IBM Cloud Videos SAML based SSO capability for Streaming Manager for Enterprise is based on SAML 2.0 - Security Assertion Markup Language.
The basic way that SAML works is in the exchange between an identity provider (IdP) and a service provider (SP). In this case the service provider is IBM Cloud Video.
An identity provider is a service that a company uses to manage the access of their employees to other third party services. Popular identity providers include OneLogin and Okta. Traditionally, companies used employee directories to manage access to on-premise resources. Two of the most common directories used are LDAP and Microsoft Active Directory. These older systems are not based on the SAML standard, but most of the newer identity providers are.
This guide contains information about how to connect a SAML 2.0 compliant identity provider to IBM Cloud Video’s SAML based SSO functionality.
Identity Provider Settings
You need to set up IBM Cloud Video as a service provider within your identity provider. Use the following settings to set up IBM Cloud video as a service provider.
Depending on your identity provider, these fields may be labelled differently, so consult the documentation for your identity provider to understand where to copy each URL.
- This should be the page URL where you would like to allow your users to authenticate, either the Streaming Manager for Enterprise channel page or the page where you have embedded the IBM Cloud Video player.
- The URL is your channel url: https://align.ustream.tv/channel/[YOUR CHANNEL ID] or your portal url: https://align.ustream.tv/[YOUR PORTAL NAME]
In case of IdP initiated login Portal URL should be set as RelayState .
SAML Assertion Consumer Service URL (ACS)
SAML Audience (this is the Ustream service’s Entity ID)
SAML Single Logout URL (SLO)
SAML User Profile Attributes
IBM Cloud Video requires email address to be provided in the NameID attribute.
First and Last name are also recommended for easier identification of your users within the Streaming Manager for Enterprise dashboard.
SAML Group Support
To be able to restrict access to channels based on the groups you have set up at your Identity Provider, IBM Cloud Video requires these groups to be sent in the Group attribute.
IBM Cloud Video SAML SSO Settings
You can choose between SP initiated SSO or IdP initiated SSO.
In IdP initiated SSO the federation process is initiated by the IdP sending an unsolicited SAML Response to the SP. In SP-Init, the SP generates an AuthnRequest that is sent to the IDP as the first step in the Federation process and the IDP then responds with a SAML Response. Consult your IdP to determine the appropriate setting here.
To connect your IdP with you Streaming Manager for Enterprise account, you need to provide your IdP’s credentials under Integrations & Apps and Security Settings on the IBM Cloud Video Dashboard:
There are 4 fields in the IBM Cloud Video dashboard SSO Settings you need to populate with the information from your IdP:
- Entity ID of your IdP
- Login URL
- Logout URL - optional
Viewer Registration Flow
Viewer starts on viewing page
In this scenario, you viewer is not yet authenticated with your identity provider. You share with your viewers the URL where they will watch the IBM Cloud Video content. This can either be your Streaming Manager for Enterprise channel page, or the page where you have embedded the IBM Cloud Video player. This should be the same URL that you entered in your identity provider’s settings as the Login URL.
When your viewers arrive on the page, they will see the prompt to login to their company account.
Pressing the "Sign In" button opens your identity provider’s login page in a popup.
If the viewer successfully authenticates at your identity provider, the popup closes and the viewer can access to the content.
Viewer starts at Identity Provider Page
In this scenario, the viewer starts on a URL for your identity provider.
The viewer clicks on a link to access the Streaming Manager for Enterprise viewing page. Since they were already authenticated at your identity provider, they will have immediate access to the IBM Cloud Video content when they arrive on the viewing page and will not see the prompt to authenticate.