Interaction Between HMP and an AD FS System

The following diagram shows how an HMP server configured to use SSO interacts with an AD FS system to allow a user to log in with their Active Directory credentials.

  1. The user browses to the URL for Haivision Media Platform.
  2. If the user is not logged in (i.e., the web browser has no current security token), HMP returns a claim redirecting the browser to the appropriate AD FS Authentication Server. This is a simple redirect from HMP to the AD FS Relying Party Trust callback endpoint. No information about the user is exchanged.
  3. The AD FS Authentication Server displays a login page in the user's web browser.
  4. The user logs in to the AD FS Authentication Server with their Active Directory credentials.
  5. The AD FS Authentication Server communicates with a domain controller to verify the user's credentials, and then processes the claim rules associated with HMP. It returns a security token to the web browser that contains the response to the original claim (the user's UPN).
  6. The web browser passes the security token to HMP.
  7. HMP validates the token, then sends a new security token to the web browser. This token defines the user's access privileges on HMP.

At this point, the user is logged into HMP and may use its services until they log out or the session expires.

Note

When a user who has already authenticated to the SSO Authentication Server and holds a valid security token accesses HMP, that token's validity is checked (after step 2) and the user is passed into the HMP environment with their access rights, without additional authentication.
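
The token handling in steps 5 to 7, as an added example that is not Haivision or AD FS code: it shows checks a relying party typically applies before trusting an identity provider's token (the page does not list HMP's own checks). The HMAC tag stands in for the token's real signature, and all keys, URLs, the ROLES mapping and function names are constructed assumptions.

```python
import base64, hashlib, hmac, json

# Constructed values for illustration only; not HMP or AD FS configuration.
ADFS_KEY = b"constructed-adfs-signing-key"  # stand-in for the AD FS token-signing key
HMP_KEY = b"constructed-hmp-session-key"    # hypothetical key for HMP's own tokens
ISSUER = "https://adfs.example.test/adfs/services/trust"
AUDIENCE = "https://hmp.example.test/"
ROLES = {"alice@example.test": ["viewer", "publisher"]}  # hypothetical UPN -> privileges

def sign(claims, key):
    """Serialize claims and append an HMAC-SHA256 tag (stand-in for the real signature)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag

def verify(token, key):
    """Return the claims if the tag is valid, else raise ValueError."""
    body, sep, tag = token.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not sep or not hmac.compare_digest(tag, expected):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body))

def adfs_issue(upn, now):
    """Step 5: the identity provider returns a token carrying the user's UPN."""
    return sign({"iss": ISSUER, "aud": AUDIENCE, "upn": upn,
                 "nbf": now, "exp": now + 300}, ADFS_KEY)

def hmp_login(token, now):
    """Steps 6-7: validate the identity provider's token, then issue a session token."""
    claims = verify(token, ADFS_KEY)       # signed by the trusted issuer?
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != AUDIENCE:      # minted for this relying party?
        raise ValueError("wrong audience")
    if not claims["nbf"] <= now < claims["exp"]:
        raise ValueError("token outside validity window")
    upn = claims.get("upn")
    if upn not in ROLES:
        raise ValueError("no privileges mapped for this UPN")
    return sign({"sub": upn, "roles": ROLES[upn], "exp": now + 3600}, HMP_KEY)

def rejected(token, now):
    """True if hmp_login refuses the token."""
    try:
        hmp_login(token, now)
        return False
    except (ValueError, KeyError):
        return True
```

The second token is signed with a different key and carries only what the application needs (subject, privileges, expiry), so the identity provider's token is not reused as the session credential.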