IBM Video Streaming SAML based SSO capability for Enterprise Video Streaming is based on SAML 2.0 - Security Assertion Markup Language.
The basic way that SAML works is in the exchange between an identity provider (IdP) and a service provider (SP). In this case the service provider is IBM Video Streaming.
An identity provider is a service that a company uses to manage the access of their employees to other third party services. Popular identity providers include OneLogin and Okta. Traditionally, companies used employee directories to manage access to on-premise resources. Two of the most common directories used are LDAP and Microsoft Active Directory. These older systems are not based on the SAML standard, but most of the newer identity providers are.
This guide contains information about how to connect a SAML 2.0 compliant identity provider to IBM Video Streaming’s SAML based SSO functionality.
Identity Provider Settings
You need to set up IBM Video Streaming as a service provider within your identity provider. Use the following settings to set up IBM Video Streaming as a service provider.
Depending on your identity provider, these fields may be labelled differently, so consult the documentation for your identity provider to understand where to copy each URL.
- This should be the page URL where you would like to allow your users to authenticate, either the Enterprise Video Streaming channel page or the page where you have embedded the IBM Video Streaming player.
- The URL is your channel url: https://secure.video.ibm.com/channel/[YOUR CHANNEL ID] or your portal url: https://secure.video.ibm.com/[YOUR PORTAL NAME]
In case of IdP initiated login Portal URL should be set as RelayState.
SAML Assertion Consumer Service URL (ACS)
SAML Audience (this is the IBM Video Streaming service’s Entity ID)
SAML Single Logout URL (SLO)
Ensure that your hash algorithm is set to SHA-1 or SHA256 (this is often found in advanced settings).
SAML User Profile Attributes
IBM Video Streaming requires email address to be provided in the NameID attribute.
First and Last name are also recommended for easier identification of your users within the Enterprise Video Streaming dashboard.
SAML Group Support
To be able to restrict access to channels based on the groups you have set up at your Identity Provider, IBM Video Streaming requires these groups to be sent in the Group attribute.
A sample configuration:
<saml:Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
Please note that the Attribute's name should be exactly "Group".
IBM Video Streaming SAML SSO Settings
To connect your IdP with your Enterprise Video Streaming account, you need to provide your IdP’s credentials under Integrations & Apps and Security Settings on the IBM Video Streaming Dashboard:
There are 4 fields in the IBM Video Streaming dashboard SSO Settings you need to populate with the information from your IdP:
- Entity ID of your IdP
- Login URL
- Logout URL - optional
Viewer Registration Flow
Viewer starts on viewing page
In this scenario, you viewer is not yet authenticated with your identity provider. You share with your viewers the URL where they will watch the IBM Video Streaming content. This can either be your Enterprise Video Streaming channel page, or the page where you have embedded the IBM Video Streaming player. This should be the same URL that you entered in your identity provider’s settings as the Login URL.
When your viewers arrive on the page, they will see the prompt to login to their company account.
Pressing the "Sign In" button opens your identity provider’s login page in a popup.
If the viewer successfully authenticates at your identity provider, the popup closes and the viewer can access to the content.
Viewer starts at Identity Provider Page
In this scenario, the viewer starts on a URL for your identity provider.
The viewer clicks on a link to access the Enterprise Video Streaming viewing page. Since they were already authenticated at your identity provider, they will have immediate access to the IBM Video Streaming content when they arrive on the viewing page and will not see the prompt to authenticate.
NOTE: Please make sure that as you make changes to your SSO settings that these settings are consistent across you Organization SSO settings as well.
You can find more information on our Organization level management at
as well as our Organization Permissions article at