Overview

SAML is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. This integration provides single sign on for SAML and Panopto, allowing you to use your SAML credentials to authenticate in Panopto.

 

Prerequisites

• Panopto supports both IdP and SP initiated requests. 
• SAML 2.0 is the version of SAML that this integration supports.
• SAML responses must be sent to Panopto via the HTTP Post Binding.
• Signed SAML responses and/or Assertions are supported, but at least one of these must be signed.
• Panopto can sign it's authentication requests (optional).
• Panopto supports encrypted assertions (optional).
• Panopto can support either SHA-1 or SHA-256 signatures.

 

1. Adding SAML as a Provider for Panopto

1.1.  To add SAML as a provider in Panopto, log in to your Panopto server using an administrator account. 

1.2.  Once logged in, expand the System menu and click Identity Providers (See Figure 1).

Figure 1


1.3.  Click the Add Provider link.

1.4.  Select SAML20. From here you can either upload your IDP's metadata file or manually enter the settings for your SAML provider and click Save when complete (Fig. 2).

Figure 2
 

2. Configuration Settings Explained:

Provider Type:	Specifies that you are adding a SAML20 provider to your Panopto site.
Instance Name:	The name of the Identity Provider. This value will also prefix User accounts that are associated with this provider (ex. SAML\username).
Friendly Description:	This can be anything you'd like; it is just describing your provider. This is how the Identity Provider will be displayed in the sign-in dropdown.
Bounce Page URL:	This URL should point to your SAML Identity Provider's AssertionConsumerService Redirect Endpoint (ex. http://samlserver.com/SAML/SSOincoming.aspx or https://adfs.panopto.com/adfs/ls/)
Authn Request Cert Name:	If you do not require Panopto to sign their authentication requests leave this blank. If you would like to use signed authentication requests then set this value to "PanoptoCloudSAML2016" and follow the instructions under the "Panopto Signed Authentication Requests" section below.
Assertion Encryption Cert Name:	Friendly name of a locally installed cert, with private key, with which to decrypt SAML assertion encrypted by ID provider. Leave blank if ID provider does not encrypt assertion.
Panopto Entity ID:	Case-sensitive string of text used by your Identity Provider to uniquely identify Panopto as a Service Provider. This value is equivalent to "EntityID" if you have the PanoptoSPMetadata
Issuer:	Value used to uniquely identify your Identity Provider to Panopto. This value is equivalent to the "EntityID" in your Identity Provider's metadata
Server Clock Skew Tolerance (seconds):	Specifies the largest acceptable clock skew that would still result in successful authentication. This value defaults to 60 seconds and can be changed should the SAML server clock differ from the Panopto server clock
Public Key:	The X509 Signing certificate from your SAML Identity Provider. If your Identity Provider allows you to retrieve its metadata via URL then you can enter that URL here and the key will update automatically.
Attribute Mappings:	This setting is used to map attribute claims sent via the SAML Assertion to fields in the Panopto system. Possible fields to map in Panopto are ID, FirstName, LastName, Email, SupplementalData, GroupMembership. *These mappings are optional. The only requirement is that a username is sent. If the ID attribute is not mapped then Panopto will use whatever is sent via the Assertion "NameID" field for Username Example attribute mappings: "FirstName=first_name;LastName=last_name;Email=user_email;SupplementalData=alternateID". The ID, SupplementalData, and GroupMembership fields have special meaning/handling: The ID of the user (usually a username) is normally included in a special part of the SAML packet called the "Identity" assertion. The SupplementalData mapping provides a way for the SAML provider to store an extra piece of data for each user in their User profile in Panopto. The GroupMembership attribute specifies the name of the attribute whose values are ids of external groups. (Note: When a user logs in with SAML they are added to groups that are included in the SAML Assertion. If groups listed in the Assertion do not exist in Panopto they are ignored. Only groups from the same ID Provider are included (regular native Panopto groups are not). This is sometimes referred to as JIT provisioning, but for Panopto it only includes creating users and group memberships to pre-existing groups.
Federated Sign-out URL and Sign out of provider on Panoto sign-out:	If configured, when you log out of Panopto you are also logged-out of your SAML Identity Provider.
Parent folder name:	You can choose a folder to associate with this provider.
Sign out of provider on Panopto sign-out:	Allows you to access, view and create whatever attribute is mapped to GroupMembership to a group in Panopto.
Automatically create groups:	When a user signs in, automatically create groups in Panopto for each group specified in the SAML Assertion for the user. Do not enable this feature if you need to maintain tight control over the groups exposed to Panopto.
Restrict access to Panopto based on the user's group membership:	When enabled, new users can only access Panopto if they are a member of a whitelisted user group. Once enabled you can also specify a web page for which to redirect users should they not be whitelisted. *This setting is not retroactive- If a user has received a SAML\ Panopto account prior to whitelisting a group then they will still have access to Panopto regardless of whether they are part of the whitelisted group or not.
Bounce page blocks iframes:	If your SAML Identity Provider prevents authentication from taking-place within an iframe then we recommend enabling this option so that the User is instead presented with a link which opens SAML authentication in a new window
Default Sign-in Option:	Specifies whether this Identity Provider should appear as the default sign-in option
Pass RelayState via RPID (only used for old ADFS):	Check this box if your ADFS server needs RelayState to be passed as a nested parameter of RPID (Relying Party Identifier). Panopto recognizes this option is needed when ADFS 2.0 server is configured to enable IDP initiated web-based single sign-on (SSO) and RPID parameter is enabled. Panopto recommends leaving this option disabled and only enabling it should you not be redirected correctly upon successful SSO. **If you have "Pass RelayState via RPID (only used for old ADFS)" enabled then you will likely want to update the Bounce Page URL to 'https://[ADFSSERVERName]/adfs/ls/IdpInitiatedSignon.aspx'
Custom bounce page state parameter:	If your SAML Identity Provider requires a certain parameter be sent in order for successful SSO then you can enter such a parameter here (ex. returnurl)
Enable emails when sessions finish processing by default for newly created users:	By default, Users associated with this Identity Provider have "Email user when sessions finish processing" disabled. Enable this setting so that "Email user when sessions finish processing" is enabled by default for Users associated with this Identity Provider.
Personal folders for users:	This setting controls whether SAML-associated Panopto accounts receive Personal Folders by  default.
Unify user accounts from this provider:	Connect all of the accounts associated with this provider.
LTI Username parameter override:	Please contact Panopto Support prior to changing this setting. This allows you to control the username users receive when clicking Panopto LTI links in SAML.
Show this in Sign-in Dropdown:	Specifies whether to show this Identity Provider in the Sign-in dropdown for your Panopto site
Metadata XML file:	If you have your IDP's metadata file, upload it here to pre-populate the values on this page.

 

3. Adding Panopto to your SAML Provider:

3.1.  The endpoint (Assertion Consumer URL) that the SAML server must be able to resolve to is:https://panoptoserverURL/Panopto/Pages/Auth/Login.aspx

3.2.  The Entity ID of Panopto is whatever setting you entered in the Entity ID field. It is likely also: https://panoptoserverURL/Panopto/Pages/Auth/Login.aspx
 

4. Panopto Signed Authentication Requests

4.1.  If you would like Panopto to sign their authentication requests the Authn Request Cert Name setting above needs to be set to PanoptoCloudSAML2016.  

4.2.  Hosted customers must use the Panopto SAML certificate: Download SAML Certificate Here.

4.3.  Deployed customers must create a certificate and add it to the Panopto Web Server and make sure the user the Panopto WebServer Service is running as has access to the private key (see "Access to SAML Private Key" below ). Documentation on creating a self signed cert using OpenSSL.
 

5. Encrypting Assertions

5.1.  If you would like to encrypt SAML assertion sent to Panopto set Assertion Encryption Cert Name equal to PanoptoCloudSAML2016.

5.2.  Hosted customers must use the Panopto SAML certificate: Download SAML Certificate Here.

5.3.  Deployed customers must create a certificate and add it to the Panopto Web Server and make sure the user the Panopto WebServer Service is running as has access to the private key (see "Access to SAML Private Key" below ). Documentation on creating a self signed cert using OpenSSL.
 

6. Access to SAML Private Key

6.1.  Open Microsoft Management Console (MMC) from Start menu.

6.2.  Go to File -> Add or remove Snap-ins -> Select Certificates -> click on the Add button. This will open a dialog.

6.3.  Choose a computer account. Select the computer you want this snap-in to manage. Choose Local computer and click Finish. Then click OK.

6.4.  Choose Certificates -> Personal -> Certificates -> More Actions -> All Tasks -> Import. Note: The cert needs to have a friendly description that matches what is set in the Paonpto IDP page.

6.5.  Follow the wizard ensuring that the cert is imported to Personal store. Note: This needs to be done on all Web Servers.

6.6.  Right-click on the certificate, click All Tasks, then Manage private keys.

6.7.  Add the IIS worker processes impersonated account IUSER_MachineName or Network Service or any other account.
 

7. Obtaining Panopto Service Provider (SP) metadata for your Panopto site

7.1.  Download the Panopto SP Metadata here.

7.2.  Update the entityID field with the same Entity ID entered into Panopto.

7.3.  Update the AssertionConsumerServiceBinding with the URL of your Panopto site.
 

8. Additional SAML documentation

Configuring SSO with SimpleSAMLphp
Configuring SSO with Google Apps
ADFS to SAML Integration
SAML SET-UP WITH A ROLLING KEY URL
SAML Groups