Yes. Screenly offers SAML support.
Please note that SAML support at Screenly is currently in alpha testing status.
SAML stands for "Security Assertion Markup Language" and allows users to transfer identity information between an identity provider (IdP) and a service provider (SP).
Please see below for more information on how to configure Screenly to work with SAML. As of August 3, 2021, Screenly SAML support only works with Auth0. Okta support is coming in the near future.
Screenly configuration
There are several settings to configure on the Screenly API.
The SOCIAL_AUTH_SAML_SP_ENTITY_ID setting is the SAML entity_id, the identifier of the SP as seen by the IdP. This value is usually a domain URL, such as screenlyapp.com.
To generate keys, use the following command:
openssl req -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.key
This generates the values for SOCIAL_AUTH_SAML_SP_PUBLIC_CERT (the contents of saml.crt) and SOCIAL_AUTH_SAML_SP_PRIVATE_KEY (the contents of saml.key).
Owner configuration
You can download metadata for testing here, and you can find production metadata here.
Configuring entityId and AssertionConsumerService:Location metadata is usually all an owner needs to do to configure the IdP.
The owner then must configure the IdP application with the SP metadata. Auth0 requires only two fields, which can be extracted from the metadata. However, these requirements can vary by provider.
The next step is for the owner to configure the SP with the IdP metadata and attribute mapping. To do so, the owner must open his or her Screenly Web Console, go to /manage/account/personal, and visit the SAML single sign-on section.
When creating or updating a SAML configuration, please note that the SAML configuration is stored on the auth server. Teams can have only one SAML configuration.
Step by step example for Auth0
Please see the steps for using Auth0 below.
Step One: Register at Auth0
Step Two: Create new web application
Step Three: Open SAML settings
Step Four: Set the SP metadata in the Auth0 SAML settings. The Callback URL is: https://screenlyapp.com/sso/complete/saml/?idp={domain}&RelayState={domain}
{domain} is the owner's team domain. The Auth0 SAML settings are:
{
"audience": "screenlyapp.com",
"recipient": "https://screenlyapp.com/sso/complete/saml/"
}
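As an added illustration (not Screenly's own code), the Python below pulls those two Auth0 fields, audience and recipient, out of SP metadata and builds the per-team Callback URL; the metadata document is constructed here to mirror the entityId and AssertionConsumerService Location values above, and the team domain is a placeholder.

```python
"""Derive the two Auth0 SAML addon fields (audience, recipient) from SP metadata.

Added example, not Screenly's own code. SAMPLE_SP_METADATA is constructed to
mirror the values on this page; a real deployment reads the SP metadata
document that Screenly publishes instead.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: entityID and AssertionConsumerService Location are the
# two values an owner configures for the IdP.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="screenlyapp.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="false" WantAssertionsSigned="true">
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://screenlyapp.com/sso/complete/saml/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def auth0_settings_from_sp_metadata(metadata_xml: str) -> dict:
    """Return {"audience": entityID, "recipient": ACS Location} as Auth0 expects."""
    root = ET.fromstring(metadata_xml)  # expat does not resolve external entities
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    audience = root.attrib["entityID"]
    acs = root.find(f"{{{MD_NS}}}SPSSODescriptor/"
                    f"{{{MD_NS}}}AssertionConsumerService[@Binding='{HTTP_POST}']")
    if acs is None:
        raise ValueError("no HTTP-POST AssertionConsumerService in metadata")
    recipient = acs.attrib["Location"]
    # The IdP posts signed assertions to this endpoint; refuse a plaintext HTTP one.
    if urlsplit(recipient).scheme != "https":
        raise ValueError(f"AssertionConsumerService must be https, got {recipient}")
    return {"audience": audience, "recipient": recipient}


def auth0_callback_url(recipient: str, team_domain: str) -> str:
    """Build the Auth0 Callback URL for one owner team: ACS endpoint + idp and RelayState."""
    return f"{recipient}?{urlencode({'idp': team_domain, 'RelayState': team_domain})}"


if __name__ == "__main__":
    settings = auth0_settings_from_sp_metadata(SAMPLE_SP_METADATA)
    print(settings)
    print(auth0_callback_url(settings["recipient"], "example-team"))  # placeholder team domain
```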
Step Five: Get the Auth0 IdP settings. The Issuer is the entity_ID, and the Identity Provider Login URL is the single sign-on URL. The certificate is in the Identity Provider Metadata; you can copy it from the generated file.
Step Six: Configure the Screenly web console. Fill in the corresponding fields in your online Screenly account. For Auth0, the email identifier and name identifier should be:
Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Once configuration is complete, click Copy URL and send the URL to the user. Please note that at the moment, users are not automatically added to the SAML team; this feature is coming in a future release.
What is the user authorization process with SAML?
First, the owner sends the SAML login URL to the user. This is necessary to invite a new user.
Next, the user is redirected to the IdP authorization screen.
The next step is for the user to complete authorization. When the user completes IdP authorization, the IdP redirects the user back to Screenly with the IdP's response.
The user can then register as a new user or, if the user already exists, the user can merge his or her account. This process is the same registration process as SSO.
That's it!
The user is now authenticated. Screenly treats the user as a regular Screenly user and redirects the user to the dashboard page.
If you have any questions, feel free to reach out to Screenly Support! You can submit a support ticket here.