Introduction
This guide explains how to configure SAML 2.0 Single Sign-On (SSO) for Orchestrate, enabling secure authentication through an external identity provider.
It covers both the Orchestrate setup and the required configuration steps for providers like Microsoft Entra ID and ADFS.
By following this guide, you can establish a trusted federation and streamline user access management.
Prerequisites
This feature is only supported from Orchestrate 1.0.1 onwards.
You must have a third-party identity provider for single sign-on.
In this article
Configure SAML authentication in Orchestrate
Configuring Your SAML 2.0 Identity Provider solution to work with Orchestrate
Configure Microsoft Entra ID as an Identity Provider for Single Sign-on
Configure Orchestrate as a trusted relying party
Configure claim rules for the Orchestrate relying party
Grant the user access to Orchestrate
Signature verification for SAML requests
Configure ADFS as an Identity Provider for Single Sign-on
Configure Orchestrate as a trusted relying party
Configure claim rules for the Orchestrate relying party
Configure signature verification for SAML requests
Optional: configure authority_id claim rules
Set up an Active Directory User and map to an Orchestrate user role
Assign the user to the Active Directory User Group
Configure authority_id claim rule with Token-Groups – Unqualified Names attribute
Summary
Configure SAML authentication in Orchestrate
To set up SAML 2.0 based federation, Orchestrate and the identity provider must be configured to trust each other. This section describes the Orchestrate side of that trust configuration.
- Sign in to Orchestrate with an Administrator user account
- Navigate to the SAML Authentication tab: Organization > Details > SAML Authentication
- In the SAML Authentication tab, toggle the checkbox under Enable SAML Authentication
- In the Entity ID textbox, input the entity ID of the identity provider
- In the SAML Request Binding dropdown box, select the binding protocol for the Single Sign-On URL
- In the Single Sign-On URL textbox, input the endpoint URL of the single sign-on service provided by the identity provider
- Under X.509 signing certificate, click Choose File and upload the public certificate from the identity provider
- Under Sign request, toggle the checkbox if you want Orchestrate to sign the SAML requests it sends. After enabling this setting, download the certificate provided by Orchestrate and configure it in the identity provider so the IdP can verify those signatures.
Configuring Your SAML 2.0 Identity Provider solution to work with Orchestrate
After setting up SAML authentication in the previous section, the identity provider (IdP) used for authentication will be known to Orchestrate. The next step is to configure Orchestrate as a service provider in your IdP.
For Orchestrate to know who the user is once the IdP has verified their identity, claims must be configured in your IdP so that the identity information is included in the authentication response. The claims used by Orchestrate are listed below.
- Name ID (Required) - This is an identifier of the user who is being authenticated.
- user_loginname (Required) - This is the Orchestrate login username of the user who is being authenticated. It must be in email address format.
- authority_id (To be supported in future release) - This is a list of Orchestrate user roles to be granted to the user who is being authenticated.
Orchestrate manages user access control to resources through the use of user roles. User roles can be configured for users under Manage Users in the Orchestrate web application. After enabling Orchestrate SAML Single Sign-On, user roles can also be granted by the authority_id attribute.
Until this is supported, make sure a user account is created and assigned the correct user role in the Orchestrate web application.
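As an added example (not Orchestrate's own code), the following Python checks that an incoming SAML assertion carries the claims listed above before a user is admitted: a non-empty Name ID, a single user_loginname in email format, and an authority_id attribute whose values are reduced to known Orchestrate authority IDs. The assertion and the domain names in it are constructed, and KNOWN_AUTHORITY_IDS is a placeholder that holds only the one ID this guide mentions (102, SYSTEM Operator).

```python
"""Validate the claims Orchestrate needs from a SAML assertion (added example)."""
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Placeholder: only 102 (SYSTEM Operator) is given in this guide; the full
# list lives in the Appendix: Authority Id List referenced by the guide.
KNOWN_AUTHORITY_IDS = {"102": "SYSTEM Operator"}

# Constructed sample assertion (issuer and user are made up). authority_id is
# multi-valued on purpose: the ADFS Token-Groups rule emits every group name.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">alice@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="user_loginname">
      <saml:AttributeValue>alice@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="authority_id">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
      <saml:AttributeValue>102</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml):
    """Return (name_id, user_loginname, roles); raise ValueError if a required claim is bad."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("Name ID claim missing")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = [v.text.strip() for v in values if v.text]
    login = attrs.get("user_loginname", [])
    if len(login) != 1 or not EMAIL_RE.match(login[0]):
        raise ValueError("user_loginname must be a single email address")
    # Keep only values that are real authority IDs; ignore unrelated AD groups.
    roles = {KNOWN_AUTHORITY_IDS[v] for v in attrs.get("authority_id", [])
             if v in KNOWN_AUTHORITY_IDS}
    return name_id.text.strip(), login[0], roles


if __name__ == "__main__":
    print(extract_claims(SAMPLE_ASSERTION))
```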
Configure Microsoft Entra ID as an Identity Provider for Single Sign-on
This section provides instructions on how to integrate Microsoft Entra ID with Orchestrate using SAML-based single sign-on (SSO).
Configure Orchestrate as a trusted relying party
To begin, we first configure Azure to trust Orchestrate as a relying party.
- Sign in to the Azure portal by using a Microsoft account
- Select Microsoft Entra ID service
- On the left panel, select Enterprise Applications
- To add an application, select New Application
- In the Browse Azure AD Gallery page, select Create your own application
- The Create your own application pane opens. Input a name and select Integrate any other application you don’t find in the gallery (Non-gallery)
- Click Create.
- Once the app is created, the Enterprise Application page shows. On the left panel, select Single sign-on
- On the Select a single sign-on method pane, select SAML
- In the Set up Single Sign-On with SAML page, select the Edit button for Basic SAML Configuration
- The Basic SAML Configuration pane opens.
- Under the Identifier (Entity ID) section, select Add identifier and insert
- Under the Reply URL (Assertion Consumer Service URL) section, select Add identifier and insert
- Under the Sign on URL (Optional) section, insert
- Click the Save button at the top of the pane
Configure claim rules for the Orchestrate relying party
Next, add the claim rules for the relying party trust so that the attributes that Orchestrate requires are added to the SAML authentication response. Orchestrate requires two claims: Name ID and user_loginname.
- On the Set up Single Sign-On with SAML page, select the Edit button for Attributes & Claims
- Skip configuring the claim Name ID, because it is added as a Unique User Identifier by Azure AD automatically
- On the Attributes & Claims page, select the Add new claim button
- On the Manage Claim pane, create a claim for user_loginname with the following settings:
- Name: user_loginname
- Source: Attribute
- Source attribute: user.mail
- Click the Save button
Grant the user access to Orchestrate
Next, enable users to use Azure Single Sign-On by granting access to Orchestrate
- In the Azure portal, select Enterprise Applications, and then select All applications.
- In the applications list, select Amino Orchestrate
- On the left panel, select Users and groups
- Select the Add user/group button
- In the Add Assignment page, select the user in the Users list. Click the Select button at the bottom of the pane.
- Click the Assign button
Signature verification for SAML requests
Azure AD does not validate the signature on signed authentication requests even when one is present, so enabling Sign request on the Orchestrate SAML Authentication page has no effect for this provider.
Configure ADFS as an Identity Provider for Single Sign-on
This section provides instructions on how to integrate Active Directory Federation Services (ADFS) instances with Orchestrate using SAML-based single sign-on (SSO).
Configure Orchestrate as a trusted relying party
To begin, we first configure the ADFS server to trust Orchestrate as a relying party.
- Sign in to the ADFS server
- Open the Server Manager and select AD FS Management from Tools
- In the left console tree, right-click Relying Party Trusts and then click Add Relying Party Trust...
- In the Add Relying Party Trust Wizard, select the option Claims aware and click Start
- In the Select Data Source tab, select the option Enter data about the relying party manually
- In the Specify Display Name tab, specify the display name for the application.
- In the Configure Certificate tab, leave the certificate settings at their defaults.
- In the Configure URL tab, select the box Enable support for the SAML 2.0 WebSSO protocol and enter the SAML service endpoint: https://orchestrate-auth.amino.tv/login/saml2/sso
- In the Configure Identifiers tab, insert
  and click Add
- In the Choose Access Control Policy tab, select Permit all users to access this relying party, then click Next and review your settings.
- In the Ready to Add Trust tab, click Next if the information is correct.
- In the Finish tab, toggle Configure claims issuance policy for this application, and click Close to complete.
Configure claim rules for the Orchestrate relying party
Next, add the claim rules for the relying party trust so that the attributes that Orchestrate requires are added to the SAML authentication response. Orchestrate requires two claims: Name ID and user_loginname.
- Right-click the relying party for Orchestrate and then click Edit Claim Issuance Policy...
- In the Edit Claim Issuance Policy dialog box, click Add Rule... to create a claim rule for Name ID
- Select Transform an Incoming Claim and then click Next.
- Configure the rule with the following settings:
- Claim rule name: NameID
- Incoming claim type: UPN
- Outgoing claim type: Name ID
- Outgoing name ID format: Persistent Identifier
- Click Finish
- Next, click Add Rule... to create a claim rule for user_loginname
- Select Send LDAP Attributes as Claims and then click Next. Create a rule with the following settings:
- Claim rule name: user_loginname
- Attribute store: Active Directory
- LDAP Attribute: E-Mail-Addresses
- Outgoing Claim Type: user_loginname
- Click Finish
- In the Edit Claim Issuance Policy dialog box, click Apply and OK to complete
Configure signature verification for SAML requests
Next, configure the signature verification certificate which will allow verification of signatures in SAML requests. The certificate can be downloaded from Manage Domain > SAML Authentication in Orchestrate.
- Right-click the relying party for Orchestrate and then click Properties
- In the Signature tab, click Add
- Upload the signature verification certificate provided by Orchestrate
- Click Apply and OK to complete
Optional: configure authority_id claim rules
After completing the above sections, SSO should now work with Orchestrate. This optional section describes how to grant Orchestrate user roles to users through claims configured in the IdP.
There are several ways to retrieve a user’s group membership and transform the membership into a claim. The following is an example of how to set up Active Directory user groups and map them to an Orchestrate user role using the standard ADFS attribute, Token-Groups – Unqualified Names, to provide all group names as Orchestrate user roles in the authority_id claim.
Set up an Active Directory User and map it to an Orchestrate user role
- In your Windows Server, open Active Directory User and Computers
- Right-click Users and select New > Group
- Create a group mapped to an Orchestrate user role with the following settings:
- Group name: <Orchestrate user role authority id>
The <Orchestrate user role authority id> can be found in the Appendix: Authority Id List. The following uses 102 (SYSTEM Operator) as an example.
- Click OK to complete
Assign the user to the Active Directory User Group
- Open Active Directory User and Computers
- Right-click a user and select Properties
- In the Member Of tab, click Add...
- In the Enter the object name to select textbox, input the name of the Group mapped to the Orchestrate user role. Click Check Names to verify, and the group name will be underlined. Click OK to confirm.
- In the Member Of tab, a new group name will be added.
- Click Apply and OK to complete.
Configure authority_id claim rule with Token-Groups – Unqualified Names attribute
- Right-click the relying party for Orchestrate and then click Edit Claim Issuance Policy...
- In the Edit Claim Issuance Policy dialog box, click Add Rule... to create a claim rule for authority
- Select Send LDAP Attributes as Claims and then click Next.
- Configure the rule with the following settings:
- Claim rule name: authority_id
- Attribute store: Active Directory
- LDAP Attribute: Token-Groups – Unqualified Names
- Outgoing Claim Type: authority_id
- Click Finish
- In the Edit Claim Issuance Policy dialog box, click Apply and OK to complete