Using SAML with TelemetryTV
The TelemetryTV web app lets you use SAML (Security Assertion Markup Language) to authenticate users through an external Identity Provider (IdP) and log them in to the Service Provider (TelemetryTV).
What is SAML?
SAML is an XML-based open standard for exchanging authentication data between organizations. It lets users log in to a third-party application such as TelemetryTV with the credentials they already hold at their organization's Identity Provider (IdP), instead of a separate password. The IdP authenticates the user and issues a signed assertion that identifies the user, typically by email address; the Service Provider (TelemetryTV) verifies that assertion and logs the user in. In TelemetryTV it is the email address carried in the assertion that ties the SAML login to an existing TelemetryTV user.
How does it Work?
SAML is an open standard in which the Identity Provider and the Service Provider agree in advance on a small set of shared identifiers (the Entity ID, the Team Name used as Audience, and the reply URL described below) and on the attributes that describe a user. When a user signs in, the IdP authenticates them and returns a SAML assertion to the Service Provider. The assertion is digitally signed with the IdP's private key; the Service Provider checks that signature against the IdP's X.509 certificate, confirms that the assertion was issued by the expected IdP and addressed to this Service Provider, and only then grants the user access. The certificate therefore provides integrity and authenticity of the assertion; it does not, by itself, encrypt it.
How do I configure SAML to work with the TelemetryTV app?
Inside the Service Provider (the TelemetryTV app) you configure the SAML values taken from your IdP (for example Azure AD or Okta): the Entity ID, the Sign-in URL and the Certificate. You also choose a Team Name, which you then enter in both the IdP and the SP so that both sides use the same identifier.
The guide below illustrates how to configure SAML on both the Identity Provider and within the Service Provider (TelemetryTV app).
Service Provider Configuration
Open https://app.telemetrytv.com and go to Settings -> Single Sign-On, as shown in the screenshot, Fig 1.1.
Force SAML: Toggling this option ON forces users of your account to log in using SAML only. Administrators of your account can still log in directly to TelemetryTV without SAML. Because administrator logins bypass the SAML requirement, keep the number of administrators small and protect those accounts with strong, unique passwords.
Team Name: This is the value your Identity Provider will call the 'Audience Restriction', 'Identifier' or 'Entity ID' of the Service Provider, depending on which SAML platform you use. It represents the group of users, or 'team', that signs in through this IdP. You choose it yourself; the value is arbitrary, but it must be entered identically in TelemetryTV and in the IdP so that the Audience in each assertion matches and TelemetryTV knows which team is signing in.
Entity ID: The Entity ID is taken from your IdP and identifies the Identity Provider that issues the assertions; TelemetryTV checks that the Issuer of each SAML response matches it. It is usually the IdP's domain, or similar, followed by a unique identifier, e.g. http://www.okta.com/abcdefg123456.
Sign-in URL: This is the URL provided by your IdP at which users enter their credentials (see the example in Fig 1.2). TelemetryTV redirects the browser here with a SAML request so that your Identity Provider can authenticate the user and return an assertion for this application. If you already have an active session with your IdP (its session cookie is still in the browser), the IdP may skip the login prompt and send you straight back to the app.
Certificate: Paste here the X.509 certificate (the IdP's public signing key) exported from your Identity Provider. TelemetryTV uses it to verify the IdP's signature on each SAML response.
Fig 1.2 Example of an Okta Sign-in URL in page
Identity Provider SAML Configuration
Configure the following Service Provider values on your Identity Provider side.
Reply URL (Assertion Consumer Service URL): https://user-api.telemetrytv.com/accounts/saml/response
Sign On URL: https://app.telemetrytv.com/start/enterprise
Team Name: Enter here the same Team Name you set in TelemetryTV; your Identity Provider may call this field 'Audience Restriction', 'Identifier' or 'Entity ID'.
NameID Format: This is assigned the value "email" or "user.email", depending on the provider; the NameID sent in the assertion must be the user's email address.
Note: The email address TelemetryTV holds for a user must match the email address assigned to that user in your Identity Provider. If they differ, the SAML login cannot be matched to a TelemetryTV user and sign-in fails.
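The following is an added example, not TelemetryTV's code, showing both halves of the exchange that the Service Provider and Identity Provider sections above describe: the redirect TelemetryTV-style SP would send to the IdP's Sign-in URL, and the checks an SP applies to the returned assertion using the configured Entity ID, Team Name (Audience) and Reply URL. The Reply URL and the Okta Entity ID are the values from this guide; the Team Name "acme-signage", the Okta Sign-in URL and the sample response are assumptions constructed for the example. Verifying the XML signature with the IdP's X.509 certificate is deliberately left out and noted in the code; it requires an XML-DSig library and must run before any of the other checks are trusted.

```python
# Added example (not TelemetryTV's code): SP-side SAML helpers built from the
# values in the guide. Real values: ACS_URL and the example Okta Entity ID.
# Assumed values: TEAM_NAME, IDP_SIGN_IN_URL and the sample response below.
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

ACS_URL = "https://user-api.telemetrytv.com/accounts/saml/response"   # Reply URL from the guide
IDP_ENTITY_ID = "http://www.okta.com/abcdefg123456"                    # guide's example Entity ID
TEAM_NAME = "acme-signage"                                              # assumed Team Name / Audience
IDP_SIGN_IN_URL = "https://acme.okta.com/app/acme_telemetrytv/abcdefg123456/sso/saml"  # assumed

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_authn_request_url(sign_in_url, acs_url, team_name, now=None):
    """SP-initiated login: build the redirect to the IdP's Sign-in URL.
    The HTTP-Redirect binding raw-DEFLATEs, base64-encodes and URL-encodes
    the AuthnRequest into the SAMLRequest parameter. Returns (url, request_id)."""
    now = now or datetime.now(timezone.utc)
    request_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{now.strftime(TIME_FMT)}" '
           f'AssertionConsumerServiceURL="{acs_url}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{team_name}</saml:Issuer></samlp:AuthnRequest>')  # Issuer = SP identifier (Team Name)
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits -15: raw DEFLATE, no zlib header
    deflated = deflater.compress(xml.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return f"{sign_in_url}?{query}", request_id


def decode_saml_request(url):
    """Inverse of build_authn_request_url, as the IdP does it: returns the AuthnRequest XML."""
    b64 = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def _t(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)


def validate_response(xml_text, idp_entity_id, team_name, acs_url, now):
    """SP-side checks tying the assertion to the configured values.
    Returns the user's email (the NameID) or raises ValueError.
    NOT done here: verifying the XML signature with the IdP's X.509 certificate.
    In production that check runs first (e.g. via python3-saml or signxml);
    without it every value checked below is attacker-controlled."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:                                   # Entity ID check
        raise ValueError(f"unexpected Issuer {issuer!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)     # NameID Format check
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT or "@" not in (name_id.text or ""):
        raise ValueError("NameID must be the user's email address")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or now >= _t(scd.get("NotOnOrAfter")):
        raise ValueError("assertion not addressed to our Reply URL, or stale")  # Reply URL check
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_t(cond.get("NotBefore")) <= now < _t(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if team_name not in audiences:                                # Team Name / Audience check
        raise ValueError(f"Audience {audiences} does not include {team_name!r}")
    return name_id.text


# Constructed sample response (unsigned; a real IdP signs the Assertion).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{TEAM_NAME}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)   # "current" time inside the validity window

if __name__ == "__main__":
    url, request_id = build_authn_request_url(IDP_SIGN_IN_URL, ACS_URL, TEAM_NAME)
    print("redirect to IdP:", url[:90] + "...")
    print("logged in as:", validate_response(SAMPLE_RESPONSE, IDP_ENTITY_ID, TEAM_NAME, ACS_URL, NOW))
```

Running the script prints the redirect and the email "alice@example.com". Changing TEAM_NAME on the SP side only, so that it no longer matches the Audience in the assertion, makes validate_response reject the login, which is exactly the failure you see when the Team Name entered in the IdP and in TelemetryTV differ.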