SAML Authentication

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorisation data between identity providers and service providers. With SAML, a user logs in once at the identity provider and can then access multiple applications with the same credentials.

SAML Authentication Flow

Note: Ooyala Flex applications must have the IDP certificates registered in the SAML Keystore. This certificate must be valid. If the certificate has expired, the system administrator must replace the certificate with a valid one and restart the application.

The following diagram provides a high-level overview of the SAML authentication flow:

Configuring SAML

Warning: When accessing Ooyala Flex applications, users within accounts must use a consistent URL style that corresponds to the URLs defined in the identity provider you have chosen to use.

It is possible to configure an Ooyala Flex environment to use either host-based or path-based application URLs.

For example: In the case of the ‘oktatest’ account, you could access the MAM application using a host-based application URL such as: https://mam.qa1.ooyala.net/mam/a/oktatest or a path-based URL such as: https://oktatest.qa1.ooyala.net/mam/

When using SAML, all accounts should configure the URLs in the Identity Provider to match the environment configuration. For example:

  • Path Based: https://oktatest.qa1.ooyala.net/mam/
  • Host Based: https://mam.qa1.ooyala.net/mam/a/oktatest

SAML authentication must be configured both in Ooyala Flex Core and in the identity provider that holds the identity information for the users.

The configuration for each identity provider varies, but they share particular characteristics:

  • SAML 2 must be enabled.
  • A callback URL must be specified, which corresponds to the particular service (MAM, Reviewer and so on) for which you wish to enable SAML.
Note: This guide has been created with the assumption that users have a certain level of familiarity with SAML. Below are the steps for configuring SAML using Auth0 as an example identity provider. Other identity provider services may differ. Where known, we have noted specific configuration differences for other identity providers in the Appendix.
Note: If you do not have an account with Auth0, visit the Auth0 website in order to create one.

To configure Auth0 as an identity provider, follow these steps:

1) Log into your Auth0 account.

2) Click + New Application.

Note: The creation of new applications must be repeated for each Ooyala app that you wish to authenticate against.

3) In the Name field, enter a name for your application.

4) In the Choose application type section, select the Regular Web Applications option.

5) Click Create.

6) Click Settings.

7) Scroll down to the Allowed Callback URLs section and add the callback URL that you wish to authenticate against.

Generic examples:

  • Path Based: https://account.environment.com/application/saml/SSO
  • Host Based: https://application.environment.com/application/saml/SSO

8) Click Save Changes.

9) At the top of the page, click the Add-ons tab.

10) Select SAML2 Web App.

11) In Settings, set the SAML add-on JSON for the application. The audience value identifies the Ooyala Flex application the assertion is issued for, so it differs per application; signResponse, signatureAlgorithm and digestAlgorithm require the response to be signed with RSA-SHA256 and SHA-256 digests.

Example JSON for the Operations Dashboard application:

    {
      "audience": "urn:ooyala:flex:flex-operationsdashboard-app",
      "signResponse": true,
      "signatureAlgorithm": "rsa-sha256",
      "digestAlgorithm": "sha256"
    }

Example JSON for the MAM application:

    {
      "audience": "urn:ooyala:flex:flex-mam-app",
      "signResponse": true,
      "signatureAlgorithm": "rsa-sha256",
      "digestAlgorithm": "sha256"
    }

12) Click Save.

13) Click Debug and test the JSON.

14) If the JSON is valid, you will see the SAML response for the application you have specified.

15) Click Show Advanced Settings.

16) Click the Endpoints tab.

17) Scroll down to the SAML Metadata URL field and copy the URL.

18) Log into Ooyala Flex.

19) Create an account. For more information on creating an account, see the Accounts section.

20) On the Account Details page, click the Metadata sub-tab.

21) Expand the External Authentication complex.

22) From the Default Role drop down, select a default role.

23) From the Default Owner drop down, select a default owner.

24) Click + next to the SAML Configuration field.

25) In the SAML IDP Display Name field, enter a display name for the authentication button that will appear on the landing page for the application.

26) In the SAML IDP Metadata URL field, paste the metadata URL obtained from the Advanced Settings section in the SAML UI.

27) Click Save, to save the configuration.

28) Click Enable, to enable the account.

29) Go to the application and check that SAML is enabled. If SAML has been enabled correctly, your custom SAML button will appear on the login page for the application.

Note: If you have not configured this correctly, the button will still appear on the login page for the application, but it will not function.
Note: These configuration steps must be repeated for each application within Ooyala Flex. For example: MAM, Reviewer, Web Transfer, Workflow Designer, and so on.
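The following script shows what the add-on settings above produce on the wire and what the receiving side should check before trusting a login: the response must be signed (signResponse), with RSA-SHA256 as the signature method and SHA-256 as the digest method, and the assertion must be addressed to the audience URN of the Ooyala Flex application, within its validity window. It also pulls out the e-mail address claim that the identity provider maps for the user. This is an added example, not Ooyala's or Auth0's code; SAMPLE_RESPONSE is a constructed, cut-down response with placeholder digest and signature values and no certificate. The cryptographic verification of the signature is done by the service provider's SAML library and is deliberately not attempted here.

```python
"""Check a SAML Response against the Auth0 SAML2 Web App settings configured above.
Added example, not Ooyala's or Auth0's code. SAMPLE_RESPONSE is constructed:
placeholder DigestValue/SignatureValue, no certificate. Signature verification
itself is left to the SP's SAML library."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # "signatureAlgorithm": "rsa-sha256"
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"                # "digestAlgorithm": "sha256"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_constructed">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>AAAA</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assertion" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>urn:ooyala:flex:flex-mam-app</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse the UTC timestamps SAML uses, e.g. 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected_audience, now):
    """Return {"checks": {name: bool}, "email": str or None}.
    `now` is an ISO-8601 UTC string so a captured response can be replayed."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    sig_alg = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    digest_alg = root.find("ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    conditions = root.find("saml:Assertion/saml:Conditions", NS)
    audiences = [a.text for a in root.findall(
        "saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]

    # An assertion without a validity window is rejected, not accepted by default.
    in_window = False
    if conditions is not None and conditions.get("NotBefore") and conditions.get("NotOnOrAfter"):
        t = _ts(now)
        in_window = _ts(conditions.get("NotBefore")) <= t < _ts(conditions.get("NotOnOrAfter"))

    email = None
    for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM:
            value = attr.find("saml:AttributeValue", NS)
            email = value.text if value is not None else None

    checks = {
        "status_success": status is not None and status.get("Value") == SUCCESS,
        "response_signed": root.find("ds:Signature", NS) is not None,  # "signResponse": true
        "rsa_sha256": sig_alg is not None and sig_alg.get("Algorithm") == RSA_SHA256,
        "sha256_digest": digest_alg is not None and digest_alg.get("Algorithm") == SHA256,
        "audience_ok": expected_audience in audiences,  # "audience": "urn:ooyala:flex:flex-mam-app"
        "in_validity_window": in_window,
    }
    return {"checks": checks, "email": email}


if __name__ == "__main__":
    result = check_response(SAMPLE_RESPONSE, "urn:ooyala:flex:flex-mam-app", "2024-01-01T12:00:30Z")
    for name, ok in result["checks"].items():
        print(f"{name:20} {'OK' if ok else 'FAIL'}")
    print("email:", result["email"])
```

Run against the constructed response with the MAM audience, every check passes; run with the Operations Dashboard audience, audience_ok fails, which is the behaviour you want when an assertion minted for one Ooyala Flex application is replayed at another.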

Keystore Generation

Below is the bash script used to add or update a certificate in the keystore. Before using it, set IDP_HOST, KEYSTORE_FILE and KEYSTORE_PASSWORD for your environment (the password shown is a placeholder; do not leave a real keystore password in a script that is checked in or world-readable). The script fetches the certificate that the IdP host presents over TLS, checks that it has not expired, replaces any existing keystore entry under the same alias and imports the new certificate. Restart the application afterwards so that the updated keystore is loaded. Note that the certificate an identity provider presents over TLS is not necessarily the certificate it uses to sign SAML responses, which is published in the IdP metadata; import whichever certificate your deployment requires.

#!/usr/bin/env bash
# Fetch the certificate the IdP host presents over TLS and (re)import it into the
# SAML keystore under an alias named after the host. Restart the application afterwards.
set -euo pipefail

IDP_HOST=flex.authenticationprovider.com
IDP_PORT=443
CERTIFICATE_FILE="$IDP_HOST.cert"
KEYSTORE_FILE=samlKeystore.jks
KEYSTORE_PASSWORD="${KEYSTORE_PASSWORD:-nalle123}"   # placeholder; supply the real password via the environment

# -showcerts prints the whole chain; keep only the first (leaf) certificate.
openssl s_client -connect "$IDP_HOST:$IDP_PORT" -servername "$IDP_HOST" -showcerts </dev/null 2>/dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' \
  | awk '/-BEGIN CERTIFICATE-/{n++} n==1' > "$CERTIFICATE_FILE"

# Stop here rather than import an expired certificate (the keystore certificate must be valid).
openssl x509 -in "$CERTIFICATE_FILE" -noout -checkend 0

# Remove a previous entry under this alias if there is one, then import the new certificate.
keytool -delete -alias "$IDP_HOST" -keystore "$KEYSTORE_FILE" -storepass "$KEYSTORE_PASSWORD" 2>/dev/null || true
keytool -importcert -alias "$IDP_HOST" -file "$CERTIFICATE_FILE" -keystore "$KEYSTORE_FILE" -storepass "$KEYSTORE_PASSWORD" -noprompt

rm -f "$CERTIFICATE_FILE"
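The script above takes the certificate from the IdP's TLS endpoint. The certificate an identity provider signs SAML responses with is published in its metadata document (the one the SAML IDP Metadata URL points at), under a KeyDescriptor with use="signing". The following script, an added example and not Ooyala's or Auth0's code, parses IdP metadata, writes that signing certificate out in PEM form ready for keytool -importcert, and prints the SHA-256 fingerprint in the colon-separated form that keytool -list -v prints, so the keystore entry can be compared with the metadata. SAMPLE_METADATA is constructed and FAKE_DER is placeholder bytes rather than a real certificate; pass the path of a downloaded metadata file as the first argument to run it against real data.

```python
"""Extract the SAML signing certificate and SSO endpoints from IdP metadata.
Added example, not Ooyala's or Auth0's code. SAMPLE_METADATA is constructed;
FAKE_DER is placeholder bytes, not a real DER certificate."""
import base64
import hashlib
import sys
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

FAKE_DER = b"constructed placeholder, not a real DER certificate " * 3
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example-tenant.auth0.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>
          {cert}
        </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.auth0.com/samlp/example-client-id"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.auth0.com/samlp/example-client-id"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""".format(cert=base64.b64encode(FAKE_DER).decode())


def parse_idp_metadata(xml_text):
    """Return entityID, the signing certificate as DER bytes, and SSO endpoints by binding."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # A KeyDescriptor without a `use` attribute is valid for both signing and
    # encryption; prefer an explicit use="signing" entry when one exists and
    # never pick one marked use="encryption".
    signing = None
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")
        if use == "signing":
            signing = kd
            break
        if use is None and signing is None:
            signing = kd
    if signing is None:
        raise ValueError("metadata has no signing certificate")
    b64 = signing.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
    der = base64.b64decode("".join(b64.split()), validate=True)  # strip the line wrapping
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"), "signing_cert_der": der, "sso": endpoints}


def to_pem(der):
    """Wrap DER bytes as a PEM certificate block, 64 characters per line."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sha256_fingerprint(der):
    """Colon-separated uppercase hex, the format keytool -list -v prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_METADATA
    info = parse_idp_metadata(text)
    print("entityID:", info["entity_id"])
    print("HTTP-POST SSO:", info["sso"].get(POST))
    print("SHA256:", sha256_fingerprint(info["signing_cert_der"]))
    print(to_pem(info["signing_cert_der"]), end="")
```

Redirect the PEM output to a file and feed it to keytool -importcert as in the script above; after the import, keytool -list -v should show the same SHA256 fingerprint the script printed. Metadata that only carries a use="encryption" key is rejected rather than silently imported as a signing certificate.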

Okta Integration

Refer to the following developer article on the Okta website to register an Ooyala Flex application: https://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta

If you use Okta, the following attribute must be configured in the application's advanced settings:
  • The http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress attribute must be set to user.email, so that the assertion carries the user's e-mail address.

https://help.ooyala.com/sites/all/libraries/dita/en/media-logistics/flex/user/70/Metadata_Designer_70_SAML.html
