Eagle Eye Application Note - AN022 

Configuring SSO in the Eagle Eye Cloud VMS Enhanced Web Interface

2025-08-27   Revision 03.00

This guide is intended for Eagle Eye Cloud VMS users, particularly those using the Enhanced Web Interface, who want to leverage the convenience and security of single sign-on (SSO) with common or custom Identity Providers (IdPs). Resellers can also configure SSO for their end users. Users of all VMS editions can log in with Microsoft or Google as an IdP, but Standard Edition users are limited to the following domains:

Professional and Enterprise Edition users can log in via the IdP buttons even without SSO configured. Administrators will always have the ability to log in directly.

• What is Single Sign On - SSO?

• Prerequisites

• Configuring Google IdP via SSO

• Configuring Microsoft IdP via SSO

• Configuring Okta IdP for Eagle Eye SSO

• Obtaining a redirectUri from Okta

• Configuring SP-initiated SSO settings for Okta 

• SP initiated the SSO flow

• IdP initiated SSO flow

• Configuring automated user provisioning for Okta

• Configuring Azure Active Directory as the IdP

• Configuring a new application in Azure AD

• Configuring SP-initiated SSO settings for Azure Active Directory

• SP-initiated SSO flow

• IdP-initiated SSO flow

• Setting up IdP-initiated SSO flow

• Troubleshooting

• Known errors

• SSO Configurations

SSO (Single Sign-On) enables you to log in to multiple applications or services using a single set of login credentials. Instead of needing a separate username and password for each service, SSO allows you to use a single identity to access all services. It simplifies login and increases security because you're managing fewer passwords.

Personal SSO (Google/Microsoft):

• Personal accounts like Google and Microsoft work as Identity Providers (IdPs) for SSO.

• You use the same account you have for Gmail or Outlook, for example, to log in to other apps that support SSO.

• It’s mainly used for individual services, personal accounts, or smaller setups, where using a Google or Microsoft login adds convenience.

Corporate SSO (Okta/Azure):

• Corporate SSO solutions, such as Okta or Microsoft Azure Active Directory (Azure AD), are designed specifically for businesses.

• They enable companies to manage employee logins to various internal systems, apps, and cloud services from a single, centralized location.

• Okta and Azure AD offer more control, security, and integration options. Companies can enforce policies like multi-factor authentication (MFA) and easily manage who has access to which services.

• These systems are designed for large organizations where security, compliance, and scalability are crucial.

Key Differences:

• Personal SSO (Google/Microsoft): Great for convenience, more for individuals or small-scale users.

• Corporate SSO (Okta/Azure): Designed for businesses, providing higher security, access control, and scalability for large teams.

Before setting up SSO, you will need the following items. Some of these items depend on the method being used, such as Google, Okta, or Microsoft. 

• Administrator privileges within the Eagle Eye Cloud VMS.

• Obtain your Eagle Eye account ID (Account number) via
  Admin > Account settings > General
  
  

• <registration-id> is the Eagle Eye Account ID.

• <domain-branding> can be eagleeyenetworks.com, mobotixcloud.com, etc.

• <webapp-url> can be https://webapp.eagleeyenetworks.com (Based on the domain branding, you can use different values for this and ensure they are URL-encoded).

• Obtain the redirectUri for the account: https://auth.eagleeyenetworks.com/login/oauth2/code/

• If you do not have an account in Azure AD, register for a free account at https://azure.micrsoft.com

• If you do not have an account in Okta, register for a free account at https://www.okta.com

1.  Go to Admin > Account Settings > Identity Provider and select Google.
   

2. Leave the 'Login Only via Single Sign-on' checkbox unchecked to allow non-administrator users the option to log on with a direct password or by clicking 'Continue with Google' to log in via SSO.
   

3. Check the Login only via Single-Sign-On box to prohibit non-administrator users from logging into the VMS with a direct password. By entering a non-administrator username and clicking Next, the user is automatically redirected to the Google IdP for authentication. Additionally, users can log in using the Continue with Google button in the login interface.
   

1. Go to Admin > Account Settings > Identity Provider and select Microsoft.

2. Leave the Login only via Single Sign-On box unchecked to allow non-administrator users the option to log in with a direct password. They will also have the option to log in by clicking the Continue with Microsoft button in the login interface. 
   

3. Check the Login only via Single-Sign-On box to prohibit non-administrator users from logging into the VMS with a direct password. By entering a non-administrator username and clicking Next, the user is automatically redirected to the Microsoft IdP for authentication. Additionally, users can log in using the Continue with Microsoft button in the login interface. 
   

Obtaining a redirectUrl from Okta

1. Open your Okta administrator dashboard and select Applications> Applications from the left navigation menu. Click Create App Integration.

2. On the Create a New App Integration screen, select OIDC for Sign-in Method and Web Application for Application Type. Click Next.
   

3. On the New Web App Integration screen, enter the name for your app integration and the URL for the sign-in redirect URL: https://auth.eagleeyenetworks.com/login/oauth2/code/ 
   

4. The Application Integration Information appears on the next screen. The Client ID and Client Secret Information needed for configuring the VMS Cloud appear here.
   

5. On the Assignments tab, choose the people who can use this login option for the Cloud VMS.
   

6. To use IdP-initiated login, make the following configurations on the Application > General tab.
   

In the Initiate Login URL box, enter: https://auth.eagleeyenetworks.com/sso?issuer={registrationId}&target_link_uri={webapp_url}

The registrationId is your Eagle Eye account ID. Your login URL will be: https://auth.eagleeyenetworks.com/sso?issuer=00000011&target_link_uri=https%3A//webapp.eagleeyenetworks.com

Configuring SP-initiated SSO settings for Okta 

Note: Okta does not have a login link in the Cloud VMS.

The Okta settings are shown below:

Update the Client ID and Client Secret with the values from the Okta application created. For the Issuer URL, you can use the actual Okta domain https://<your-okta-domain>. (Do not include “/” at the end.).

SP initiated the SSO flow

Log in to the application, 

1. Provide a non-administrator user account at the identifier's first page. 

2. Login with Okta and provide consent. 

IdP initiated SSO flow:

1. Go to "https://<your-okta-domain>/app/UserHome"

2. Log in with a user who exists in your Eagle Eye Networks account and has the same email address.

3. Click on the Application you created to be redirected to the application.

Configuring automated user provisioning for Okta

1. Check the Add New Users if they Do Not Already Exist box in the Identity Provider Integration via Single Sign-on screen in the Cloud VMS interface. 
   

2. Log in to the application. Go to "https://<your-okta-domain>/app/UserHome"

3. Log in with a user who does not exist in your EEN account using the same email address.

4. Click the Application you created, and you will be redirected to the application, where it will be auto-provisioned.
   

Configuring a new application in Azure AD

1. Log in to the Azure console (https://portal.azure.com/#home) and navigate to Manage Microsoft Entra ID (previously known as Azure ID).

2. Go to App Registrations in the left panel and create a new registration.

3. Provide the following information under the Register an Application wizard:

1. Name the application.

2. Set the Supported Account Type to Accounts in this Organizational Directory Only.
   

3. Use the redirect URI as obtained in the Prerequisites.

4. New installations should have a redirect url (without the accountId): https://auth.eagleeyenetworks.com/login/oauth2/code/
   

4. On the Application Overview screen, create a client credential using the
   Add a Certificate or Secret option. 

5. Click New Client Secret.
   

6. Enter a description of the secret and an expiration date.
   

7. Copy the Value field to a text file and save it.

8. Navigate to the API Permissions on the left panel and select Add a Permission.

9. Add Email and OpenID permissions.
   

10. Navigate to Token Configuration from the left panel and click Add Optional Claim.

11. In the Add Optional Claim wizard, select Adding verified_primary_email is optional.
    

12. You can also update the consent page using the "Branding & Properties" tab in the left panel.

13. Assign users to the application. Navigate to ”Home > Manage Microsoft Entra ID > Enterprise Applications” and select your application. Go to "Assign Users and Groups" and assign users as shown below to the application. 
    

Configuring SP-initiated SSO settings for Azure Active Directory

Use the instructions in this section to configure the organizational Microsoft SSO.

1. Update the "Client ID" (Application (client) ID) and "Client Secret" with values you got from the Azure AD application created in Prerequisites. 

2. You can find the <tenant-id> on the Overview page.

SP-initiated SSO flow

You should now be able to log in to the application.

1. Provide a non-administrator user account at the identifier home page.

2. Log in with Azure AD and provide consent.

Note: Ensure that the same user is created on the Azure AD side.

IdP-initiated SSO flow:

1. Update the homepage URL in the Branding & Properties section of the application as follows:

2. Navigate to the Enterprise Application tab and select your application. In the left panel, select Manage > Properties. Set Visible to Users to Yes.
   

Setting up IdP-initiated SSO flow

1. Go to: https://myapplications.microsoft.com?tenantId=<tenant-id>

2. Log in with a user who exists in your Eagle Eye Networks account and has the same email address.

3. Click the Application you created, and you will be redirected to the application.

Configuring auto user provisioning for Azure AD

1. Check the 'Add New Users if They Do Not Already Exist' box in the Identity Provider Integration via Single Sign-on screen in the Cloud VMS interface and click Save.
   

IdP-initiated SSO with auto user provisioning flow

1. Log in to the application. Go to https://myapplications.microsoft.com?tenantId=<tenant-id>

2. Log in with a user who exists in your Eagle Eye Networks account and has the same email address.

3. Click the Application you created, and you will be redirected to the application.
   

Troubleshooting SSO

Several error messages may occur when setting up SSO. Below is an overview of the most common ones. If you encounter any new or different errors, please report them to support@een.com so we can add them to this document for future reference.

Known errors:

1. Microsoft Error: A different configured IDP is set for this user, and the user can only be authenticated by the configured IDP.
   
   Solution: Users are trying to use the 'Continue with Microsoft' button when they should log in via https://myapplications.microsoft.com. This button is only for personal accounts.
   

2. Microsoft Error: Newly created app doesn’t show on my application page:

1. Make sure the user is added to the enterprise application.

2. Make sure to make the application visible:
   

1. Microsoft Error: Newly created users see No permissions to preview.
   

1. New users don’t have any default permissions added; these need to be granted by the admin from within the Enhanced Web Interface.
   

1. Microsoft Error: Authentication failed due to a configuration issue with your Single Sign-On (SSO). Please contact your administrator!
   

1. Please verify the Client ID and the Client Secret entered on the Enhanced Web Interface.
   

1. Microsoft Error: Unable to log in, tenant identifier is invalid:
   
   

1. Please verify that the Tenant ID is entered correctly with a valid ID

1. Microsoft Error: The email ID received from the Identity Provider (IDP) is invalid:
   

1. A user is not configured with a valid email address on the Azure portal.
   

1. Microsoft Error: Illegal operation detected! Wrong registrationId.
   

1. A user attempting to sign in is already listed under a different account within our VMS.

2. Create a separate account or remove the old one to log in.
   

8. Microsoft Error: HTTP ERROR 500:
   

1. Verify the redirectURI: it should resemble this, where the issues are the account ID and the target_link_uri is webapp.eagleeyenetworks.com or <branding>.webapp.eagleeyenetworks.com

9. Okta Error: 403 Access forbidden
   

1. Verify if settings are correct in our Enhanced Web Interface:

1. Make sure Okta is selected as the Identity provider

2. Client id

3. Client Secret

4. Issuer URL (example Okta url: https://<subdomain>.okta.com)
   

9. Okta Error: 404 Page not found:
   

1. Verify the issuer URL; this is probably wrong:

1. https://trial-7462771.okta.com/ < correct one (example)

2. https://trial-7462771-admin.okta.com/ < wrong one (example
   ^ This is a link to the Okta admin panel instead of the Okta user dashboard.
   
   

10. Unable to authenticate the user:

1. Unable to authenticate the user.

1. Redirect URI is wrong:
   https://auth.eagleeyenetworks.com/sso?issuer=00170929&target_link_uri=webapp.eagleeyenetworks.com
   Instead of:
   https://auth.eagleeyenetworks.com/sso?issuer=00170929&target_link_uri=https%3A//webapp.eagleeyenetworks.com

2. Make sure the target link is formatted correctly with https%3A// instead of https://
   

This overview shows all possible SSO configurations and the available options that accompany them:

For support please email: support@een.com 

or give us a call at: 512-473-0501

Eagle Eye Knowledge Base

US: +1-512-473-0501 

EU: 31 (0) 20 26 10 461

ASIA PACIFIC: +81-(3)-6869-5477

#1 In Cloud Media Video Surveillance Worldwide

Copyright Eagle Eye Networks. All rights reserved.