Please note, this feature is only available on a certain pricing tier.
1. What are Single Sign-On (SSO) and the SAML 2 protocol?
Single Sign-On (SSO) is a way to improve the security of your organization by enabling your employees to use a single set of login credentials across many applications and services. For example, when an employee leaves and is off-boarded in your central identity system, their access to all connected applications is removed automatically as well.
SAML 2 (Security Assertion Markup Language 2) is an XML-based protocol used in Single Sign-On (SSO) systems to exchange authentication and authorization data between Identity Providers (IdPs) and Service Providers (SPs). It allows for the exchange of security assertions (SAML tokens) that contain information about the user's identity, attributes, and access permissions, and supports a variety of authentication methods, including username and password, digital certificates, and multi-factor authentication. SAML 2 also includes features such as metadata exchange, single logout, and name identifier mapping, which make it a robust and flexible standard for implementing SSO across a wide range of web applications and systems.
2. Which identity providers do we currently support?
ScreenCloud uses secure services such as Auth0, and we currently support the following identity providers:
LDAP SSO
If the identity provider used by your organization is not on this list, it is very likely that you can still use it, provided it supports the SAML 2 protocol.
3. How do I get SSO for my account?
SSO is an extra add-on feature for your ScreenCloud account that is included automatically in the Enterprise plan. For more information on SSO pricing, please reach out to us here to connect with a member of our team.
Once you have a subscription plan that provides this service, you can set up SSO on your own in your account and for your team within ScreenCloud Studio. Please review the instructions below to learn how to do this. In case of issues, we have also provided steps on how to use log sessions to debug the problems that may arise with your configuration setup.
4. SSO Configuration Basics
Before we dive into your account’s SSO setup, let’s first explain some key terms.
Service Provider (SP)
In the case of this setup, ScreenCloud is the SP.
Identity Provider (IdP)
This is the trusted provider that lets you use single sign-on (SSO) to access other websites, for example, Microsoft Azure or Okta.
IdP Metadata XML
This is the metadata XML file that you collect from your SAML 2.0 Identity Provider. It is a document that contains detailed requirements on the protocol and message formatting that your SAML 2.0 identity provider implements in order to federate with a service provider such as ScreenCloud and enable sign-on. When you upload this file to your Single Sign-on (SSO) configuration under the option Upload IdP Metadata XML, your configuration details should be filled in automatically.
Connect with your IdP and review their support documentation to learn how to retrieve this file.
5. Configuring Your SSO
Most of your SSO configuration is set automatically once you upload your IdP’s metadata XML, but for certain SAML 2.0 IdPs, additional information will need to be added. Below is the complete set of configuration fields you will find as you set up your SSO connection with ScreenCloud, and what they mean.
5.1. Single Sign-on (SSO) configuration from IdP
Section 1: Configure Single Sign-on (SSO)
Connection Name
"Connection Name" is an identifying field for an SSO connection; once submitted, it cannot be edited.
Section 2: Slug Name
Slug Name
The slug name is used by your members to log in. This field may contain only lowercase alphanumeric characters; special characters are not allowed.
Upload IdP Metadata XML (Optional)
If you have an IdP metadata XML file, you can upload it here and the relevant details will be filled in for you.
Section 3: Identity Provider
Identity Provider Sign-In URL
The URL provided by your Identity Provider for authenticating users to access ScreenCloud.
X509 Signing Certificate
The IdP’s X.509 signing certificate (its public key), encoded in PEM or CER format.
Sign out URL (Optional)
URL provided by your Identity Provider to redirect users to when they sign out.
Section 4: Attribute Mapping
Our system will automatically try to map the values from your Identity Provider to the following attributes. If you experience problems, you can map the following attributes to the correct fields manually.
User ID
Name
Email
Section 5: Other Settings
Debug mode
This is an option you can turn on or off. Turn it on to log extra information for troubleshooting. We recommend leaving it off by default.
Sign request
This is an option you can turn on or off. Turn it on to digitally sign the SAML authentication request.
Sign request algorithm
Select the algorithm used, RSA-SHA256 or RSA-SHA1, to create the digital signature. This may be filled in automatically from your IdP metadata XML.
Sign request algorithm digest
Select the algorithm used, SHA256 or SHA1, to create the hash that is signed. The most common choice is SHA256 (paired with RSA-SHA256 as the signature algorithm). This may be filled in automatically from your IdP metadata XML.
Protocol binding
Select the protocol binding for the SAML request. Please check with your Identity Provider whether it is HTTP-POST or HTTP-REDIRECT. This may be filled in automatically from your IdP metadata XML.
Enable user enroll (JIT)
This is an option you can turn on or off. Turn it on to automatically create a ScreenCloud user when a user is authenticated by your Identity Provider.
Force SSO - Please reach out to [email protected] to set this up
This is an option you can turn on or off. Forcing login via SSO guarantees that all of your users log in via SSO, ensuring you reap the security benefits for the whole organization.
5.2. ScreenCloud Single Sign-on URLs for IdP
The outcome of your SSO configuration setup will be the following three URLs:
Assertion Consumer Service (ACS) URL
The URL that you enter into your IdP’s SAML configuration.
Audience URL (EntityID)
Sign-On URL
6. How to set up Microsoft Azure SSO with ScreenCloud
Please head to How to setup ScreenCloud Single Sign-On with Microsoft Azure for help with this step.
7. How to set up Okta SSO with ScreenCloud
Before we start, you should have your Okta account’s metadata and information for a SAML app integration. Review the guides from Okta’s Help Center to learn how to obtain this:
7.1. Head to the Single Sign-On tab under your Organization page. This tab will only be visible if SSO has been enabled for your account.
7.2. Begin by creating your connection name, which will most likely be your organization name. Please note that there can be no spaces, and it is recommended that you use all lowercase letters. This cannot be edited once submitted.
7.3. Once you click Continue, you’ll be greeted by additional fields that you can fill in.
7.4. The next field that should be filled in is the Slug Name, which is the identifier for your organization in the SSO URLs that are generated.
7.5. Once this is created, you can then upload your IdP metadata XML file, which will automatically fill in the additional fields for you.
7.6. Under Identity Provider you’ll see that your setup’s IdP URL and certificate file (.crt) are attached.
7.7. Your Attribute Mapping fields will need to be filled in manually because Okta doesn’t include an explicit username and email in its SAML assertion.
You can insert the below information under your Attribute Mapping fields:
User ID
userprincipalname
Name
Email
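As an added illustration (not ScreenCloud’s own code), the following Python shows how a service provider applies an Attribute Mapping like the one above to the AttributeStatement of a SAML assertion, falling back to the Subject NameID for User ID and reporting unmapped fields instead of enrolling a half-populated user. The assertion, the attribute names other than userprincipalname, and the function names are constructed assumptions; it also accepts the short form of URI-style claim names, which goes beyond the Okta case above.

```python
"""Apply a User ID / Name / Email attribute mapping to a SAML 2.0 assertion (added example)."""
import xml.etree.ElementTree as ET  # prefer defusedxml when parsing assertions from the network

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample assertion (signature validation is assumed to have happened upstream).
# Attribute names other than userprincipalname are assumptions, not Okta's real claim names.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_1" Version="2.0">
  <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="userprincipalname"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.example.com/claims/displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The three Attribute Mapping fields, each pointing at an IdP attribute name (hypothetical values).
OKTA_STYLE_MAPPING = {"user_id": "userprincipalname", "name": "displayName", "email": "mail"}

def assertion_attributes(root) -> dict:
    """First value of every attribute, keyed by full Name and by the last segment of URI-style names."""
    attrs = {}
    for attr in root.iter(f"{SAML}Attribute"):
        values = [v.text.strip() for v in attr.findall(f"{SAML}AttributeValue") if v.text]
        if values:
            name = attr.get("Name", "")
            attrs[name] = values[0]
            attrs.setdefault(name.rsplit("/", 1)[-1], values[0])
    return attrs

def map_user(assertion_xml: str, mapping: dict) -> dict:
    """Return {"user_id", "name", "email"}; User ID falls back to the Subject NameID.
    Raises LookupError naming every field the mapping could not resolve."""
    root = ET.fromstring(assertion_xml)
    attrs = assertion_attributes(root)
    name_id = root.findtext(f".//{SAML}Subject/{SAML}NameID")
    user, missing = {}, []
    for field in ("user_id", "name", "email"):
        value = attrs.get(mapping.get(field, ""))
        if value is None and field == "user_id" and name_id:
            value = name_id.strip()  # NameID is the usual stable subject identifier
        if value is None:
            missing.append(f"{field} <- {mapping.get(field)!r}")
        user[field] = value
    if missing:
        raise LookupError("attributes not found in assertion: " + ", ".join(missing))
    return user
```

A mapping that names an attribute the IdP never sends is the usual reason a login succeeds at the IdP but JIT enrollment fails; the LookupError message shows which field to fix.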
7.8. Under Other Settings, you’ll also see your algorithms and protocols have been set. In this section, we recommend that you enable Debug mode so that logs can be created in case of any issues with the setup. For the other toggle options, please feel free to select them according to your preferences. Please note that Force SSO requires that you reach out to support to help set this up.
7.9. Click Save.
7.10. Once your configuration details are saved, you’ll have your three ScreenCloud SSO configuration URLs, which you can provide to your IdP to complete the SSO connection.
8. How to debug with SSO log sessions
Once your setup is complete, you can review your SSO logs to check if your connections are successful.
A Success Exchange notification will appear if your connections are working.
However, a Failed Login notification will appear for failed login attempts.
For example, if you see the error Invalid thumbprint, this means the certificate does not match the one your IdP signs with, or an incorrect algorithm was selected.
As self-service SSO with ScreenCloud was just released, the error message list is currently in progress. Please reach out to support at [email protected] for any unfamiliar error codes that you need help with.
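The following Python is added here and is not part of ScreenCloud’s product. It reads from an IdP metadata XML the values that sections 4 and 5.1 say the upload fills in (sign-in URL per protocol binding, sign-out URL, signing certificate) and computes the certificate thumbprint, so an Invalid thumbprint log entry can be checked against the certificate your IdP actually publishes. The metadata document is constructed, its certificate body is a placeholder rather than a real certificate, and the function names are assumptions.

```python
"""Extract SSO form fields and the signing-certificate thumbprint from IdP metadata (added example)."""
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml for metadata from an untrusted source

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed sample. "YWJj" (base64 of "abc") is a placeholder, not a certificate;
# a real IdP publishes the base64 DER of its signing certificate in that element.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text: str) -> dict:
    """Map the metadata onto the Identity Provider fields of the SSO configuration form."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{MD}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata or not SAML metadata at all")
    # One sign-in URL per binding; the Protocol binding field selects which one is used.
    sign_in = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
               for e in idp.findall(f"{MD}SingleSignOnService")}
    slo = idp.find(f"{MD}SingleLogoutService")
    certs = [k.findtext(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
             for k in idp.findall(f"{MD}KeyDescriptor") if k.get("use", "signing") == "signing"]
    if not certs or not certs[0]:
        raise ValueError("no signing certificate in metadata")
    der = base64.b64decode("".join(certs[0].split()))  # metadata folds the base64 across lines
    return {
        "entity_id": root.get("entityID"),
        "sign_in_urls": sign_in,
        "sign_out_url": slo.get("Location") if slo is not None else None,
        "thumbprint_sha1": hashlib.sha1(der).hexdigest(),  # SHA-1 over the DER, as IdP consoles show it
    }

def thumbprint_matches(expected: str, actual: str) -> bool:
    """Compare thumbprints ignoring case and the colon separators IdP consoles print."""
    clean = lambda t: t.replace(":", "").replace(" ", "").lower()
    return clean(expected) == clean(actual)
```

If the thumbprint of the certificate in the metadata differs from the one your IdP currently signs with, the IdP has rotated its certificate and the metadata (or the uploaded certificate) needs to be refreshed.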
9. How to log in to ScreenCloud with SSO
Please review the guide on How to use Single Sign-On (SSO) to log in to your ScreenCloud Account for help with this.
10. FAQ
My SSO setup wasn’t successful, and I’m seeing Failed logs under my SSO logs.
Please refer to the section How to debug with SSO log sessions to understand the error messages and their meaning. If you do not see your error message here, please contact Support.
Can I set up an Identity Provider (IdP) domain with the self-service SSO setup?
No, but you can reach out to the ScreenCloud support team at [email protected] with your request. Simply provide your domain, and our team will then check and approve the domain and add it to your SSO setup. For security reasons, IdP domains can only be applied by our team.
What is JIT and why should I have this enabled?
With JIT (Just-in-Time provisioning), user accounts are created automatically on the SP side when the user first logs in using SSO. JIT is useful in situations where many users only need to access the SP occasionally or where it is difficult to pre-provision user accounts in advance, such as with external partners or customers. JIT eliminates the need for manual account creation and management, making the SSO process more efficient and streamlined. ScreenCloud does not charge per user account so it is safe to enable automatic enrollment if you prefer.
What is Force SSO and why do I need to reach out to support to request this?
With Force SSO enabled for your organization, users will no longer be able to use a username and password to authenticate. They can only access their account with their SSO login. This option is not made available in the Self-Service setup to prevent users from locking themselves out. To have this feature enabled, please reach out to Support.
Do you support System for Cross-Domain Identity Management (SCIM)?
No. Unfortunately, this setup is not available at this time.
Why is the Identity Provider Initiated (IdP-initiated) flow not provided?
We’ve chosen not to allow the IdP-initiated flow because it is less secure than the SP-initiated flow.
I uploaded a new certificate, but I can't save the changes to my SSO settings. How can I add a new certificate?
Please reach out to our support team and provide the necessary file. The team will then help make the changes for you.