Cloud Streaming - SSO - SAML Configuration

This guide will walk through the steps required for the new Authentication process released in Q1 of 2025.   This new process is aimed at providing an easier configuration for SSO, with easier management of users, roles, and SSO options.

Some new features include:

1. More than one SSO Identity Provider may be configured and activated at a time.
2. A SSO configuration may be used on more than a single portal at a time. 
   1. For districts who may leverage multiple portals per school or class level.
   2. For universities who may leverage multiple Swank products for different audiences.
3. Both SAML v2.0 and ODIC / OAuth 2.0 are supported.  Deprecated is the Legacy Google OAuth.
4. SSO Users are now displayed in the Users table.  An individual's role may be "promoted" there.

Step 1 – Configure SAML Application in your IDP

Choose the guide below to see examples of how to configure your IDP. If your IDP is not listed, please review the Okta guide as it tends to be the most helpful for less common applications. 

• Cloud Streaming - SSO - Google SAML 2.0 Setup Guide
• Cloud Streaming - SSO - Azure SAML 2.0 Setup Guide
• Cloud Streaming - SSO - Classlink SAML 2.0 Setup Guide
• Okta (TBA)

(Note: This new SAML configuration will now support multiple portals with a single configuration.  If you'd like an additional portal with the same configuration setup, please contact support.  This action cannot be done via the UI.  However, we recommend adding additional portals as additional "Applications" within your IDP whenever possible for the best tailored experience.)

You must start an IDP configuration to continue below.  It is best to configure both ends of this SAML handshake together with 2 open windows or tabs on your browser.

Step 2 – Configure SAML Authentication

1. Log Into your Portal to the Admin section (e.g.: https://digitalcampus.swankmp.net/[your site ID]/admin or https://streaming.swankmp.net/[your site ID]/admin)
2. Select SSO Configuration in the left menu
   
3. Review the list of SSO Configuration Providers for your portal
   1. Legacy Providers:  If you've previously configured SSO via SAML or Google OAuth, you'll find their configuration listed at the bottom here.
      • Note: You cannot "upgrade" your existing SAML configuration to our new Identity Service host - you must create a new SAML configuration. 
      • The legacy configurations are deactivated automatically when a new SSO Identity Provider is activated.  You can "fallback" to the legacy provider by deactivating the new provider(s).
   2. SSO Providers:  At the top of the page, see the list of available providers.  You can:
      • Activate or Deactivate existing configurations via the Active toggle.
      • Edit or Delete existing configurations via button actions
      • Add new SSO Providers via the button at the Top.  (We'll continue this guide from this route)
4. Click the Add Configuration button.  
   • 
5. Choose the Provider Type of SAML
   • 
6. Enter a Display Name - This displays on the list of SSO Configurations as well as the button added to the Login page.
7. Complete the IdP Metadata via the method given by your Identity Provider when setting up a SAML connection on their end.
   • Preferred (Azure, Classlink):  Provide the URL of a valid metadata XML file hosted by your provider. 
     • 
       
   • Alternative (Google):  Upload the Metadata XML file copied or downloaded from your provider.
     • 
8. Validate Metadata:  Click to verify accuracy of the metadata aligns with expectations. 
   • Some Providers may not validate, yet still work.  You may toggle off the Require Valid Metadata in these cases to allow
     
9. Optional - Add a Certificate:  If your provider requires a certificate, you may upload it here.  This will provide additional security functionality, allowing additional encryption features.  This may also require adding an additional password from your Identity provider.
   1. Upload the certificate file
   2. Validate Certificate once uploaded
   3. If the Certificate requires a password, you will be asked to provide it.  (Google calls this the SHA-256 fingerprint., Azure the Thumbprint)
10. Click the Save button to generate your SAML configuration.
11. Complete the SAML handshake:  
    
    • These values will be presented for you to copy and enter back into your SAML Identity Provider's configuration.
      • SP EntityID - Required
      • SP Metadata URL - Optional (Google does not support)
      • Callback Path (ACS Endpoint) - Required
        
      • Signed Out Callback Path (SLO Endpoint) - Optional (Google does not support)
    • Once these values are saved at the Identity Provider end, this SAML handshake between your Portal and your Identity Provider should be complete.

Step 3

Role Mapping, User Authorization, and Permission Elevation

All successful authentications will be authorized at the "Basic" or "User" account levels (role) by default depending on the market. To elevate permissions to a higher permission level for Instructors or Administrators you will need to add Role Mappings to grant this elevation either by Attribute Value or Individual UserID. For more information on Account Level Permissions, please see the following article: 
https://swankmp.zendesk.com/hc/en-us/articles/5723258435092-Cloud-Streaming-User-Account-Roles

There are 3 methods of providing roles and are respected in the following order - with the former values overriding any latter options.

1.  Claim/Attribute of "role" directly provided by your Identity Provider
2.  Role Mapping on the Portal's SSO Configuration
3.  The Portal Default "User" or "Basic" role (Set by your Swank support)

Option 1: Identity Provider Role Assignment (Recommended)

Your Identity Provider can provide a Claim or Attribute for each User with the Name of "role" and the Value of one of our available user roles:  "Admin", "Instructor", "User", or "Basic".  This allows your Identity Provider Admin to set the roles based on policies and rules aligned with your organizations larger technology access strategy and to manage that access centrally at your User Directory.

Each Identity Provider has a different method for handling this action, below are some examples for Google and Azure for reference.

For Google:

1. Go to Users and under More options, choose Manage custom attributes
2. Add a Custom Attribute: Choose any name you'd like for tracking.
3. Assign that Custom Attribute to an App Attribute of "role" in the SAML Attribute mappings.
4. Make sure the User Information in Google Directory populates that Custom Value correctly for each user:

For Azure:

1. Add a User Attribute such as 'SwankRole' that has a Data Type of String
2. Define this string for your users as required
3. In your Azure SAML Configuration, go to the Attributes & Claims and click Add new claim 
   
4. Edit the Name values to role, and map the  Source attribute to the User Attribute created in step 1
   

You can verify you have "Role" attribute provided by checking your diagnostics while logged in under the desired SSO setup.  Log into your Portal's catalog, appending /diagnostics to the URL:  (e.g.: https://digitalcampus.swankmp.net/[your site ID]/diagnostics or https://streaming.swankmp.net/[your site ID]/diagnostics)

Option 2: Role Mapping via Attributes

To use this, you will need to identify or create an attribute that defines the user group(s) (such as a department) and differentiates them from the general population (students). Those attributes must be provided to your SSO configuration via your Identity Provider.  You can see what attributes are currently being delivered in your SAML statement via checking your diagnostics.
 

Log into your Portal's catalog, appending /diagnostics to the URL:  (e.g.: https://digitalcampus.swankmp.net/[your site ID]/diagnostics or https://streaming.swankmp.net/[your site ID]/diagnostics)

Under Access Token you will find the available attributes available to role map. 

In this example, you can see the attribute "department" has a value of "adminDepartment". We will use this as an example as to how to grant "Admin" permissions to all users with this attribute value: 

1. While editing the SSO Provider, go to the Claims Role Mappings table, click Add Role Mapping
2. In the Add Role Mapping pop-up window, for this example you would enter:
   Claim Name: "department"
   Claim Value: "adminDepartment"
   Role: "Admin"
    
3. Click Save, You will now see your Role Mappings in the listing
   

You may add as many of these as needed for Instructor and Administrator permissions.   You can see from the example above, you can use direct email addresses, or even these can be based on Groups, such as email groups provided by Google:

Final Step