How to: Configure & Enable Single Sign-On (SSO)
Secure your account and make registering easy with Single Sign-On.
Brandlive supports Single Sign-On (SSO) for organizations using Security Assertion Markup Language (SAML) 2.0 or OpenID Connect (OIDC) for easy, secure authentication into the platform. SSO can be set up for Admins and other users logging into their Brandlive Platform account, or for attendees logging into a public site. Follow the instructions below to set up SSO for either use case.
First, we'll show you how to configure the integration based on the method of authorization, then how to enable it to use for your projects.
*Azure users: When mapping your attributes, make sure to use the full claim URI (the XML SOAP schema URL) for each attribute instead of the friendly attribute name.
**PingFederate users: You must include the signing certificate by enabling signing for the SP Connection: open the "Credentials" section of the SP Connection and check "Include the certificate in the signature <KeyInfo> element."
Using SAML 2.0
Step 1: First, you'll configure a SAML integration with help from your IT department.
Settings
Single Sign-On URL: https://sso.brandlive.cloud/saml2/idpresponse
Audience URI (SP Entity ID): urn:brandlive:identity:sp
Attribute Statements: These values will depend on your SSO configuration. Note them down, as they will need to be entered into the Streams platform.
- Email (required)
- First Name (optional)
- Last Name (optional)
Settings Example
Attributes Example
Step 2: Link your Streams channel to your SAML integration.
First, log in to Brandlive admin.
Then, navigate to the Settings tab in the top menu; select Integrations from the side panel.
Finally, find the SAML integration card and click configure.
Step 3: Configure SAML for your channel
- XML URL: Metadata XML URL for the SAML integration created in Step 1. This should be auto-generated when you create the integration.
- Login Button Text: The text you would like displayed on your Login Button.
- Attribute Mapping: This should match the attribute names created in Step 1.
- Upload Image (optional): Image displayed on the Login Button.
Once the SAML configuration is complete and turned on, you will be able to add it to any of your projects in the registration settings.
See the section titled "Enabling SSO" below to make SSO available for your users.
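Before turning a SAML integration on, it helps to confirm that the attribute names you are about to enter in the Attribute Mapping actually appear in an assertion your IdP issues. The following is an added example, not Brandlive's code; the assertion is a constructed sample that uses Azure-style full claim URIs as attribute names, and the mapping dictionaries are hypothetical values of the kind you would note down in Step 1.

```python
# Added example (not Brandlive's code): check that a SAML assertion carries the
# attribute names entered in the Brandlive Attribute Mapping. Parse only
# assertions whose signature you have already verified.
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion. Attributes are named by full claim URI, as an
# Azure IdP emits them, rather than by friendly names such as "email".
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml2:AttributeValue>Alice</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Hypothetical mappings: the Azure-style one matches the sample; the friendly-name
# one is what a misconfigured Azure mapping typically looks like.
AZURE_STYLE_MAPPING = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": None,  # optional field left unmapped
}
FRIENDLY_MAPPING = {"email": "email", "first_name": "firstName", "last_name": None}

def assertion_attributes(xml_text):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml2:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml2:AttributeValue", NS)]
    return attrs

def check_mapping(attrs, mapping):
    """Return a list of problems; empty means every mapped attribute is present.
    Email is required; First Name and Last Name may be left unmapped (None)."""
    problems = []
    for field, name in mapping.items():
        if name is None:
            if field == "email":
                problems.append("email mapping is required")
            continue
        if name not in attrs:
            problems.append(f"{field}: attribute '{name}' not present in assertion")
        elif not any(attrs[name]):
            problems.append(f"{field}: attribute '{name}' has no value")
    return problems
```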
Using OIDC
Step 1: Configure an OIDC integration with help from your IT department.
Settings
- Application Type: Web
- Grant Type: Authorization Code
- Sign-in Redirect URI: https://sso.brandlive.cloud/oauth/oidc (This can be added to the list if you already have an OIDC integration)
Please note the following information from your OIDC integration:
- OIDC Issuer (URL)
- Client ID
- Client Secret
- Attribute Names
Step 2: Link your Streams channel to your OIDC integration.
First, log in to Brandlive Platform.
Then, navigate to the Settings tab from the top menu; select Integrations from the side panel.
From the dropdown on the right, select "Single-Sign On."
Finally, find the OIDC integration card and click configure.
Step 3: Configure OIDC for your channel.
- OIDC Issuer: Value noted in Step 1
- Client ID: Value noted in Step 1
- Client Secret: Value noted in Step 1
- Login Button Text: The text you would like displayed on your Login Button
- Attribute Mapping Email (Required), First Name (optional), Last Name (optional): These values will depend on your OIDC service. Please contact your IT department for the proper values.
- Upload image (optional): Image displayed on Login Button
Once the OIDC configuration is complete and turned on, you will be able to add it to any of your projects in the registration settings.
See the section titled "Enabling SSO" below to make SSO available for your users.
Using OAuth 2
Step 1: Configure an OAuth 2 integration with help from your IT department.
Although we generally suggest using OIDC in place of plain OAuth 2 flows for ease of use and setup, Brandlive does offer options for users who would like to use OAuth SSO flows instead.
Settings
- Application Type: Web
- Grant Type: Authorization Code
- Sign-in Redirect URI: https://brandlive-prod.auth.us-west-2.amazoncognito.com/oauth2/idpresponse (This can be added to the list if you already have an OAuth 2 integration)
Please note the following information from your OAuth 2 integration:
- Client ID
- Client Secret
- Authorization Server URL
- Token Server URL
- Resource Server URL
- Logout URL
- Login Button Text
- Scopes
- Attribute Names
- Custom Query Parameters
- Upload Image
Step 2: Link your Streams channel to your OAuth 2 integration.
First, log in to Brandlive Platform.
Then, navigate to the Settings tab from the top menu; select Integrations from the side panel.
From the dropdown on the right, select "Single-Sign On."
Finally, find the OAuth 2 integration card and click configure.
Step 3: Configure OAuth 2 for your channel.
- Client ID: Value noted in Step 1
- Client Secret: Value noted in Step 1
- Authorization Server URL: Value noted in Step 1
- Token Server URL: Value noted in Step 1
- Resource Server URL: Value noted in Step 1
- Logout URL: Value noted in Step 1
- Login Button Text: The text you would like displayed on your Login Button
- Scopes: Value noted in Step 1
- Attribute Mapping Email (required), First Name (optional), Last Name (optional): These values will depend on your OAuth 2 service. Please contact your IT department for the proper values.
- Custom Query Parameters: Your custom query parameters will be appended to the Authorization Server URL when an attendee is redirected to sign in.
- Upload Image (optional): Image displayed on the Login Button.
Step 4: Sign-in Redirect URL
In your backend system you will likely need to provide a Sign-in Redirect URL, which will be your channel URL (custom or otherwise) with /sso-redirect appended. For example, example.brandlive.com/sso-redirect.
Once the OAuth 2 configuration is complete and turned on, you will be able to add it to any of your projects in the registration settings.
See the section titled "Enabling SSO" below to make SSO available for your users.
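To review the Step 3 values (Authorization Server URL, Client ID, Scopes, Custom Query Parameters) together with the Step 4 redirect URL before turning the integration on, it can help to assemble the authorization request they produce. This is an added example, not Brandlive's code: the authorization server, client ID, and custom parameter values are hypothetical, and it assumes a standard Authorization Code request in which custom parameters are appended to the authorization server URL and are not allowed to override the standard ones.

```python
# Added example (not Brandlive's code): build the Authorization Code request
# an OAuth 2 login would send, from the values configured in Step 3 and Step 4.
import secrets
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

def sign_in_redirect_url(channel_url):
    """Step 4: the channel URL with /sso-redirect appended (https assumed if no scheme)."""
    base = channel_url.strip().rstrip("/")
    if "://" not in base:
        base = "https://" + base
    return base + "/sso-redirect"

def authorization_url(auth_server_url, client_id, redirect_uri, scopes,
                      custom_params=None, state=None):
    """Authorization Code request. Custom query parameters (Step 3) are appended
    to the Authorization Server URL, keeping any query it already carries.
    A custom parameter that would override a standard one is rejected."""
    custom_params = dict(custom_params or {})
    standard = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        # state ties the callback to this request; a fresh random value per login
        "state": state or secrets.token_urlsafe(16),
    }
    clash = sorted(set(custom_params) & set(standard))
    if clash:
        raise ValueError(f"custom parameters would override standard ones: {clash}")
    parts = urlsplit(auth_server_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += list(standard.items()) + list(custom_params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))

def query_params(url):
    """Decode a URL's query string into {name: [values]} for inspection."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)

if __name__ == "__main__":
    # Hypothetical values of the kind noted in Step 1 / entered in Step 3.
    url = authorization_url(
        "https://idp.example.com/authorize?tenant=acme", "client-123",
        sign_in_redirect_url("example.brandlive.com"), ["openid", "email"],
        custom_params={"prompt": "login"})
    print(url)
```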
Enabling SSO for Projects
To enable Single Sign-On for Brandlive Platform account Administrators, Site builders, and other users (i.e. those logging into https://admin.brandlive.com/), please contact your Account Manager to complete the final step. If you are unsure who your Account Manager is, please reach out to support@brandlive.com.
To enable Single Sign-On for attendees logging into your site, open your project in Brandlive's Sitebuilder and navigate to the Registration tab:
Then, select "SSO Registration" from the page menu.
Toggle on the button next to "Single sign on" and publish your page:
Attendees will now be able to log into your site using their Single Sign-On credentials.
Enabling SSO for Admin Console Access
Single Sign-On for Brandlive Admin Console users can be used in combination with User Role permissions to give you better control over what permissions your backend users have. To enable SSO for admins, please reach out to your Brandlive Support Representative with a list of the email domains that you would like to register with Brandlive as SSO users. Once enabled, any user with one of the provided email domains will automatically be routed to authenticate via SSO.