Setting up PingOne SSO with SnapStream

Question:

How do you setup Ping/PingOne SSO on a SnapStream system?

Answer:

See below for full configuration details:

Step 1 - Obtaining the ACS URL from your SnapStream DVR.

1. Log in to SnapStream DVR using an administrator account.
2. After you’ve logged into SnapStream we’ll pull the ACS URL from the SnapStream. To do that:
3. Browse to Admin > Security > Config
4. Change the value for the “External Authentication” dropdown menu to “SAML 2.0”

Scroll to the bottom of the page, and copy the “SAML ACS URL” you will need this to configure your PingOne Application for SnapStream.

Step 2 - Adding a new Application to your PingOne account.

1. Login to your PingOne Account, and browse to Applications.
2. Click the Add Application drop-down menu, and select “New SAML Application”
3. On the first page that appears, fill out the required fields for Application Name, Application Description, and Category. Click “Continue to Next Step”
   
4. On the second page, there are several actions that need to be taken as follows
5. Find the “SAML Metadata” field and click “Download” you will need this XML file for your SnapStream SSO configuration.
6. Be sure that SAML v2.0 is selected, and not SAML v1.1
7. Paste the ACS in the “Assertion Consumer Service” field.
8. The Entity ID is required, put a filler in here for the time being, I like to use https://pingone.com/idp/snapstream. Once we save the Application, and return to it to edit, a legit entity ID will be available.
9. Click Continue to Next Step button at the bottom of the page.
   
   

Step 3 - Adding Attributes

You’ll need to add two attributes:

1. Start by editing the application attribute field to read “User.Email” this is case sensitive.
2. Change the Identity Bridge Attribute to “Email (Work)” if you start typing, autofill will allow you to choose the correct option.
3. For the second application attribute, you’ll name it “Group.Name”
4. Click the Advanced button, to create an Advanced Attribute Option.
5. In the window that appears, you’ll need to fill in three fields:
   • IDP Attribute Name: “memberOf”
   • Function “FilterByRegularExpression”
   • Expression: .* (period, asterisk)
6. Click Save.
7. Click “Continue to Next Step”

Step 4 - Group Access.

Your organization should have groups preconfigured. When added here, you can configure them to be used with SnapStream User Groups. In our example, we'll be using the “Users@directory” group.

1. Click the “Add” button for any groups that you would like to add to this application. You’ll notice that any groups you’ve added/selected will have their buttons change over to a “Remove” button.

Click the Continue to Next Step button.

Step 5. Review Setup

This page allows you to see your PingOne configuration. I would screenshot this, and click Finish.

Step 6. Configuring SnapStream.

1. Jump back to your SnapStream DVR, and browse to Admin > Security > Config
2. Select SAML 2.0 if it’s not already selected.
3. Click the Browse button, and upload the XML file you downloaded from PingOne. This will upload the configuration necessary to get this working.
4. Once you have the XML uploaded copy the “SAML Issuer” you’ll need this for one last thing in PingOne.
5. Click Save at the bottom of the page

Step 7 - Associating PingOne groups to SnapStream User Groups
You’ll also need to associate PingOne groups with your SnapStream User groups:

1. Browse to Admin > Security > Groups
2. Edit a group that you would like to associate with a PingOne user group.
3. Click in the “Linked SAML Groups” field, and start typing the name of your user group, you should get an autofill choice, click it and it should be added. You’ll see that it’s added when it appears as a blue block.

Click Save at the bottom of the page.

Step 8 - Changing the EntityID in PingOne to reflect the one we have in SnapStream.

Once you have the XML uploaded to SnapStream, and you’ve copied the SAML Issuer from the SnapStream, you’ll need to edit the EntityID for your SnapStream application in PingOne. It should look something like this: https://pingone.com/idp/cd-644581160.snapstream

To make these changes:

1. Login to PingOne and browse to Applications.
2. Edit the SnapStream application you created by clicking the black triangle to the right of the entry.
3. On the page that appears, click the edit button.
4. Click Continue to Next Step.
5. On the next page, you should find the Application Configuration page, find the EntityID, and paste in the one that you copied from your SnapStream.
6. Click Continue to Next Step three more times, then click Finish.
   
7. To test PingOne SSO, log out of your SnapStream DVR and attempt to reach your SnapStream system. Click “Login via SSO” which should bring you to the PingOne login page.

Additional Notes:

• Be sure to be using PingOne as your SSO provider. Ping will not work.
• The PingOne EntityID must be obtained from the SnapStream security configuration page after the PingOne XML has been uploaded to SnapStream. This means you’ll have to log back into PingOne and edit the application to reflect the correct EntityID once the SnapStream side has been configured. It’s important to note that if this step is not taken, PingOne SSO will not work with SnapStream.
• If you need assistance with getting this configured or tested, please reach out to SnapStream Support.

Applies to Version:

Applies to SnapStream version 9.0 or newer.