Implementing Single Sign-On (SSO)

Implementing Single Sign-On (SSO)

Implementing Single Sign-On (SSO)

Eagle Eye Cloud VMS



2023-05-16   Revision 1.0



Target Audience


This Application Note is intended for Resellers of the Eagle Eye Cloud VMS whose customers wish to utilize the convenience and security offered by single sign-on, as well as those End Users wishing to set it up for themselves. Note that SSO is included with both Professional and Enterprise editions.



Introduction


Eagle Eye Networks allows users to log in using single sign-on via an identity provider that  supports SAML v2.0 (Security Assertion Markup Language). This document provides the information required to set up the Identity Provider (IdP) for single sign-on (SSO) with the Eagle Eye Networks Cloud VMS. Common systems used for SSO are Microsoft Azure Active Directory, Okta, and Google Cloud Platform. Users can login with their corporate emails, which offers the following benefits: 

  • Easier login experience for the user. 

  • Increased security because there are fewer passwords to remember. 

  • Higher productivity because people spend less time logging in to their system. 

  • Easier IT administration. If an employee departs the company, access can be revoked for multiple applications at once.




Prerequisites


In order to configure SSO, the following requirements should be met: 

  • You must be a Professional or Enterprise Edition user as SSO support is only available in the Professional and Enterprise Editions of the Eagle Eye Cloud VMS.

  • You must enable Branding. To do this, log in to your Reseller account, then click your profile name and Account Settings. If Branding has already been enabled, it will be the default tab shown in Account Settings. If you do not see the Branding tab, please contact your sales engineer to have this enabled.

  • Single sign-on options must have been enabled for you by Eagle Eye Networks. Contact your sales engineer if you need to have this enabled. 

The person configuring SSO in the VMS must have the following knowledge and access: 

  • Basic knowledge of SAML 2.0.

  • Access to the Eagle Eye Networks Cloud VMS account with administrator privileges.

  • Administrator access to the desired Identity Provider (IdP).


Limitations


  • SSO in the Eagle Eye Cloud VMS is limited to being set at either the Reseller level or the End User account level. It cannot be set up at both. So, if a Reseller sets up SSO for a specific end user account, they cannot use SSO for their own Reseller account.

  • If you choose to enable SSO at the End User account level, login must be initiated within the identity provider (Azure, Okta, etc.).

  • The mobile app does not support SSO at this time so it cannot be used if SSO is enabled.





Configuration Limitations


As mentioned above, SSO configuration can be done at either the Reseller account level or the End User account level. Both methods are detailed in the section below.

Reseller Account

  1. Enable Branding

To enable SSO, the Reseller must first enable branding by going to Account Settings, then Branding as shown below to enable branding.


The sub domain field will be used to then create a unique URL which will be used for SSO. For example, if the sub domain used is “security” then the unique URL will be security.eagleeyenetworks.com. The other required fields are Company Name, Small Logo, and Large Logo. After setting up the brand details, click Save.

  1. Enable Identity Provider

Once branding is configured and the page is refreshed, a tab labeled Security is available in Account Settings. Using the Identity Provider tab under this, an Identity provider can be set up.

You will use this tab to select “Use my own Identity Provider to sign in (single sign-on)”. In this option there will be one IdP to set up for all End User accounts. As the Reseller, you are responsible for setting up the SSO, and users will use the same identity provider. 

  1. Configure Identity Provider

Jump to Configure Identity Provider via SAML to continue with the setup.

End User Account

  1. Enable Branding

Enable branding using the same procedure covered in Step 1 of the Reseller Account. Once that is completed, continue to Step 2 of this section.

  1. Enable Identity Provider

Once branding is configured and the page is refreshed, a tab labeled Security is available in Account Settings. Use the Identity Provider tab to set up an Identity provider.

You will use this tab to select “Allow ONLY End User Accounts to enable SSO.” Setup must then be continued in the end user account. Click Save changes, then log out.

  1. Log in to the End User Account and Enable SSO

Log in to the Eagle Eye Cloud VMS End User Account and navigate to Account Settings → Security → Identity Provider. Enable SSO by selecting “Use my own identity provider to sign in.” The settings required to activate SSO will appear after selecting that option.

When setting up the IdP, there is an additional option to “Create user if one does not exist.” If this is enabled, anyone authenticated by the IdP will automatically have a VMS account created without permissions.

 Configure Identity Provider via SAML

Now that SSO has been enabled either at the Reseller or End User Account level, the remaining steps are identical. You need to set up the identity provider and VMS to work together and these basic concepts are covered in this section. Some specific examples of IdPs will then be covered in the following section.

To set up the identity provider, there are configurations that need to be shared between the service provider (Eagle Eye Networks) and the account IdP. Below is the Eagle Eye Networks SAML information that needs to be added in the IdP:


Field

Value

Identifier

eagleeyenetworks.com

Reply URL
(Assertion Consumer Service URL)

https://<brandsubdomain>.eagleeyenetworks.com/g/aaa/sso/SAML2/Authenticate

Logout URL

https://login.eagleeyenetworks.com/g/aaa/sso/SAML2/LogOut

Below are the required claims that are needed in the assertion:


Field

Value

Required

NameId

User email

Yes

firstName

User first name

No

lastName

User last name

No

Once this is added in the IdP, you will also need to save the IdP secrets in the Eagle Eye Cloud VMS Identity provider settings (Account Settings → Security → Identity Provider). The IdP will provide the following information that you need to enter into the appropriate fields here:


Field

Description

Single Sign-On URL

The URL to which Eagle Eye Networks will redirect the user to login

Issuer

The unique name for the identity provider

X.509 Certificate

The certificate to set up secure communication

After saving the changes, SSO is successfully configured. 


Microsoft Azure Setup

Create a New Application

  1. Log in to the Azure Portal at https://portal.azure.com.

  2. Click Azure Active Directory.

  3. Click the + Add dropdown and then Enterprise application.

  1. Then select + Create your own application.

Afbeelding met tekst Automatisch gegenereerde beschrijving

  1. Enter an application name, such as “Eagle Eye Cloud VMS Login,” select the option to Integrate any other application you don’t find in the gallery (Non-gallery), and click Create.

  2. Find “set up single sign-on” and click Get Started.

  1. Choose SAML as the SSO method.

  2. Use the SAML configuration values provided in the “Configure Identity Provider via SAML” section.

  3. Enter the following values in the “User Attributes & Claims”:

    1. Please note that some user attributes will be created by default so these need to be deleted.

Claim Name

Claim Value

Unique User Identifier (Name ID)

user.mail [nameid-format:emailAddress]

firstName

user.givenname

lastName

user.surname

  1. Enter the following values in the “SAML Signing Certificate” section:

    1. Signing Option – Sign SAML assertion

    2. Signing Algorithm – SHA-1

  2. The “Set up <application name>” section then provides you with the values you need to configure the Eagle Eye Cloud VMS, and the SAML Signing Certificate section provides you with the certificate needed in the VMS. The table below shows how the values relate:

Azure Value

VMS Entry

Login URL

Single sign-on URL

Azure AD Identifier

Issuer

Certificate (Base64) (Download)

X.509 Certificate (Choose File)

Set Up Users

  1. On the new application’s Azure landing page, click Users and groups.

  1. Click  + Add user/group.

  2. Choose the users you want to add to the SSO application, then click Select to confirm.

  3. As an optional step, customize the logo being utilized by going to Properties and browsing for a file. If you skip this type, the Microsoft Azure logo will be the default logo.




 Okta Setup

  1. Log in to Okta as an admin and click Create App Integration.

  1. Choose SAML 2.0

  2. Give your App a name and a logo.

  1. Fill in the details as shown in the table below:


General Settings

Single sign-on URL

https://<brand>.eagleeyenetworks.com/g/aaa/sso/SAML2/Authenticate

or

https://<custom domain>/g/aaa/sso/SAML2/Authenticate


Where <brand> and <custom domain> are specific to your VMS account.

Audience URI (SP Entity ID)

https://<brand>.eagleeyenetworks.com/saml/metadata

or

https://<customdomain>.eagleeyenetworks.com/saml/metadata

Default RelayState

<leave blank>

Name ID format

EmailAddress

Application username

Email

  1. Click the link to show the Advanced Settings, then populate them as shown below:

Advanced Settings

Response

Signed

Assertion Signature

Signed

Signature Algorithm

RSA-SHA1

Digest Algorithm

SHA1

Assertion Encryption


Enable Single Logout

Unchecked

Authentication context class

X.509 Certificate

Honor Force Authentication

Yes

SAML Issuer ID

http://www.okta.com/${org.externalKey}

  1. Add the following attributes to the Attribute Statements:

Attribute Statements

firstName

user.firstName

lastName

user.lastName


  1. Locate the SAML Signing Certificates section and click View SAML setup instructions to find the information that you need to add to the VMS.

  2. Add the information to the VMS WebApp as described above.

  3. Return to Okta and go to Applications.

  4. Click Assign Users to App.

  5. Select the users you want to assign to the app (enabling SSO for them), then click Next and confirm. SSO should now be working for your users.

  6. You can test the app by logging in to Okta as a user and clicking the tile to log into the VMS.





For support please email: support@een.com 

or give us a call at: 512-473-0501

Eagle Eye Knowledge Base

US: +1-512-473-0501 

EU: 31 (0) 20 26 10 460

ASIA PACIFIC: 81-3-686-5527

#1 In Cloud Media Video Surveillance Worldwide

Copyright Eagle Eye Networks. All rights reserved.



    • Related Articles

    • DMP Integration

      DMP Integration Digital Monitoring Products is a commercial security provider and partner of Eagle Eye. DMP offers the ability to integrate Eagle Eye and view cameras through Virtualkeypad.com or the Virtual Keypad app. Below are instructions for ...

    • Bad Signal Protection

      What is Bad Signal Protection? Bad Signal Protection protects your Eagle Eye unit’s analog card from bad or degraded signals being provided by an analog camera. This can be due to a bad camera, cable, power supply, connectors, or environmental ...

    • Message endpoints port change

      Important information for all integration partners that have a connection to our messaging system:   We have aligned all our message end-points into one unified end-point, which is reachable through messages.cameramanager.com: ...

    • Analog Camera/Encoder FAQ & Troubleshooting Guide

      Analog Camera/Encoder FAQ & Troubleshooting Guide An analog/HD analog to digital encoder allows analog cameras to interface with an EEN Bridge/CMVR over a standard RJ45 ethernet cable. When using analog cameras, the quality of the electricity on site ...

    • Reseller Starter Guide

      Reseller Starter Guide Welcome to Eagle Eye Networks, the number one in cloud based video surveillance worldwide. Here are a few tips and guides to help you get started. Accounts From your Reseller Dashboard you have the ability to create SubAccounts ...