OTT sellers using this integration must agree to provide their own buyer support. Information on how support works can be found here.
Single Sign-On with OTT allows you to connect your Identity Provider (IdP) to your Enterprise Vimeo OTT account. Enabling this feature will redirect all Customers who are signing in to use your Identity Provider as the primary means of authentication.
If you are using the Identity Provider Auth0 for your SSO service, this article will teach you how to configure your integration. For more information about granting Entitlements with Single Sign-On, please see our primary Configuring SSO documentation.
Configuring Auth0
To begin, make sure you have an Auth0 account already registered. Vimeo OTT cannot troubleshoot your Auth0 account or provide technical support on how to populate your Identity Provider with user information.
Note that these instructions will require some values from your SSO settings, so be sure to navigate to your OTT Site Settings page and open the SSO settings as you follow along.
- Create a new Auth0 application.
- Give your Application a memorable name, e.g. “My Site - OTT.”
- Choose the “Regular Web Applications” option.
- After creating, go to the Addons tab and enable “SAML2 Web App” option.
  This activates your Auth0 account to use the required SAML payload for authenticating with OTT. Once the “SAML2 Web App” is activated, it will need to be configured.
- In the SAML2 Web App window that opens, click over to the “Settings” tab and set the Application Callback URL to your SAML Consumer URL found in your OTT SSO Settings.
  For example: https://subdomain.vhx.tv/saml/consume
- Under Addons, choose the SAML2 Web App option. In the window that opens, click over to the “Settings” tab, click into the Settings window and configure the following:
  - “Audience”
    Set this to your SAML Service Provider URL found in your OTT SSO Settings
    Non-Custom Domain example: subdomain.vhx.tv/saml/metadata
    Custom Domain example: yoursite.com/saml/metadata
  - “Recipient”
    Set this to your SAML Consumer URL found in your OTT SSO Settings
    Non-Custom Domain example: subdomain.vhx.tv/saml/consume
    Custom Domain example: yoursite.com/saml/consume
  - “Mappings”
    Uncomment the mappings array, allowing user_id, email and name to be sent
  - “mapIdentities”
    Set this to true
  - “Destination”
    Set this to your SAML Consumer URL found in your OTT SSO Settings
    Non-Custom Domain example: subdomain.vhx.tv/saml/consume
    Custom Domain example: yoursite.com/saml/consume
  - “typedAttributes”
    Set this to true
  - “includeAttributeNameFormat”
    Set this to true
  - “nameIdentifierFormat”
    This needs to be set to the Email Address standard. Insert this value:
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  - “nameIdentifierProbes”
    Uncomment this array and include the following:
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  - “authnContextClassRef”
    Uncomment (or add) this and make sure it is set to:
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
  - “binding”
    Uncomment this and make sure it is set to:
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Once the above is complete, please compare against the sample configuration shown below.
- Save your SAML2 Web App Settings.
Sample SAML2 Web App Configuration (Using Non-Custom Domain):
{
  "audience": "https://your-subdomain.vhx.tv/saml/metadata",
  "recipient": "https://your-subdomain.vhx.tv/saml/consume",
  "mappings": {
    "user_id": "id",
    "email": "email",
    "name": "fullName"
  },
  "mapIdentities": true,
  "destination": "https://your-subdomain.vhx.tv/saml/consume",
  "typedAttributes": true,
  "includeAttributeNameFormat": true,
  "nameIdentifierFormat": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
  "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
}
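One way to check pasted SAML2 Web App settings against the steps above before saving, as an added example (not Vimeo's or Auth0's code). The function name lint_saml_addon, the https requirement (taken from the sample configuration) and the same-host check are assumptions of this example, and the host in the sample is a placeholder.

```python
import json
from urllib.parse import urlparse

EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
FIXED = {  # values the steps above give verbatim
    "mapIdentities": True, "typedAttributes": True,
    "includeAttributeNameFormat": True, "nameIdentifierFormat": EMAIL,
    "authnContextClassRef":
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}
URL_PATHS = {"audience": "/saml/metadata", "recipient": "/saml/consume",
             "destination": "/saml/consume"}

def lint_saml_addon(raw):
    """Return a list of problems in an Auth0 SAML2 Web App settings JSON string."""
    try:
        cfg = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(cfg, dict):
        return ["settings must be a JSON object"]
    problems = [f"{k}: expected {v!r}, got {cfg.get(k)!r}"
                for k, v in FIXED.items() if cfg.get(k) != v]
    hosts = set()
    for key, path in URL_PATHS.items():
        url = urlparse(str(cfg.get(key, "")))
        hosts.add(url.netloc)
        # Assumption: https, as in the page's sample configuration.
        if url.scheme != "https" or not url.netloc or url.path != path:
            problems.append(f"{key}: expected https://<OTT host>{path}, got {cfg.get(key)!r}")
    if len(hosts) > 1:  # assumption: all three URLs belong to the same OTT site
        problems.append(f"URLs point at different hosts: {sorted(hosts)}")
    mappings = cfg.get("mappings")
    missing = {"user_id", "email", "name"} - set(mappings if isinstance(mappings, dict) else ())
    if missing:
        problems.append(f"mappings missing: {sorted(missing)}")
    probes = cfg.get("nameIdentifierProbes")
    if not isinstance(probes, list) or EMAIL not in probes:
        problems.append("nameIdentifierProbes must include the emailaddress claim")
    return problems

# Constructed sample: the page's sample values with a placeholder subdomain.
GOOD = json.dumps({**FIXED,
    "audience": "https://your-subdomain.vhx.tv/saml/metadata",
    "recipient": "https://your-subdomain.vhx.tv/saml/consume",
    "destination": "https://your-subdomain.vhx.tv/saml/consume",
    "mappings": {"user_id": "id", "email": "email", "name": "fullName"},
    "nameIdentifierProbes": [EMAIL]})

if __name__ == "__main__":
    print(lint_saml_addon(GOOD) or "settings match the steps above")
```

A value left without its key, such as the authnContextClassRef URN pasted on its own, is reported as invalid JSON rather than silently ignored.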
Configuring Vimeo OTT
To configure your Vimeo OTT site for Single Sign-On, you will use the information provided from your Site Settings under “Single Sign-On” in the left rail. If you do not already have this page open, do so to begin.
Note: when an Identity Provider is enabled, _all_ authentication for your OTT Site will be sent to your IdP. This means that any customers who exist on OTT before you enable the integration and are not _also_ in your IdP will need to be migrated. Vimeo OTT cannot provide support for this migration, but we do provide tools for exporting Customers to CSV.
- In your Single Sign-On settings, give your integration a SAML Service Name. This does not have to match the Application name you provided in Auth0 but it is a recommended practice to do so.
- Provide “Log in button text.” This is generally a generic message along the lines of “Sign In with [Your Site].”
  In most cases, your Customers will never see a button in order to sign in, but in certain cases where this need surfaces, we will use the text you have provided.
- In Auth0, navigate to your Application, choose the “Addons” section and click on the “SAML2 Web App” that you previously configured. A window will open and you will see a tab for “Usage.” Use the information in that window for the following step.
- You will need to copy and paste the SAML2 settings from the Usage window into your OTT Account before enabling the Integration.
  - In Auth0, copy the “Identity Provider Login URL” link. Paste this into OTT under “Single sign-on endpoint.”
  - In Auth0, copy the entire “Certificate” value. Paste this into the OTT Settings for “Certificate.”
- Under “Remote Account Registration URL,” provide a URL to the page where your Customers should sign in. This is most likely your Auth0 domain name.
- Under “Remote Settings Page URL” provide a URL to the page where your Customers can manage their settings. As Vimeo OTT is no longer the source of truth for authentication, this will be handled on your service.
- Under “Support Email” provide an email address where Customers can contact your Support team to help troubleshoot signing in. As Vimeo OTT is no longer the source of truth for authentication, your team must provide this information.
- Optional: Under “Default Products”, choose which of your Active products to grant as Entitlements to Customers when they first authenticate successfully. If your integration with Vimeo OTT requires more granular Entitlements than a default product, please leverage the OTT API to add Products to your Customers.
- Save your data.
When you are ready, choose “Enable SSO” and save again. Once this option is selected and saved, your Customers will immediately start to be redirected to your Identity Provider.