About participant authentication

You can optionally require participants who are attempting to access an individual Virtual Meeting Room (VMR) or Virtual Auditorium in your deployment to verify their identity using Single Sign On (SSO) before joining the meeting. To do this, first you set up one or more Identity Providers, which are third-party services (such as ADFS, Azure AD or Okta) with which users authenticate using SSO. Then, you configure individual VMRs to require that Hosts, Guests, or both authenticate with the Identity Provider in order to access that VMR.

The use of participant authentication provides an additional, optional layer of security to prevent unauthorized access to meetings, and can also verify the display name used by participants. Authentication is supported for participants joining via the latest versions of the Pexip Infinity Connect clients (i.e. the Infinity Connect web app from v27 onwards, and the desktop and mobile clients from v1.9 onwards). Participants joining from other devices (such as SIP or H.323 endpoints) can optionally be permitted to join if they are locally registered (i.e. registered to the same Pexip Infinity deployment as the VMR they are attempting to access).

Authentication and PINs

VMRs and Virtual Auditoriums that require authentication can optionally use Host and Guest PINs.

For Infinity Connect clients:

  • If PINs are configured:
    • participants will need to enter the PIN before authenticating
    • the PIN that they enter will determine whether they are a Host or a Guest, which will then determine whether or not they need to authenticate, and if so, the Identity Providers to be used
    • a participant who has joined as a Guest can subsequently be escalated to a Host without authentication.
  • If PINs are not configured, all users will be treated as Hosts when authenticating.

For all other devices:

  • If PINs are configured, and the device is locally registered, and Other participants is set to Allowed if trusted, the participant will need to enter a PIN before joining the meeting.
  • If PINs are not configured, and the device is locally registered, and Other participants is set to Allowed if trusted, the participant will join the meeting automatically as a Host.
  • In all other cases, the participant will be held in a waiting room and must wait to be admitted to the meeting by a Host. They will not be asked for a PIN and will join as a Guest.

Infinity Connect clients

The latest versions of the Infinity Connect clients support participant authentication. These are:

  • Infinity Connect web app from v27 and later
  • Infinity Connect desktop client from v1.9 and later
  • Infinity Connect mobile clients for iOS and Android from v1.9 and later.

Participants using older versions of the Infinity Connect clients will not be able to join a VMR with participant authentication enabled. When attempting to join they will instead receive a message saying that their client does not support SSO-protected meetings, and suggesting they upgrade their client.

Participants using other versions of the Infinity Connect clients can still join VMRs if:

  • the VMR does not require participant authentication
  • the VMR requires participant authentication for Hosts only, and the participant is joining as a Guest
  • the VMR requires participant authentication for Guests only, and the participant is joining as a Host.

Note that all references to Infinity Connect client support also include bespoke WebRTC clients built using the Pexip client APIs.

Joining a SSO-protected VMR

To join a Virtual Meeting Room or Virtual Auditorium with participant authentication enabled, using an Infinity Connect client:

  1. Access the VMR in the usual way (e.g. by entering the room name, or via a Virtual Reception).
  2. Enter the PIN (if required).
  3. You are now asked to sign in with your Identity Provider:

    If your organization uses more than one Identity Provider, you'll see them all listed; choose the one you wish to authenticate with:

    The name that appears on each button in the pop-up is the Name for the Identity Provider that is configured on Pexip Infinity.

  4. If this is the first time you have used this Identity Provider, you will be redirected to the Identity Provider where you must enter your username and password. Otherwise, if you've already authenticated with the Identity Provider when accessing this or any other VMR, the authentication will happen automatically using your previous credentials.

    Occasionally (at a period determined by the Identity Provider) your authentication session will expire and you will need to re-enter your username and password.

  5. After successfully authenticating, you will go straight into the meeting.

Other devices

If authentication is enabled for a VMR or Virtual Auditorium, you can also determine how to treat participants attempting to join from devices other than Infinity Connect clients, such as SIP or H.323 endpoints. You do this via the Other participants setting, where you have options to either put all such devices into a waiting room, or allow these devices to bypass the waiting room, but only if they are locally registered (i.e. registered to a Conferencing Node in the same deployment as the VMR or VA they are attempting to access).

Note that although Infinity Connect clients can be registered, the Other participants setting does not apply to them.

For each Virtual Meeting Room or Virtual Auditorium:

  • if Other participants is set to Allowed if trusted:
    • registered devices join the meeting directly (although they will still need to enter a Host or Guest PIN if required)
    • unregistered devices are placed in the waiting room;
  • if Other participants is set to Disallow all:
    • both registered and unregistered devices are placed in the waiting room.

From the waiting room, participants must wait to be admitted to the conference by a meeting Host. Upon admission, they will not be asked for a PIN and will join as a Guest.

Transferring participants

It is possible to transfer participants from another VMR into a VMR that requires authentication.

For participants using a supported Infinity Connect client:

  • Participants using an Infinity Connect client can be transferred into a VMR that requires authentication only if the original VMR also required authentication and used the same Identity Provider as the destination VMR; the participant will not need to re-authenticate in order to join the destination VMR. If the original VMR did not require authentication, or the destination VMR uses a different identity provider, the transfer will not be initiated and the participant will remain in the original VMR.
  • Participants using an Infinity Connect client can be transferred from a VMR that requires authentication into a VMR that does not require authentication. From there, a participant can be transferred into a third VMR that requires authentication only if that VMR uses the same Identity Provider as the original VMR; the participant will not need to re-authenticate in order to join the third VMR. Otherwise, the transfer will not be initiated and the participant will remain in the second VMR.

For other devices, when a participant using a locally registered endpoint is transferred, if Other participants is set to Allowed if trusted the participant will join the meeting directly (although they will still need to enter a Host or Guest PIN if required). In all other cases, for both registered and unregistered devices, the transfer will fail and the participant will remain in the original VMR.
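The join rules given under Authentication and PINs and Other devices, together with the transfer rules in this section, encoded as one decision table. This is an added example and not Pexip's code; the policy field names (require_auth_for, identity_provider, pins, other_participants) and the outcome labels are this example's own, and the PIN values and Identity Provider names used in it are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Literal, Optional

Role = Literal["host", "guest"]
Admission = Literal["direct", "waiting_room", "rejected"]


@dataclass(frozen=True)
class VmrAuthPolicy:
    """Authentication settings of one VMR; the field names are this example's own labels."""
    require_auth_for: Optional[Literal["hosts", "guests", "both"]]  # None: no SSO required
    identity_provider: Optional[str]   # Identity Provider used when SSO is required
    pins: Dict[str, Role]              # PIN -> role it grants; empty means no PINs configured
    other_participants: Literal["allowed_if_trusted", "disallow_all"]

    @property
    def requires_auth(self) -> bool:
        return self.require_auth_for is not None


@dataclass(frozen=True)
class JoinOutcome:
    admission: Admission
    role: Optional[Role]
    pin_required: bool
    sso_required: bool


def role_from_pin(policy: VmrAuthPolicy, entered_pin: Optional[str]) -> Optional[Role]:
    """The PIN entered decides the role; with no PINs configured everyone is a Host.
    Returns None when a PIN is required and the one entered matches nothing."""
    if not policy.pins:
        return "host"
    if entered_pin is None:
        return None
    return policy.pins.get(entered_pin)


def infinity_connect_outcome(policy: VmrAuthPolicy, entered_pin: Optional[str]) -> JoinOutcome:
    """Infinity Connect clients (and bespoke WebRTC clients on the client APIs): PIN first,
    then the role decides whether the participant must sign in with the Identity Provider."""
    role = role_from_pin(policy, entered_pin)
    if role is None:
        return JoinOutcome("rejected", None, True, False)
    must_sign_in = policy.require_auth_for in ("both", role + "s")
    return JoinOutcome("direct", role, bool(policy.pins), must_sign_in)


def other_device_outcome(policy: VmrAuthPolicy, locally_registered: bool,
                         entered_pin: Optional[str]) -> JoinOutcome:
    """SIP, H.323 and similar devices cannot do SSO: only locally registered devices, and only
    when Other participants is 'Allowed if trusted', bypass the waiting room."""
    if locally_registered and policy.other_participants == "allowed_if_trusted":
        role = role_from_pin(policy, entered_pin)
        if role is None:
            return JoinOutcome("rejected", None, True, False)
        return JoinOutcome("direct", role, bool(policy.pins), False)
    # Everyone else waits for a Host to admit them, is not asked for a PIN and joins as a Guest.
    return JoinOutcome("waiting_room", "guest", False, False)


def infinity_connect_transfer_allowed(authenticated_with: Optional[str],
                                      destination: VmrAuthPolicy) -> bool:
    """A transfer into an SSO-protected VMR is only initiated when the participant already
    authenticated, earlier in the same session, with the destination's Identity Provider."""
    if not destination.requires_auth:
        return True
    return authenticated_with is not None and authenticated_with == destination.identity_provider


def other_device_transfer_allowed(locally_registered: bool, destination: VmrAuthPolicy) -> bool:
    """For other devices the transfer only succeeds when the device is locally registered and
    the destination allows trusted devices; in every other case the participant stays put."""
    if not destination.requires_auth:
        return True
    return locally_registered and destination.other_participants == "allowed_if_trusted"
```

The two join functions differ only in who can be asked to sign in: a SIP or H.323 device never reaches an Identity Provider, so the only thing that lets it past the waiting room is local registration combined with Allowed if trusted, and even then the PIN still decides its role.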

Authentication and VMR Scheduling for Exchange

You can optionally require participant authentication for meetings scheduled using Pexip's VMR Scheduling for Exchange feature. For more information, see PINs and authentication.

Display names

Each Identity Provider offers a given set of attributes for a user (such as their display name, given name, surname and email address).

For Virtual Meeting Rooms and Virtual Auditoriums that require participant authentication, the name shown for each participant (in the participant list, and as a text overlay when Show names of participants is enabled) will depend on what is configured in the Display Name Attribute Name setting for the associated Identity Provider, as follows:

  • By default, the NameId attribute is used. This is the user's unique ID; what it contains will depend on the Identity Provider.
  • To use an attribute other than NameId, enter it here. Note that the format used will vary depending on the Identity Provider.
  • To let participants enter their own name, ensure this field is blank.

When the display name is based on information provided by the Identity Provider, it cannot be changed (for example, by the participant, the meeting Host, or via the Client API).

When is SSO not required?

In all cases, devices can join a meeting protected by SSO without needing to authenticate if:

Supported Identity Providers

The participant authentication feature uses SAML 2.0, a widely used industry-standard protocol. This release of Pexip Infinity supports the following SAML Identity Providers:

  • ADFS
  • Azure AD
  • Okta

We have provided step-by-step guides for configuring ADFS, Azure AD and Okta. For guidance configuring other Identity Providers, please contact your Pexip authorized support representative.

Process for enabling Identity Providers

When setting up an Identity Provider, some configuration needs to be generated on Pexip Infinity and then added to the Identity Provider, and vice versa.

To make the setup easier, we have provided the ability to download a configuration file from Pexip Infinity which can be uploaded to the Identity Provider. You can also subsequently import configuration from the Identity Provider to Pexip Infinity.

In summary, the process is as follows:

  1. On Pexip Infinity, create the Identity Provider record and download the configuration. For full details see Adding Pexip Infinity service configuration.
  2. On the Identity Provider, create a new service and upload the Pexip Infinity configuration to it. For full details see Configuring individual Identity Providers.
  3. Return to Pexip Infinity and either import the configuration file from the Identity Provider, or complete the configuration manually. For full details, see Adding the Identity Provider configuration to Pexip Infinity.
  4. On Pexip Infinity, add the Identity Provider to one or more Identity Provider Groups. For full details see Creating Identity Provider groups.
  5. Configure individual Virtual Meeting Rooms and Virtual Auditoriums to use one of the Identity Provider Groups for participant authentication. For details, see Participant authentication.

    If your deployment uses Pexip's VMR Scheduling for Exchange feature, you can also require participant authentication for single-use VMRs — for more information, see PINs and authentication.

Adding Identity Providers to Pexip Infinity

An Identity Provider is the third-party service (such as ADFS, Azure AD or Okta) with which users authenticate using Single Sign On (SSO) in order to access a VMR or Virtual Auditorium.

About ACS URLs

When configuring an Identity Provider, you must list one or more Assertion Consumer Service (ACS) URLs that are valid for that provider. ACS URLs are used in the authentication process to identify the source of a request, and also as an address to which the response to the request is returned. ACS URLs must include the FQDN of the webapp as part of the URL.

If users in your deployment are able to access the webapp from more than one FQDN, then you must configure each Identity Provider (both on Pexip Infinity and on the Identity Provider itself) with the same number of corresponding ACS URLs. To help you, we have included an option to automatically add ACS URLs for every FQDN used by each Conferencing Node in your deployment. (Note that if you use this option, you will still need to add the individual ACS URLs to your Identity Provider configuration.) You can also add additional ACS URLs manually from within the Advanced ACS options section.

Adding Pexip Infinity service configuration

The configuration for the Identity Provider is in two sections on Pexip Infinity.

Firstly, go to Users & Devices > Identity Providers and select Add Identity Provider. Complete the Service configuration section, as follows:

Service configuration

  Name
    The name used to refer to this Identity Provider.

    This name will be visible to end users, so you should use a name that will help users differentiate between Identity Providers without compromising security.

  Description
    An optional description of the Identity Provider.

  UUID
    A unique identifier for this Identity Provider configuration. A value is automatically assigned and there is normally no need to modify it.

  Certificate
    Certificate used by Pexip Infinity when communicating with the Identity Provider.

  Private key
    Private key used by Pexip Infinity when communicating with the Identity Provider.

  ACS URL
    A URL that can be used in the authentication process with this Identity Provider.

    This should be in the format:
      https://<webapp_FQDN>/api/v1/samlconsumer/<uuid>
    where <webapp_FQDN> is the FQDN from which the web app is accessed, and <uuid> is the UUID shown in the field above.

    You should provide one ACS URL for every web app FQDN used in your deployment; further ACS URLs can be added from the Advanced ACS options section below.

    For more information, see About ACS URLs.

  SAML 2.0 Entity ID for this service
    An identifier for the service on Pexip Infinity. We recommend that you use the FQDN from which the web app is accessed, for consistency.

  Signature algorithm
    Signature algorithm used to sign SAML authentication request messages and service metadata.

  Digest algorithm
    Digest algorithm used to sign SAML authentication request messages and service metadata.

Advanced ACS options

  Create ACS URLs from Conferencing Node FQDNs
    Automatically generate allowed ACS URLs from the configured FQDNs for each Conferencing Node.

    For more information, see About ACS URLs.

  Additional ACS URL
    Enter any additional ACS URLs valid for use with this Identity Provider.

    For more information, see About ACS URLs.

Download service metadata (available once saved)
    This option allows you to download the configuration in a format that can be imported by the Identity Provider.

Select Save.
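As an added example (not Pexip's own code), the following Python builds the per-FQDN ACS URLs in the format documented above, checks a presented ACS URL against that allow-list the way an assertion consumer should, and emits SP metadata of the kind the Download service metadata option provides for import into the Identity Provider. The FQDNs, UUID and certificate text are constructed; the HTTP-POST binding for the ACS endpoint and the signed-request/signed-assertion flags in the metadata are assumptions based on the Signature algorithm and Identity Provider Public Key settings, since the page does not name the binding.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, List
from urllib.parse import SplitResult, urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"  # assumed binding for the ACS endpoint

# Constructed values for this example (not a real deployment).
NODE_FQDNS = ["meet.example.test", "join.example.test"]      # one per web app FQDN
IDP_UUID = "11111111-2222-3333-4444-555555555555"            # the UUID field of the IdP record
SP_ENTITY_ID = "meet.example.test"                           # the page recommends the web app FQDN
SIGNING_CERT_B64 = "MIIC-CONSTRUCTED-CERT"                   # stands in for the base64 X.509 certificate


def acs_urls_for(fqdns: Iterable[str], idp_uuid: str) -> List[str]:
    """One ACS URL per web app FQDN, in the format documented on this page."""
    return [f"https://{fqdn}/api/v1/samlconsumer/{idp_uuid}" for fqdn in fqdns]


def _normalised(url: str) -> SplitResult:
    parts = urlsplit(url)
    return parts._replace(scheme=parts.scheme.lower(), netloc=parts.netloc.lower())


def is_allowed_acs_url(url: str, allowed: Iterable[str]) -> bool:
    """Exact match against the allow-list: scheme and host compared case-insensitively, path,
    query and fragment compared verbatim, so a response can only go to a configured address."""
    target = _normalised(url)
    return any(_normalised(candidate) == target for candidate in allowed)


def build_sp_metadata(entity_id: str, acs_urls: List[str], signing_cert_b64: str) -> bytes:
    """SAML 2.0 SP metadata equivalent to what 'Download service metadata' gives an IdP."""
    ET.register_namespace("md", MD_NS)
    ET.register_namespace("ds", DS_NS)
    root = ET.Element(f"{{{MD_NS}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD_NS}}}SPSSODescriptor", {
        "protocolSupportEnumeration": SAML_PROTOCOL,
        "AuthnRequestsSigned": "true",     # requests are signed with the Signature algorithm setting
        "WantAssertionsSigned": "true",    # assertions are verified with the IdP public key
    })
    key = ET.SubElement(sp, f"{{{MD_NS}}}KeyDescriptor", {"use": "signing"})
    x509 = ET.SubElement(ET.SubElement(key, f"{{{DS_NS}}}KeyInfo"), f"{{{DS_NS}}}X509Data")
    ET.SubElement(x509, f"{{{DS_NS}}}X509Certificate").text = signing_cert_b64
    for index, url in enumerate(acs_urls):
        ET.SubElement(sp, f"{{{MD_NS}}}AssertionConsumerService", {
            "Binding": HTTP_POST, "Location": url, "index": str(index),
            "isDefault": "true" if index == 0 else "false",
        })
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def acs_locations(metadata: bytes) -> List[str]:
    """Read the ACS Locations back out of SP metadata (what the IdP will import)."""
    root = ET.fromstring(metadata)
    return [e.get("Location") for e in root.iter(f"{{{MD_NS}}}AssertionConsumerService")]


if __name__ == "__main__":
    urls = acs_urls_for(NODE_FQDNS, IDP_UUID)
    print(build_sp_metadata(SP_ENTITY_ID, urls, SIGNING_CERT_B64).decode())
```

The allow-list check is exact on purpose: a host that merely begins with a listed FQDN, an http scheme, or a trailing slash are all rejected, which is what keeps the response from being posted to an address that was never configured on either side.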

Configuring the Identity Provider

The next step is to create a new service on the Identity Provider and configure it with details of Pexip Infinity.

If the Identity Provider supports it, you can export the configuration from Pexip Infinity and upload it to the Identity Provider. To do this:

  1. On Pexip Infinity go to Users & Devices > Identity Providers and select the Identity Provider you have just created.
  2. At the bottom of the page select Download service metadata.
  3. Download the file and import it to the Identity Provider.

For full step-by-step instructions on configuring the main supported Identity Providers, see Configuring individual Identity Providers.

Adding the Identity Provider configuration to Pexip Infinity

After you have configured the Identity Provider, you must add its configuration to Pexip Infinity. Some Identity Providers will have provided the option to download a configuration file in XML format; you have the option to upload this to Pexip Infinity.

To complete the configuration, on Pexip Infinity, go back to Users & Devices > Identity Providers and select the Identity Provider. Under the Identity Provider configuration section, complete the following fields (the individual Identity Provider configuration instructions explain where to find this information for each Identity Provider):

Identity Provider configuration

  Upload file
    If you have downloaded configuration from the Identity Provider in XML format, this allows you to add it to Pexip Infinity in order to automatically populate the fields below.

  Identity Provider Public Key
    The public key used to verify assertions signed by this Identity Provider.

  Identity Provider SSO URL
    The URL to which users are sent when authenticating with this Identity Provider.

  SAML 2.0 Entity ID for the Identity Provider
    The Entity ID for this SAML Identity Provider integration.

  Display Name Attribute Name
    The SAML 2.0 attribute name from which the user's Display Name will be extracted. By default the NameID value is used. If this field is blank, participants will be able to enter their own display name.

    Note that the format used will vary depending on the Identity Provider.

Select Save.
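The Upload file and Display Name Attribute Name behaviour described in the fields above, and the Display names section earlier on this page, as an added Python example (not Pexip's code). It reads the Entity ID, SSO URL and signing certificate out of a constructed sample of the XML an Identity Provider exports, then selects the participant's display name from a constructed assertion according to the configured attribute: NameID by default, another attribute when one is named, and none (so the participant types their own) when the field is blank. Issuer and Audience checks are included; verifying the assertion's XML signature with the Identity Provider Public Key needs an XML-DSig library and is assumed to have happened before this code runs. The attribute name urn:example:displayname and all hostnames are constructed.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample of the XML an Identity Provider lets you download (not from a real IdP).
SAMPLE_IDP_METADATA = b"""<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC-CONSTRUCTED-CERT
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample assertion; its XML signature is assumed to have been verified already
# against the Identity Provider Public Key (that step needs an XML-DSig library).
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-1" Version="2.0">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>meet.example.test</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:displayname">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass(frozen=True)
class IdpConfig:
    """The 'Identity Provider configuration' fields from the page."""
    entity_id: str
    sso_url: str
    public_key_cert: str                   # base64 X.509 certificate with whitespace removed
    display_name_attribute: Optional[str]  # "NameID" (default), another attribute name, or None (blank)


def idp_config_from_metadata(xml_bytes: bytes,
                             display_name_attribute: Optional[str] = "NameID") -> IdpConfig:
    """Populate the fields from an uploaded IdP metadata file, as the 'Upload file' option does."""
    root = ET.fromstring(xml_bytes)
    idp = root.find(f"{MD}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    key = idp.find(f"{MD}KeyDescriptor[@use='signing']")
    if key is None:  # a KeyDescriptor without 'use' serves both signing and encryption
        key = idp.find(f"{MD}KeyDescriptor")
        if key is None or key.get("use") is not None:
            raise ValueError("metadata has no signing certificate")
    cert = key.find(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
    if cert is None or not cert.text:
        raise ValueError("signing KeyDescriptor has no X509Certificate")
    sso = idp.find(f"{MD}SingleSignOnService[@Binding='{HTTP_REDIRECT}']")
    if sso is None:  # an Element with no children is falsy, so always test 'is None'
        sso = idp.find(f"{MD}SingleSignOnService")
    if sso is None:
        raise ValueError("metadata has no SingleSignOnService")
    return IdpConfig(root.attrib["entityID"], sso.get("Location"),
                     "".join(cert.text.split()), display_name_attribute)


def display_name_from_assertion(assertion_xml: bytes, cfg: IdpConfig,
                                sp_entity_id: str) -> Optional[str]:
    """Name to show in the participant list, or None when the participant may type their own.
    Also checks the assertion came from the configured IdP and is addressed to this service."""
    assertion = ET.fromstring(assertion_xml)
    if assertion.findtext(f"{SAML}Issuer") != cfg.entity_id:
        raise ValueError("assertion issued by an Identity Provider that is not configured")
    audiences = {(a.text or "").strip() for a in assertion.iter(f"{SAML}Audience")}
    if sp_entity_id not in audiences:
        raise ValueError("assertion is not addressed to this service's Entity ID")
    if not cfg.display_name_attribute:
        return None
    if cfg.display_name_attribute == "NameID":
        return assertion.findtext(f"{SAML}Subject/{SAML}NameID")
    for attribute in assertion.iter(f"{SAML}Attribute"):
        if attribute.get("Name") == cfg.display_name_attribute:
            return attribute.findtext(f"{SAML}AttributeValue")
    # The page does not say what Pexip does when the attribute is absent; this example rejects.
    raise ValueError(f"assertion carries no {cfg.display_name_attribute!r} attribute")
```

Because the name comes straight from the Identity Provider's assertion, nothing downstream (the participant, the Host, or the Client API) gets to overwrite it, which is the property the Display names section relies on; the Issuer and Audience checks are what stop an assertion minted for a different service, or by a provider that is not in the VMR's Identity Provider group, from supplying one.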

Creating Identity Provider groups

Each Identity Provider must belong to at least one Identity Provider group in order to be used.

  • An Identity Provider group can contain just a single Identity Provider — for example, if you use only one Identity Provider in your deployment, or if you wish to restrict access to certain VMRs to participants who have authenticated with a particular Identity Provider.
  • A group can contain more than one Identity Provider — for example, you may have more than one Identity Provider in use within your enterprise, and you wish users from some or all of them to be able to access the same SSO-protected VMRs.
  • An Identity Provider can belong to more than one Identity Provider group. For example, you might have one Identity Provider group that contains all the Identity Providers in your enterprise, and other Identity Provider groups that contain subsets of those Identity Providers, or just a single Identity Provider.

To create an Identity Provider group, go to Users & Devices > Identity Providers and complete the following fields:

  Name
    The name used to refer to this Identity Provider Group.

  Description
    An optional description of the Identity Provider Group.

  Identity Providers
    From the list of configured Identity Providers, select one or more Identity Providers to add to this Identity Provider Group.