Skip to main content
Sign in

Cloud Streaming - SSO - Azure SAML 2.0 Setup Guide

Andrew Ricke
  • Updated
Not yet followed by anyone

This document is intended to be paired with Cloud Streaming - SSO - SAML Configuration for users with Azure Entra ID to manage their users.

 

You must start a SAML app on your Azure Portal to obtain the necessary metadata to configure the Swank Cloud Streaming SAML SSO. It is best to configure both ends of this SAML handshake together with 2 open windows or tabs on your browser.

  • One with your Azure Portal.
  • A second with the Swank Cloud Streaming Portal SSO Configuration page.

 

Step 1 - Begin Azure SAML Application Configuration

  1. Navigate to Enterprise applications service within your Azure portal for your desired tenant.
  2. Click New Application
  3. Click Create your own application
  4. Complete the Create your own application form:
    • Name of App:  Swank Digital Campus or Swank Cloud Streaming is recommended
    • Choose "Integrate any other application you don't find in the gallery (Non-gallery)
    • Click Create

Step 2 – Assign Users and groups

  1. With the Overview page of your new app, select the first option under Getting Started, 1. Assign users and groups
  2. Select Add user/group
    • Add Users and/or Groups as desired, completing clicking Select, then Assign

Step 3 – Setup Single sign-on

  1. Within the Overview page or the Manage menu, select Single sign-on to navigate to the SSO configuration page
  2. Select SAML as the sign-on method
  3. Within section 3 of the configuration, copy the App Federation Metadata Url

 

Step 4 - Configure Streaming Server SAML Authentication

  1. In a separate tab/window, login to your Swank Streaming portal with your registered Admin account.
  2. Select SSO Configuration from the left menu.
  3. Review the list of SSO Configurations for your portal
    •  Legacy Providers:  If you've previously configured SSO via SAML or Google OAuth, you'll find their configuration listed at the bottom here.
      • Note: You cannot "upgrade" your existing SAML configuration to our new Identity Service host - you must create a new SAML configuration.
      • The legacy configurations are deactivated automatically when a new SSO Identity Provider Configuration is activated.  You can "fallback" to the legacy provider by deactivating the new provider(s).
    • SSO Configurations:  At the top of the page, see the list of available providers.  You can:
      • Activate or Deactivate existing configurations via the Active toggle.
      • Edit or Delete existing configurations via button actions
      • Add new SSO Configurations via the button at the Top.  (We'll continue this guide from this route)
  4. Click Add SSO Configuration
  5. Choose the Provider Type of SAML
  6. Enter a Display Name - This displays on the list of SSO Configurations as well as the button added to the Login page. (Suggested: Azure SAML)
  7. In your Portal's SSO Configuration, paste the App Federation Metadata Url copied from Azure into the Idp Metadata Address
  9. Toggle Require Valid Metadata to the off position.
  10. Save the Portal's SSO Configuration to generate the additional details
  11. Complete the SAML handshake:   
    • These values will be presented for you to copy and enter back into your SAML Identity Provider's configuration.
      • SP EntityID - Required
      • Callback Path (ACS Endpoint) - Required
    • Once these values are saved at the Identity Provider end, the SAML handshake between your Portal and your Identity Provider should be complete.
    • When copying and pasting this info, make sure there is no trailing "/" or spaces on the G suite side. This will result in errors.  You must include the whole URL including the unique IDs redacted above

 

Step 5 - Complete Azure SAML Application Configuration

  1. Copy the SSO Configuration details back into the Azure SSO Configuration
    1. Click Edit of section 1 Basic SAML Configuration
    2. In the Basic SAML Configuration add values copies from the Portal to complete the SSO handshake
      • Identifier (Entity ID) as the SP EntityID
      • Reply URL (Assertion Consumer Service URL) as the Callback Path (ACS Endpoint)
    4. Click Save
  2. Update Attributes & Claims (section 2) by clicking Edit
  3. Verify Unique User Identifier Name ID is in an Email format.
  4. Go to the Attributes & Claims and edit the Additional claims as follows:
      • Edit the Name values to match as follows to align with the Portal
         
      • Optional: Click Add new claim to add additional attributes to use for Role mapping
         
        • Suggested
           
          • user.department --> department
      • Optional: Click Add a group claim to provide a list of groups to use for Role mapping
        • Choose the desired options and click Save
        • Find the groups claim added under the Additional claims
           

 

Step 6

Role Mapping, User Authorization, and Permission Elevation

All successful authentications will be authorized at the "Basic" or "User" account levels (role) by default depending on the market. To elevate permissions to a higher permission level for Instructors or Administrators you will need to add Role Mappings to grant this elevation either by Attribute Value or Individual UserID. For more information on Account Level Permissions, please see the following article: 
https://swankmp.zendesk.com/hc/en-us/articles/5723258435092-Cloud-Streaming-User-Account-Roles

 

There are 3 methods of providing roles and are respected in the following order - with the former values overriding any latter options.

  1.  Claim/Attribute of "role" directly provided by your Identity Provider
  2.  Role Mapping on the Portal's SSO Configuration
  3.  The Portal Default "User" or "Basic" role (Set by your Swank support)

Option 1: Identity Provider Role Assignment (Recommended)

Your Identity Provider can provide a Claim or Attribute for each User with the Name of "role" and the Value of one of our available user roles:  "Admin", "Instructor", "User", or "Basic".  This allows your Identity Provider Admin to set the roles based on policies and rules aligned with your organizations larger technology access strategy and to manage that access centrally at your User Directory.

Each Identity Provider has a different method for handling this action, below are some examples for Google and Azure for reference.

For Google:

  1. Go to Users and under More options, choose Manage custom attributes
  2. Add a Custom Attribute: Choose any name you'd like for tracking.
  3. Assign that Custom Attribute to an App Attribute of "role" in the SAML Attribute mappings.
  4. Make sure the User Information in Google Directory populates that Custom Value correctly for each user:

For Azure:

  1. Add a User Attribute such as 'SwankRole' that has a Data Type of String
  2. Define this string for your users as required
  3. In your Azure SAML Configuration, go to the Attributes & Claims and click Add new claim 
  4. Edit the Name values to role, and map the  Source attribute to the User Attribute created in step 1

 

You can verify you have "Role" attribute provided by checking your diagnostics while logged in under the desired SSO setup.  Log into your Portal's catalog, appending /diagnostics to the URL:  (e.g.: https://digitalcampus.swankmp.net/[your site ID]/diagnostics or https://streaming.swankmp.net/[your site ID]/diagnostics)

 

Option 2: Role Mapping via Attributes

To use this, you will need to identify or create an attribute that defines the user group(s) (such as a department) and differentiates them from the general population (students). Those attributes must be provided to your SSO configuration via your Identity Provider.  You can see what attributes are currently being delivered in your SAML statement via checking your diagnostics.
 

Log into your Portal's catalog, appending /diagnostics to the URL:  (e.g.: https://digitalcampus.swankmp.net/[your site ID]/diagnostics or https://streaming.swankmp.net/[your site ID]/diagnostics)

 

Under Access Token you will find the available attributes available to role map. 

In this example, you can see the attribute "department" has a value of "adminDepartment". We will use this as an example as to how to grant "Admin" permissions to all users with this attribute value: 

  1. While editing the SSO Provider, go to the Claims Role Mappings table, click Add Role Mapping
  2. In the Add Role Mapping pop-up window, for this example you would enter:
    Claim Name: "department"
    Claim Value: "adminDepartment"
    Role: "Admin"
     
  3. Click Save, You will now see your Role Mappings in the listing

You may add as many of these as needed for Instructor and Administrator permissions.   You can see from the example above, you can use direct email addresses, or even these can be based on Groups, such as email groups provided by Google:

 

Final Step

Make Configuration Active

Once you configured your SAML Identity Provider, and determined your User's roles, remember to click the Activate toggle on the SSO Configuration page for your chosen Provider(s). If you are currently viewing the SSO Configuration detail page, you can click the "Go Back" link at the top of the page or click SSO Configuration from the side menu.

  • Toggle Active to the On position for your new SSO Configuration.

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk