How to Implement SSO With Active Directory (ADFS) For Your Video Website

SproutVideo websites support Single Sign-On (SSO) using the SAML 2.0 protocol, and can be set up with Active Directory, as well as other compatible SSO Identity Providers.

With SSO enabled, your viewers must be authenticated by your Identity Provider before they can log in and access your video content. When a viewer navigates to your video website URL, they are redirected to your Identity Provider for authentication. Once verified, they are redirected automatically to your video site.

SSO only applies to videos on your video website. Embedded videos not on your video website are not protected by SSO.

NOTE: SSO is only available on the Forest plan.

Getting Started

You must have an existing Identity Provider, like Active Directory, in order to enable SSO for your video website.

This guide is for Active Directory only. If you need help with another Identity Provider, please contact support.

Add a Relying Party Trust

In your ADFS server, add a Relying Party Trust by navigating to Relying Party Trusts under Trust Relationships, clicking on ‘Add Relying Party Trust,’ and clicking Start to launch the Relying Party Trust Wizard.

Enter Data Manually

Select the option to ‘Enter data about the relying party manually’ and click Next:

Pick a Display Name

Enter the Display Name you’d like to use for your SproutVideo website. This can be your SproutVideo website URL, or another name that you can easily remember. Click Next to proceed.

Select ADFS Profile

Select the option to use the ‘ADFS Profile’ and click Next.

Do Not Select a Token Encryption Option

You do not need a token encryption certificate, so do not select any of the options, and click Next.

Locate Your SSO Settings in Your SproutVideo Account

To enable SSO, you’ll need some information located in your SproutVideo account, and you’ll need to adjust some settings there. Select the ‘Site Editor’ button at the top of the page, and select ‘Advanced.’ Scroll down until you find the SSO options. You can enable SSO for your site by toggling the ‘Enable SSO’ switch, and you’ll need to complete each field with the corresponding information from your Identity Provider (see below). Click ‘Save Changes to Settings’ at the top of the page when you are done. Note that your Assertion Consumer Service (ACS) URL is based on your SproutVideo website URL.

Enable SAML 2.0 WebSSO Protocol

Check the box to enable the SAML 2.0 WebSSO Protocol. Then, enter your ACS URL in the following format, replacing “example” with your custom video website details: https://example.vids.io/saml/consume

Add Your SproutVideo Subdomain as the Relying Party Trust Identifier

Enter your SproutVideo subdomain or CNAME if enabled, usually something like “example.vids.io” but without the quotation marks, in the Relying Party Trust Identifier field, being sure to omit the “https://” part of the URL, and click Next.

Permit All Users to Access This Relying Party

Select the option to permit all users to access this relying party, and click Next.

Review Settings and Exit

Review your settings and click Next, then close the wizard.

Change the Secure Hash Algorithm to SHA-1

Right click on the new Relying Party Trust and select Properties. Then, select the Advanced tab. There, change the Secure Hash Algorithm to “SHA-1”, then click OK.

Edit Your Claim Rules

Right click on the new Relying Party Trust, select Edit Claim Rules, and click on ‘Add Rule.’

Edit Your Claim Rule Attributes

Right click on your relying party trust, then click ‘Edit Claim Rules’ and click ‘Add Rule.’ Select ‘Send LDAP Attributes as Claims,’ then click ‘Next.’ Select ‘Send LDAP as the Claim Type’ and enter ‘Get Attributes’ as the Claim rule name. Select ‘Active Directory’ as your Attribute store, ‘E-Mail-Addresses’ as the LDAP Attribute and ‘E-Mail Address’ as the Outgoing Claim Type. Select ‘Display-Name’ as the LDAP Attribute and “Name” as the Outgoing Claim Type. Click on Finish.

Edit Another Claim Rule

Right click on the new ‘Relying Party Trust,’ select ‘Edit Claim Rules,’ and click on ‘Add Rule.’ Select ‘Transform an Incoming Claim,’ then click ‘Next.’ On the next screen, enter ‘Name ID Transform’ as the Claim Rule Name, select ‘E-Mail Address’ as the Incoming claim type and select ‘Name ID’ as the Outgoing claim type, then select ‘Email’ as the Outgoing name ID format. Click ‘Finish,’ then click ‘OK.’
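The wizard and claim rule steps above can also be scripted, which leaves a reviewable record of exactly what the trust contains. This is an added example, not part of the original guide or SproutVideo's own tooling; it assumes the AD FS PowerShell module on Windows Server 2012 R2 or later, uses the guide's placeholder `example.vids.io`, and the display name is a hypothetical choice.

```powershell
# Run in an elevated PowerShell session on the primary AD FS server.
Import-Module ADFS

# Assumptions: replace the placeholder host with your video site subdomain or CNAME.
$SiteHost    = 'example.vids.io'
$DisplayName = 'SproutVideo website'   # hypothetical display name
$AcsUrl      = "https://$SiteHost/saml/consume"

# SAML 2.0 WebSSO endpoint: the wizard creates a POST-binding assertion consumer endpoint.
$Acs = New-AdfsSamlEndpoint -Binding 'POST' -Protocol 'SAMLAssertionConsumer' -Uri $AcsUrl

# Rule 1 "Get Attributes": E-Mail-Addresses -> E-Mail Address, Display-Name -> Name.
# Rule 2 "Name ID Transform": E-Mail Address -> Name ID with the Email format.
$TransformRules = @'
@RuleName = "Get Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,displayName;{0}", param = c.Value);

@RuleName = "Name ID Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# "Permit all users to access this relying party".
# On AD FS 2016 and later, -AccessControlPolicyName 'Permit everyone' is the counterpart.
$AuthorizationRules = @'
@RuleName = "Permit Access to All Users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# No -EncryptionCertificate is passed: the guide uses no token encryption certificate.
# The identifier omits "https://", and the signature algorithm is SHA-1, as in the guide.
Add-AdfsRelyingPartyTrust -Name $DisplayName -Identifier $SiteHost -SamlEndpoint $Acs `
    -SignatureAlgorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1' `
    -IssuanceTransformRules $TransformRules -IssuanceAuthorizationRules $AuthorizationRules

# Read back what was stored so it can be checked against the SproutVideo SSO settings.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, SignatureAlgorithm, EncryptionCertificate, Enabled
```

Because the "Permit all users" rule authorizes every account that can authenticate to AD FS, the read-back is a convenient place to confirm that this is the access scope you intend for the video site.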

Enter Your SAML SSO URL in Your SproutVideo SSO Settings

Under ‘Site Editor’ > ‘Advanced’ > ‘SSO,’ you’ll find the field where you need to enter your SAML SSO URL. Typically, it’s formatted as the URL to your ADFS service with /adfs/ls/ appended to it, but yours might be different, so be sure to double check.

Enter Your Certificate Fingerprint in SproutVideo SSO Settings

From the ADFS console, navigate to ‘Service,’ then ‘Certificates,’ and right click on your ‘Token-Signing Certificate.’ Click on ‘View Certificate’ and go to the ‘Details’ tab, select the certificate thumbprint, and copy it. Paste the thumbprint into the ‘Certificate Fingerprint’ field in your SproutVideo account in your SSO settings under the Video Site tab.
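The SAML SSO URL and certificate fingerprint from the last two steps can be read directly from AD FS, which avoids copy errors from the certificate dialog (text copied from it can carry an invisible leading character). This is an added example, not part of the original guide; it assumes the AD FS PowerShell module, the default `/adfs/ls/` path, and `$Pasted` is a hypothetical variable for the value you copied.

```powershell
Import-Module ADFS

# The primary token-signing certificate is the one AD FS signs assertions with.
$Signing = Get-AdfsCertificate -CertificateType 'Token-Signing' | Where-Object IsPrimary
$Cert    = $Signing.Certificate

# The thumbprint is the SHA-1 hash of the DER-encoded certificate; recompute it to confirm.
$Sha1     = [System.Security.Cryptography.SHA1]::Create()
$Computed = [System.BitConverter]::ToString($Sha1.ComputeHash($Cert.RawData)) -replace '-', ''
if ($Computed -ne $Signing.Thumbprint) { throw 'Computed hash does not match the thumbprint.' }

# Strip spaces, colons and invisible characters from a value copied out of the dialog.
function ConvertTo-PlainThumbprint([string]$Text) {
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$Pasted = ''   # hypothetical: paste the value copied from the certificate dialog here
if ($Pasted -and (ConvertTo-PlainThumbprint $Pasted) -ne $Signing.Thumbprint) {
    Write-Warning 'The pasted thumbprint does not match the primary token-signing certificate.'
}

# Values for the SproutVideo SSO settings, plus the facts that decide when they go stale.
$Props = Get-AdfsProperties
[pscustomobject]@{
    SamlSsoUrl              = "https://$($Props.HostName)/adfs/ls/"
    CertificateFingerprint  = $Signing.Thumbprint
    CertificateExpires      = $Cert.NotAfter
    AutoCertificateRollover = $Props.AutoCertificateRollover
}
```

When AD FS promotes a new primary token-signing certificate, either through automatic rollover or manual replacement, the thumbprint changes and the fingerprint stored in SproutVideo has to be updated to match.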
