When setting up federated authentication with Mediaocean, your IDP must support the SAML 2.0 (Security Assertion Markup Language) federation protocol.
To configure Mediaocean's service provider as a trusted party on your IDP so that your users have access to Mediaocean’s federated authentication, you need to add our SP as a trusted party on your IDP. The following information is provided to assist you in this task:
- Federated identity provider (IDP)
- Service provider (SP) software
- SAML claim attributes
- IDP metadata
- SP metadata
- Single logout (SLO)
- Mediaocean application URLs
Federated identity provider
Once Mediaocean’s service provider (SP) is added as a trusted party to your organization’s IDP, you can provide your user attributes to Mediaocean’s federated authentication service, enabling your users to sign in to Mediaocean applications using their own credentials and federated single sign on (SSO).
Service provider (SP) Federated
Mediaocean’s SP software
Mediaocean uses service provider-initiated federation with Ping Federate as the SP and SAML 2.0 (Security Assertion Markup Language) as the protocol. This must be added as a trusted party on your IDP.
Mediaocean’s SP instances
Mediaocean hosts three location-based SP instances:
- Americas and Europe
Your IDP must be configured with the region-specific Mediaocean SP. The same IDP may need to be configured to work with multiple Mediaocean SPs. The information about the SP is included in the SP metadata we give you. If you require any additional help with this, contact your Mediaocean Business Solutions Consultant.
Demo (test) SP instances
If you have access to a demo instance for any Mediaocean application, you have to set up the SP trust relationship for the application’s demo instance as well as the production one.
SAML claim attributes
Through your IDP, you must provide Mediaocean with the following user attributes during the SAML exchange:
- First name
- Last name
- Email address
You must provide your Mediaocean Business Solutions Consultant with one of the following so that we have access to your SAML assertion claim attributes and your IDP certificate details:
- Your IDP’s SAML metadata XML file
- URL for your IDP’s SAML metadata XML file so that Mediaocean can access it.
SAML assertion claim attributes
Mediaocean's Engineering Support Team need the assertion claim attributes listed in the SAML claim attributes section of this article so that they can map them in our SP software. For examples of some specific IDP configurations, see the article, Example IDP configurations.
Your IDP certificate provides trust anchors that are involved in the verification of signatures for the SAML assertions and in establishing trust in the messages being exchanged.
Certificates expire after a set period. To renew your certificate without any service disruption, you must contact your Mediaocean Business Solutions Consultant at least 30 days before your current certificate expires. If your certificate expires, your users will not be able to sign in to Mediaocean applications. A reminder to renew your certificate is emailed to you 45 days and then 30 days before your certificate expires. Mediaocean doesn’t currently offer clients a self-renewal process for certificates.
Mediaocean currently emails you the data you require to configure Mediaocean as a trusted party on your IDP.
The metadata details can differ depending on which Mediaocean SP instance you are using, but the following are some of the key attributes that may be included:
- Mediaocean’s SP entity ID: This uniquely identifies Mediaocean as the service provider. For example, idp.mediaocean-com.
- Assertion consumer service (ACS) URL: This is the location that your IDP redirects to with its authentication response. For example, https://idp.mediaocean.com/sp/ACS.saml2.
- SP certificate: (optional): If your IDP requires a signing certificate to prove that messages are coming from Mediaocean’s SP, you can request this through your IDP metadata. If you request a certificate, Mediaocean provides it as part of the SP metadata once our setup is completed.
Single logout (SLO)
We don’t currently support SLO.