What is Single Sign-On?

Single Sign-On (SSO) is a way for you to make use of an existing system to allow access to your video site.

The idea is that whenever an unknown user visits your videosite, they are sent to your system for authentication and sent back to us with a valid login token that allows them to freely browse your site. If the user does not have access to your authentication system (such as Active Directory) they will not have access to your video site either.

SSO Integration Options

TwentyThree offers the following options for integrating Single Sign-On:

• SAML: The Security Assertion Markup Lanaguage is an open standard for exchanging authentication and authorization data between parties. It is widely supported by different platforms and services, notably Active Directory through Federation Services (ADFS). You can read a step-by-step guide to setting it up in our help center.
• OKTA: OKTA is an identity platform for managing access between multiple platforms and identity providers (such as Active Directory, Google, Facebook, etc). TwentyThree is a registered provider, allowing simple setup through their site.
• Custom: Implement your own solution for authenticating users.

Custom SSO Integration

TwentyThree supports custom integration with any external system with a bit of development and the use of our API.

The first step is to set up an application with privileged credentials and authorise these through OAuth – instructions can be found here. The next step is to set up a page on your own site that handles user authentication. Your page should do the following:

1. Authenticate the user against your system.
2. Retrieve an access token from /api/session/get-token.
3. Redirect the user to /api/session/redeem-token with the given token.

For step 1, the traditional solution is to authenticate them against a known user database or internal identity provider. However, you are free to grant users access based on whatever logic you implement. This might include a required e-mail signup or by having the user pay for access.

In your video site backend, go to Settings → Access and enable "Single sign-on or Paywall" and enter the URL for the page you created above.

Once setup, any user trying to access your video site will be redirected to the URL you entered along with the query string return_url=<path>, where <path> is the relative URL they were trying to visit. You can use this URL in step #2 to redirect the user back to the exact page they were trying to visit.

Example

The videossite access is set to Single sign-on or Paywall and the Remote login URL is set to http://mynormalsite.com/sso-login.php.

1. The user attempts to access http://videosite.23video.com/cool-video
2. They are redirected to http://mynormalsite.com/sso-login.php?return_url=/cool-video
3. The page requests a token from the API and redirects the user to http://videosite.23video.com/api/session/redeem-token?session_token=abcdef123456
4. The user is granted access and redirected to http://videosite.23video.com/cool-video

Visitor or Administrator Access

By default, single sign-on only authenticates users to access the frontend of the video site. There is an option found in Settings → Access that allows you to enable SSO for back-end login as well.

This feature works by comparing the email provided in the call to /api/session/get-token with e-mails of the existing users. If a match is found, the user is logged in as that specific user in the backend rather than as an anonymous visitor.

Warning: Make sure that you do not use any shared e-mails and that the single sign-on page has been thoroughly tested, as this feature can grant full administrator rights to users logged in through SSO!