-sso-account-with-seon
1. Federation Metadata URL
Provide us with the URL to the Federation Metadata of the AAD of your organisation.
This is usually an URL of the form:
https://login.microsoftonline.com/XYX/federationmetadata/2007-06/federationmetadata.xml
where XYZ is replaced with
your AAD tenant id (e.g. 08fee436-8e26-486b-9de2-803127c8cb88)
or domain name (e.g. zeticon.com)
You can find the URL by:
navigating and logging in to the Azure Portal (portal.azure.com)
go to Azure Active Directory
click App Registrations in the left pane
click Endpoints
find the Federation Metadata URL in the right popup pane
2. Integration User
Create an integration user in the AAD domain.
Make sure this users is similar to the users that will log on to the MediaHaven application. It should have the same attributes configured and have similar group memberships.
This integration user will be used for testing. Without it, we cannot ensure quality of the AAD integration.
Provided us the username and password for this user.
3. App registration
In AAD, create a application registration, following these steps:
navigate to Azure Active Directory
click App registrations in the left pane
click + New Registration on the top of the page
Fill in these:
Name: MediaHaven SAML integration
Who: Accounts in this organizational directory only (Single tenant)
Redirect URI:
https://$HOSTNAME/simplesaml/module.php/saml/sp/saml2-acs.php/$ORGANISATION_NAME
REPLACE $HOSTNAME and $ORGANISATION_NAME before sending to customer!If your organization has a QA environment, add a second redirect URI for this installation:
https://$HOSTNAME-QA/simplesaml/module.php/saml/sp/saml2-acs.php/$ORGANISATION_NAME-QA
Click register
Provided us the Application (client) ID for this App registration.
4. Minimal claims needed
In order to be able to integrate, Zeticon requires the following claims to be present in the Azure AD answer:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Please make sure they are provided.
5. Technical contact
In order to integrate quickly, Zeticon needs to be able to get in touch with your AAD administrator.
Please provide an e-mail address and a telephone number.
6. Answer Form
1 Federation Metadata URL | |
2a Integration User - username | |
2b Integration User - password | |
3 App registration Client ID | |
5a Technical contact e-mail | |
5b Technical contact phone number |