As an admin, you can configure ADFS (the Identity Provider, IdP) as an SSO system so that users log in to Lumina (the Service Provider, SP) using the SAML 2.0 protocol. With this setup, users start at Lumina, are redirected to ADFS to authenticate, and are then redirected back to Lumina as authenticated users.
Configuring ADFS
The ADFS configuration involves three key steps:
- Create a Relying Party Trust (RPT) with Lumina.
- Add Claim Rules to the RPT so that SAML responses carry the correct user information.
- Adjust the RPT hash algorithm to match Lumina's requirements.
In the steps below, <YOUR_YUJA_DOMAIN> stands for your institution's YuJa subdomain. For example, for https://hudson.yuja.com it is hudson.
Creating a Relying Party Trust
- On the ADFS server, open the application ADFS Management.
- In the left panel, in the Trust Relationships section, click Relying Party Trusts.
- In the Actions tab, click Add Relying Party Trust.
- In the Add Relying Party Trust Wizard window, click Start.
- Select Enter data about the relying party manually. Follow the steps below to configure the RPT.
- Enter a display name for the RPT (e.g. “YuJa”).
- Click Next.
- Select ADFS Profile and click Next.
- In the Configure Certificate step, click Next. Do not encrypt claims sent to YuJa.
- Select Enable support for the SAML 2.0 WebSSO protocol.
- In the Relying party SAML 2.0 SSO Service URL field, enter https://<YOUR_YUJA_DOMAIN>.yuja.com/D/SamlReceiveResponse.
- Click Next.
- In the Relying party trust identifier field, enter https://<YOUR_YUJA_DOMAIN>.yuja.com.
- Click Add, and then click Next.
- Select the I do not want to configure multi-factor authentication settings for this relying party trust at this time checkbox, and then click Next.
- Select Permit all users to access this relying party, and then click Next.
- Review the settings, and then click Next.
- Select the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes option, and then click Close.
Adding Claim Rules
- Click the RPT.
- In the right panel, click Edit Claim Rules.
- In the Edit Claim Rules window, click Add Rule.
- Select Send LDAP Attributes as Claims, and then click Next.
- Enter a Claim rule name.
- Select Active Directory as the Attribute Store.
- Create four claim mappings. A fifth, yujaUserIDmapping, is optional: when present, its value replaces the user's YuJa ID.
  LDAP Attribute → Outgoing Claim Type:
  - E-Mail-Addresses → E-Mail Address
  - Given-Name → Given Name
  - Surname → Surname
  - <An attribute relating to the role of a user> → Role
  - <The attribute whose value should become the user's YuJa ID> → yujaUserIDmapping (optional; not in the drop-down list, type it in)
  The Role claim determines whether users are provisioned as students (the default) or given elevated privileges (Instructor or IT Manager). The suggested values are IT Manager and Instructor (for users who should have IT Manager or Instructor privileges respectively), but you can use existing or custom values as long as they match what you later configure in Lumina. Because a matching Role value grants elevated privileges, map Role to an AD attribute that only administrators can write, never to a self-service or user-editable field.
- Click Finish.
- To create a second claim rule, click Add Rule.
- Select Transform an Incoming Claim, and then click Next.
- Enter a Claim rule name.
- For Incoming claim type, select E-Mail Address if every user in ADFS has an e-mail address associated with them. If not, select Given Name instead; be aware that Given Name is not unique, so two users sharing a first name would receive the same NameID, and an attribute that uniquely identifies each user is preferable when one is available.
- For Outgoing claim type, select NameID.
- For Outgoing name ID format, select Email.
- Click Finish.
- Click OK.
Adjusting the Hash Algorithm
- Double-click on your RPT.
- Select the Advanced tab.
- In the Secure hash algorithm drop-down menu, select SHA-1.
- Click OK.
Note: ADFS defaults new trusts to SHA-256, and SHA-1 signatures are deprecated. Use SHA-1 only because Lumina requires it here, and switch the trust to SHA-256 if YuJa confirms that Lumina accepts it.
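The three ADFS sections above (create the RPT, add the two claim rules, set the hash algorithm) as a single script for the ADFS PowerShell module, run on the ADFS server. This is an added example, not a script from YuJa or from this page. It assumes the institution subdomain is hudson and that the AD attribute carrying the YuJa role is extensionAttribute1; both are placeholders to change for your environment.

```powershell
# Added example (not from the YuJa page): creates the same Relying Party Trust that the
# ADFS Management wizard steps above produce. Run in an elevated PowerShell on the ADFS server.
Import-Module ADFS

$org      = "hudson"              # assumption: your <YOUR_YUJA_DOMAIN>
$roleAttr = "extensionAttribute1" # assumption: AD attribute holding the YuJa role value
$entityId = "https://$org.yuja.com"
$acsUrl   = "https://$org.yuja.com/D/SamlReceiveResponse"

# Claim rule 1: "Send LDAP Attributes as Claims" (E-Mail Address, Given Name, Surname, Role).
$ldapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "YuJa LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";mail,givenName,sn,$roleAttr;{0}", param = c.Value);
"@

# Claim rule 2: "Transform an Incoming Claim" (E-Mail Address -> Name ID, format emailAddress).
$nameIdRule = @"
@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@

# Issuance authorization rule equivalent to "Permit all users to access this relying party".
$permitAll = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# The wizard's "Relying party SAML 2.0 SSO service URL" is a POST-binding assertion consumer endpoint.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0 -IsDefault $true

# SHA-1 is what the page requires. If YuJa confirms SHA-256 support, use
# "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" instead.
Add-AdfsRelyingPartyTrust -Name "YuJa" `
    -Identifier $entityId `
    -ProtocolProfile SAML `
    -SamlEndpoint $acs `
    -IssuanceTransformRules ($ldapRule + "`n" + $nameIdRule) `
    -IssuanceAuthorizationRules $permitAll `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Check what was created: identifier, endpoint, hash algorithm and the two rules.
Get-AdfsRelyingPartyTrust -Name "YuJa" |
    Format-List Identifier, SignatureAlgorithm, SamlEndpoints, IssuanceTransformRules, IssuanceAuthorizationRules
```

Claim rules are whitespace-insensitive, so the line breaks inside the here-strings are only for readability. Claims are not encrypted because no encryption certificate is set on the trust, matching the "Do not encrypt claims sent to YuJa" step.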
Signing the Authentication Request and Encrypting the SAML Assertion Response
Lumina supports signing the SAML authentication request and encrypting the SAML assertion response. Both require the YuJa SAML Certificate.
- Go to your trusted root certificate store.
- Add the YuJa SAML Certificate found here. Verify its thumbprint with YuJa through a channel other than the download link before trusting it: anything placed in the trusted root store is trusted for chain building.
If you are using Microsoft ADFS as your SAML provider, you can open the certificate installation wizard from the encryption configuration panel after adding the YuJa SAML Certificate. Learn more about installing the trusted root certificate.
Configuring Lumina
As an admin, you can configure Lumina by adding your ADFS server as an Identity Provider. The only input required is the IdP metadata from the ADFS server. You can download the metadata file (XML) with Microsoft's Metadata Explorer at https://adfshelp.microsoft.com/MetadataExplorer/GetFederationMetadata, or fetch it directly from your ADFS server at https://<ADFS_HOST>/FederationMetadata/2007-06/FederationMetadata.xml. This file contains all the information needed to complete the configuration in Lumina. Once downloaded, follow the steps below to extract the required parameters and integrate ADFS with Lumina.
Learn more about Building SP Metadata.
- Log in to Lumina as an admin.
- Click the Main Menu button > Admin Panel.
- In the sidebar, select Integrations.
- In the Select an API to configure field, select SSO - ADFS (SAML).
- Enter the information:
  - ADFS SSO URL (Required): The URL used for SSO; this is where YuJa sends the AuthnRequest. In the IdP metadata it is the Location attribute of a SingleSignOnService element. YuJa uses the HTTP-Redirect binding, so take the Location of the entry whose Binding is urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect. For example: https://<ADFS_HOST>/adfs/ls/
  - Name ID Format (Required): The format the SP and IdP use when referring to a subject. Found in the IdP metadata as the text of a NameIDFormat element; ADFS advertises several, and emailAddress should be used if it is listed. For example: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  - Remote Logout URL (Currently not supported): Leave this value blank.
  - ADFS Signing Certificate Fingerprint (Required): The SHA-1 fingerprint of the certificate ADFS uses to sign either the SAMLResponse or the Assertion. The fingerprint itself is not in the metadata; derive it from the signing X509Certificate as described in Deriving the Fingerprint of a Certificate below. For example: 7j2mka9cfe2d09j23eefe21442f6a49d1222391f (placeholder only; a real SHA-1 fingerprint is 40 hexadecimal characters, 0-9 and a-f)
  - Given Name Attribute (Optional): The name of the attribute in the SAML response that carries the user's given name (first name). In the IdP metadata, find the Attribute elements and copy the value of the Name attribute of the given-name entry. The value should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  - Family Name Attribute (Optional): The name of the attribute in the SAML response that carries the user's family name (last name, surname). Found the same way as above. The value should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  - Email Attribute (Optional): The name of the attribute in the SAML response that carries the user's email address. Found the same way as above. The value should be: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  - Role Attribute (Optional): The name of the attribute in the SAML response that carries the user's role. Found the same way as above. The value should be: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
  - IT Manager (Optional): A comma-separated list of values. If the value received in the Role Attribute matches any of them, the user is provisioned as an IT Manager. For example: IT Manager
  - Instructor (Optional): A comma-separated list of values. If the value received in the Role Attribute matches any of them, the user is provisioned as an Instructor. For example: Instructor or Teacher, TA
  - Automatically sync data on user login (Optional): If checked, each login via ADFS updates the user's basic information from the data received in the SAML response.
- Select the Enable Authentication Request Signing checkbox to sign the authentication request. Note: This requires adding the YuJa SAML Certificate to your trusted root certificate store.
- Click OK. If you made a mistake, you can update the configuration settings later.
- Click Save to keep the changes.
- To test the configuration, click Test SAML Login. This opens a new tab and navigates to your ADFS server, which prompts for a login. Enter valid credentials and click Login. You will be redirected back to YuJa, signed in as a newly provisioned user; this may log the original admin account out. Log out of the newly created account and log back in as an admin, then go to Admin Panel > Integrations > SSO > ADFS (SAML).
- To activate the new authentication scheme for your organization, click Activate.
- Click OK.
Important: Only activate the new authentication scheme after a successful test login, and only when you are ready to make it available to all users in your organization.
Enabling Cross Integration with LTI
If your organization has enabled both LMS Integration via LTI and SSO access, you can choose to link the two. We recommend enabling this cross-integration to ensure users access the same Lumina account, whether they log in through the LMS or via SSO. Without this setup, users who access Lumina through both systems may be provisioned with two separate accounts.
- Configure your LMS to pass a custom LTI parameter to the YuJa tool called lis_person_sourcedid which contains the cross-matching SSO value. This can be an email, employee ID, or other fields. You may need to consult your LMS’s product documentation on how to set custom LTI parameters. Lumina will make use of this feature to link the two login methods to the same account.
- Obtain the specific attribute name used in the SAML Response token whose value corresponds to the unique identifier used by the LTI provider (in Step 1 above). For example, if the unique identifier is the user's email address, then the linkage attribute might be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. A complete list of the possible attribute names can be found in the ADFS metadata file, in the Attribute tags.
- Enter this value into the Linkage Attribute field. This text field will only appear if your organization has enabled LTI access.
- Click Save. Now, when logging in for the first time via ADFS (SAML), Lumina will search for a link with an LTI account using the value of the linkage attribute. If found, the SAML account will be linked to the existing account. Otherwise, a new account will be provisioned as normal. All logins past the first one will continue to link to the Lumina account created or found on the first login.
Deriving the Fingerprint of a Certificate
Lumina uses the fingerprint of the IdP's signing certificate to check that a SAML response from ADFS was signed by your ADFS token-signing key and not by some other key. Note that ADFS rotates its token-signing certificate automatically (AutoCertificateRollover is on by default), so the fingerprint changes at each rollover and must be updated in Lumina, or ADFS logins to Lumina will stop working.
- In the ADFS IdP metadata, extract the X509 certificate. It is located under: <IDPSSODescriptor>--<KeyDescriptor use="signing">--<KeyInfo>--<X509Data>--<X509Certificate>. Use the signing KeyDescriptor, not the encryption one; during a rollover two signing entries may be present.
- Go to the website https://www.samltool.com/fingerprint.php. The certificate is public, so pasting it there does not expose a secret; you can equally compute the fingerprint locally, for example with openssl x509 -noout -fingerprint -sha1 after wrapping the base64 text in BEGIN CERTIFICATE / END CERTIFICATE lines.
- In the X509 cert field, paste the certificate.
- Select sha1 as the Algorithm.
- Click Calculate Fingerprint.
- Copy the generated Fingerprint value. This is the value to enter in the ADFS Signing Certificate Fingerprint field.
Note: A sha1 fingerprint is 20 bytes, i.e. 40 hexadecimal characters.
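The following script serves both the Configuring Lumina section (reading the SSO URL, Name ID Format and attribute names out of the IdP metadata) and the fingerprint derivation above: it fetches the ADFS federation metadata and computes the SHA-1 fingerprint of the signing certificate locally, so nothing has to be pasted into a third-party website. It is an added example, not code from YuJa or from this page; adfs.example.edu is a placeholder for your ADFS host name.

```powershell
# Added example (not from the YuJa page): extract the values Lumina's "SSO - ADFS (SAML)" form
# asks for from the ADFS federation metadata. Assumption: adfs.example.edu is your ADFS host.
$adfsHost    = "adfs.example.edu"
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

$md = New-Object System.Xml.XmlDocument
$md.Load($metadataUrl)   # XmlDocument.Load fetches the URL and handles the file's encoding

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md",   "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds",   "http://www.w3.org/2000/09/xmldsig#")
$ns.AddNamespace("saml", "urn:oasis:names:tc:SAML:2.0:assertion")

$idp = $md.SelectSingleNode("/md:EntityDescriptor/md:IDPSSODescriptor", $ns)
if (-not $idp) { throw "No IDPSSODescriptor found in $metadataUrl" }

# ADFS SSO URL: Location of the SingleSignOnService that uses the HTTP-Redirect binding.
$redirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
$ssoNode  = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$redirect']", $ns)
if (-not $ssoNode) { throw "ADFS does not advertise an HTTP-Redirect SingleSignOnService" }
$ssoUrl = $ssoNode.GetAttribute("Location")

# Name ID Format: emailAddress when ADFS advertises it, otherwise the first format listed.
$emailFmt = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
$formats  = @($idp.SelectNodes("md:NameIDFormat", $ns) | ForEach-Object { $_.InnerText })
$nameIdFormat = if ($formats -contains $emailFmt) { $emailFmt } else { $formats[0] }

# Attribute names (Given Name / Family Name / Email / Role fields), as published in the Attribute tags.
$attrNames = @($idp.SelectNodes("saml:Attribute", $ns) | ForEach-Object { $_.GetAttribute("Name") })

# Signing certificate fingerprint: only KeyDescriptor use="signing" under IDPSSODescriptor, not the
# ds:Signature on the document itself and not the encryption key. Two entries appear during a
# token-signing certificate rollover; give Lumina the one ADFS currently uses as primary
# (Get-AdfsCertificate -CertificateType Token-Signing on the ADFS server shows which that is).
$signingCerts = @($idp.SelectNodes("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns) |
    ForEach-Object {
        # The metadata carries the DER certificate as base64, possibly with line breaks.
        $der  = [Convert]::FromBase64String(($_.InnerText -replace '\s', ''))
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        [pscustomobject]@{
            Subject  = $cert.Subject
            NotAfter = $cert.NotAfter
            # .Thumbprint is the SHA-1 hash of the DER bytes: 20 bytes, 40 hex characters.
            Sha1     = $cert.Thumbprint.ToLower()
        }
    })
if ($signingCerts.Count -eq 0) { throw "No signing certificate found in metadata" }

[pscustomobject]@{
    "ADFS SSO URL"                         = $ssoUrl
    "Name ID Format"                       = $nameIdFormat
    "ADFS Signing Certificate Fingerprint" = ($signingCerts | ForEach-Object {
                                                 "$($_.Sha1) (expires $($_.NotAfter.ToString('yyyy-MM-dd')))" }) -join "; "
    "Published attribute names"            = $attrNames -join "`n"
} | Format-List
```

The expiry date printed beside each fingerprint is the value to put in a calendar: when ADFS rolls the token-signing certificate, rerun the script and update the fingerprint in Lumina before the old certificate stops being used.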