SSO info for experts

User Guide: Configuring Single Sign-On (SSO) in CETA iCFM

This user guide will walk you through the process of configuring Single Sign-On (SSO) for CETA iCFM using Azure Active Directory, Okta, or JumpCloud as the identity provider.

Accessing the SSO Configuration Page

1. Log in to CETA iCFM with an administrator account.
2. Click on the main menu and select Admin Options.
3. From the Admin Options, select SSO Configuration.

Within the SSO Configuration page, you will see menu options for Azure, Okta, and JumpCloud. Selecting one of these options will display a panel on the right-hand side with input fields for the selected identity provider.

Configuring Azure Active Directory SSO

Step 1: Create a New Application in the Azure Portal

1. Log in to the Azure Portal:

   • Go to https://portal.azure.com and sign in with your Azure credentials.

2. Register a New Application:

   • Under Manage, select App registrations. Alternatively, try this link: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade
   • Click +New registration.
   • Enter "CETA Cloud" as the name of the application.
   • For Supported account types, select the appropriate option (typically Accounts in this organizational directory only).
   • Under Redirect URI, select Web from the dropdown and enter the callback URL for your CETA iCFM instance, e.g., https://{client-name}.cetacloud.tv/login/azure/callback.
   • Optionally, return and add another Redirect URI if using Artist Access, e.g., https://{client-name}.cetacloud.tv/artistaccess/auth/azure/callback.
   • Click Register.

Step 2: Obtain the Client ID, Client Secret, and Tenant ID

1. Copy the Application (client) ID:

   • After registration, you'll be redirected to the application’s Overview page. Copy the Application (client) ID.

2. Generate a Client Secret:

   • In the left-hand menu, under Manage, select Certificates & secrets.
   • Under Client secrets, click New client secret.
   • Enter a description (e.g., "CETA Cloud Secret") and select an expiration period that fits your security policy.
   • Click Add. Once generated, copy the Value of the client secret. This is the only time you’ll be able to see it.

3. Copy the Directory (tenant) ID:

   • Navigate back to the Overview page. Copy the Directory (tenant) ID.

Step 3: Check and Configure API Permissions

1. Navigate to API Permissions:

   • In the left-hand menu, select API Permissions.

2. Add Required Permissions (to 'Configured Permissions' list):

   • Click Add a permission.
   • Choose Microsoft Graph.
   • Select Delegated permissions.
   • Ensure the following permissions are added:
     • email:             View users' email address
     • openid:           Sign users in
     • profile:         View users' basic profile
     • User.Read:     Sign in and read user profile

3. Grant Admin Consent:

   • After adding permissions, click Grant admin consent for {your organization}. Confirm the action when prompted.
   • Ensure that the status for each permission shows as Granted.

Step 4: Configure CETA iCFM with Azure Active Directory

1. Go to SSO Configuration in CETA iCFM:

   • In your CETA iCFM instance, navigate to the SSO Configuration page.

2. Select Azure:

   • Choose Azure as your SSO provider.

3. Enter the Azure Details:

   • Input the Tenant ID, Client ID, and Client Secret obtained from the Azure Portal.

4. Save the Configuration:

   • Click Save to complete the Azure Active Directory SSO setup.

Configuring Okta SSO

1. Create a new OIDC application in the Okta Developer Console:

   • Log in to the Okta Developer Console.
   • Navigate to Applications > Add Application.
   • Select Web as the platform and click Next.
   • Enter "CETA Cloud" as the name for the application.
   • Enter the Base URI (e.g., https://client-name.cetacloud.tv).
   • Enter the Login redirect URI (e.g., https://client-name.cetacloud.tv/login/okta/callback).
   • Click Done.

2. Obtain the Client ID, Client Secret, and Okta Site URL:

   • In the newly created application, go to the General tab. Copy the Client ID and Client Secret.
   • Go to the Dashboard in the Okta Developer Console. Copy the Org URL.

3. Configure CETA iCFM with Okta:

   • In the SSO Configuration page in CETA iCFM, select Okta.
   • Enter the Client ID, Client Secret, and Okta Site URL obtained from the Okta Developer Console.
   • Click Save to complete the Okta SSO configuration.

Configuring JumpCloud SSO

1. Create a new OIDC application in JumpCloud:

   • Log in to the JumpCloud Admin Portal.
   • Navigate to Applications > + Add New.
   • Select Custom OIDC App.
   • Enter "CETA Cloud" as the name for the application.
   • Enter the Redirect URI (e.g., https://client-name.cetacloud.tv/login/jumpcloud/callback).
   • Click Activate.

2. Obtain the Client ID and Client Secret:

   • In the newly created application, go to the Settings tab. Copy the Client ID and Client Secret.

3. Configure CETA iCFM with JumpCloud:

   • In the SSO Configuration page in CETA iCFM, select JumpCloud.
   • Enter the Client ID and Client Secret obtained from the JumpCloud Admin Portal.
   • Click Save to complete the JumpCloud SSO configuration.

Now you have successfully configured Single Sign-On for CETA iCFM using your preferred identity provider. Users can now log in to CETA iCFM using their Azure Active Directory, Okta, or JumpCloud credentials.