Configuring individual SAML Identity Providers
This topic provides guidance on how to configure the following Identity Providers using SAML, in order to support Participant authentication and device registration authentication:
For guidance configuring other Identity Providers, please contact your Pexip authorized support representative.
For general information on the use of Identity Providers with Pexip Infinity, see Using Identity Providers.
Prerequisites
You should have already created a record for the Identity Provider on Pexip Infinity — for more information on the steps involved, see Process for enabling Identity Providers.

- From the Azure portal select . Give the application a name, select the option to Integrate any other application you don't find in the gallery and then select :
- When the application has been created, select :
- Configure the application with the details of the Identity Provider you configured earlier on Pexip Infinity:

| Azure option | Infinity Identity Provider option | Notes |
| --- | --- | --- |
| Basic SAML Configuration | | |
| Identifier (Entity ID) | SAML 2.0 Entity ID for this service | We recommend that you use the same FQDN from which the web app is accessed. |
| Reply URL (Assertion Consumer Service URL) | Redirect URL | This should be in the format: https://<webapp_FQDN>/api/v1/samlconsumer/<uuid> where <webapp_FQDN> is the FQDN from which the web app is accessed, and <uuid> is the UUID. |
| Sign on URL, Relay State, Logout URL | | Leave blank |
| Attributes and claims | Display Name Attribute Name | This page lists the options available for users' display names. Select the format you wish to use (or create a new claim) and enter the corresponding Claim name from AD into the Display Name Attribute Name field on Pexip Infinity. For example, you may wish to hide surnames in Virtual Meeting Rooms that are used for B2C purposes. To do this, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname on Pexip Infinity. If you don't specify a claim in Pexip Infinity, participants must enter their own display name. |
| SAML signing certificate | | |
| Signing Option | | Select either Sign SAML assertion or Sign SAML response and assertion. |
| Signing Algorithm | | This feature supports any of the following: SHA1, SHA256, SHA384 or SHA512 with RSA certificates |
| Certificate (Base64) | Identity Provider Public Key | Download the certificate from Azure and paste into Pexip Infinity. |
| Set up <application name> | | |
| Login URL | Identity Provider SSO URL | Copy this value from Azure and paste into Pexip Infinity |
| Microsoft Entra Identifier | Identity for the Identity Provider | Copy this value from Azure and paste into Pexip Infinity |
| Logout URL | | This is not used by Pexip Infinity. |

- Select and select the users you wish to allow:
- Go back to and at the bottom of the page, select :
- Because this test is being initiated from Azure and Pexip Infinity does not support Identity Provider-initiated flows, you won't see the SSO page that users will see when attempting to join the VMR. Instead, you should be able to reach Pexip Infinity and see the following page:
Now that you have set up Microsoft Entra ID as an Identity Provider, you can configure your VMRs and Virtual Auditoriums to use SSO to authenticate participants, and require devices to use SSO when registering an alias.

- From the AD FS server, open the Server Manager application. From the top right, select :
- From the Actions panel, select :
- At the Add Relying Party Trust Wizard, select and then :
- Select Enter data about the relying party manually, and then :
- Enter a display name for your own reference, and select :
- Upload Pexip Infinity's token encryption certificate and select :
- Select Enable support for the SAML 2.0 WebSSO protocol, and then enter the Pexip Infinity Redirect URL:

| AD FS option | Infinity Identity Provider option | Notes |
| --- | --- | --- |
| Relying party SAML 2.0 SSO service URL | Redirect URL | This should be in the format: https://<webapp_FQDN>/api/v1/samlconsumer/<uuid> where <webapp_FQDN> is the FQDN from which the web app is accessed, and <uuid> is the UUID. |

- Enter the Relying party trust identifier:

| AD FS option | Infinity Identity Provider option | Notes |
| --- | --- | --- |
| Relying party trust identifier | SAML 2.0 Entity ID for this service | We recommend that you use the same FQDN from which the web app is accessed. |

- Select Permit everyone:
- Close the wizard, and then select the relying party trust you have just created. Open its Properties, and select the Signature tab. the same certificate as you added earlier:
- Go back and select the relying party trust you have just created, and from the Actions panel select Edit Claim Issuance Policy:
- Select Add rule, and then at the wizard select a Claim rule template of Send LDAP Attributes as Claims:
- Enter a name for your own reference. From the Attribute store option, select Active Directory. From the lists that then appear, map the following attributes to claim types:
  - Display-Name > Name ID
  - Display-Name > Name

| AD FS option | Infinity Identity Provider option | Notes |
| --- | --- | --- |
| Outgoing claim type | Display Name Attribute Name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name Confirm that the default (NameID) is appropriate for this VMR's use. For example, you may wish to hide surnames in Virtual Meeting Rooms that are used for B2C purposes. If you don't specify a claim in Pexip Infinity, participants must enter their own display name. |

- Next you must get the AD FS signing certificate. To do this, from the left panel select . From the Certificates panel select Token-signing and then from the Actions panel select View Certificate...:

| AD FS option | Infinity Identity Provider option | Notes |
| --- | --- | --- |
| Certificate | Identity Provider Public Key | Download the certificate from AD FS and paste into Pexip Infinity. |

- From Okta, select . At the screen, select :
- Give the app a name and select :
- Under the SAML settings section, enter the following:

| Okta option | Infinity Identity Provider option | Notes |
| --- | --- | --- |
| Single sign on URL | Redirect URL | This should be in the format: https://<webapp_FQDN>/api/v1/samlconsumer/<uuid> where <webapp_FQDN> is the FQDN from which the web app is accessed, and <uuid> is the UUID. |
| Audience URI (SP Entity ID) | SAML 2.0 Entity ID for this service | We recommend that you use the same FQDN from which the web app is accessed. |

All other fields can be left as the defaults, or edited according to your deployment.
- If you wish to enable assertion encryption, or change the signing algorithms, open the :
- In the Attribute Statements section, add a custom attribute with a Name of email and a Value of user.email:

| Okta option | Infinity Identity Provider option | Notes |
| --- | --- | --- |
| Attribute statements name | Display Name Attribute Name | |

- Select and then .
- From the page, select :
- Enter the information provided by Okta into the Pexip Infinity Identity Provider configuration:

| Okta option | Infinity Identity Provider option | Notes |
| --- | --- | --- |
| Sign-On URL | Identity Provider SSO URL | |
| Issuer | Identity for the Identity Provider | |
| Signing Certificate | Identity Provider Public Key | |

- From the Assignments tab, select and select the users you wish to allow access:
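
A pre-flight check for a SAML response captured while testing any of the three providers above, confirming that the Redirect URL, Entity ID, signing option and display name claim line up with what was entered on Pexip Infinity. This is an added example, not Pexip's code: the hostname, UUID and sample XML are constructed, the canonical UUID form is an assumption, and the signature is inspected structurally rather than cryptographically verified.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Assumption: <uuid> is written in canonical 8-4-4-4-12 hex form.
ACS_RE = re.compile(r"https://[A-Za-z0-9.-]+/api/v1/samlconsumer/"
                    r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
MORE = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha"
RSA_SHA = {NS["ds"] + "rsa-sha1": "SHA1", MORE + "256": "SHA256",
           MORE + "384": "SHA384", MORE + "512": "SHA512"}

def check_response(xml_text, redirect_url, entity_id, display_claim=None):
    """Structural checks only; the signature itself is NOT verified here."""
    findings = []
    if not ACS_RE.fullmatch(redirect_url):
        findings.append("redirect URL format")
    root = ET.fromstring(xml_text)
    if root.get("Destination") != redirect_url:
        findings.append("Destination differs from Redirect URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plaintext Assertion (missing or encrypted)"]
    method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        findings.append("Assertion is not signed")
    elif method.get("Algorithm") not in RSA_SHA:
        findings.append("signature method is not RSA with SHA1/256/384/512")
    elif RSA_SHA[method.get("Algorithm")] == "SHA1":
        findings.append("signed with SHA1; prefer SHA256 or stronger")
    if entity_id not in [a.text for a in assertion.iterfind(".//saml:Audience", NS)]:
        findings.append("Audience lacks the Entity ID")
    names = [a.get("Name") for a in assertion.iterfind(".//saml:Attribute", NS)]
    if display_claim and display_claim not in names:
        findings.append("display name claim absent")
    return findings

# Constructed sample (not a real capture): assertion signed with RSA-SHA1.
URL = "https://vmr.example.com/api/v1/samlconsumer/123e4567-e89b-12d3-a456-426614174000"
CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SAMPLE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" Destination="{URL}"><saml:Assertion>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{NS['ds']}rsa-sha1"/>
 </ds:SignedInfo></ds:Signature><saml:Conditions><saml:AudienceRestriction>
 <saml:Audience>vmr.example.com</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions><saml:AttributeStatement><saml:Attribute Name="{CLAIM}"/>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

print(check_response(SAMPLE, URL, "vmr.example.com", CLAIM))
```

An empty list means the captured response is consistent with the configured values; a response with assertion encryption enabled reports that no plaintext Assertion is present.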