Question:
Our company uses Azure SSO. How do I configure it on the SnapStream Cloud?
Answer:
Pre-requisites:
- You must have a “Premium” tier enabled on your Azure AD account to utilize SAML 2.0
- You’ll need to enable the Graph API in Azure AD
Steps:
- Log in to your SnapStream server as an administrator and navigate to Admin -> Security -> Config. Set “External Authentication” to SAML 2.0 and leave this tab open.
- Open the Azure Portal and choose “Azure Active Directory” from the left-hand sidebar and choose “Enterprise Applications” -> “New Application” and choose “Non-Gallery Application”, give it a name (I’m partial to “SnapStream SAML” in this example) and press “Add”.
- You’ll be dropped on the new app’s Overview page. Choose “Single sign-on” from the menu and then choose the SAML card from the screen that follows.
- Copy the Azure AD Identifier from Box #4 and paste it into the Identifier (Entity ID) box #1.
- Go back to the SnapStream tab you had open and copy the ACS URL. Paste the ACS URL into the Reply URL in Azure AD and click Save.
- Click the edit pencil in box #2 to edit the user attributes and claims and click the pencil to edit the Name identifier value. Set the source attribute to user.mail and set the name identifier format to “Email address” and save. Your User Attributes & Claims should look like this.
- Your setup should be similar to this. You will also need to download the Federation Metadata XML.
- Go to Azure Active Directory -> App Registrations (Preview) -> -> Manifest. In the Manifest editor, look for the line that reads “groupMembershipClaims”: null. We have two options here. Changing that null to “SecurityGroup” will allow the end user to use their AD security groups in SnapStream. Changing the value to “All” will allow security groups and distribution lists to both be used. In most cases, using “SecurityGroup” is going to be our best option.
- We’re now done configuring SAML from within Azure AD. The one thing left to do is to copy the Object IDs used to identify groups within Azure. We’ll need these when establishing mappings between groups in SnapStream.
- In the Azure Portal, go to Azure Active Directory -> Groups and open each group that the end user would like to see reflected within SnapStream. With the group opened, make a note of the group name and its associated Object ID.
- With that information written down, go back to the SnapStream tab you’d left open in an earlier step. It should conveniently be sitting at Admin -> Security -> Config. Use the browse button to import the Federation Metadata.xml that you’d downloaded earlier. It will populate the endpoint, issuer & certificate fields for you. Save this page.
- The final remaining step is to map groups within SnapStream to the user’s groups in AD. Using your list of group names and object IDs, open each group that you’d like to map and paste the Object ID string from its corresponding AD group into the “Linked SAML Groups” field.
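
To confirm the claims and group mappings configured above, the following added example (not SnapStream or Microsoft code) checks a decoded SAML assertion from a test login for the “Email address” NameID format and compares the group Object IDs in Azure AD's groups claim against your mapping list. The sample assertion, Object IDs, the “Editors” group name and the function name are constructed for illustration, and the script does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Attribute name Azure AD uses for the groups claim in SAML tokens
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"

# Constructed sample: trimmed, unsigned assertion with made-up Object IDs.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUPS_CLAIM}">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical mapping list: Azure AD group Object ID -> SnapStream group name
LINKED_SAML_GROUPS = {"11111111-1111-1111-1111-111111111111": "Editors"}

def check_assertion(xml_text, linked_groups):
    """Diagnostic only: reads claims from an assertion you captured yourself."""
    root = ET.fromstring(xml_text)
    findings = []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        findings.append("NameID is not in Email address format")
    # Collect every Object ID carried in the groups claim (GUIDs compared lowercase)
    group_ids = [
        value.text.strip().lower()
        for attr in root.iterfind(".//saml:Attribute", NS)
        if attr.get("Name") == GROUPS_CLAIM
        for value in attr.iterfind("saml:AttributeValue", NS)
        if value.text
    ]
    if not group_ids:
        findings.append("no groups claim: check groupMembershipClaims in the manifest")
    linked = {oid.lower(): name for oid, name in linked_groups.items()}
    return {
        "user": name_id.text if name_id is not None else None,
        "mapped": sorted(linked[g] for g in group_ids if g in linked),
        "unmapped": [g for g in group_ids if g not in linked],
        "findings": findings,
    }

if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, LINKED_SAML_GROUPS))
```

An Object ID listed under "unmapped" is a group Azure AD sent that has no matching “Linked SAML Groups” entry in the mapping list you supplied.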
Additional Notes:
- Requires a SnapStream Admin account
Applies to Version:
SnapStream Cloud 9.x and higher