Administrators can setup a secure connection between the Video Platform – referred to as the Service Provider, or SP - and ADFS – referred to as the Identity Provider, or IDP - using the SAML 2.0 protocol. Once properly configured, the SP and IDP will communicate using SAML 2.0 requests/responses in order to authenticate and login users. Both the SP and IDP must be configured to complete this process.
ADFS (IDP) Configuration
There are three distinct parts to the ADFS configuration:
- Creating a Relying Party Trust (RPT) with the Video Platform.
- Add Claim Rules to the RPT so that SAML responses contain the correct information about the user.
- Adjusting the hash algorithm of the RPT. Ensure that all 3 parts are completed so that configuration is done properly.
For some steps 'Organization', is to be replaced by the wildcard DNS of the institution associated with the Video Platform. As an example, for “https://hudson.yuja.com”, would be replaced by “hudson”.
Creating a Relying Party Trust
- On the ADFS server, open the application ADFS Management. In the left panel, under Trust Relationships, click on Relying Party Trusts.
- In the Actions tab, click on Add Relying Party Trust. In the Add Relying Party Trust Wizard window, click Start.
- Select Enter data about the relying party manually. Follow the steps below to configure the RPT.
- Enter a display name for the RPT (e.g. “YuJa”). Click Next.
- Select ADFS Profile and click Next.
- On the Configure Certificate step, click Next. Do not encrypt claims sent to YuJa.
- Select Enable support for the SAML 2.0 WebSSO protocol. For the Relying party SAML 2.0 SSO Service URL enter: “https://<YOUR_YUJA_DOMAIN>.yuja.com/D/SamlReceiveResponse”, without the quotations. Click Next.
- For the Relying party trust identifier, enter: “https://<YOUR_YUJA_DOMAIN>.yuja.com”, without the quotations. Click Add, then click Next.
- Select I do not want to configure multi-factor authentication settings for this relying party trust at this time. Click Next.
- Select Permit all users to access this relying party. Click Next.
- Review the settings to make sure everything is correct, then click Next.
- Make sure to have Open the Edit Claim Rules dialog for this relying party trust when the wizard closes selected, then click Close.
Adding Claim Rules
- To create/edit claim rules, first click on the RPT. On the right panel, click Edit Claim Rules.
- In the Edit Claim Rules window, click Add Rule.
- Select Send LDAP Attributes as Claims and click Next.
- Enter a Claim rule name.
- Select Active Directory as the Attribute Store.
- Create four claim mappings. The fifth one, yujaUserIDmapping is optional and is used to replace the user's YuJa ID with the yujaUserIDmapping field.
LDAP Attribute Outgoing Claim Type E-Mail-Addresses E-mail Address Given-Name Given Name Surname Surname <An attribute relating to the role of a user> Role <An attribute relating to the role of a user> yujaUserIDmapping The Role Claim is used to determine if users are provisioned as students (the default) or are given enhanced privileges (Instructor/IT Manager). The suggested values for this field are IT Manager and Instructor (for users you wish to have IT Manager/Instructor privileges respectively), but you can use existing/custom values.
- Click Finish.
- Now, create a second claim rule. Click Add Rule. Select Transfer Incoming Claim. Click Next.
- Enter a Claim rule name. For Incoming claim type, select E-Mail Address. This is assuming that each user in the ADFS system has an e-mail address associated with them. If this is not the case, select Given Name instead.
- For Outgoing claim type, select NameID. For Outgoing name ID format, select Email. Click Finish.
- Click OK in the Edit Claim Rules window.
Adjusting the Hash Algorithm
- Double-click on your RPT. Go to the Advanced tab.
- In the dropdown, select SHA-1.
- Click OK.
Signing the Authentication Request and Encrypting the SAML Assertion Response
The Video Platform supports signing the SAML authentication request and encrypting the SAML assertion response. Both require the YuJa SAML Certificate.
- Add the YuJa SAML Certificate found here to your trusted root certificate store.
If you are using Microsoft ADFS as your SAML provider, you can access the certificate installation wizard from the encryption configuration panel after you added the YuJa SAML Certificate. Click here for more information.
Video Platform (SP) Configuration
Configuration of the SP involves integrating the ADFS server as an IDP, with the Video Platform as an SP. The only resource needed to help configure the Video Platform is the IDP metadata of the ADFS server. This can be downloaded by navigating to: https://adfshelp.microsoft.com/MetadataExplorer/GetFederationMetadata. The .xml metadata file contains all the necessary information for configuration on the Video Platform side. Once downloaded, follow the steps below on how to extract the parameters from the metadata to integrate ADFS with the Video Platform.
For instructions on building SP Metadata click here.
- Navigate to your organization’s Video Platform domain (i.e. https://<Organization>.yuja.com).
- Login as an Administrator and navigate to the Admin Panel from the Main Menu. Select the Integrations tab.
- Under Select an API to configure, select SSO - ADFS (SAML).
- Enter the information shown in the following tables to configure the appropriate attributes:
Attribute Required? Description ADFS SSO URL Yes The URL used for SSO. This is where YuJa will send AuthnRequest tokens. -Found in the IDP metadata as the “Location” attribute. Note that for YuJa, an HTTP-Redirect binding is used.
For example: “https:///adfs/ls/”
Name ID Format Yes The format to be used by the SP and IDP when communicating about a subject. Found in the IDP metadata as the value of that tag. Note that, if available, emailAddress should be prioritized and used.
For example: urn:oasis:names:tc:SAML:1.1:nameid- format:emailAddress
Remote Logout URL Currently not supported Leave this value blank ADFS Signing Certificate Fingerprint Yes The unique fingerprint of the IDP’s certificate is used when signing SAML responses. The thumbprint is not explicitly located in the metadata, but the certificate is used to sign either the SAMLResponse or the Assertion. See How to derive the fingerprint of a certificate in the Additional Tools section of this document for more details.
For example: 7j2mka9cfe2d09j23eefe21442f6a49d1222391f
Given Name Attribute No The name of the attribute in the SAML response describes the user's given name (i.e. first name). Found in the IDP metadata. There is a section in the .XML file which should contain a list of tags. Enter the value for the “Name” key, under the appropriate for given name.
The value should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Family Name Attribute No The name of the attribute in the SAML response describes the user's family name (i.e. last name, surname). Found in the IDP metadata. There is a section in the .XML file which should contain a list of tags. Enter the value for the “Name” key, under the appropriate for family name.
The value should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Email Attribute No The name of the attribute in the SAML response describes the user's email address. Found in the IDP metadata. There is a section in the .XML file which should contain a list of tags. Enter the value for the “Name” key, under the appropriate email address.
The value should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Role Attribute No The name of the attribute in the SAML response describes the user's role. Found in the IDP metadata. There is a section in the .XML file which should contain a list of tags. Enter the value for the “Name” key, under the appropriate for the role.
The value should be: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
IT Manager No A comma-separated list of values can be used. If the value received in the Role Attribute matches any of these values, the user will be provisioned as an IT manager.
For example: IT Manager
Instructor No A comma-separated list of values can be used. If the value received in the Role Attribute matches any of these values, the user will be provisioned as an instructor.
For example: Instructor or, Teacher, TA
Automatically sync data on user login No If checked, whenever a user logs in via ADFS their basic information will be updated based on the data received in the SAML response token - Check the box next to Enable Authentication Request Signing to enable signing the authentication request. Note that this requires adding the YuJa SAML Certificate to your trusted root certificate store.
- Click OK in the confirmation dialog popup. If required, you can update the configuration settings if you made a mistake. Simply click Save to keep the changes.
- To test if the configuration is correct, click Test SAML Login. This should open a new tab and navigate to your ADFS server, prompting a login. Enter valid login credentials and Login. You should be redirected back to YuJa, signed in as a new user. Logging in as a new user may log the original account out. Log out of the newly created account and log back in as an Administrator. Then navigate back to Admin Panel → Integrations → SSO – ADFS (SAML).
- Once you have verified that the SAML SSO works, you can choose to activate the new authentication scheme for your organization. To do so, click Activate, then click OK in the confirmation dialog.
Important: Only activate the new authentication scheme after successfully performing a test login when you are ready to make it available for all users in your organization
Cross Integration with LTI
If your organization has enabled both LMS Integration via LTI and also SSO access, then you have the choice to link the two integrations. We generally recommend this because it means that irrespective of whether your user's login via their LMS or their SSO, they will be presented with the same Video Platform account information. In contrast, if Cross Integration with LTI is not set up, a user who uses both their LMS and SSO with the Video Platform will be provisioned with two separate accounts which in many cases isn’t ideal.
- Configure your LMS to pass a custom LTI parameter to the YuJa tool called lis_person_sourcedid which contains the cross-matching SSO value. This can be an email, employee ID, or other fields. You may need to consult your LMS platform’s product documentation on how to set custom LTI parameters. The Video Platform will make use of this feature to link the two login methods to the same account.
- Obtain the specific attribute name used in the SAML Response token whose value corresponds to the unique identifier used by the LTI provider (in Step 1 above). For example, if the unique identifier is the user's email address, then the linkage attribute might be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. A complete list of the possible attribute names can be found in the ADFS metadata file, in the Attribute tags.
- Enter this value into the Linkage Attribute field. This textbox will only appear if your organization has enabled LTI access.
- Click Save, Now, when logging in for the first time via ADFS (SAML), the Video Platform will search for a link with an LTI account using the value of the linkage attribute. If found, the SAML account will be linked to the existing account. Otherwise, a new account will be provisioned as normal. All logins past the first one will continue to link to the Video Platform account created or found on the first login
How to Derive the Fingerprint of a Certificate
The fingerprint of the IDP’s certificate is used for additional security purposes when the SP is verifying a SAML response from the IDP. To derive the certificate’s fingerprint, follow the instructions below:
- In the ADFS IDP metadata, extract the X509 certificate. This should be located under:
<IDPSSODescriptor>--<KeyDescriptor use="signing">--<KeyInfo>--<X509Data>--<X509Certificate> - Once you have the certificate, go to the following website: https://www.samltool.com/fingerprint.php.
- Paste the certificate in the X509 cert textbox.
- Make sure sha1 is selected as the Algorithm.
- Click Calculate Fingerprint.
- Copy the Fingerprint value generated. This is the value used in the database. Note: The fingerprint should be an array of 20 bytes for sha1.