This guide walks through configuring SAML 2.0 SSO with Okta as your IdP. Before starting the integration, you will need to contact StreamShark support to enable SSO on your account.
StreamShark supports SSO integration with both the Video Player and the Admin Portal; you will need to create two separate Okta apps, one for each. The setup processes are very similar, so we use the Video Player app as the worked example here.
Set up Video Player SSO app
Once your account has SSO enabled, you can navigate to https://app.streamshark.io/
1. In your Okta account, go to the Admin section, open Applications, and click "Create New App".
2. In the popup, select Web as the platform and SAML 2.0 as the sign-on method, then click Create.
3. On the General Settings page, give the app a name (for instance, StreamShark Player), optionally upload a logo (one is provided in the attachment), set the visibility as needed, and click Next.
4. On the Configuring SAML page, fill in the following values from the StreamShark portal:
* Copy the SP ACS URL into the Okta Single sign on URL field (it looks like https://play.streamshark.io/saml2/acs?c=xxx) and tick "Use this for Recipient URL and Destination URL".
* Copy the SP Entity ID into the Okta Audience URI (SP Entity ID) field (it looks like https://play.streamshark.io/saml2/metadata?c=xxx).
* Leave Default RelayState blank.
* Choose EmailAddress for Name ID Format.
* Choose Email for Application username.
In the Attributes section, add
* Name: firstName, Value: user.firstName
* Name: lastName, Value: user.lastName
5. Complete the Feedback tab to finish the setup on the Okta side.
6. A "View Setup Instruction" button now appears under the Sign On tab of the newly created app. Click it to open a page with the values that need to be entered into the StreamShark web portal.
* Copy the Okta Identity Provider Single Sign-On URL into the StreamShark SingleSignOnService URL field; the value looks like https://xxx.okta.com/app/streamsharkorgxxxxx_streamsharkplayerdemo_1/xxxxx/sso/saml
* Copy the Okta Identity Provider Issuer into the StreamShark Entity ID field; the value looks like http://www.okta.com/xxxxxx
* Download the X.509 Certificate, rename it to okta.pem, and upload it in the StreamShark X.509 Certificate field.
* Enter firstName as the First name attribute key, lastName as the Last name attribute key, and ssGroups as the Groups attribute key.
* Leave "Your organisation's authorization groups" empty.
7. Click Save, then click Test to verify the setup. If everything is correct you will see a success screen like the one shown; click Enable to finish the setup.
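The Test button checks the round trip for you, but it helps to know what it is checking. The following added example (not StreamShark's or Okta's code) parses a constructed, unsigned SAML response and compares its Destination, Recipient, Audience, Issuer and NameID format against the values entered in steps 4 and 6, then extracts the firstName, lastName and ssGroups attribute statements. The "xxx" placeholders and the sample user are assumptions, and signature verification against okta.pem is left out.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# The values entered in steps 4 and 6 above; "xxx" placeholders as on the page.
SP_ACS_URL = "https://play.streamshark.io/saml2/acs?c=xxx"
SP_ENTITY_ID = "https://play.streamshark.io/saml2/metadata?c=xxx"
IDP_ISSUER = "http://www.okta.com/xxxxxx"

# Constructed, unsigned sample response (not a real Okta response).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{SP_ACS_URL}"><saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="{EMAIL_FMT}">jane.doe@example.com</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"/></saml:SubjectConfirmation>
  </saml:Subject><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ssGroups"><saml:AttributeValue>StreamShark-Engineering</saml:AttributeValue>
      <saml:AttributeValue>StreamShark-Board</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def check_response(xml_text, acs_url, sp_entity_id, idp_issuer):
    """Return (problems, attributes). Signature checking against the uploaded
    okta.pem is out of scope for this example; only the bindings are compared."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match SP ACS URL")
    if root.findtext("saml:Issuer", namespaces=NS) != idp_issuer:
        problems.append("Issuer does not match the Entity ID entered in StreamShark")
    if assertion.find(".//saml:SubjectConfirmationData", NS).get("Recipient") != acs_url:
        problems.append("Recipient does not match SP ACS URL")
    if assertion.findtext(".//saml:Audience", namespaces=NS) != sp_entity_id:
        problems.append("Audience does not match SP Entity ID")
    if assertion.find(".//saml:NameID", NS).get("Format") != EMAIL_FMT:
        problems.append("NameID Format is not EmailAddress")
    # Multi-valued attributes (ssGroups) are kept as lists.
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall(".//saml:Attribute", NS)}
    return problems, attrs
```

A mismatch in any of these fields is what a failed Test usually comes down to, most often a pasted URL or Entity ID that differs from the one in the StreamShark SSO settings.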
Set up Admin Portal SSO app
You will need to go through a similar process if you need to set up SSO integration for Admin Portal access. Note that all the settings for the Admin Portal app must come from the Portal SSO tab.
In particular, the SP ACS URL and Entity ID look very similar to the Player app's, but the domain and the query parameters are different.
* Copy SP ACS URL from StreamShark portal to Okta Single sign on URL
* Tick the checkbox "Use this for Recipient URL and Destination URL"
* Copy SP Entity ID from StreamShark portal to Okta Audience URI (SP Entity ID)
* Choose EmailAddress for Name ID format and Email for Application username
Add Groups Support For Player Access
In many scenarios you may want a stream to be accessible only to certain groups within your organization, such as an all-hands for the Engineering team or a Q&A for the Sales team. This is where group-based access can help. The steps below show how to configure group access with Okta.
1. Make sure you have assigned groups to the users in Okta; if not, you can start the assignment from the page shown below.
2. Go to the application's settings page in Okta and add a group attribute under Group Attribute Statement. There are different ways to filter which groups are passed to us; here we use "Starts With", so the 3 groups in the screenshot above are passed.
3. Now head to the StreamShark admin portal. At the bottom of your SSO Settings, enter ssGroups as the Group attribute key and type in all the groups that may be passed to us. In this case we enter all 3 groups that start with StreamShark: StreamShark-Engineering, StreamShark-Marketing, StreamShark-Board.
4. After configuring the settings, go through Save and Test again. If the setup is correct, the success popup will include your groups' information.
5. Once the setting is enabled, the groups added here will be available in the Privacy Settings section of your Event setup. You can either choose Default, which allows everyone assigned this app to access the player, or choose specific groups.
Extra setting for Session Timeout Length
The standard way to set the session timeout length is on the IdP side, where a value called "sessionExpiration" is passed to the SP to indicate when the current login session expires. However, Okta does not currently support this for SSO logins, and a default of 2 hours is always applied instead.
To work around this, we introduced a custom attribute that can be passed from the Okta app settings and tells us how long we consider the session active on our side without further checking.
The key is "sessionTimeoutSeconds", and the value is the number of seconds after which the session expires. For instance, in the screenshot above, apart from the usual first name and last name attributes, the new attribute is added with a value of 86400 seconds, which is 1 day.
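To make the group and session-timeout behaviour from the two sections above concrete, the following added example (not StreamShark's or Okta's code) models Okta's "Starts With" group filter feeding ssGroups, flags groups that Okta passes but that were never typed into the StreamShark SSO settings, applies the Default-versus-specific-groups rule from Privacy Settings, and derives the session length from sessionTimeoutSeconds with the 2-hour fallback. The sample user, group names and the positive-integer guard are assumptions.

```python
from datetime import timedelta

DEFAULT_TIMEOUT_SECONDS = 7200   # the 2-hour default described above
GROUP_PREFIX = "StreamShark"     # value used with Okta's "Starts With" filter
# The groups typed into the StreamShark SSO settings in step 3 above.
CONFIGURED_GROUPS = {"StreamShark-Engineering", "StreamShark-Marketing",
                     "StreamShark-Board"}

def okta_starts_with_filter(user_groups, prefix=GROUP_PREFIX):
    """Model of Okta's "Starts With" group filter: only matching groups end up
    in the ssGroups attribute."""
    return [g for g in user_groups if g.startswith(prefix)]

def unconfigured_groups(ss_groups, configured=CONFIGURED_GROUPS):
    """Groups Okta passed that were never typed into StreamShark's SSO settings.
    They cannot be selected under Privacy Settings, so a non-empty result means
    the Okta filter and the StreamShark group list have drifted apart."""
    return sorted(set(ss_groups) - configured)

def may_view_event(ss_groups, event_groups):
    """Default (empty selection) admits everyone assigned the app; otherwise the
    viewer needs at least one of the groups selected for the event."""
    if not event_groups:
        return True
    return bool(set(ss_groups) & set(event_groups))

def session_timeout_seconds(attributes):
    """Seconds until the session expires: sessionTimeoutSeconds when it is a
    positive integer, otherwise the 2-hour default. The positive-integer guard is
    this example's own assumption, not documented StreamShark behaviour."""
    raw = attributes.get("sessionTimeoutSeconds", [None])[0]
    try:
        seconds = int(raw)
    except (TypeError, ValueError):
        return DEFAULT_TIMEOUT_SECONDS
    return seconds if seconds > 0 else DEFAULT_TIMEOUT_SECONDS

def session_expiry(login_at, attributes):
    """Absolute expiry time for a login at login_at (a datetime)."""
    return login_at + timedelta(seconds=session_timeout_seconds(attributes))

# Constructed sample: a user in several Okta groups, only some of which match.
USER_OKTA_GROUPS = ["Everyone", "StreamShark-Engineering", "Sales-APAC",
                    "StreamShark-Finance"]
SS_GROUPS = okta_starts_with_filter(USER_OKTA_GROUPS)   # what Okta would pass
```

Running unconfigured_groups on the values seen in a successful Test popup is a quick way to spot a group that the Okta filter passes but that was never added to the StreamShark group list.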