Onboarding template - Single Sign-On Integration

General

Single Sign-On (SSO) is an authentication and authorization process that allows a user to access multiple applications with a single set of login credentials. For the customer, this means that once an employee is successfully authorized, the employee will not need to re-authenticate to access the MediaHaven application. This, in turn, contributes to the ease of use and user experience when accessing MediaHaven.

Single Sign-On is based around the principle of a trust relationship between MediaHaven (as Service Provider/Relying Party) and the Identity Provider (IdP) of the customer. The identity provider offers user authentication as a service and acts on behalf of the customer. This authentication service can then be used by MediaHaven.

This document describes the basic information that needs to be exchanged between Zeticon and the customer in order to set up an SSO integration.

Capabilities of the SSO

When setting up an SSO between MediaHaven and the customer, the SSO will ensure that:

  1. A new user is automatically created in MediaHaven (if the user logs on for the first time and does not yet exist) with the default rights as configured.

  2. The IdP is used for authentication. When a user navigates to MediaHaven, the authentication request will be sent to the IdP of the customer. Consequently, if the user is not authorized, he/she will also not be able to log in to MediaHaven.

Based on the information above, it is important that a new user always first authenticates in MediaHaven using the SSO. This way, the user account will automatically be created. In no case should a MediaHaven account be created manually by an admin user.

Once the user account is created in MediaHaven, a MediaHaven administrative user can update rights and permissions for that particular new user account.

Important:

  1. In case an employee leaves the customer, his/her MediaHaven account will not be removed. Due to the SSO, the former employee will not be able to authenticate but the MediaHaven account will still exist. It is up to the customer to decide (and remove) the MediaHaven account manually.

  2. When a MediaHaven account already exists for the user prior to authenticating via the SSO, the authentication attempt will fail. In this case, the MediaHaven account will have to be deleted manually.

Required information to set up the SSO

In order to allow MediaHaven to connect to your IdP, the only information needed is the application callback URL(s) that will be used:

https://$HOSTNAME/simplesaml/module.php/saml/sp/saml2-acs.php/$ORGANISATION_NAME

https://$HOSTNAME-QA/simplesaml/module.php/saml/sp/saml2-acs.php/$ORGANISATION_NAME

Information to be provided to Zeticon

In order for us to be able to configure the SSO in MediaHaven, the following information needs to be provided:

  • Link to the Federation Metadata

  • Test account (username/password) so we can verify the correctness of the SSO after installation

  • App registration Client ID

  • Who to contact in case of technical issues on your side

1. Federation Metadata URL

Provide us with the URL to the Federation Metadata of the AAD of your organisation.

This is usually a URL of the form:

  • https://login.microsoftonline.com/XYZ/federationmetadata/2007-06/federationmetadata.xml

  • where XYZ is replaced with

    • your AAD tenant id (e.g. 08fee436-8e26-486b-9de2-803127c8cb88)

    • or domain name (e.g. zeticon.com)

You can find the URL as follows:

  • navigate to and log in to the Azure Portal (portal.azure.com)

  • go to Azure Active Directory

  • click App Registrations in the left pane

  • click Endpoints

  • find the Federation Metadata URL in the right popup pane
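As an added example (not from this page and not Zeticon's own tooling), the following Python script builds the expected federation metadata URL from a tenant id or domain name and reads the fields a SAML Service Provider such as MediaHaven takes from the metadata document (entityID, the SSO endpoint and the signing certificates). The metadata XML is a constructed, simplified sample with placeholder tenant id and certificate.

```python
"""Added example (not part of the Zeticon page): build the federation metadata
URL and read the IdP fields a SAML SP needs. SAMPLE_METADATA is constructed."""
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
DOMAIN_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)


def metadata_url(tenant):
    """tenant is an AAD tenant id (GUID) or a verified domain name."""
    tenant = tenant.strip()
    if not (GUID_RE.match(tenant) or DOMAIN_RE.match(tenant)):
        raise ValueError("tenant must be a tenant id (GUID) or a domain name")
    return ("https://login.microsoftonline.com/" + tenant
            + "/federationmetadata/2007-06/federationmetadata.xml")


def parse_idp_metadata(xml_text):
    """Return entityID, the HTTP-Redirect SSO URL and the signing-cert count."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)
           if s.get("Binding") == REDIRECT]
    # A KeyDescriptor without 'use' is valid for both signing and encryption.
    certs = [k for k in idp.findall("md:KeyDescriptor", NS)
             if k.get("use") in (None, "signing")]
    return {"entity_id": root.get("entityID"),
            "sso_redirect": sso[0] if sso else None,
            "signing_certs": len(certs)}


# Constructed, simplified sample; tenant id and certificate are placeholders.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>PLACEHOLDER</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(metadata_url("zeticon.com"))
    print(parse_idp_metadata(SAMPLE_METADATA))
```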

2. Integration User

Create an integration user in the AAD domain.

Make sure this user is similar to the users that will log on to the MediaHaven application. It should have the same attributes configured and have similar group memberships.

This integration user will be used for testing. Without it, we cannot ensure quality of the AAD integration.

Provide us with the username and password for this user.

3. App registration

In AAD, create an application registration, following these steps:

  • navigate to Azure Active Directory

  • click App registrations in the left pane

  • click + New Registration on the top of the page

  • Fill in these:

    • Name: MediaHaven SAML integration

    • Who: Accounts in this organizational directory only (Single tenant)

    • Redirect URI: https://$HOSTNAME/simplesaml/module.php/saml/sp/saml2-acs.php/$ORGANISATION_NAME
      Warning: REPLACE $HOSTNAME and $ORGANISATION_NAME before sending to customer!

    • If your organization has a QA environment, add a second redirect URI for this installation:
      https://$HOSTNAME-QA/simplesaml/module.php/saml/sp/saml2-acs.php/$ORGANISATION_NAME-QA

    • Click register

Provide us with the Application (client) ID for this App registration.

4. Minimal claims needed

In order to be able to integrate, Zeticon requires the following claims to be present in the Azure AD answer:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Please make sure they are provided.
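As an added example (not from this page and not MediaHaven's own code), the following Python snippet checks whether a SAML assertion carries the three claims listed above, treating an attribute that is present but empty as missing. The assertion is a constructed, unsigned sample; a real Service Provider validates the response signature before reading any attribute.

```python
"""Added example (not from the Zeticon page): check that a SAML assertion
carries the three claims MediaHaven requires. SAMPLE is constructed and unsigned."""
import xml.etree.ElementTree as ET

CLAIM_BASE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_CLAIMS = [CLAIM_BASE + c for c in ("surname", "givenname", "name")]
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}


def extract_claims(assertion_xml):
    """Map each attribute Name to its first non-empty AttributeValue."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iter("{%s}Attribute" % SAML):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        if values:
            claims[attr.get("Name")] = values[0]
    return claims


def missing_claims(assertion_xml):
    """Required claim URIs that are absent or empty; an empty list means OK."""
    present = extract_claims(assertion_xml)
    return [c for c in REQUIRED_CLAIMS if c not in present]


# Constructed sample: 'givenname' is emitted but empty, so it must be reported.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue></saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print("claims:", extract_claims(SAMPLE))
    print("missing:", missing_claims(SAMPLE))
```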

5. Technical contact

In order to integrate quickly, Zeticon needs to be able to get in touch with your AAD administrator.
Please provide an e-mail address and a telephone number.

6. Answer Form

  • 1 Federation Metadata URL:

  • 2a Integration User - username:

  • 2b Integration User - password:

  • 3 App registration Client ID:

  • 5a Technical contact e-mail:

  • 5b Technical contact phone number:
