Set up our app with ADFS SSO (SAML) for your organization
Active Directory Federation Services (ADFS) can provide your users with single sign-on (SSO) access via Security Assertion Markup Language 2.0 Standard (SAML) to your Team Plan. When Team users first authenticate via SAML and you have configured SAML to create users, we set up their dedicated hosting account as part of the Team Plan.
Prerequisites
- Your organization must be using a dedicated ADFS instance
- You will need administrative permissions to your ADFS instance
- You must be using a Team Plan
- You will need administrative permissions for your Team Plan
Once you have your ADFS server set up, your Team Admin can choose to optionally require login via SAML.
1. Log in as a Team Owner or Team Admin, click your user badge, and then select Settings.
2. On the left sidebar, click Authentication.
3. Under SAML Authentication move the slider to On, which requires your users to log in via SAML.
Once enabled, additional settings are displayed, enabling you to set up communication between our application and the ADFS identity provider.
4. In the text box under Access URL, specify a unique access URL.
This URL will be used by your Team the first time they authenticate into ScreenPal. When visiting this URL, the user will be redirected to your organization network login for sign-in or, if they are already logged into your network, they will be automatically signed into our site.
Note: "myuniqueurl" shown below is an example. This should be the name you create for your access page.
5. If you intend to have your users enjoy the advanced features provided in hosting (such as the branded player, content sharing, channel carousel, stock library images and videos, etc.) you must select Create users on ScreenPal using SAML for this Access URL. The first time a user from your organization logs in via SAML, their hosting account will be set up so they can manage and share content.
6. Next, download the metadata XML file from the settings area. This file can be found under ScreenPal SAML Info, as displayed in the image below.
7. Save this XML file for a later step.
Next, we will get ADFS set up before coming back to this settings page to upload the IDP identify file.
Set up ADFS Identity provider
This section covers an ADFS instance setup for single sign-on. Refer to this article if you are using Azure.
To update your ADFS metadata complete the steps below. You will likely require admin privileges for your ADFS instance to perform these steps.
1. Log in to the ADFS Management Console.
2. In the left sidebar, click ADFS 2.0 > Trust Relationships.
3. Click on Relying Party Trusts.
4. Click Update from Federation Metadata.
5. Right click on the relying party trust, then click Properties.
7. Select the checkboxes for Monitor relying party and Automatically update relying party.
8. Click OK.
9. Select the same relying party trust item that you just configured. In the right sidebar, click Update from Federation Metadata.
10. Ignore the message regarding ADFS2.0 support if one is displayed. Click OK.
11. Finally, click Update to complete updating the federation metadata with the ScreenPal metadata file.
Upload the Identify Provider File to your account
With ADFS setup, we need to find the IDP file / Federation Metadata XML and to upload it to the your Admin Account Authentication settings.
Typically, this file is found here:
https://myadfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml
Download this file, and navigate back to the ScreenPal Admin Account Authentication settings.
1. Under SAML User Access, click the Choose File button under Upload IDP Metadata File.
Once uploaded, the file will be validated and you should see a message that states, "Metadata matches".
2. Click Test Login under Current IDP Metadata and you should see the normal login prompt for your organization.
3. Next, click the Save button to commit the IDP Metadata and you are done.
4. Click the Test Login link under Current IDP Metadata to make sure the login works for an actual user.
FAQ
IS FIRST AND LAST NAME REQUIRED TO SETUP WITH SCREENPAL SAML AUTHENTICATION? CAN WE JUST USE THE NAME ID?
First and Last name is required as SAML requires setting up a user in our system.
GETTING THE FIRST NAME AND LAST NAME (GIVEN NAME AND SURNAME) TO AUTO-POPULATE.
If the name is not auto-populating, try mapping the LDAP attributes like this.
Surname -> urn:oid:2.5.4.4
Given-Name -> urn:oid:2.5.4.42
HOW OFTEN ARE USER CREDENTIALS REVALIDATED?
With SAML enabled, users will be required to re-login after a month of usage.
Helpful Reference Links
Related Articles