SAML2 idP for Quickchannel Console
The Quickchannel Console supports single sign-on (SSO) with SAML2. Quickchannel also supports access restrictions for watching videos through this integration. This article covers how to set up a connection between your SAML2 Identity Provider (IdP) and the Quickchannel Console.
In order to set up single sign-on with SAML2 for the Console, you need to be an Administrator on the Quickchannel account you are connecting to.
Setting up SAML2
Open the Settings top menu in Console, choose Connections in the side menu and finally open the Single Sign-On tab.
Quickchannel's Authentication API acts as a Service Provider (SP). You will be able to use your Identity Provider (IdP) with Quickchannel's SP to facilitate Single Sign On.
Service Provider configuration is done using the SAML2 IdP metadata, either by retrieving it from a URL or by entering it as text. This is controlled via the options Retrieve IdP metadata from URL and IdP metadata as text.
The Retrieve IdP metadata from URL option requires your SAML2 IdP to publish its metadata at a publicly accessible URL.
The IdP metadata as text option is for copying and pasting the metadata XML. This is useful for on-premise installations whose metadata is not reachable from the internet.
Domain is the email domain that this IdP authenticates. Currently this is restricted to the same email domain as the currently logged-in user.
Finally, Attribute mapping is for extracting user information from the attribute values of the signed SAML2 assertion returned by your IdP. When looking for matching attributes, both the Name and the FriendlyName of the SAML attribute are considered.
Attribute | Description
 | The name of the user's email attribute. This attribute is required.
UUID | The name of the user's GUID or UUID attribute. This is used for tracking users who change email address. This attribute is optional and can be left blank.
Name | The name of the user's name attribute. This attribute is optional and can be left blank.
Role | The name of the user's Quickchannel access role attribute. This is only required for users who should have access to the Quickchannel Console. The attribute value for a user can be either a single value or a mapping between account id and Quickchannel access role. A Quickchannel access role is one of the following: administrator, publisher, user, producer, readonly. (1) If a single value is set, the same role is used on all Quickchannel accounts that the federation has been enabled on. (2) Mappings are of the form accountid:role. Multiple values are supported either as SAML multi-valued attributes or as a comma-concatenated single value: accountid1:role1,accountid2:role2.
Groups | The name of the user's groups attribute. This is only required for restricting media playback using SSO and the signed-in user's group membership. This can be a multi-valued attribute.
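As an added example (not Quickchannel's own code), here is how an SP-side consumer could apply the attribute mapping above to an assertion whose signature has already been verified: it matches a mapped name against either Name or FriendlyName, and parses the Role attribute in both its single-value and accountid:role forms (multi-valued or comma-concatenated). The sample assertion, the attribute names (mail, qcRole, groups) and the account ids are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ROLES = {"administrator", "publisher", "user", "producer", "readonly"}

# Constructed sample assertion. A real one must have its XML signature (SHA-256)
# verified before any attribute is trusted; this snippet assumes that already happened.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="qcRole">
      <saml:AttributeValue>1001:administrator,1002:publisher</saml:AttributeValue>
      <saml:AttributeValue>1003:readonly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>video-editors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attribute_values(root, mapped_name):
    """Values of the first Attribute whose Name or FriendlyName equals the mapped name."""
    for attr in root.iterfind(".//saml:Attribute", NS):
        if mapped_name in (attr.get("Name"), attr.get("FriendlyName")):
            return [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
    return []

def parse_roles(values):
    """One bare role for every federated account, or accountid:role pairs (multi-valued and/or comma-joined)."""
    pairs = [p.strip() for v in values for p in v.split(",") if p.strip()]
    if len(pairs) == 1 and ":" not in pairs[0]:
        if pairs[0] not in ROLES:
            raise ValueError(f"unknown role {pairs[0]!r}")
        return {"*": pairs[0]}          # "*" = applies to all federated accounts
    mapping = {}
    for p in pairs:
        account, sep, role = p.partition(":")
        if not sep or not account or role not in ROLES:
            raise ValueError(f"malformed role mapping {p!r}")
        mapping[account] = role
    return mapping

def extract_user(xml_text, mapping):
    root = ET.fromstring(xml_text)
    email = attribute_values(root, mapping["email"])
    if len(email) != 1:                 # email is the one required attribute
        raise ValueError("exactly one email value is required")
    return {"email": email[0],
            "roles": parse_roles(attribute_values(root, mapping["role"])),
            "groups": attribute_values(root, mapping["groups"])}
```

A user without a Role attribute simply gets an empty role mapping, which matches the table: the role is only needed for users who should reach the Console.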
Technical SP Details
Quickchannel's SAML2 Service Provider supports the Web Browser SSO Profile with an SP-initiated HTTP-Redirect authentication request and an HTTP-POST response from the IdP. SAML2 assertions must be signed by the IdP using a SHA-256 digest.
If you need the SP metadata for configuring your IdP, it is only accessible after the SAML2 connection has been created (after clicking Save, as shown in the screenshot above).
Logging In
Now that your SAML2 IdP is connected to your Quickchannel account, your users can log in either through the normal Quickchannel login page (entering only their email address) or by visiting the linked SSO URL.
Groups Restrictions
If configured correctly, the groups are automatically synced from your SAML2 IdP to Quickchannel via the groups attribute of the SAML2 assertion. This happens whenever a user logs in using SSO, both for the Quickchannel Console and for the security-restriction SSO challenge on media playback. It is also possible to pre-populate the groups:
Limitations
Only one SAML2 connection is possible per email domain name.