Google SAML Integration

YuJa Enterprise Video Platform Google SAML Integration

Overview

This document is intended to guide users on how to integrate the YuJa Enterprise Video Platform as a Service Provider (SP) using Google as the Identity Provider (IDP). Once configured properly, users attempting to access YuJa services will first be redirected to Google, prompting for credentials to login. Once authenticated, the browser will again redirect back to YuJa, logged in as a new or existing user.

Setup

Setup involves creating a new SAML app in the Google admin console, then configuring things on the YuJa side by integrating with Google as an IDP, testing and activating the SAML SSO for users of the institution.

NOTE: For some steps, <institution> is to be replaced by the wildcard DNS of the institution associated with YuJa. As an example, for https://hudson.yuja.com, <institution> would be replaced by hudson.

Create a New SAML App for YuJa in the Google Admin Console

The steps to create a new SAML app are found at: https://support.google.com/a/answer/6087519?hl=en

Follow the instructions under the following sections: "Set up your own SAML app", "Turn on SSO to your new SAML app", and "Verify SSO between Google Apps and your new SAML app", referring back to this document for specific instructions on certain steps.

Referencing the Section: Set up your own SAML app

Step 1: Download the IDP metadata. This will be used to configure things on the YuJa side.

Step 2: Enter the following information:

| Parameter      | Value                                                   |
|----------------|---------------------------------------------------------|
| ACS URL        | https://<institution>.yuja.com/d/samlreceiveresponse    |
| Entity ID      | https://<institution>.yuja.com                          |
| Start URL      | **leave this blank**                                    |
| Name ID        | Basic Information, Primary Email                        |
| Name ID Format | Email                                                   |

Step 3: Check Signed Response. This increases security when the SP and IDP are communicating.

Step 4: Create four mappings:

| Application Attribute | Category          | User Field                              |
|-----------------------|-------------------|-----------------------------------------|
| givenname             | Basic Information | First Name                              |
| familyname            | Basic Information | Last Name                               |
| email                 | Basic Information | Primary Email                           |
| role                  | Employee Details  | Job Title (or other appropriate field)  |

The role field is used to determine if users are provisioned as students (the default) or are given enhanced privileges (Instructor/IT Manager). The suggested values for this field are IT Manager and Instructor (for users you wish to have IT Manager/Instructor privileges respectively), but you can use existing/custom values (see 2.2 #5 below for a discussion of IT Manager and Instructor mapping).

YuJa Platform Side SAML Configuration

1) Go to https://<institution>.yuja.com and login as an IT Manager for your institution.
2) Navigate to the Admin Panel tab in the Main Menu.
3) In the left sidebar, go to Integrations.
4) In the dropdown under Select an API to configure, select SSO Google Apps (SAML).
5) Enter the information listed in the following table:

| Attribute | Required? | Description |
|-----------|-----------|-------------|
| Google SSO URL | Yes | The URL used for SSO. This is where YuJa will send AuthnRequest tokens. Found in the Google IDP Metadata under <IDPSSODescriptor> <SingleSignOnService>, as the Location attribute. Note that for YuJa, an HTTP-Redirect binding is used. For example: https://accounts.google.com/o/saml2/idp?idpid=b05pakw7 |
| Name ID Format | Yes | The format to be used by the SP and IDP when communicating about a subject. Found in the Google IDP Metadata under <IDPSSODescriptor> <NameIDFormat>, as the value of that tag. Note that, if available, emailAddress should be prioritized and used. For example: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Remote Logout URL | Currently not supported | Leave this value blank. |
| Google Signing Certificate Fingerprint | No, but strongly recommended | The unique fingerprint of the IDP's certificate used when signing SAML responses. See "How to Derive the Fingerprint of a Certificate" in the Additional Tools section of this document for more details. For example: 7j2mka9cfe2d09j23eefe01442f6a49d1222391f |
| Given Name Attribute | No | Enter the following value: givenname. This is the exact value used in the Application Attribute field when creating the attribute mapping. |
| Family Name Attribute | No | Enter the following value: familyname. This is the exact value used in the Application Attribute field when creating the attribute mapping. |
| Email Attribute | No | Enter the following value: email. This is the exact value used in the Application Attribute field when creating the attribute mapping. |
| Role Attribute | No | Enter the following value: role. This is the exact value used in the Application Attribute field when creating the attribute mapping. |
| IT Manager | No | A comma separated list of values can be used. If the value received in the Role Attribute matches any of these values, the user will be provisioned as an IT Manager. For example: IT Manager |
| Instructor | No | A comma separated list of values can be used. If the value received in the Role Attribute matches any of these values, the user will be provisioned as an instructor. For example: Instructor or Teacher, TA |
| Automatically sync data on user login | No | If checked, whenever a user logs in via Google SAML Apps their basic information will be updated based on the data received in the SAML response. |

6) Click Create. In the confirmation dialog, click OK.
7) If required, you can update the configuration settings if you made a mistake. Simply click Save to keep the changes.
8) To test if the configuration was done correctly on both sides, click Test SAML Login. This should open a new tab and navigate to Google, prompting for credentials.

9) Login using a valid Google account.
10) After successfully logging in, you should be redirected back to YuJa, logged in as a new user. Important Note: logging in as a new user will log the original account out. Log out of the newly created account and log back in as an IT Manager. Then navigate back to Admin Panel > Integrations > SSO Google Apps (SAML).
11) Once you have verified that the Google SAML Apps SSO works, you can choose to activate the new authentication scheme for your institution. To do so, click Activate, then click OK. Important Note: Only activate the new authentication scheme after successfully performing a test login and when you are ready to make it available for all users in your institution.

Dual Integration with LTI

If your institution has enabled both LMS Integration via LTI and also SSO access, then you have the choice to link the two integrations. We generally recommend this because it means that irrespective of whether your users login via their LMS or their SSO, they will be presented with the same YuJa account information. In contrast, if Dual Integration with LTI is not set up, a user who uses both their LMS and SSO with YuJa will be provisioned with two separate accounts, which in many cases isn't ideal.

How It Works

If your LTI provider within your LMS can be configured to provide YuJa with a unique identifier for the user in the SAML system, it is possible to link the two accounts.

1) Configure your LMS to pass a custom LTI parameter to the YuJa tool called lis_person_sourcedid which contains the cross-matching SSO value. This can be an email, employee ID, or other field. You may need to consult your LMS platform's product documentation on how to set custom LTI parameters. YuJa will make use of this feature to link the two login methods to the same account.
2) Obtain the specific attribute name used in the SAML Response token whose value corresponds to the unique identifier used by the LTI provider (in Step 1 above).
   a. For example, if the unique identifier is the user's email address, then the linkage attribute would be email.
   b. The possible values you can use are specifically those set in the Google Admin Console when configuring the SAML App. They are the names used in the Attribute Mapping step.
3) Enter this value into the Linkage Attribute field. Note: This textbox will only appear if your institution has enabled LTI access.
4) Click Save.
5) Now, when logging in for the first time via ADFS (SAML), the YuJa system will search for a link with an LTI account using the value of the linkage attribute. If found, the SAML account will be linked to the existing account. Otherwise, a new account will be provisioned as normal.
6) All logins past the first one will continue to link to the YuJa account created or found on the first login.

Usage

Once both sides have been configured and the SAML SSO has been activated, it is easy to test and see if everything was done properly.

1) Go to the institution's YuJa domain (i.e. https://<institution>.yuja.com) and press Login. This should redirect the user to the SSO server's login page.
2) Enter valid credentials and sign in.
3) Once authenticated, the user should be redirected back to YuJa and the login is successful.
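The provisioning rules described in the configuration table (Role Attribute matched against the comma-separated IT Manager and Instructor lists, Student as the default, optional sync of basic information on every login) and in the Dual Integration steps above (first SAML login attaches to the LTI account whose lis_person_sourcedid equals the linkage attribute value, later logins keep that binding) can be modelled in a few dozen lines. The following is an added example, not YuJa's own code. It assumes the SAML response has already been validated and reduced to a dict of attribute name to value using the Application Attribute names from the Google mapping step (givenname, familyname, email, role); the account store, the Account fields and all sample users are constructed for the example.

```python
"""Model of the YuJa-side provisioning decisions (added example, not YuJa code).

Assumes the SAML response has already been signature-checked and flattened to
{attribute name: value}; the AccountStore and sample users are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SamlConfig:
    """Mirrors the relevant fields of the 'SSO Google Apps (SAML)' form."""
    it_manager_values: str = "IT Manager"   # comma-separated list
    instructor_values: str = "Instructor"   # comma-separated list
    role_attribute: str = "role"
    linkage_attribute: str = "email"        # only consulted when LTI is enabled
    sync_on_login: bool = False


@dataclass
class Account:
    account_id: int
    given_name: str
    family_name: str
    email: str
    role: str
    lti_sourcedid: Optional[str] = None   # lis_person_sourcedid passed by the LMS
    saml_name_id: Optional[str] = None    # set once a SAML login is bound to it


def _csv_values(value: str) -> set:
    """Split a comma-separated admin setting; whitespace around items is ignored."""
    return {item.strip() for item in value.split(",") if item.strip()}


def role_for(attrs: Dict[str, str], cfg: SamlConfig) -> str:
    """Exact-match the received role against the two lists; default is Student."""
    received = (attrs.get(cfg.role_attribute) or "").strip()
    if received and received in _csv_values(cfg.it_manager_values):
        return "IT Manager"
    if received and received in _csv_values(cfg.instructor_values):
        return "Instructor"
    return "Student"


class AccountStore:
    def __init__(self) -> None:
        self._accounts: List[Account] = []

    def _new(self, **fields) -> Account:
        acct = Account(account_id=len(self._accounts) + 1, **fields)
        self._accounts.append(acct)
        return acct

    def add_lti_account(self, sourcedid: str, given: str, family: str, email: str) -> Account:
        """An account first created by an LTI launch from the LMS."""
        return self._new(given_name=given, family_name=family, email=email,
                         role="Student", lti_sourcedid=sourcedid)

    def _find(self, **match) -> Optional[Account]:
        for acct in self._accounts:
            if all(getattr(acct, key) == value for key, value in match.items()):
                return acct
        return None

    @staticmethod
    def _apply_basic(acct: Account, basic: Dict[str, str]) -> None:
        """'Automatically sync data on user login': refresh basic information only."""
        for key, value in basic.items():
            if value:
                setattr(acct, key, value)

    def login_via_saml(self, name_id: str, attrs: Dict[str, str], cfg: SamlConfig,
                       lti_enabled: bool) -> Tuple[Account, str]:
        """Return (account, outcome); outcome is 'existing', 'linked' or 'created'."""
        basic = dict(given_name=attrs.get("givenname", ""),
                     family_name=attrs.get("familyname", ""),
                     email=attrs.get("email", ""))

        # Every login after the first keeps the account bound on the first login.
        acct = self._find(saml_name_id=name_id)
        if acct is not None:
            if cfg.sync_on_login:
                self._apply_basic(acct, basic)
            return acct, "existing"

        # First SAML login: attach to the LTI account whose lis_person_sourcedid
        # equals the value of the configured linkage attribute, if one exists.
        if lti_enabled and cfg.linkage_attribute:
            link_value = attrs.get(cfg.linkage_attribute)
            if link_value:
                acct = self._find(lti_sourcedid=link_value, saml_name_id=None)
                if acct is not None:
                    acct.saml_name_id = name_id
                    if cfg.sync_on_login:
                        self._apply_basic(acct, basic)
                    return acct, "linked"

        # No link found: provision a new account with the role from the Role Attribute.
        acct = self._new(role=role_for(attrs, cfg), saml_name_id=name_id, **basic)
        return acct, "created"
```

Two details worth checking in a real deployment follow directly from the model: the role comparison is an exact string match after trimming, so a Job Title of "Teacher " links to Instructor only if the Instructor list contains "Teacher", and the LTI link is only attempted for an account that has no SAML binding yet, so a second Google identity cannot take over an already-linked account through the linkage attribute.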

Additional Tools

How to Derive the Fingerprint of a Certificate

The fingerprint of the IDP's certificate is used for additional security purposes when the SP is verifying a SAML response from the IDP. To derive the certificate's fingerprint, follow the instructions below:

1) In the Google IDP metadata, extract the X509 certificate. This should be located under: <IDPSSODescriptor> <KeyDescriptor use="signing"> <KeyInfo> <X509Data> <X509Certificate>
2) Once you have the certificate, go to the following website: https://www.samltool.com/fingerprint.php
3) Paste the certificate in the X509 cert textbox.
4) Make sure sha1 is selected as the Algorithm.
5) Click Calculate Fingerprint.
6) Copy the FingerPrint value generated. This is the value used in the database.

Note: The fingerprint should be an array of 20 bytes for sha1.

Useful Chrome Plugin for Debugging SAML Token

1) If you are using Chrome as your web browser, you may want to install a useful SAML plugin at: https://chrome.google.com/webstore/detail/saml-chromepanel/paijfdbeoenhembfhkhllainmocckace?hl=en
2) Once installed, simply open the developer tools in the browser (F12) and click on the SAML tab. Now, when doing an SP-initiated login, the SAML tokens sent by the browser will be shown in detail. This tool can be very useful in debugging SAML requests and responses.
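The three values the configuration table takes from the Google IDP metadata (the HTTP-Redirect SingleSignOnService Location, the NameIDFormat with emailAddress preferred, and the signing certificate under KeyDescriptor use="signing") and the SHA-1 fingerprint derivation from the Additional Tools section can all be produced offline from the downloaded metadata file instead of pasting the certificate into a third-party website. The following is an added example and is not YuJa's or Google's code; the metadata document is constructed in the shape Google exports, the idpid is a placeholder, and the certificate body is deliberately not a real X.509 certificate (only its base64-decoded bytes matter for the fingerprint, which is the SHA-1 of the DER bytes and therefore 20 bytes, or 40 hex characters).

```python
"""Extract YuJa-side settings from SAML IdP metadata (added example, not vendor code).

The metadata below is constructed; the X509Certificate content is a placeholder
blob, not a real certificate. The fingerprint is SHA-1 over the base64-decoded
(DER) certificate bytes, which is what the samltool.com page computes.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-in for the DER bytes of a signing certificate.
FAKE_CERT_DER = b"constructed placeholder, not a real certificate"
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed metadata in the shape Google exports; EXAMPLE_IDPID is a placeholder.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://accounts.google.com/o/saml2?idpid=EXAMPLE_IDPID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_IDPID"/>
    <md:SingleSignOnService Binding="{REDIRECT_BINDING}"
        Location="https://accounts.google.com/o/saml2/idp?idpid=EXAMPLE_IDPID"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def sso_redirect_url(metadata_xml: str) -> str:
    """Location of the SingleSignOnService with the HTTP-Redirect binding (Google SSO URL)."""
    root = ET.fromstring(metadata_xml)
    for svc in root.iterfind(".//md:IDPSSODescriptor/md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            return svc.get("Location")
    raise ValueError("metadata offers no HTTP-Redirect SingleSignOnService")


def name_id_format(metadata_xml: str) -> str:
    """Prefer emailAddress when the IdP lists it; otherwise take the first format offered."""
    root = ET.fromstring(metadata_xml)
    formats = [el.text.strip() for el in
               root.iterfind(".//md:IDPSSODescriptor/md:NameIDFormat", NS) if el.text]
    if not formats:
        raise ValueError("metadata lists no NameIDFormat")
    return EMAIL_FORMAT if EMAIL_FORMAT in formats else formats[0]


def signing_certificate_der(metadata_xml: str) -> bytes:
    """DER bytes of the first KeyDescriptor usable for signing (use absent means both uses)."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            # PEM-style line wrapping inside the element is harmless once whitespace is dropped.
            return base64.b64decode("".join(cert.text.split()))
    raise ValueError("metadata has no signing X509Certificate")


def sha1_fingerprint(der: bytes, colons: bool = False) -> str:
    """SHA-1 of the DER bytes: 20 bytes, rendered as 40 lowercase hex characters."""
    digest = hashlib.sha1(der).hexdigest()
    if colons:
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return digest


if __name__ == "__main__":
    print("Google SSO URL:", sso_redirect_url(SAMPLE_METADATA))
    print("Name ID Format:", name_id_format(SAMPLE_METADATA))
    print("Fingerprint   :", sha1_fingerprint(signing_certificate_der(SAMPLE_METADATA)))
```

Run it against the real metadata file by reading that file into the string instead of SAMPLE_METADATA. Because YuJa only uses the HTTP-Redirect binding, the function raises rather than silently falling back to a POST endpoint, and the fingerprint pins the SP to the certificate published in the metadata, so a response signed with any other key fails verification; when Google rotates the IdP certificate the fingerprint field has to be updated from fresh metadata.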