Setup Screencast-O-Matic with ADFS SSO (SAML) for your organization
Active Directory Federation Services (ADFS) can provide your users with single sign-on (SSO) access to your Screencast-O-Matic Team Plan via the Security Assertion Markup Language 2.0 standard (SAML). When Team users first authenticate via SAML, and you have configured SAML to create users, we set up their dedicated hosting account as part of the Team Plan.
- Your organization must be using a dedicated ADFS instance
- You will need administrative permissions to your ADFS instance
- You must be using a Screencast-O-Matic Team Plan
- You will need administrative permissions for your Team Plan
Get SAML Setup Information from Screencast-O-Matic
Once you have your ADFS server set up, your Team Plan admin may optionally require login via SAML from the Screencast-O-Matic Admin Account Authentication Settings.
1. Log in as Team Admin, click your user icon, then Settings.
2. On the left sidebar, click Authentication.
3. Under "SAML Authentication", move the slider to On, which requires your users to log in via SAML.
Once enabled, you will find the additional settings needed to set up communication between Screencast-O-Matic and the ADFS identity provider.
4. In the text box, specify a unique access URL. Your Team will use this URL the first time they authenticate into Screencast-O-Matic. When visiting this URL, the user is redirected to your organization's network login for sign-in, or, if they are already logged into your network, they are automatically signed into Screencast-O-Matic.
Note: "myuniqueurl" shown below is a name you create for your access page.
5. If you intend to have your users enjoy the advanced features provided in hosting (branded player, content sharing, channel carousel, stock media, etc.) then you need to check "Create users on Screencast-O-Matic". The first time a user from your organization logs in via SAML, their hosting account will be set up so they can manage and share content.
Setting up users
6. Download the metadata XML from the settings area and save it for a later step. Next, we will get ADFS set up before coming back to this settings window to upload the IDP identity file.
Set up the ADFS Identity Provider
This article covers an ADFS instance setup for single sign-on. Refer to this article if you are using Azure.
6. To update your ADFS metadata, complete these steps. You will likely require admin privileges for your ADFS instance to perform them.
- Log in to the ADFS Management Console.
- In the left sidebar, click ADFS 2.0 > Trust Relationships.
- Click on Relying Party Trusts.
- Click Update from Federation Metadata.
- Right click on the relying party trust, then click Properties.
- On the Monitoring tab, paste the following URL into the Relying party's federation metadata URL field: https://screencast-o-matic.com/saml/metadata.xml
- Place checkmarks in the options for Monitor relying party and Automatically update relying party.
- Click OK.
- Select the same relying party trust item that you just configured. In the right sidebar, click Update from Federation Metadata.
- Ignore the message regarding ADFS 2.0 support if it appears. Click OK.
- Finally, click Update to finish updating the federation metadata with the Screencast-O-Matic metadata file.
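The same relying party trust, created and refreshed from PowerShell instead of the ADFS Management Console. This is an added example, not code from the article or from Screencast-O-Matic; it assumes an elevated PowerShell session on the ADFS server (Windows Server 2012 R2 or later, where the ADFS module exists), and the display name "Screencast-O-Matic" is simply a label of your choosing.

```powershell
# Added example (not from the article or from Screencast-O-Matic).
# Assumptions: elevated session on the ADFS server; the ADFS PowerShell module is
# available (on ADFS 2.0 use Add-PSSnapin Microsoft.Adfs.PowerShell instead).
Import-Module ADFS

$rpName      = "Screencast-O-Matic"                                   # display name, your choice
$metadataUrl = "https://screencast-o-matic.com/saml/metadata.xml"     # from the article

# Issuance authorization rule: every authenticated user of your federation service may
# reach the relying party. Replace with a group-based rule if only part of the
# organization should be able to sign in to the Team Plan.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) {
    # Import identifier, endpoints and signing certificate from the published metadata
    # instead of typing them by hand; MonitoringEnabled/AutoUpdateEnabled are the two
    # checkboxes on the Monitoring tab described above.
    Add-AdfsRelyingPartyTrust -Name $rpName `
        -MetadataUrl $metadataUrl `
        -MonitoringEnabled $true `
        -AutoUpdateEnabled $true `
        -IssuanceAuthorizationRules $authzRules
}

# Equivalent of "Update from Federation Metadata": pull the current metadata now.
Update-AdfsRelyingPartyTrust -TargetName $rpName

# Verify what was imported. Identifier should be the entityID published in
# Screencast-O-Matic's metadata, and LastUpdateTime should be just now.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, MetadataUrl, MonitoringEnabled, AutoUpdateEnabled, LastUpdateTime
```

Keeping MonitoringEnabled and AutoUpdateEnabled on means ADFS re-fetches the metadata itself when Screencast-O-Matic rolls its certificate or endpoints, so the trust does not silently break later.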
Upload the Identity Provider File to Screencast-O-Matic
7. With ADFS set up, we need to find the IDP file (Federation Metadata XML) and upload it to the Screencast-O-Matic Admin Account Authentication Settings.
Typically, this file is found here:
Download this file, and head back to the Screencast-O-Matic Admin Account Authentication Settings.
8. Under SAML User Access, click the Choose File button under Upload IDP Metadata File section.
9. Once uploaded, the file will be validated and you should see the message "Metadata matches". You can click Test Login and you should see the normal login prompt for your organization.
10. Click the Save button to commit the IDP Metadata and you are done.
11. Click the “Test Login” link to make sure the login works for an actual user.
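Before uploading the Federation Metadata XML, it is worth checking locally what Screencast-O-Matic will read out of it: the entity ID, the SSO endpoint and the token-signing certificate, whose expiry is the usual cause of a sudden SSO outage. The following is an added example, not part of the article or of Screencast-O-Matic's tooling; it assumes the metadata file has been saved at the path in $MetadataPath.

```powershell
# Added example (not from the article or from Screencast-O-Matic): inspect a downloaded
# ADFS FederationMetadata.xml before uploading it as the IDP metadata file.
# Assumption: the file was saved locally at $MetadataPath.
$MetadataPath = "C:\temp\FederationMetadata.xml"

[xml]$md = Get-Content -Path $MetadataPath -Raw

# Namespaces used by SAML 2.0 metadata and XML Signature.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# entityID is the issuer name Screencast-O-Matic will expect in every assertion.
$entity = $md.SelectSingleNode("/md:EntityDescriptor", $ns)
"Entity ID: $($entity.entityID)"

$idp = $md.SelectSingleNode("/md:EntityDescriptor/md:IDPSSODescriptor", $ns)
$idp.SelectNodes("md:SingleSignOnService", $ns) | ForEach-Object {
    "SSO endpoint: $($_.Binding) -> $($_.Location)"
}

# Token-signing certificates: assertions are verified against these, so note the expiry
# and plan to re-upload the metadata to Screencast-O-Matic before a rollover.
$certNodes = $idp.SelectNodes("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
foreach ($node in $certNodes) {
    $raw  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    "Signing cert {0} thumbprint {1} expires {2:yyyy-MM-dd} ({3} days left)" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $daysLeft
    if ($daysLeft -lt 30) {
        Write-Warning "Token-signing certificate rolls over soon; re-upload the IDP metadata to Screencast-O-Matic afterwards."
    }
}
```

Run it again whenever ADFS renews its token-signing certificate: the uploaded copy at Screencast-O-Matic does not refresh itself, so the new certificate must be re-uploaded through the same Authentication Settings page.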
Is First and Last name required to setup with Screencast-O-Matic SAML authentication? Can we just use the Name ID?
First and last name are required, as SAML requires setting up a user in our system.
Getting the first name and last name (given name and surname) to auto-populate in Screencast-O-Matic
If the name is not auto-populating, try mapping the LDAP attributes like this:
- Surname -> urn:oid:2.5.4.4
- Given-Name -> urn:oid:2.5.4.42
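The attribute mapping above, expressed as ADFS issuance transform rules and applied from PowerShell, with a read-back check that both OID claim types are actually issued before you run "Test Login". This is an added example, not code from the article or from Screencast-O-Matic. It assumes the relying party trust is named "Screencast-O-Matic" and, as an assumption of this example only, identifies users by their e-mail address in the Name ID; the article does not specify which attribute the Name ID should carry.

```powershell
# Added example (not from the article or from Screencast-O-Matic).
# Assumptions: the relying party trust already exists under $rpName; Name ID is built
# from the AD "mail" attribute (this choice is the example's, not the article's).
Import-Module ADFS

$rpName = "Screencast-O-Matic"

$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Screencast-O-Matic: e-mail, given name and surname"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "urn:oid:2.5.4.42",
                   "urn:oid:2.5.4.4"),
          query = ";mail,givenName,sn;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Screencast-O-Matic: Name ID from e-mail"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $transformRules

# Read the rules back and confirm both OID claim types are present.
$rules = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
foreach ($oid in "urn:oid:2.5.4.42", "urn:oid:2.5.4.4") {
    if ($rules -notmatch [regex]::Escape($oid)) {
        Write-Warning "Claim type $oid is not issued to $rpName; names will not auto-populate."
    } else {
        "OK: $oid is issued to $rpName"
    }
}
```

The LDAP rule is what the Management Console creates under "Send LDAP Attributes as Claims" when you type the two OIDs as outgoing claim types; the Name ID rule is only needed if you want the assertion's subject to be the e-mail address rather than whatever your existing rules issue.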
How often are user credentials revalidated?
With SAML enabled, users will be required to re-login after a month of usage.
Helpful Reference Links