Set up our app with ADFS SSO (SAML) for your organization
Active Directory Federation Services (ADFS) can give your users single sign-on (SSO) access to your Team Plan using the Security Assertion Markup Language 2.0 (SAML) standard. When Team users first authenticate via SAML and you have configured SAML to create users, we set up their dedicated hosting account as part of the Team Plan.
Prerequisites
- Your organization must be using a dedicated ADFS instance
- You will need administrative permissions to your ADFS instance
- You must be using a Team Plan
- You will need administrative permissions for your Team Plan
Get SAML Setup Information from our app
Once your ADFS server is set up, your Team Admin can optionally require login via SAML.
1. Log into ScreenPal as a Team Owner or Team Admin and click Settings.
2. On the left sidebar, under Team Settings, click Authentication.
3. Under SAML Authentication move the slider to On, which requires your users to log in via SAML.
Once enabled, additional settings are displayed, enabling you to set up communication between our application and the ADFS identity provider.
4. In the SAML Service Provider Info (ScreenPal) section, click the Download icon to download the metadata XML file.
5. Save this XML file for a later step.
6. In the text box under Access URL, specify a unique access URL.
This URL will be used by your Team the first time they authenticate into ScreenPal. When visiting this URL, the user will be redirected to your organization network login for sign-in or, if they are already logged into your network, they will be automatically signed into our site.
7. If you intend to have your users enjoy the advanced features provided in hosting (such as the branded player, content sharing, channel carousel, stock library images and videos, etc.) you must select the check box for Create users on ScreenPal using SAML for this Access URL. The first time a user from your organization logs in via SAML, their hosting account will be set up so they can manage and share content.
Next, we will set up ADFS before coming back to this settings page to upload the IdP metadata file.
Set up ADFS Identity provider
This section covers an ADFS instance setup for single sign-on. Refer to this article if you are using Azure.
To update your ADFS metadata, complete the steps below. You will likely need admin privileges on your ADFS instance to perform these steps.
1. Log in to the ADFS Management Console.
2. In the left sidebar, click ADFS 2.0 > Trust Relationships.
3. Click on Relying Party Trusts.
4. Click Update from Federation Metadata.
5. Right click on the relying party trust, then click Properties.
6. Select the checkboxes for Monitor relying party and Automatically update relying party.
7. Click OK.
8. Select the same relying party trust item that you just configured. In the right sidebar, click Update from Federation Metadata.
9. Ignore the message regarding ADFS 2.0 support if one is displayed. Click OK.
10. Finally, click Update to complete updating the federation metadata with the ScreenPal metadata file.
Upload the Identity Provider File to your account
With ADFS set up, locate the IdP file (the Federation Metadata XML) and upload it in the Authentication settings of your Admin account.
Typically, this file is found here:
https://myadfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml
Download this file, and navigate back to the ScreenPal Admin Account Authentication settings.
1. Under Upload SAML Identity Provider (IDP) Metadata File, click the Choose IdP Metadata File button.
Once uploaded, the file is validated; you should see a confirmation message, and the fields in the Current SAML Identity Provider (IdP) Metadata File section will be populated.
2. Use the Test Login link to verify your current IdP configuration.
- Click the link to open it in a new tab and perform an end-to-end SAML authentication round-trip against the currently saved IdP configuration, using your team's ScreenPal source ID. This is the custom Entity ID if you set one; if you did not, the default ID is used.
- Click the clipboard icon next to the Test Login link to copy the URL. You can send this URL to any team member who is having trouble logging in so they can test the SAML authentication and forward the results to a Team Admin or support person.
Note: The Test Login link is not displayed when SAML is disabled, when you have unsaved changes on the Authentication page, when your IdP certificate has expired, or when the Entity ID is still in the temporary test verification state because newly uploaded metadata has not yet been confirmed.
For more information about how the Test Login link works and how to read the output data that is displayed after your test login, please see our SAML Test Login output data article.
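Before uploading the FederationMetadata.xml you downloaded from ADFS, it is worth confirming offline that it actually carries what the upload step needs: an IdP role (IDPSSODescriptor) that supports SAML 2.0, its SingleSignOnService endpoints, and a token-signing certificate that has not expired (an expired IdP certificate is one of the conditions that hides the Test Login link). The following Python script is an added example, not ScreenPal's or ADFS's own code; the metadata document and the certificate bytes embedded in it are constructed samples, and the script reads a real file's contents the same way.

```python
import base64
from datetime import datetime, timezone
from xml.etree import ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _tlv(buf, pos):  # decode one DER TLV at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_not_after(der):  # walk Certificate -> tbsCertificate -> validity, return notAfter (UTC)
    _, pos, _ = _tlv(der, 0)                   # enter Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)                 # enter TBSCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0: pos = end                  # optional explicit [0] version
    for _ in range(3):                         # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)                 # enter Validity SEQUENCE
    _, _, pos = _tlv(der, pos)                 # skip notBefore
    tag, start, end = _tlv(der, pos)           # notAfter: UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(der[start:end].decode(), fmt).replace(tzinfo=timezone.utc)

def check_idp_metadata(xml_text, now=None):
    """Summarise what the upload step needs: IdP role, SAML 2.0, SSO endpoints, unexpired signing cert."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this file is not IdP metadata")
    certs = [base64.b64decode(c.text) for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"),
            "saml2": "urn:oasis:names:tc:SAML:2.0:protocol" in (idp.get("protocolSupportEnumeration") or ""),
            "sso": {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
                    for s in idp.findall("md:SingleSignOnService", NS)},
            "signing_certs": len(certs),
            "cert_expired": any(cert_not_after(c) <= now for c in certs)}

# Constructed sample (not real ADFS output): an unsigned, certificate-shaped DER blob valid 2024-01-01 to 2026-01-01 with only the fields cert_not_after walks, inside minimal IdP metadata.
SAMPLE_CERT_DER = bytes.fromhex("302E302CA00302010202010130003000301E"
                                "170D3234303130313030303030305A170D3236303130313030303030305A")
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://myadfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(SAMPLE_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://myadfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor></EntityDescriptor>"""
```

Run `check_idp_metadata(open("FederationMetadata.xml").read())` against your downloaded file; a real ADFS document also contains WS-Federation RoleDescriptor elements and an enveloped signature, which this check simply ignores.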
Frequently Asked Questions
Q: Are first and last names required to set up SAML authentication with ScreenPal? Can we just use the Name ID?
A: First and Last Name are required, as SAML requires setting up a user within the ScreenPal system.
Q: How do I get the First and Last Name (or the Given Name and Surname) to autopopulate?
A: If a user's name is not automatically populating as expected, ensure that the SAML claims sent by Microsoft Entra use the correct attributes for the account identifier. More information about these attributes and the order in which ScreenPal processes them can be found in our article titled Configure SAML to resolve unexpected name display.
Q: How often are user credentials revalidated?
A: With SAML enabled, users are required to log in again after one month of usage.