Configuring individual SAML Identity Providers

This topic provides guidance on how to configure the following Identity Providers using SAML, in order to support Participant authentication:

For guidance configuring other Identity Providers, please contact your Pexip authorized support representative.

Prerequisites

You should have already created a record for the Identity Provider on Pexip Infinity — for more information on the steps involved, see Process for enabling Identity Providers

  1. From the Azure portal select Azure Active Directory > Enterprise Applications > New application > Create your own application. Give the application a name, select the option to Integrate any other application you don't find in the gallery and then select Create:

  2. When the application has been created, select Single sign-on > SAML:

  3. Configure the application with the details of the Identity Provider you configured earlier on Pexip Infinity:

    Azure option

    		 Infinity Identity Provider option Notes
    Basic SAML Configuration
    Identifier (Entity ID) SAML 2.0 Entity ID for this service We recommend that you use the same FQDN from which the web app is accessed.
    Reply URL (Assertion Consumer Service URL) Redirect URL

    This should be in the format:

    https://<webapp_FQDN>/api/v1/samlconsumer/<uuid>

    where <webapp_FQDN> is the FQDN from which the web app is accessed, and <uuid> is the UUID.

    Sign on URL

    Relay State

    Logout URL

    		   Leave blank
    Attributes and claims
      Display Name Attribute Name

    This page lists the options available for users' display names. Select the format you wish to use (or create a new claim) and enter the corresponding Claim name from AD into the Display Name Attribute Name field on Pexip Infinity.

    For example, you may wish to hide surnames in Virtual Meeting Rooms that are to be used for B2C purposes. To do this, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname on Pexip Infinity.

    If you don't specify a claim in Pexip Infinity, participants must enter their own display name.
    SAML signing certificate
    Signing Option   Select either Sign SAML assertion or Sign SAML response and assertion.
    Signing Algorithm  

    This feature supports any of the following:

    SHA1, SHA256, SHA384 or SHA512 with RSA certificates
    Certificate (Base64) Identity Provider Public Key Download the certificate from Azure and paste into Pexip Infinity.
    Set up <application name>
    Login URL Identity Provider SSO URL Copy this value from Azure and paste into Pexip Infinity
    Azure AD Identifier Identity for the Identity Provider Copy this value from Azure and paste into Pexip Infinity
    Logout URL   This is not used by Pexip Infinity.

  4. Select Users and Groups > Add user/group and select the users you wish to allow:

  5. Go back to Single sign-on and at the bottom of the page, select Test:

  6. Because this test is being initiated from Azure and Pexip Infinity does not support Identity Provider-initiated flows, you won't see the SSO page that users will see when attempting to join the VMR. Instead, you should be able to reach Pexip Infinity and see the following page:

Now that you have set up Azure AD as an Identity Provider, you can configure your VMRs and Virtual Auditoriums to use SSO to authenticate participants.

  1. From the AD FS server, open the Server Manager application. From the top right, select Tools > AD FS Management:

  2. From the Actions panel, select Add Relying Party Trust:

  3. At the Add Relying Party Trust Wizard, select Claims aware and then Start:

  4. Select Enter data about the relying party manually, and then Next:

  5. Enter a display name for your own reference, and select Next:

  6. Upload Pexip Infinity's token encryption certificate and select Next:

  7. Select Enable support for the SAML 2.0 WebSSO protocol, and then enter the Pexip Infinity Redirect URL:

    AD FS option

    		 Infinity Identity Provider option Notes
    Relying party SAML 2.0 SSO service URL Redirect URL

    This should be in the format:

    https://<webapp_FQDN>/api/v1/samlconsumer/<uuid>

    where <webapp_FQDN> is the FQDN from which the web app is accessed, and <uuid> is the UUID.

  8. Enter the Relying party trust identifier:

    AD FS option

    		 Infinity Identity Provider option Notes
    Relying party trust identifier SAML 2.0 Entity ID for this service We recommend that you use the same FQDN from which the web app is accessed.

  9. Select Permit everyone:

  10. Close the wizard, and then select the relying party trust you have just created. Open its Properties, and select the Signature tab. Add the same certificate as you added earlier:

  11. Go back and select the relying party trust you have just created, and from the Actions panel select Edit Claim Issuance Policy:

  12. Select Add rule, and then at the wizard select a Claim rule template of Send LDAP Attributes as Claims:

  13. Enter a name for your own reference. From the Attribute store option, select Active Directory. From the lists that then appear, map the following attributes to claim types:

    • Display-Name > Name ID
    • Display-Name > Name

    AD FS option

    		 Infinity Identity Provider option Notes
    Outgoing claim type Display Name Attribute Name

    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

    Confirm that the default (NameID) is appropriate for this VMR's use. For example, you may wish to hide surnames in Virtual Meeting Rooms that are to be used for B2C purposes.

    If you don't specify a claim in Pexip Infinity, participants must enter their own display name.

  14. Next you must get the AD FS signing certificate. To do this, from the left panel select AD FS > Service > Certificates. From the Certificates panel select Token-signing and then from the Actions panel select View Certificate...:

    AD FS option

    		 Infinity Identity Provider option Notes
    Certificate Identity Provider Public Key Download the certificate from AD FS and paste into Pexip Infinity.

  1. From Okta, select Applications > Applications > Create App Integration. At the Create a new app integration screen, select SAML 2.0:

  2. Give the app a name and select Next:

  3. Under the SAML settings section:

    :

    enter the following:

    Okta option

    		 Infinity Identity Provider option Notes
    Single sign on URL Redirect URL

    This should be in the format:

    https://<webapp_FQDN>/api/v1/samlconsumer/<uuid>

    where <webapp_FQDN> is the FQDN from which the web app is accessed, and <uuid> is the UUID.

    Audience URI (SP Entity ID) SAML 2.0 Entity ID for this service We recommend that you use the same FQDN from which the web app is accessed.

    All other fields can be left as the defaults, or edited according to your deployment.

  4. If you wish to enable assertion encryption, or change the signing algorithms, open the Advanced Settings:

  5. By default, the SAML assertion contains the NameID element, which is used to extract the display name of the participant. However, you can add custom attributes in the Attribute Statements section and then configure Pexip Infinity to use these instead:

    Okta option

    		 Infinity Identity Provider option Notes
    Attribute statements name Display Name Attribute Name  
  6. Select Next and then Finish.
  7. From the Settings page, select View Setup Instructions:

  8. Enter the information provided by Okta into the Pexip Infinity Identity Provider configuration:

    Okta option

    		 Infinity Identity Provider option Notes
    Identity Provider Single Sign-On URL Identity Provider SSO URL  
    Identity Provider Issuer Identity for the Identity Provider  
    X.509 Certificate Identity Provider Public Key  

  9. From the Assignments tab, select Assign > Assign to People and select the users you wish to allow access: