Signiant Support

Understanding SAML for Media Shuttle

Media Shuttle allows user authentication by two methods:

  • Through Media Shuttle itself
  • Through Single Sign-On (SSO) using SAML 2.0 (Security Assertion Markup Language)

Either or both of these options can be configured for any portal.

SAML allows you to authenticate portal members using services such as Microsoft Active Directory Federation Services or other third-party providers such as Okta or OneLogin.

The main benefits of using SAML are:

  • Password policy stays with your identity provider: because members authenticate against your directory service or identity provider rather than Media Shuttle, you set and enforce your own password policies.
  • Reduced password risk in SaaS products: Media Shuttle stores no passwords for SAML-authenticated members.
  • Automated expiry of credentials: when you remove a member from your directory service or third-party identity provider, they immediately lose the ability to sign in to Media Shuttle.
  • Simplified onboarding: New members can be added automatically to Media Shuttle.

Service Provider/Identity Provider

A trust relationship is established between Media Shuttle and the SAML authentication service. In this trust relationship, Media Shuttle is known as the Service Provider (SP) or Relying Party, and the SAML authentication service is known as the Identity Provider (IdP) or Claims Provider.

Configuration Options

SAML can be configured at the Account level or Portal level. At the Account level, all existing portals, as well as any new portals, are configured using the same settings. At the Portal level, individual portals can be configured differently.

Administrators can also require SAML authentication for members from specific email domains, while all other domains are authenticated through Media Shuttle or a second SAML identity provider.

For configuration instructions, see Configuring SAML for Media Shuttle.

End User Experience

When logging into a Media Shuttle portal with SAML enabled, members will see a prompt to enter their email address, or a link to sign in using SAML.

Note: You can customize the SAML sign-in link through your Security settings.

If the portal is configured for authentication through Media Shuttle only, the portal member is directed to enter their password.

If the portal is configured only for SAML authentication through one identity provider, the portal member is directed to that identity provider.

If the portal uses authentication through two SAML identity providers, the portal member enters their email address and is then directed to the relevant identity provider.

If the portal is configured for both Media Shuttle and SAML authentication, the portal member enters their email address. Depending on the email domain, the portal member is either directed to enter their password or directed to the identity provider.

After successful SAML authentication, the identity provider returns the user to the Media Shuttle portal by posting a signed SAML Response to the portal's Assertion Consumer Service (ACS) URL. Media Shuttle identifies the member from the subject (NameID) of the assertion in that response, which carries the member's email address, not from the URL itself.
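The following is an added example for this article, not Signiant's code, showing the two Service Provider-side steps described above: choosing where to send a member based on the email domain, and validating the SAML Response the identity provider posts back to the portal's ACS URL before trusting its NameID. The portal entity ID, ACS URL, identity provider issuers, email addresses and the SAML Response itself are constructed for the example; verifying the XML signature against the identity provider's certificate is left to a SAML library and is assumed to have already succeeded.

```python
"""SP-side handling of a SAML 2.0 web-browser SSO login: email-domain routing plus
the checks a Service Provider runs on the returned assertion. Added example for this
article, not Signiant's code; every URL, entity ID and address is a placeholder."""
import xml.etree.ElementTree as ET  # untrusted XML: use defusedxml in production
from datetime import datetime, timedelta

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical SP identity, pinned by the trust relationship with each IdP.
SP_ENTITY_ID = "https://portal.example.com/saml/metadata"
SP_ACS_URL = "https://portal.example.com/saml/acs"

# Hypothetical per-domain IdP routing; unlisted domains use a Media Shuttle password.
IDP_BY_DOMAIN = {
    "studio-a.example": {"issuer": "https://adfs.studio-a.example/adfs/services/trust",
                         "sso_url": "https://adfs.studio-a.example/adfs/ls/"},
    "studio-b.example": {"issuer": "https://studio-b.okta.example/saml2/idp",
                         "sso_url": "https://studio-b.okta.example/app/saml/sso"},
}
TRUSTED_ISSUER = IDP_BY_DOMAIN["studio-a.example"]["issuer"]

def route_login(email):
    """Return ("saml", idp_config) or ("password", None) from the email domain."""
    if email.count("@") != 1:
        raise ValueError("not an email address")
    idp = IDP_BY_DOMAIN.get(email.rsplit("@", 1)[1].lower())
    return ("saml", idp) if idp else ("password", None)

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_response(xml_text, expected_issuer, now, request_id=None,
                      skew=timedelta(seconds=30)):
    """Checks that must pass AFTER the XML signature was verified against the IdP
    certificate (signature verification is assumed done by the SAML library, not
    implemented here). Returns (True, name_id) or (False, reason)."""
    now = _ts(now) if isinstance(now, str) else now
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response"
    if root.get("Destination") != SP_ACS_URL:
        return False, "response not addressed to our ACS URL"
    if request_id is not None and root.get("InResponseTo") != request_id:
        return False, "InResponseTo does not match our AuthnRequest"
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "IdP did not report success"
    # Exactly one Assertion anywhere: extras are the signature-wrapping pattern.
    assertions = list(root.iter(f"{{{NS['saml']}}}Assertion"))
    if len(assertions) != 1:
        return False, f"expected one assertion, found {len(assertions)}"
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS).strip() != expected_issuer:
        return False, "assertion issued by an untrusted IdP"
    cond = a.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if noa is None or (nb and now + skew < _ts(nb)) or now - skew >= _ts(noa):
        return False, "assertion outside its validity window"
    audiences = [(e.text or "").strip()
                 for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion not intended for this SP (audience mismatch)"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    exp = scd.get("NotOnOrAfter") if scd is not None else None
    if exp is None or scd.get("Recipient") != SP_ACS_URL or now - skew >= _ts(exp):
        return False, "bearer confirmation not valid for this ACS URL"
    name_id = a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return (True, name_id) if name_id else (False, "no NameID in assertion")

# Constructed sample Response (Signature element omitted for brevity).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:00:00Z" InResponseTo="_req42"
  Destination="https://portal.example.com/saml/acs">
 <saml:Issuer>https://adfs.studio-a.example/adfs/services/trust</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://adfs.studio-a.example/adfs/services/trust</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@studio-a.example</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req42" NotOnOrAfter="2024-05-01T12:05:00Z"
      Recipient="https://portal.example.com/saml/acs"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://portal.example.com/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(route_login("alice@studio-a.example"), route_login("carol@freelance.example"))
    print(validate_response(SAMPLE_RESPONSE, TRUSTED_ISSUER, "2024-05-01T12:01:00Z", "_req42"))
```

The order of checks matters less than their completeness: Destination and Recipient stop a response meant for another SP's ACS URL from being replayed here, the audience restriction stops an assertion minted for a different Service Provider, the single-assertion rule defeats the usual signature-wrapping trick, and InResponseTo ties an SP-initiated login to the request the portal actually sent (it is skipped for IdP-initiated logins, which have no request ID).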

Portal Authentication Flow

[Flowchart: portal authentication flow (image not reproduced here)]

References

SAML 2.0 Web Browser SSO Profile
http://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile

SAML Standards
https://docs.oasis-open.org/security/saml/v2.0/

Active Directory Federation Services
https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services