Using Identity Providers

Identity Providers are third-party services (such as AD FS, Microsoft Entra ID or Okta) that store and manage digital identities, and with which users authenticate using SSO. Pexip Infinity supports Identity Provider SSO authentication for participant access to VMRs, and for client application registration.

This topic covers:

About Single Sign-on

Single Sign-On (SSO) is an increasingly common feature of web services and business tools that enables users to authenticate and log into a third-party service or web page, using the same login credentials as the other systems they already use.

SSO is a particularly popular feature for enterprise customers, but it can also offer benefits to smaller and medium sized customers. The main benefits are:

  • Convenience and security: the ability to securely log into multiple tools with the same login credentials.
  • Reduced tech support costs and greater efficiency with only one password to remember.
  • Faster, simpler user administration.

Using SSO with Pexip Infinity

You can require Identity Provider SSO authentication for either or both of the following:

  • For participants who are attempting to access a specific VMR in your deployment, to verify their identity before joining the meeting. The SSO service can also be used to provide a verified display name for meeting participants. For more information, see About participant authentication.

  • For client applications (such as the upcoming Connect desktop app) to register their device to Pexip Infinity. For more information, see Enable registration using SAML/OIDC SSO.

Supported Identity Providers

Pexip Infinity supports two widely-used standard industry protocols:

  • SAML 2.0
  • OpenID Connect (OIDC)

We have provided step-by-step guides for configuring the following SAML Identity Providers:

  • ADFS
  • Microsoft Entra ID (formerly called Azure AD)
  • Okta

For guidance on configuring other Identity Providers, please contact your Pexip authorized support representative.

Process for enabling Identity Providers

When setting up an Identity Provider, some configuration needs to be generated on Pexip Infinity and then added to the Identity Provider, and vice versa.

To make the setup easier, for SAML Identity Providers we have provided the ability to download a configuration file from Pexip Infinity which can be uploaded to the Identity Provider. You can also subsequently import some configuration from SAML and OIDC Identity Providers to Pexip Infinity.

In summary, the process is as follows:

  1. On Pexip Infinity, create the Identity Provider record and download the configuration. For full details see Adding Pexip Infinity service configuration.
  2. On the Identity Provider, create a new service and upload the Pexip Infinity configuration to it. For full details see Configuring individual SAML Identity Providers.
  3. Return to Pexip Infinity and either import the configuration file from the Identity Provider, or complete the configuration manually. For full details, see Adding the Identity Provider configuration to Pexip Infinity.
  4. On Pexip Infinity, add the Identity Provider to one or more Identity Provider Groups. For full details see Creating Identity Provider groups.

After the Identity Provider configuration is complete, you can then:

Adding Identity Providers to Pexip Infinity

About redirect URLs

When configuring an Identity Provider, you must list one or more Redirect URLs that are valid for that provider. Redirect URLs are used in the authentication process to identify the source of a request, and also as an address to which the response to the request is returned. Redirect URLs must include the FQDN of the webapp as part of the URL.

If users in your deployment are able to access the web app from more than one FQDN, then you must configure each Identity Provider (both on Pexip Infinity and on the Identity Provider itself) with the same number of corresponding Redirect URLs. To help you, we have included an option to automatically add redirect URLs for every node FQDN used in your deployment. (Note that if you use this option, you still need to add the individual redirect URLs to your Identity Provider configuration.) You can also add additional redirect URLs manually from within the Advanced options section (available for both SAML and OpenID Connect).

About pop-up windows

By default, the authentication process for users attempting to join a Virtual Meeting Room takes place via a separate pop-up window. If your environment does not allow or support pop-ups, you can Disable pop-up windows on a per-Identity Provider basis. When this option is selected, a Webapp3 user's current browser session is redirected away from the web app in order to perform the authentication process, and then automatically returned to the web app. (This option is not supported for Webapp2 — for these users, the browser will still attempt to open a pop-up window.)

If you are using the pop-up-free authentication flow for users attempting to join a meeting and you are either:

  • hosting the web app externally, (i.e. on something other than a Conferencing Node), or
  • accessing the web app from a URL that is not a Configured FQDN for any Conferencing Node (for example, when using DNS A records to access the web app)

you must add the host's address / the URL (as applicable) to the "allow list" of External Web App Hosts (Web App > External Web App Hosts).

Adding Pexip Infinity service configuration

The configuration for the Identity Provider is in two sections on Pexip Infinity.

Firstly, go to Users & Devices > Identity Providers and select Add Identity Provider. Complete the Service configuration section, as follows:

Option Description
Service configuration
Name

The name used to refer to this Identity Provider.

This name will be visible to end users, so you should use a name that will help users differentiate between Identity Providers without compromising security.

Description An optional description of the Identity Provider.

UUID

A unique identifier for this Identity Provider configuration. A value is automatically assigned and there is normally no need to modify it.
Identity Provider protocol

Select the protocol used by this Identity Provider:

  • SAML: the IdP uses SAML 2.0
  • OpenID Connect: the IdP uses OpenID Connect

The remaining configuration fields depend on the option selected here.

SAML options (available when an Identity Provider type of SAML is selected)
Certificate Certificate used by Pexip Infinity when communicating with the Identity Provider.
Private key Private key used by Pexip Infinity when communicating with the Identity Provider.
Redirect URL

An Assertion Consumer Service (ACS) URL that can be used in the authentication process with this Identity Provider.

This should be in the format:

https://<webapp_FQDN>/api/v1/samlconsumer/<uuid>

where <webapp_FQDN> is the FQDN from which the web app is accessed, and <uuid> is the UUID shown in the field above.

You should provide one Redirect URL for every web app FQDN used in your deployment; Additional redirect URLs can be added from the Advanced options section below.

For more information, see About redirect URLs.

SAML 2.0 Entity ID for this service An identifier for the service on Pexip Infinity. We recommend that you use the FQDN from which the web app is accessed, for consistency.
Signature algorithm Signature algorithm used to sign SAML authentication request messages and service metadata
Digest algorithm Digest algorithm used to sign SAML authentication request messages and service metadata
OpenID Connect options (available when an Identity Provider type of OpenID Connect is selected)
OpenID Connect flow Select the flow used by the OpenID Connect Identity Provider.
OpenID Connect client identifier The client identifier provided by the OpenID Connect Identity Provider.
OpenID Connect client secret The client secret provided by the OpenID Connect Identity Provider.
Redirect URL

A URL that can be used in the authentication process with this Identity Provider.

This should be in the format:

https://<webapp_FQDN>/api/v1/oidcconsumer/<uuid>

where <webapp_FQDN> is the FQDN from which the web app is accessed, and <uuid> is the UUID shown in the field above.

You should provide one Redirect URL for every web app FQDN used in your deployment; Additional redirect URLs can be added from the Advanced options section below.

For more information, see About redirect URLs.

Advanced options (available for both SAML and OpenID Connect):
Create redirect URLs from Conferencing Node FQDNs Automatically generate allowed redirect URLs from the configured FQDNs for each Conferencing Node.
Additional redirect URL Enter any additional redirect URLs valid for use with this Identity Provider.
Attributes

Identity Provider attributes are custom attributes that are associated with an Identity Provider and that have been created to support a specific business need (for example whether somebody is a member of a particular group of people).

The attributes you assign here are made available to any local or external participant policy, when the participant uses this provider for authentication. These attributes can then be used in the participant policy decision-making process (for example whether to accept or reject a call, or assign a specific role).

Managing the available attributes

To create a new attribute, select and then enter the Name and Description of the attribute in the popup form that appears.

The Name entered here must match the associated name in your Identity Provider configuration.

You can also go to Users & Devices > Identity Provider Attributes to directly create, modify or delete any attributes.

Assigning an attribute

Select from the list of Available Attributes the set of attributes to associated with this Identity Provider and then use the right arrow to move the selected attribute into the Chosen Attributes list.

Disable pop-up windows By default, the authentication process for users attempting to join a Virtual Meeting Room takes place via a separate pop-up window. If your environment does not allow or support pop-ups, select this option. For more information, see About pop-up windows.
Advanced options available for SAML only:
Download service metadata

(Available when saved)

This option allows you to download the configuration in a format that can be imported by the Identity Provider.

Advanced options available for OpenID Connect only:
OpenID Connect Token Endpoint authentication type The authentication method used by Pexip Infinity to authenticate when using the token endpoint.
OpenID Connect JWT signature scheme The algorithm used by the Identity Provider to sign the contents of the token.
OpenID Connect UserInfo Endpoint URL You can optionally enter here the URL of an OpenID Connect UserInfo Endpoint if you wish to use the UserInfo Endpoint (rather than the JWT) to retrieve information about the user such as their display name.
eIDAS authentication

The eIDAS level to use in requests and responses.

This should not be changed from the default Disabled unless advised by Pexip support.

Additional OpenID Connect scopes Space-separated list of additional scopes to request from the OpenID Connect Identity Provider.

Configuring the Identity Provider

The next step is to create a new service on the Identity Provider and configure it with details of Pexip Infinity.

All Identity Providers can be configured manually, but some SAML Identity Providers also allow you to upload configuration that has been exported from Pexip Infinity. To do this:

  1. On Pexip Infinity go to Users & Devices > Identity Providers and select the SAML Identity Provider you have just created.
  2. At the bottom of the page select Download service metadata.
  3. Download the file and import it to the Identity Provider.

For full step-by-step instructions on configuring the main supported Identity Providers, see Configuring individual SAML Identity Providers.

Adding the Identity Provider configuration to Pexip Infinity

After you have configured the Identity Provider, you must add its configuration to Pexip Infinity. Some Identity Providers will have provided the option to download a configuration file in XML format (for SAML) or JSON (for OpenID Connect); you have the option to upload this to Pexip Infinity. Note that this will not include the configuration for the display name; this must be done manually.

To complete the configuration, on Pexip Infinity, go back to Users & Devices > Identity Providers and select the Identity Provider. Under the Identity Provider configuration section, complete the following fields (the individual Identity Provider configuration instructions explain where to find this information for each Identity Provider).

Note that the available fields differ between SAML Identity Providers and OpenID Connect Identity Providers:

SAML Identity Provider configuration

Option Description
Identity Provider configuration
Upload file

If you have downloaded configuration from the Identity Provider in XML format, this allows you to import it to Pexip Infinity in order to automatically populate the fields below.

Identity Provider Public Key

The public key used to verify assertions signed by this Identity Provider.
Identity Provider SSO URL The URL to which users are sent when authenticating with this Identity Provider. Custom query string parameters may be appended, e.g. https://<url>?foo=bar.
Identity for the Identity Provider

The identifier for this Identity Provider integration.

For SAML IdPs this is the Entity ID.

Display Name Attribute Name

The SAML 2.0 attribute name from which the user's display name will be extracted. By default the NameID value is used. If this field is blank, participants will be able to enter their own display name.

Note that the format used will vary depending on the Identity Provider.

Registration Alias Attribute Name

The SAML 2.0 attribute name from which the user's registration alias will be extracted.

This field is required if the Identity Provider is being used for device registration.

The alias returned must match the alias being registered, otherwise registration will not be permitted.

OpenID Connect Identity Provider configuration

Option Description
Identity Provider configuration
Upload file

If you have downloaded configuration from the Identity Provider as a JSON discovery document, this allows you to import it to Pexip Infinity in order to automatically populate the fields below.

Identity Provider SSO URL The URL to which users are sent when authenticating with this Identity Provider. Custom query string parameters may be appended, e.g. https://<url>?foo=bar.
OpenID Connect Token Endpoint URL OpenID Connect Token Endpoint URL used for exchanging codes for tokens in the Authorization Code Flow. Not required when using the Implicit Flow.
OpenID Connect JSON Web Key Set URL Download location for your Identity Provider's JSON Web Key Set (JWKS) to enable signature verification. Not required when using HS256 signatures.
Identity for the Identity Provider

The identifier for this Identity Provider integration.

For OpenID Connect IdPs this is the Issuer for returned JWTs.

Display Name Claim Name

The claim name from which the user's display name will be extracted. This can come from either the JWT, or data from the UserInfo endpoint (if one is configured).

By default the name value is used. If this field is blank, participants will be able to enter their own display name.

Note that the format used will vary depending on the Identity Provider.

Registration Alias Claim Name

The claim name from which the user's registration alias will be extracted.

This field is required if the Identity Provider is being used for device registration.

The alias returned must match the alias being registered, otherwise registration will not be permitted.

Creating Identity Provider groups

Each Identity Provider must belong to at least one Identity Provider group in order to be used.

  • An Identity Provider group can contain just a single Identity Provider — for example, if you use only one Identity Provider in your deployment, or if you wish to restrict access to certain VMRs to participants who have authenticated with a particular Identity Provider.
  • A group can contain more than one Identity Provider — for example, you may have more than one Identity Provider in use within your enterprise, and you wish users from some or all of them to be able to access the same SSO-protected VMRs.
  • An Identity Provider can belong to more than one Identity Provider group. For example, you might have one Identity Provider group that contains all the Identity Providers in your enterprise, and other Identity Provider groups that contain subsets of those Identity Providers, or just a single Identity Provider.

To create an Identity Provider group, go to Users & Devices > Identity Providers and complete the following fields:

Option Description
Name The name used to refer to this Identity Provider Group.
Description An optional description of the Identity Provider Group.
Identity Providers From the list of configured Identity Providers, select one or more Identity Providers to add to this Identity Provider Group.