Configuring SSO for the Dashboard requires you to work with Synamedia Support to configure a connection to the customer account.
Configuring SSO for the Dashboard also enables SSO for the following public Synamedia sites:
Synamedia Developer portal (https://developer.synamedia.com/)
Synamedia Docs (https://docs.account.synamedia.com/)
Utilizing Single Sign-On (SSO) enables users to access Synamedia Dashboards by authenticating through the customer's Identity Provider (IdP). This streamlines the login process, enhances security, and improves user experience by eliminating the need to remember and manage multiple passwords.
Deactivating users in the customer's IdP will also deactivate them from the Synamedia account.
When an authorized user goes to log in to the Dashboard, they enter their email address for a registered domain (for example user@example.com) into the Synamedia Login page, and then are redirected to their organization IdP to complete authentication.
Adding an SSO connection will restrict Account Members from logging in using the default authentication method.
Configuring SSO for the Dashboard requires a series of steps shared between you and Synamedia Support.
Open a ticket with Synamedia Support to share your IdP’s configuration data so they can set up the SSO configuration. Include the following information when you submit your ticket:
Email domain(s) you’d like to associate with the SSO configuration
Authentication protocol (SAML, OIDC)
Additional IdP-specific information as described bellow
The additional configuration steps required depend on the IdP and authentication protocol you’d like to use
Create a new Enterprise Application and provide Synamedia's Support with the following:
ClientID and ClientSecret
Active Directory Domain name
The Microsoft identity platform version that your IdP is using (Azure AD v1 / Microsoft identity platform v2)
Your company email domain name (for example: acme.com) (Multiple domain names can be configured)
Register an application (client) with the IdP with the following properties:
Callback URL: https://auth.synamedia.com/login/callback
Provide Synamedia Support with the following:
Application (client) ID
Issuer URL or OIDC metadata endpoint (for example, https://{idpDomain}/[...]/.well-known/openid-configuration)
Your company email domain name (for example: acme.com) (Multiple domain names can be configured)
Provide Synamedia Support with the following:
The sign-in URL (for example: https://{idpDomain}/login).
The sign-out URL (for example: https://{idpDomain}/logout).
a X509 Signing certificate (SAML server public key encoded in PEM or CER format).
The SAML Request Binding Type (Either HTTP-Redirect or HTTP-Post)
Your company email domain name (for example: acme.com) (Multiple domain names can be configured)
Synamedia Support will provide you with the following:
Entity ID
Callback URL
Certificate for the SAML Provider, which will receive the signed assertion to validate the signature.
The Synamedia Support team uses the configuration data you provide to complete initial setup of the SSO connection.
The SSO connection will not be enabled at this point.
When initial setup of the SSO connection is complete, the Synamedia Support team will want to test the SSO connection to ensure the configuration data was correct.
Testing the connection must be preformed by Synamedia support along side with a customer user that can verify the login.
Important: During the test users will not be able to login to Synamedia sites, so it is essential to notify the users about this test and possibly schedule it to a time that will have the least impact.
This step can be skipped if there are no customer active users
Once the connection was tested and verified the connection can be enabled.
Before enabling the connection you should let all the existing users know about the upcoming change and the consequences. Synamedia Support have an email template that can be sent out to the users. The main things to know are:
All the exiting users will receive an invitation to re-signup to the Synamedia Cloud Portal via SSO.
The invitation will preserve the same roles and permissions that the user already had.
Existing users that belong to the configured SSO email domain will not be able to login until they accept and re-signup with the new invitation.
Once you are ready, let Synamedia Support know and schedule a time that works for you to finally enable the connection.
