Setting SSO

    Available in Classic and VPC

    The SSO (Single Sign-On) setting lets you configure an integrated login connection, so that one ID gives access to both Media Connect Center and the client company's systems. With SSO set, the login status of the client company's enterprise information system is maintained in Media Connect Center as well. Once the SSO connection is complete, users can log in to Media Connect Center with the login information of the client company's existing enterprise information system.
    Media Connect Center supports SSO with SP (Service Provider) methods. The SSO methods provided are as follows.

    OAuth

    You can set SSO based on OAuth 2.0.

    Operation order

    The following describes the SSO operation order based on OAuth 2.0.

    1. Use Media Connect Center
      • The user connects with URL from a web browser to use Media Connect Center
    2. Request to issue authorization code
      • If not logged in to Media Connect Center, then the request to issue an authorization code is sent to the client company's authentication system
    3. Run login page (if not logged in to the client company)
      • The login page customized for the client company's requirements is provided to the users
    4. Enter account information
      • The user enters login ID and password according to the client company's login policy
    5. Authorization code issued after the client company authentication
      • An authorization code is issued after the client company authentication is processed with the account information entered by the user
      • If the user is already logged into the client company system, then Steps 3 and 4 are omitted and an authorization code is immediately issued
      • An authorization code is a single-use code: it is used to return the access token and is then eliminated
    6. Return (redirect) authorization code
      • The authorization code is returned by redirecting to the redirect_uri of the Media Connect Center authentication system, which was one of the parameters received when the authorization code issuance request was initially made
    7. Request access token with the authorization code
      • With the authorization code as the parameter, a request for access token is made to the client company's authentication system
    8. Return access token
      • The client company's authentication system validates the authorization code, and then issues and returns an access token
    9. Request user information with access token
      • With the access token as the parameter, a request for user information is made to the client company's authentication system
    10. Return user information
      • The client company's authentication system validates the access token, and returns the user's login email address information
    11. Issue Media Connect Center authentication token
      • Media Connect Center authentication system issues an authentication token for Media Connect Center based on the user information

    Setup method

    The following describes how to set up an OAuth 2.0-based SSO.

    1. From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
    2. Click the Products & Services > Media > Media Connect Center menus, in that order.
    3. Click the Developers menu.
    4. Click the Set SSO menu from Settings.
    5. Click the selectable item to change it to On.
    6. Click and select OAuth among the SSO methods.
    7. Enter information for configuration.
      • Redirect URL: View the information, and click the [Copy] button to use
      • Required value
        • Web login URL: A page for the user to enter their account information to log in to Media Connect Center web. After processing the client company login, issue an authorization code and return to redirect_uri. Refer to Web Login URL(OAuth) and Issue authorization code for more detailed setup instructions
        • Access token return API: Refer to Access token issuing API for more information
        • User info return API: Refer to User information return API for more information
      • Optional value
        • Application Login URL, Client ID, Client Secret, Scope, Logout URL, Logout Domain
    8. Click the [Apply] button.

    Web Login URL(OAuth)

    After processing the client company login, issue an authorization code and return to redirect_uri.

    Request URL
    Enter the request URL composed in the console's Web login URL field. Only Port 443 can be used according to the infrastructure security policy

    <Example> https://client company domain/client company login page
    

    HTTP Method
    GET

    Request

    | Parameter | Type | Requirement status | Description |
    |---|---|---|---|
    | response_type | String | Y | Classification value for the authentication process, specifies which format of result value is to be received. A fixed string "code" is always used. |
    | client_id | String | Y | Client ID value registered in the NAVER Cloud Platform console's Developers |
    | redirect_uri | String | Y | URL to return the authorization code after the authentication is done, it is URL encoded |
    | state | String | Y | Unique value randomly created to prevent CSRF (Cross-Site Request Forgery) (included in the URL when returning the authorization code, and the state value is returned as parameter) |
    | loginId | String | N | Login ID entered by user |

    Issue authorization code

    After the client company's SSO system authenticates and processes what is required for SSO, it issues an authorization code and redirects to the Media Connect Center authentication system.

    Request URL
    The redirect_uri parameter value passed when the login page is requested by the Media Connect Center authentication system. It is subject to change depending on user environments and Media Connect Center policies, so the URL given in redirect_uri must be used

    <Example> https://Media Connect Center authentication system URL/authorizationURL
    

    HTTP Method
    GET/POST

    Request

    | Parameter | Type | Requirement status | Description |
    |---|---|---|---|
    | code | String | Y (Success) | A single-use code that is used to issue the authorization code or access token |
    | state | String | Y (Success) | Authentication value on the client side used to prevent CSRF. It's URL-encoded (the state value returned with the redirect_uri parameter) |
    | error | String | Y (Failure) | Error code returned in case of failure |
    | error_description | String | Y (Failure) | Explanation of the error code returned in case of failure |

    Access token issuing API

    The client company's SSO system validates the authorization code, and issues and returns an access token.

    Request URL
    Enter the request URL composed in the Access token return API field. Only Port 443 can be used according to the infrastructure security policy

    <Example> https://client company domain/accessToken
    

    HTTP Method
    POST

    Request

    | Parameter | Type | Requirement status | Description |
    |---|---|---|---|
    | grant_type | String | Y | This is a classification value for the authentication process, and it specifies which format of result value is to be received. A fixed string called "authorization_code" is always used. |
    | client_id | String | Y | Client ID value registered in the NAVER Cloud Platform console's Developers |
    | client_secret | String | Y | Client secret value registered in the NAVER Cloud Platform console's Developers |
    | code | String | Y | Authorization Code |
    | state | String | N | Authentication value used to prevent CSRF, is URL encoded |

    Response

    | Property | Type | Requirement status | Description |
    |---|---|---|---|
    | access_token | String | Y (Success) | Access Token |
    | token_type | String | Y (Success) | Access token's type. Fixed as "Bearer" |
    | expires_in | String | Y (Success) | Access token's valid time (seconds). Actual application's login maintained time |
    | error | String | Y (Failure) | Error code returned in case of failure |
    | error_description | String | Y (Failure) | Explanation of the error code returned in case of failure |
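
A sketch of the client company side of the Web login URL and the Access token issuing API described above. It is an added example, not NAVER Cloud Platform code. The function names, client values, lifetimes, the host-suffix allowlist for redirect_uri and the error code strings (taken from RFC 6749) are assumptions.

```python
import hmac, secrets, time
from urllib.parse import urlencode, urlsplit

# Constructed values; real ones come from the console's Set SSO page.
CLIENT_ID, CLIENT_SECRET = "example-client-id", "example-client-secret"
REDIRECT_HOST_SUFFIX = ".ncloudmediaconnectcenter.com"  # assumed allowlist rule
CODE_TTL, TOKEN_TTL = 60, 3600                          # seconds, assumed policy
_codes, _tokens = {}, {}                                # value -> (email_id, expiry)

def _same(a, b):
    """Constant-time comparison that also accepts non-ASCII input."""
    return hmac.compare_digest(a.encode(), b.encode())

def authorize(params, email_id, now=None):
    """Web login URL, after the user has logged in: build the redirect back."""
    now = time.time() if now is None else now
    target = urlsplit(params.get("redirect_uri", ""))
    host = target.hostname or ""
    # Never send a code (or an error) to a host outside the allowlist.
    if target.scheme != "https" or not host.endswith(REDIRECT_HOST_SUFFIX):
        raise ValueError("redirect_uri is not allowed")
    state = params.get("state", "")
    if params.get("response_type") != "code" or not state:
        reply = {"error": "invalid_request",
                 "error_description": "response_type must be code and state is required"}
    elif not _same(params.get("client_id", ""), CLIENT_ID):
        reply = {"error": "unauthorized_client", "error_description": "unknown client_id"}
    else:
        code = secrets.token_urlsafe(32)
        _codes[code] = (email_id, now + CODE_TTL)
        reply = {"code": code, "state": state}  # state is echoed back unchanged
    separator = "&" if target.query else "?"
    return params["redirect_uri"] + separator + urlencode(reply)

def token(params, now=None):
    """Access token issuing API: redeem an authorization code exactly once."""
    now = time.time() if now is None else now
    if params.get("grant_type") != "authorization_code":
        return {"error": "unsupported_grant_type",
                "error_description": "grant_type must be authorization_code"}
    id_ok = _same(params.get("client_id", ""), CLIENT_ID)
    secret_ok = _same(params.get("client_secret", ""), CLIENT_SECRET)
    if not (id_ok and secret_ok):
        return {"error": "invalid_client", "error_description": "client authentication failed"}
    # pop() deletes the code before it is checked, so a replay always fails.
    email_id, expiry = _codes.pop(params.get("code", ""), (None, 0))
    if email_id is None or now > expiry:
        return {"error": "invalid_grant", "error_description": "code unknown, used or expired"}
    access_token = secrets.token_urlsafe(32)
    _tokens[access_token] = (email_id, now + TOKEN_TTL)  # for the user information API
    return {"access_token": access_token, "token_type": "Bearer",
            "expires_in": str(TOKEN_TTL)}
```

The in-memory dictionaries stand in for a shared store; with more than one server the code must be removed atomically in that store so a second redemption fails on every node.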

    User information return API

    The client company's SSO system validates the access token, and returns the user information.

    Request URL
    Enter the request URL composed in the User info return API field. Only Port 443 can be used according to the infrastructure security policy

    <Example> https://client company domain/user information
    

    HTTP Method
    POST

    Request

    | Parameter | Type | Requirement status | Description |
    |---|---|---|---|
    | client_id | String | Y | Client ID value registered in the NAVER Cloud Platform console's Developers |
    | client_secret | String | Y | Client secret value registered in the NAVER Cloud Platform console's Developers |
    | access_token | String | Y | Access Token |

    Response

    | Property | Type | Requirement status | Description |
    |---|---|---|---|
    | email_id | String | Y (Success) | The member's work email login ID |
    | error | String | Y (Failure) | Error code returned in case of failure |
    | error_description | String | Y (Failure) | Explanation of the error code returned in case of failure |

    SAML

    You can set SSO based on SAML 2.0.

    Operation order

    The following describes the SSO operation order based on SAML 2.0.

    1. Use Media Connect Center
      • The user connects with URL from a web browser to use Media Connect Center
    2. Create SAML request and redirect
      • If not logged in to Media Connect Center, then a SAML request is created and sent to the client company's authentication system
    3. If not logged in to the client company, then run the login page after validating the SAML request
      • The client company's authentication system checks if the SAML request is valid
      • The login page customized for the client company's requirements is provided to the users
    4. Enter account information
      • The user enters login ID and password according to the client company's login policy
    5. Create SAML response after client company authentication
      • A SAML response is created after the client company authentication is processed with the account information entered by the user
      • If the user is already logged into the client company system, then Steps 3 and 4 are omitted and a SAML response is immediately created
      • The SAML response is electronically signed with the certificate pre-registered on Media Connect Center
    6. Send (redirect) SAML response
      • Send the SAML response to the SAML request's ACS URL sent from Media Connect Center
    7. Issue Media Connect Center authentication token
      • Media Connect Center validates the SAML response with the pre-registered certificate to authenticate and confirm the user information, and then issues an authentication token for Media Connect Center

    Setup method

    The following describes how to set up SSO based on SAML 2.0.

    1. From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
    2. Click the Products & Services > Media > Media Connect Center menus, in that order.
    3. Click the Developers menu.
    4. Click the Set SSO menu from Settings.
    5. Click the selectable item to change it to On.
    6. Click and select SAML among the SSO methods.
    7. Enter information for configuration.
      • ACS URL: View the information, and click the [Copy] button to use
      • Entity ID: View the information, and click the [Copy] button to use
      • Required value
        • Web login URL: A page for the user to enter their account information to log in to Media Connect Center web. Refer to Web Login URL(SAML) and Validate SAML request for more detailed setup instructions
      • Optional value
        • Application Login URL, Logout URL, Logout Domain
    8. Click [Attach files] button from Register files to register the certificate file to use for the SAML electronic signature.
      • Media Connect Center uses the registered certificate to validate a SAML response received via ACS URL
    9. Select a file and register.
    10. Click the [Apply] button.

    Web Login URL(SAML)

    After validating the SAML request and processing the client company login, create the SAML response and return to ACS URL.

    Request URL
    Enter the request URL composed in the console's Web login URL field. Only Port 80 or 443 can be used according to the infrastructure security policy

    <Example> https://client company domain/client company login page
    

    HTTP Method
    GET

    Request

    | Parameter | Type | Requirement status | Description |
    |---|---|---|---|
    | SAMLRequest | String | Y | String according to the SAML 2.0 request detail (Encoded value using Deflate + Base64) |
    | RelayState | String | Y | URL to retry in case the authentication fails |

    Validate SAML request

    A SAML request is encoded using Deflate + Base64.

    SAML request details

    <?xml version="1.0" encoding="UTF-8"?>
    <saml2p:AuthnRequest
      xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
      AssertionConsumerServiceURL="{ACS URL}"
      ID="{ID issued by Media Connect Center authentication system}"
      IssueInstant="{Request creation date and time}"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      ProviderName="ncloudmediaconnectcenter.com"
      Version="2.0">
      <saml2:Issuer
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ncloudmediaconnectcenter.com</saml2:Issuer>
      <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
    </saml2p:AuthnRequest>
    

    SAML request's items are as follows.

    | Item | Description |
    |---|---|
    | AuthnRequest AssertionConsumerServiceURL | URL to relay a SAML response (ACS URL) |
    | AuthnRequest ID | ID issued by Media Connect Center authentication system, is used when creating a SAML response |
    | AuthnRequest IssueInstant | SAML request creation date |
    | AuthnRequest ProtocolBinding | It is sent as "HTTP-POST", so a SAML response must be sent using the POST method |
    | AuthnRequest ProviderName | Name of a service provider, sending it as ncloudmediaconnectcenter.com |
    | Issuer | ID issued by the service provider, is used when creating a SAML response |

    SAML request example

    <?xml version="1.0" encoding="UTF-8"?>
    <saml2p:AuthnRequest
      xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
      AssertionConsumerServiceURL="https://Company ID.ncloudmediaconnectcenter.com/...."
      ID="bemkplgpdoemkhjmncgmbcdibglpngclfombpmed"
      IssueInstant="2018-02-14T03:33:49.999Z"
      ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      ProviderName="ncloudmediaconnectcenter.com"
      Version="2.0">
      <saml2:Issuer
          xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ncloudmediaconnectcenter.com</saml2:Issuer>
      <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
    </saml2p:AuthnRequest>
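
One way for the client company's authentication system to decode and validate the SAMLRequest parameter before showing the login page. This is an added example, not code from NAVER Cloud Platform. It assumes "Deflate" means raw DEFLATE as in the SAML HTTP-Redirect binding and that the parameter has already been URL-decoded; the function names, the size limit, and the sample ACS URL and request ID are constructed.

```python
import base64, zlib
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EXPECTED_ISSUER = "ncloudmediaconnectcenter.com"
MAX_XML_BYTES = 64 * 1024  # assumed upper bound for an AuthnRequest

def decode_saml_request(saml_request):
    """Base64-decode, then inflate (raw DEFLATE) with a hard output limit."""
    raw = base64.b64decode(saml_request, validate=True)
    inflater = zlib.decompressobj(wbits=-15)
    xml = inflater.decompress(raw, MAX_XML_BYTES + 1)
    if len(xml) > MAX_XML_BYTES or inflater.unconsumed_tail:
        raise ValueError("SAMLRequest inflates beyond the size limit")
    return xml

def encode_saml_request(xml):
    """Inverse of decode_saml_request, used only to build the constructed sample."""
    deflater = zlib.compressobj(wbits=-15)
    return base64.b64encode(deflater.compress(xml) + deflater.flush()).decode()

def validate_authn_request(saml_request, registered_acs_url):
    """Return the request ID if the AuthnRequest matches the registered SP values."""
    xml = decode_saml_request(saml_request)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:  # cheap guard against DTD tricks
        raise ValueError("DTDs are not allowed in a SAML request")
    root = ET.fromstring(xml)
    if root.tag != SAMLP + "AuthnRequest" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    if root.get("AssertionConsumerServiceURL") != registered_acs_url:
        raise ValueError("ACS URL differs from the one shown in the console")
    if root.get("ProtocolBinding") != POST_BINDING:
        raise ValueError("unexpected ProtocolBinding")
    issuer = root.find(SAML + "Issuer")
    if issuer is None or (issuer.text or "").strip() != EXPECTED_ISSUER:
        raise ValueError("unexpected Issuer")
    request_id = root.get("ID")
    if not request_id:
        raise ValueError("missing ID")
    return request_id  # goes into InResponseTo of the SAML response

SAMPLE_ACS = "https://example-co.ncloudmediaconnectcenter.com/acs"  # constructed
SAMPLE_XML = (
    '<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
    f'AssertionConsumerServiceURL="{SAMPLE_ACS}" ID="constructed-request-id" '
    'IssueInstant="2018-02-14T03:33:49.999Z" Version="2.0" '
    f'ProtocolBinding="{POST_BINDING}">'
    '<saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    'ncloudmediaconnectcenter.com</saml2:Issuer></saml2p:AuthnRequest>').encode()
```

Comparing the ACS URL against the value copied from the console, rather than trusting the one inside the request, keeps the signed SAML response from being posted to an address that was never registered.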
    

    LDAP

    You can set SSO based on LDAP.

    Setup method

    The following describes how to set up an LDAP-based SSO.

    1. From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
    2. Click the Products & Services > Media > Media Connect Center menus, in that order.
    3. Click the Developers menu.
    4. Click the Set SSO menu from Settings.
    5. Click the selectable item to change it to On.
    6. Click and select LDAP among the SSO methods.
    7. Enter information for configuration.
      • Required value
        • LDAP URL, URL, Domain Access User Name, Domain Access User, Password, Domain Base, User Class Name, User ID attribute
    8. Select a file and register.
    9. Click the [Apply] button.

    Log out

    There are two types of logouts: Media Connect Center logout and client company logout.

    Media Connect Center logout

    Used when logging out from Media Connect Center after logging out from the client company's enterprise information system. When Media Connect Center receives a logout request, it logs out the logged-in Media Connect Center account and redirects it to the redirect_uri it has received.

    Request URL
    Since redirect_uri is managed with white_url, enter the request URL composed in the console's Logout Domain field

    <Example> https://Company ID.ncloudmediaconnectcenter.com/authn/logoutProcess
    

    HTTP Method
    GET/POST

    Request

    | Parameter | Type | Requirement status | Description |
    |---|---|---|---|
    | redirect_uri | String | Y | It is URL encoded as the URL to be redirected after logging out from Media Connect Center |

    Response
    Redirect to redirect_uri

    Client company logout

    Used when logging out from the client company's enterprise information system after logging out from Media Connect Center.

    Request URL
    Enter the request URL composed in the console's logout URL field. Only Port 443 can be used according to the infrastructure security policy

    <Example> https://client company domain/logout
    

    HTTP Method
    GET

    Request

    | Parameter | Type | Requirement status | Description |
    |---|---|---|---|
    | redirect_uri | String | N | URL to be redirected to after the logout is processed by the client company system; it is URL encoded |
