SAML Authentication

Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorisation data between service providers and identity providers. SAML allows users to log into multiple applications with the same login credentials.

SAML Authentication Flow

Note: Ooyala Flex applications must have the IDP certificates registered in the SAML Keystore. This certificate must be valid. If the certificate has expired, the system administrator must replace the certificate with a valid one and restart the application.

The following diagram provides a high level overview of the SAML authentication flow:

Configuring SAML

Warning: When accessing Ooyala Flex applications, users within accounts must use a consistent URL style that corresponds to the URLs defined in the identity provider you have chosen to use. For example, for the "oktatest" account:
  • Path Based: https://oktatest.qa1.ooyala.net/mam/
  • Host Based: https://mam.qa1.ooyala.net/mam/a/oktatest

See here for a full list of Single Sign On URLs, Audience Restrictions, and Attribute Statements relating to OKTA, for the different applications.

SAML authentication must be configured in both Ooyala Flex Core, and in the identity provider that maintains identity information for the users.

The configuration for each identity provider varies, but they share particular characteristics:

  • SAML 2 must be enabled.
  • A callback URL must be specified, which corresponds to the particular service (MAM, Reviewer and so on) for which you wish to enable SAML.
Note: This guide has been created with the assumption that users have a certain level of familiarity with SAML. Below are the steps for configuring SAML using Auth0 as an example identity provider. Other identity provider services might differ. Where known, we have noted specific configuration differences for other identity providers in the Appendix.
Note: If you do not have an account with Auth0, visit the Auth0 website in order to create one.

To configure Auth0 as an identity provider, follow these steps:

  1. Log into your Auth0 account and click + New Application.
    Note: You must create a new application for each Ooyala app that you want to authenticate against.
  2. In the Name field, enter a name for your application.
  3. In the Choose application type section, select Regular Web Applications.
  4. Click Create.
  5. Click Settings. Scroll down to the Allowed Callback URLs section and add the callback URL that you wish to authenticate against.

    Examples:

    • Path Based: https://account.environment.com/application/saml/SSO
    • Host Based: https://application.environment.com/application/saml/SSO
  6. Click Save Changes.
  7. At the top of the page, click the Add-ons tab.
  8. Select SAML2 Web App. In Settings, set the correct JSON.

    Example JSON:

    {
      "audience": "urn:ooyala:flex:flex-operationsdashboard-app",
      "signResponse": true,
      "signatureAlgorithm": "rsa-sha256",
      "digestAlgorithm": "sha256"
    }

    {
      "audience": "urn:ooyala:flex:flex-mam-app",
      "signResponse": true,
      "signatureAlgorithm": "rsa-sha256",
      "digestAlgorithm": "sha256"
    }

  9. Click Save.
  10. Click Debug and test the JSON. If the JSON is valid, the SAML response will be displayed for the application you have specified.
  11. In Show Advanced Settings, click the Endpoints tab. Scroll down to the SAML Metadata URL field and copy the URL.
  12. Log into Ooyala Flex and create an account. For more information on creating an account, see the Accounts section.
  13. On the Account Details page, click the Metadata sub-tab and expand the External Authentication complex. From the Default Role drop down, select a default role.
  14. From the Default Owner drop down, select a default owner.
  15. Click + to expand the SAML Configuration field. Enter the Application Name of the application to use these SAML settings.
  16. Set IdP Redirect to Yes or No to specify whether the application login page should redirect straight to the IdP login page.
  17. In the SAML IDP Display Name field, enter a display name for the authentication button that will appear on the landing page for the application.
    Note: If IdP Redirect has been selected, this field does not need to be completed.

  26. In the SAML IDP Metadata URL field, paste the metadata URL copied from the Endpoints tab under Show Advanced Settings in Auth0 (step 11).
  27. Click Save to save the configuration.
  28. Click Enable to enable the account.
  29. Go to the application and check that SAML is enabled. If SAML has been enabled correctly, your custom SAML button is displayed on the login page for the application.

Note: If the configuration is incorrect, the button will still appear on the login page for the application, but it will not function.
Note: These configuration steps must be repeated for each application within Ooyala Flex. For example: MAM, Reviewer, Web Transfer, Workflow Designer, and so on.
Note: If IdP Redirect has been selected, the login page for the application will not display, but will instead redirect to the IdP login page.

Keystore Generation

Below is the bash script used to add or update a certificate in the keystore. Before running it, set the IDP_HOST, KEYSTORE_FILE and KEYSTORE_PASSWORD variables for your environment.

#!/usr/bin/env bash
# Set these values for your environment before running.
IDP_HOST=flex.authenticationprovider.com
IDP_PORT=443
CERTIFICATE_FILE="$IDP_HOST.cert"
KEYSTORE_FILE=samlKeystore.jks
KEYSTORE_PASSWORD=nalle123

# Fetch the certificate chain the IdP host presents over TLS and keep only the PEM blocks.
# Note: this is the host's TLS certificate; if your IdP signs assertions with a different
# certificate, take that one from the IdP metadata instead.
openssl s_client -host "$IDP_HOST" -port "$IDP_PORT" -prexit -showcerts </dev/null \
  | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$CERTIFICATE_FILE"

# Remove any previous entry under this alias (keytool reports an error if none exists,
# which is harmless here), then import the fresh certificate as a trusted entry.
keytool -delete -alias "$IDP_HOST" -keystore "$KEYSTORE_FILE" -storepass "$KEYSTORE_PASSWORD"
keytool -import -alias "$IDP_HOST" -file "$CERTIFICATE_FILE" -keystore "$KEYSTORE_FILE" -storepass "$KEYSTORE_PASSWORD" -noprompt

rm "$CERTIFICATE_FILE"
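Once the IdP certificate is in the keystore, it is worth checking regularly that the signing certificate the IdP currently publishes in its SAML metadata (the URL pasted in step 26) is still the one the keystore holds, because a rotated or replaced IdP key breaks every login until the keystore is updated. The Python below is an added example, not part of Ooyala Flex or its documentation; it assumes the metadata XML has been downloaded and the keystore exported with `keytool -list -rfc`, and the sample metadata and PEM it embeds are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, upper-case colon form as keytool prints it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def metadata_signing_certs(xml_text: str) -> dict:
    """Map fingerprint -> entityID for each signing certificate in IdP metadata.
    A KeyDescriptor with no 'use' attribute is valid for signing too, so it is included."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    certs = {}
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for x509 in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode(re.sub(r"\s+", "", x509.text or ""))
            certs[cert_fingerprint(der)] = entity_id
    return certs

def keystore_fingerprints(pem_text: str) -> set:
    """Fingerprints of every PEM certificate in 'keytool -list -rfc' output."""
    pem_re = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    blocks = re.findall(pem_re, pem_text, re.S)
    return {cert_fingerprint(base64.b64decode(re.sub(r"\s+", "", b))) for b in blocks}

def missing_from_keystore(metadata_xml: str, keystore_pem: str) -> set:
    """Signing certs the IdP publishes that the SAML keystore lacks. A non-empty result means
    the IdP has rotated its key and logins will fail until the keystore is updated."""
    return set(metadata_signing_certs(metadata_xml)) - keystore_fingerprints(keystore_pem)

# Constructed sample input: the base64 is placeholder bytes, not a real X.509 certificate.
FAKE_CERT = base64.b64encode(b"constructed-idp-signing-cert").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="urn:example:idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SAMPLE_KEYSTORE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_CERT}\n-----END CERTIFICATE-----\n"
```

Run `missing_from_keystore` against the live metadata and keystore export from a scheduled job; an empty set means the keystore still trusts what the IdP signs with.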

Okta Integration

Please refer to the following developer article on the OKTA website, in order to register an Ooyala Flex application: https://developer.okta.com/standards/SAML/setting_up_a_saml_application_in_okta

If you intend to use OKTA, the advanced settings fields that must be specified are listed at the following page:

https://help.ooyala.com/sites/all/libraries/dita/en/media-logistics/flex/user/70/Metadata_Designer_70_SAML.html
