Authenticating app registrations using Identity Providers

The Pexip app for Windows must be registered in order to make or receive calls, and the registration must be authenticated with an Identity Provider using SSO. This topic explains how to configure Pexip Infinity and your chosen Identity Provider to enable users to register their Pexip app for Windows using their SSO credentials.

To enable registration authentication you must:

Registration process

The process of the app registering to Pexip Infinity is outlined below.

  1. The user enters the alias they wish to register in the app's Your video address field, for example alice@pexample.com.
  2. The app performs a DNS SRV lookup on _pexapp._tcp.<domain>, for example _pexapp._tcp.pexample.com, to locate a Conferencing Node where it can send its registration request.
  3. When the Conferencing Node receives the request, it checks whether the alias is configured under Users & Devices > Device aliases.
  4. If the alias is configured and has Enable registration using IdP SSO enabled, the Conferencing Node checks the configured Identity Provider group and obtains the configured Identity Provider SSO URL.
  5. The Conferencing Node provides the SSO URL to the app; the app then sends its registration request to this URL, including the alias being registered.
  6. Upon receipt of the registration request, the Identity Provider requests authentication information from the app.
  7. The user provides the Identity Provider with their SSO username and password via their default browser.
  8. If the user successfully authenticates with the Identity Provider, the Identity Provider returns the registration alias and display name for that user.
  9. If the registration alias that is returned matches the alias being registered, the registration will be permitted and the display name that was returned is used as the app's display name (and cannot be changed by the user).
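The decision logic of steps 2 to 9, as an added illustration that is not Pexip code: the device alias table, the Identity Provider group and the IdP response are constructed sample data, and the field names mirror the admin UI options named on this page. The alias comparison is an exact string match; how Pexip Infinity normalizes case is not stated here and is an assumption of the example.

```python
"""Model of the Pexip app registration decision described above (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class DeviceAlias:
    alias: str
    description: str
    enable_registration_using_idp_sso: bool
    identity_provider_group: Optional[str]


@dataclass
class IdentityProvider:
    name: str
    sso_url: str


# Constructed sample of Users & Devices > Device aliases.
DEVICE_ALIASES = {
    "alice@pexample.com": DeviceAlias("alice@pexample.com", "Alice", True, "app-registration"),
    "bob@pexample.com": DeviceAlias("bob@pexample.com", "Bob", False, None),
}

# Constructed sample Identity Provider group holding a single IdP.
IDP_GROUPS = {
    "app-registration": [IdentityProvider("corp-saml", "https://idp.pexample.com/sso")],
}


def srv_lookup_name(alias: str) -> str:
    """Step 2: the DNS SRV name the app queries for the alias's domain."""
    if "@" not in alias:
        raise ValueError("alias must be of the form user@domain")
    domain = alias.rsplit("@", 1)[1]
    return f"_pexapp._tcp.{domain}"


def sso_url_for(alias: str) -> Optional[str]:
    """Steps 3-4: return the IdP SSO URL only when the alias exists, has
    'Enable registration using IdP SSO' set, and its group contains an IdP."""
    entry = DEVICE_ALIASES.get(alias)
    if entry is None or not entry.enable_registration_using_idp_sso:
        return None
    group = IDP_GROUPS.get(entry.identity_provider_group or "", [])
    if not group:
        return None
    return group[0].sso_url


def complete_registration(requested_alias: str, returned_alias: str,
                          returned_display_name: str) -> Optional[dict]:
    """Steps 8-9: permit the registration only when the alias returned by the
    IdP matches the alias being registered (exact comparison, an assumption).
    An empty display name falls back to the alias, as the IdP configuration
    section of this page describes."""
    if returned_alias != requested_alias:
        return None
    display = returned_display_name or requested_alias
    return {"alias": requested_alias, "display_name": display}


if __name__ == "__main__":
    alias = "alice@pexample.com"
    print(srv_lookup_name(alias))
    print(sso_url_for(alias))
    print(complete_registration(alias, alias, "Alice Smith"))
```

Run it as-is to walk one alias through the flow; `sso_url_for` returning None corresponds to the Conferencing Node refusing to hand out an SSO URL for an unknown alias or one without SSO registration enabled, and `complete_registration` returning None is the mismatch case in step 9.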

Creating the registration alias

When registering a Pexip app to Pexip Infinity, the alias (video address) being registered by the Pexip app must match one of the device alias entries on the Management Node. You can either create device registration aliases manually, or import them from an LDAP source.

For full information about registrations, see Registering devices to Pexip Infinity. The sections below describe the configuration that is specifically required for device aliases being registered by Pexip app for Windows.

Configuring the alias manually

To configure a device alias for Pexip app registrations, on the Management Node under Users & Devices > Device aliases select Add Device alias. The following fields are required (other fields can be configured as appropriate for your deployment):

  • Device alias: the alias that app users will enter in the video address field when registering their app.
  • Description: the description of this device; this appears to other app users when searching the directory.
  • Enable registration using IdP SSO: select this option. The Identity Provider group option appears.
  • Identity Provider group: from the drop-down list, select the Identity Provider group containing the Identity Provider to use to authenticate the registration.

Importing device aliases from LDAP

To import device aliases from an LDAP source using an LDAP synchronization template, from the Management Node go to Utilities > LDAP Sync Templates and select Add LDAP sync template. The following fields are required (other fields can be configured as appropriate for your deployment):

  • Sync devices: select this option. The Device settings and Device registration settings panels appear.
  • Device alias pattern: the pattern for the alias that app users will enter in the video address field when registering their app. If users' video addresses are the same as their email addresses, use the default {{mail}}.
  • Device description pattern: the pattern for the description of this device; this appears to other app users when searching the directory.
  • Enable registration using IdP SSO: select this option. The Identity Provider group option appears.
  • Identity Provider group: from the drop-down list, select the Identity Provider group containing the Identity Provider to use to authenticate the registration.

There is a known limitation in Pexip Infinity version 37 and earlier when using an LDAP sync template for device alias registrations. The options to Enable registration using IdP SSO and enter a corresponding Identity Provider group are not included, so you must manually set these fields after importing the new aliases or use an update script. Contact your Pexip authorized support representative with the reference 42719 to obtain the update script.

Configuring Pexip Infinity with Identity Providers

Pexip app registrations must be authenticated with an Identity Provider using SSO. You can use an existing Identity Provider, or create a new one.

For full information about creating and configuring Identity Providers, see Using Identity Providers. The sections below describe the configuration that is specifically required for Pexip app registration.

Creating Identity Providers

To configure Pexip Infinity with an Identity Provider to use for registration, go to Users & Devices > Identity Providers > Identity Provider Configuration. The following fields relate specifically to registration authentication (other fields can be configured as appropriate for your deployment):

  • Registration Alias Attribute Name (SAML) / Registration Alias Claim Name (OpenID Connect): you must enter a value in this field. The alias returned by the Identity Provider must match the alias being registered, otherwise the registration is not permitted.
  • Display Name Attribute Name (SAML) / Display Name Claim Name (OpenID Connect): this field is optional. The name returned is used as the user's display name. If the field is blank, the user's alias is used as their display name. Users cannot change the display name provided during registration.

Creating Identity Provider groups

We recommend that you create a new Identity Provider group containing a single Identity Provider and use this group for the sole purpose of authenticating Pexip app for Windows registrations. This is the Identity Provider group you select when configuring device aliases.

The Identity Provider in this group can be used for other purposes as part of another Identity Provider group.

Configuring the Identity Provider

When authenticating with the IdP using SSO, users enter their email address as their SSO username. If your users' aliases (video addresses) are different from their email addresses, we recommend you use a SAML-based IdP. This allows you to create a custom attribute in the IdP to validate that the video address being registered matches the user's email address.

The Pexip app requires specific IdP attribute entries in your configuration for validating user authentication. The video address that a user signs in and registers with must match an IdP attribute to validate that the correct person is using the video address to sign in.

  • If users' video addresses are the same as their email, use the email attribute for validation.
  • If users' video addresses are not the same as their email, you must create a custom attribute. This is a top-level SAML configuration and does not require a new entry for every user.


Session duration and timeout

To prevent a user from authenticating with your Identity Provider and staying authorized indefinitely, the Pexip app for Windows periodically invalidates the session and requires users to re-authenticate their registration. The session will be invalidated 24 hours after successful authentication unless you customize the session timeout duration.

For OIDC IdPs, the session timeout duration is controlled via the required exp (expiration time) claim of the JWT provided by the IdP.
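How the two timeout sources above combine, as an added example rather than Pexip's own code: it decodes the payload of a compact JWT to read the exp claim, and falls back to the 24-hour default when no claim-based timeout applies. The sample token is constructed with an unsigned "alg: none" header purely so the example runs offline; the helper does not verify a signature, and a real token consumer must verify the IdP's signature before trusting any claim, including exp.

```python
"""Session expiry for Pexip app registrations (added example, not Pexip code)."""
import base64
import json
from typing import Optional

# The page states the session is invalidated 24 hours after authentication by default.
DEFAULT_SESSION_SECONDS = 24 * 60 * 60


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding (RFC 7515); restore it before decoding."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. The signature is NOT checked here;
    this only reads the claims for illustration."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def session_expiry(auth_time: int, claims: Optional[dict]) -> int:
    """Unix time at which the app must re-authenticate its registration.

    OIDC: the token's required exp claim controls the timeout.
    No token claims (e.g. a SAML IdP with no customized timeout): 24 hours after
    successful authentication, the default the page describes.
    """
    if claims is None:
        return auth_time + DEFAULT_SESSION_SECONDS
    exp = claims.get("exp")
    if not isinstance(exp, int):
        raise ValueError("OIDC token is missing the required exp claim")
    return exp


def build_unsigned_sample_token(claims: dict) -> str:
    """Constructed sample token for offline demonstration only (alg 'none', no signature)."""
    header = {"alg": "none", "typ": "JWT"}

    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}."


if __name__ == "__main__":
    auth_time = 1700000000  # constructed authentication timestamp
    token = build_unsigned_sample_token(
        {"sub": "alice@pexample.com", "iat": auth_time, "exp": auth_time + 3600}
    )
    print("OIDC expiry:", session_expiry(auth_time, jwt_claims(token)))
    print("default expiry:", session_expiry(auth_time, None))
```

The exp value wins whenever an OIDC token is present, so an IdP that issues short-lived tokens shortens the registration session below the 24-hour default, and a token without exp is rejected rather than silently falling back to the default.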

For SAML IdPs, you customize the session timeout duration either:

Registering and provisioning Pexip apps

When your Identity Provider integration is complete, Pexip app for Windows users can use their SSO credentials to register their Pexip apps to Pexip Infinity. For information on the registration experience for end users, see Registering.

As an administrator you can provision individual users with pre-configured settings for their app, including their registration alias. See Provisioning the app for instructions about how to do this and for information on the associated end-user experience.