IBM Watson Media's SAML-based SSO capability for Enterprise Video Streaming is based on SAML 2.0 (Security Assertion Markup Language).
SAML works through an exchange between an identity provider (IdP) and a service provider (SP). In this case the service provider is IBM Watson Media.
An identity provider is a service that a company uses to manage its employees' access to third-party services. Popular identity providers include OneLogin and Okta. Traditionally, companies used employee directories to manage access to on-premises resources; two of the most common are LDAP and Microsoft Active Directory. These older systems are not based on the SAML standard, but most of the newer identity providers are.
This guide describes how to connect a SAML 2.0 compliant identity provider to IBM Watson Media's SAML-based SSO functionality.
Identity Provider Settings
You need to set up IBM Watson Media as a service provider within your identity provider. Use the following settings to set up IBM Watson Media as a service provider.
Depending on your identity provider, these fields may be labelled differently, so consult the documentation for your identity provider to understand where to copy each URL.
- This should be the page URL where you would like your users to authenticate: either the Enterprise Video Streaming channel page or the page where you have embedded the IBM Watson Media player.
- The URL is your channel URL: https://secure.video.ibm.com/channel/[YOUR CHANNEL ID] or your portal URL: https://secure.video.ibm.com/[YOUR PORTAL NAME]
For IdP-initiated login, the Portal URL should be set as the RelayState.
SAML Assertion Consumer Service URL (ACS)
SAML Audience (this is the IBM Video Streaming service’s Entity ID)
SAML Single Logout URL (SLO)
Ensure that your hash algorithm is set to SHA-1 or SHA-256 (this is often found in advanced settings).
SAML User Profile Attributes
IBM Watson Media requires the email address to be provided in the NameID attribute.
First and Last name are also recommended for easier identification of your users within the Enterprise Video Streaming dashboard.
SAML Group Support
To restrict access to channels based on the groups you have set up at your identity provider, IBM Watson Media requires these groups to be sent in the Group attribute.
A sample configuration:
<saml:Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
Please note that the Attribute's name should be exactly "Group".
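As an added example (not IBM Watson Media's own code or API), the following checker inspects a SAML 2.0 Response the way an integrator might while debugging an SSO setup against the requirements in the Identity Provider Settings and attribute sections above: the signature hash algorithm is SHA-1 or SHA-256, the Audience matches the service provider's Entity ID, the NameID carries an email address, and group memberships arrive in an attribute named exactly "Group". The SP Entity ID and the sample response are constructed placeholders; the real Entity ID comes from the IBM Watson Media dashboard. The example does not verify the XML signature itself, which a real deployment must do with a SAML library.

```python
# Added example, not IBM Watson Media code. Checks a SAML Response against the
# guide's requirements; it does NOT verify the XML signature.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Signature methods corresponding to the SHA-1 / SHA-256 setting in the guide.
ALLOWED_SIGNATURE_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
}

# Hypothetical SP Entity ID; the real value is shown in the dashboard.
SP_ENTITY_ID = "https://example.invalid/sp/entity-id"

# Constructed sample response (signature value omitted; not checked here).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.invalid</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://example.invalid/sp/entity-id</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Group" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>engineering</saml:AttributeValue>
        <saml:AttributeValue>all-hands</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def check_response(xml_text, sp_entity_id=SP_ENTITY_ID):
    """Return (findings, profile): problems found and the user profile extracted."""
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion in response"], {}

    # 1. Signature hash algorithm must be one the guide allows.
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    if alg not in ALLOWED_SIGNATURE_METHODS:
        findings.append(f"unexpected signature algorithm: {alg}")

    # 2. Audience must contain the SP's Entity ID.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append(f"audience {audiences} does not include the SP Entity ID")

    # 3. NameID must carry the email address.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    email = (name_id.text or "").strip() if name_id is not None else ""
    if "@" not in email:
        findings.append("NameID does not look like an email address")

    # 4. Attributes: groups must be in an attribute named exactly "Group".
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    groups = attrs.get("Group")
    if groups is None:
        near = [n for n in attrs if n.lower() == "group" or n.lower().endswith("groups")]
        findings.append(f"no attribute named exactly 'Group' (similar names: {near or 'none'})")
        groups = []

    profile = {
        "email": email,
        "first_name": (attrs.get("FirstName") or [None])[0],
        "last_name": (attrs.get("LastName") or [None])[0],
        "groups": groups,
    }
    return findings, profile


if __name__ == "__main__":
    problems, user = check_response(SAMPLE_RESPONSE)
    print("findings:", problems or "none")
    print("profile:", user)
```

Run it as-is and it reports no findings for the constructed response; renaming the attribute to `groups` or changing the Audience produces a finding, which is the kind of mismatch that otherwise shows up only as a failed login at the viewing page.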
IBM Watson Media SAML SSO Settings
To connect your IdP with your Enterprise Video Streaming account, you need to provide your IdP's details under Integrations & Apps and Security Settings on the IBM Watson Media Dashboard:
There are 4 fields in the IBM Watson Media dashboard SSO Settings you need to populate with the information from your IdP:
- Entity ID of your IdP
- Login URL
- Logout URL (optional)
Viewer Registration Flow
Viewer starts on viewing page
In this scenario, your viewer is not yet authenticated with your identity provider. You share with your viewers the URL where they will watch the IBM Watson Media content. This can be either your Enterprise Video Streaming channel page or the page where you have embedded the IBM Watson Media player. This should be the same URL that you entered in your identity provider's settings as the Login URL.
When your viewers arrive on the page, they will see the prompt to login to their company account.
Pressing the "Sign In" button opens your identity provider’s login page in a popup.
If the viewer successfully authenticates at your identity provider, the popup closes and the viewer can access the content.
Viewer starts at Identity Provider Page
In this scenario, the viewer starts on a URL for your identity provider.
The viewer clicks on a link to access the Enterprise Video Streaming viewing page. Since they were already authenticated at your identity provider, they will have immediate access to the IBM Watson Media content when they arrive on the viewing page and will not see the prompt to authenticate.