Integrating HMP with Single Sign-On (SSO) Environments
You can integrate Haivision Media Platform with an Active Directory-based Single Sign-On (SSO) environment, specifically Active Directory Federation Services (AD FS) and Azure AD. This feature simplifies and centralizes authentication and identity management.
Single Sign-On enables users to move between services securely and without interruption, with no need to specify their credentials each time. After your users sign in to their directory server, they are automatically granted access to HMP.
HMP's browser-based SSO implementation supports the following standard identity protocols: Security Assertion Markup Language (SAML2), WS-Federation, and OAuth2.
- WS-Fed and SAML2 work for Windows Server 2008+ / AD FS 2.0+ and Azure.
- OAuth2 works for Windows Server 2012 R2 / AD FS 3.0+ and Azure.
With Azure AD, you must use a Windows Server with Azure AD Connect for Directory Services configuration. The current HMP release does not support SSO for users created directly on Azure AD; after a user is authorized by Azure AD, HMP must be able to query a traditional Active Directory system for user and group details.
When a user authenticates using single sign-on, HMP takes the User Principal Name (UPN) from the token that it receives from the identity provider and creates a user session for the HMP user with that associated UPN. For AD FS, the Relying Party Trust that HMP is configured to use should pass through the UPN as a claim.
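One way to add that UPN pass-through rule on the AD FS server, as an added example that is not Haivision's own code. The trust name `HMP` is a placeholder, and the claim type is the standard AD FS UPN claim type URI, assumed here to be the one HMP reads.

```powershell
# Added example. Run in an elevated PowerShell session on the AD FS server.
# Assumption: 'HMP' is a placeholder for the display name of the Relying
# Party Trust that HMP is configured to use.
$rpName = 'HMP'

# Assumption: HMP reads the standard AD FS UPN claim type.
$upnType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn'

# Claim rule: look up userPrincipalName in Active Directory for the
# authenticated Windows account and issue it as the UPN claim.
$upnRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying Party Trust '$rpName' not found." }

if ($rp.IssuanceTransformRules -like "*$upnType*") {
    # An existing rule already references the UPN claim type; leave it alone.
    Write-Output "A rule on '$rpName' already references the UPN claim type; nothing changed."
} else {
    # Append rather than overwrite, so existing issuance rules stay in place.
    $rules = "{0}`n{1}" -f $rp.IssuanceTransformRules, $upnRule
    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules
    Write-Output "Added the UPN rule to '$rpName'."
}

# Show the resulting rule set for review.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```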
To integrate Haivision Media Platform with an SSO environment:
- On the Directory Services pane, verify that the Directory Service button is toggled to On.
- Scroll down the Directory Services pane and toggle the Single Sign-On button to On.
- Select the Sign-In Protocol for your system: OAuth2, WS-Fed, or SAML2.
Note
- Azure AD and AD FS 2.0+ support authentication using WS-Fed and SAML2.
- Azure AD and AD FS 3.0+ (Windows Server 2012 R2) support authentication using OAuth2.
An example OAuth2 screenshot is shown below:
- Enter values in the remaining fields. See Single Sign-On (SSO) Settings.
- Click Save Settings to save the connection.