SSO settings

Available in Classic and VPC

In Single Sign-On (SSO) settings, you can configure integrated SSO login so that Media Connect Center and the client's system are accessed with the same ID. When SSO is configured, the login status of the client's company information system is kept in the same state in Media Connect Center. After SSO integration is complete, you can log in to Media Connect Center using the existing login account information of the client's company information system.
Media Connect Center supports SSO using the Service Provider (SP) method. The supported SSO methods are as follows:

OAuth

You can configure SSO using OAuth 2.0.

Operation flow

The SSO operation flow based on OAuth 2.0 is as follows:

  1. Use Media Connect Center.
    • You can access the URL in a web browser to use Media Connect Center.
  2. Request the authorization code issuance.
    • If you are not logged in to Media Connect Center, request the issuance of an authorization code through the client's authorization system.
  3. If you are not logged in to the client system, open the login page.
    • A login page designed according to the client's requirements is provided.
  4. Enter the account information.
    • Enter your login ID and password according to the client's login policy.
  5. After client authorization is completed, an authorization code is issued.
    • After the client system authorization is completed using the entered account information, an authorization code is issued.
    • If you are already logged in to the client system, steps 3-4 are skipped and the authorization code is issued immediately.
    • The authorization code is a one-time code that is used and then expires when an access token is returned.
  6. Return authorization code (redirect).
    • Return the authorization code by redirecting to the redirect_uri of the Media Connect Center authorization system that was passed in the initial request for issuing the authorization code.
  7. Request an access token using the authorization code.
    • Request an access token from the client's authorization system using the authorization code as a parameter.
  8. Return the access token.
    • After validating the authorization code in the client's authorization system, issue and return the access token.
  9. Request user information using the access token.
    • Request user information from the client's authorization system using the access token as a parameter.
  10. Return user information.
    • After validating the access token in the client's authorization system, return your login email address information.
  11. Issue Media Connect Center authorization token.
    • Issue the Media Connect Center authorization token in the Media Connect Center authorization system based on the user information.

How to configure

To configure SSO based on OAuth 2.0:

  1. From the NAVER Cloud Platform console, navigate to i_menu > Services > Media > Media Connect Center.
  2. Click the Developers menu.
  3. Click SSO settings in Settings.
  4. Click to change Enable setting to On.
  5. Click and select OAuth in the SSO method.
  6. Enter the information for settings.
    • Redirect URL: Check the information and click [Copy] when using it.
    • Required input values
      • Web Login URL: A page where you enter the account information to log in to the Media Connect Center web. After the client login is processed, issue the authorization code and return it to redirect_uri. For more information about how to set, see Web Login URL (OAuth) and Issue authorization code.
      • Access Token Return API: For more information about how to set, see Access token issuance API.
      • User Info Return API: For more information about how to set, see User information return API.
    • Optional input values
      • Application Login URL, Client ID, Client Secret, Scope, Logout URL, Logout Domain
  7. Click [Apply].

Web Login URL (OAuth)

After the client login is processed, issue the authorization code and return it to redirect_uri.

Request URL
Enter the prepared request URL in the Web Login URL field on the console. According to the infrastructure security policy, only port 443 can be used.

Example: https://client domain/client login page

HTTP Method
GET

Request

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| response_type | String | Y | A parameter used in the authorization process that specifies the type of result to be received. It always uses the fixed value "code". |
| client_id | String | Y | The client id value registered in Developers from the NAVER Cloud Platform console. |
| redirect_uri | String | Y | The URL to which the authorization code is returned after authorization is completed. It is URL-encoded. |
| state | String | Y | A unique value created arbitrarily to prevent Cross-Site Request Forgery (CSRF). When the authorization code is returned, the state value is included in the URL and returned as a parameter. |
| loginId | String | N | The login ID you entered. |

Issue the authorization code

Once client authorization and SSO processing are complete in the client's SSO system, an authorization code is issued and you are redirected to the Media Connect Center authorization system.

Request URL
The redirect_uri parameter value forwarded when requesting the login page from the Media Connect Center authorization system. The value may change depending on the user environment or the Media Connect Center policy, so you must use the URL provided in redirect_uri.

Example: https://Media Connect Center authorization system URL/authorizationURL

HTTP Method
GET/POST

Request

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| code | String | Y (succeeded) | A one-time authorization code used to issue the access token. |
| state | String | Y (succeeded) | An authorization value of the client side used to prevent CSRF. It is URL-encoded (the state value passed in the redirect_uri parameter). |
| error | String | Y (failed) | An error code returned on failure. |
| error_description | String | Y (failed) | Describes errors returned on failure. |

Access token issuance API

After validating the authorization code in the client's SSO system, issue and return the access token.

Request URL
Enter the prepared request URL in the access token return API field. According to the infrastructure security policy, only port 443 can be used.

Example: https://client domain/accessToken

HTTP Method
POST

Request

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| grant_type | String | Y | A parameter used in the authorization process that specifies the type of result to be received. It always uses the fixed value "authorization_code". |
| client_id | String | Y | The client id value registered in Developers from the NAVER Cloud Platform console. |
| client_secret | String | Y | The client secret value registered in Developers from the NAVER Cloud Platform console. |
| code | String | Y | Authorization Code |
| state | String | N | An authorization value of the client side used to prevent CSRF. It is URL-encoded. |

Response

| Properties | Type | Required | Description |
| --- | --- | --- | --- |
| access_token | String | Y (succeeded) | Access Token |
| token_type | String | Y (succeeded) | Type of the access token. Fixed to "Bearer". |
| expires_in | String | Y (succeeded) | Valid period of the access token (seconds). Login hold time of the actual application. |
| error | String | Y (failed) | An error code returned on failure. |
| error_description | String | Y (failed) | Describes errors returned on failure. |
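
The following Python is an added example, not NAVER Cloud Platform code: it shows how a client authorization system could implement the authorization code redirect and the access token API described above, echoing state and allowing each code to be redeemed only once. The in-memory stores, the lifetimes, the redirect host allowlist and the RFC 6749 error codes are assumptions; the page does not specify them.

```python
import hmac, secrets, time
from urllib.parse import urlencode, urlsplit

# Constructed values; the real ones are registered in the Developers console.
CLIENT_ID, CLIENT_SECRET = "example-client-id", "example-client-secret"
REDIRECT_HOST_SUFFIX = ".ncloudmediaconnectcenter.com"  # assumed allowlist
CODE_TTL, TOKEN_TTL = 60, 3600          # assumed lifetimes in seconds
_codes, _tokens = {}, {}                # in-memory: value -> (email_id, expiry)

def _same(a, b):
    """Compare two strings in constant time."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def _redirect(uri, fields):
    return uri + ("&" if urlsplit(uri).query else "?") + urlencode(fields)

def _err(code, text):
    return {"error": code, "error_description": text}

def issue_code(params, email_id, now=None):
    """Web Login URL, after login: send code and state back to redirect_uri.
    params holds the URL-decoded query parameters of the login request."""
    now = time.time() if now is None else now
    uri = params.get("redirect_uri", "")
    parts = urlsplit(uri)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host.endswith(REDIRECT_HOST_SUFFIX):
        raise ValueError("refusing to redirect to an unexpected host")
    if (params.get("response_type") != "code" or not params.get("state")
            or not _same(params.get("client_id", ""), CLIENT_ID)):
        return _redirect(uri, _err("invalid_request", "bad authorization request"))
    code = secrets.token_urlsafe(32)
    _codes[code] = (email_id, now + CODE_TTL)
    return _redirect(uri, {"code": code, "state": params["state"]})  # echo state

def exchange_code(form, now=None):
    """Access token API: redeem an authorization code exactly once."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "authorization_code":
        return _err("unsupported_grant_type", "grant_type must be authorization_code")
    if not (_same(form.get("client_id", ""), CLIENT_ID)
            and _same(form.get("client_secret", ""), CLIENT_SECRET)):
        return _err("invalid_client", "bad client credentials")
    email_id, expiry = _codes.pop(form.get("code", ""), (None, 0))  # pop: one use
    if email_id is None or now > expiry:
        return _err("invalid_grant", "code unknown, already used or expired")
    token = secrets.token_urlsafe(32)
    _tokens[token] = (email_id, now + TOKEN_TTL)  # read later by the user info API
    return {"access_token": token, "token_type": "Bearer", "expires_in": str(TOKEN_TTL)}
```

A production implementation would keep codes and tokens in a shared store with atomic delete, so that a code cannot be redeemed twice across server instances.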

User information return API

After validating the access token in the client's SSO system, return your user information.

Request URL
Enter the prepared request URL in the user info return API field. According to the infrastructure security policy, only port 443 can be used.

Example: https://client domain/user information

HTTP Method
POST

Request

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| client_id | String | Y | The client id value registered in Developers from the NAVER Cloud Platform console. |
| client_secret | String | Y | The client secret value registered in Developers from the NAVER Cloud Platform console. |
| access_token | String | Y | Access Token |

Response

| Properties | Type | Required | Description |
| --- | --- | --- | --- |
| email_id | String | Y (succeeded) | Work email login ID of the member. |
| error | String | Y (failed) | An error code returned on failure. |
| error_description | String | Y (failed) | Describes errors returned on failure. |

SAML

You can configure SSO using SAML 2.0.

Operation flow

The SSO operation flow based on SAML 2.0 is as follows:

  1. Use Media Connect Center.
    • You can access the URL in a web browser to use Media Connect Center.
  2. Create and forward (redirect) SAML request.
    • If you are not logged in to Media Connect Center, create and forward a SAML request to the client's authorization system.
  3. If you are not logged in to the client system, validate the SAML request and open the login page.
    • Verify that the SAML request is a correct request in the client's authorization system.
    • A login page designed according to the client's requirements is provided.
  4. Enter the account information.
    • Enter your login ID and password according to the client's login policy.
  5. After client authorization is completed, create a SAML response.
    • After the client system authorization is completed using the entered account information, create a SAML response.
    • If you are already logged in to the client system, steps 3-4 are skipped and a SAML response is created immediately.
    • Digitally sign the SAML response with a certificate registered in advance in Media Connect Center.
  6. Forward an SAML response (redirect).
    • Forward the SAML response to the ACS URL of the SAML request forwarded from Media Connect Center.
  7. Issue Media Connect Center authorization token.
    • Using the certificate already registered by the client, validate the SAML response to check the authorization and user information, and issue the Media Connect Center authorization token.

How to configure

To configure SSO based on SAML 2.0:

  1. From the NAVER Cloud Platform console, navigate to i_menu > Services > Media > Media Connect Center.
  2. Click the Developers menu.
  3. Click SSO settings in Settings.
  4. Click to change Enable setting to On.
  5. Click and select SAML in the SSO method.
  6. Enter the information for settings.
    • ACS URL: Check the information and click [Copy] when using it.
    • Entity ID: Check the information and click [Copy] when using it.
    • Required input values
    • Optional input values
      • Application Login URL, Logout URL, Logout Domain
  7. To register a certificate file for a SAML digital signature, click [Add file] in Register file.
    • When receiving a SAML response via the ACS URL, Media Connect Center performs its validation using a registered certificate.
  8. Select and register a file.
  9. Click [Apply].

Web Login URL (SAML)

After validating the SAML request and processing the client login, create an SAML response and send it to the ACS URL.

Request URL
Enter the prepared request URL in the Web Login URL field on the console. According to the infrastructure security policy, only ports 80 or 443 can be used.

Example: https://client domain/client login page

HTTP Method
GET

Request

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| SAMLRequest | String | Y | Strings based on SAML 2.0 request details (value encoded to Deflate + Base64) |
| RelayState | String | Y | A URL to retry authorization after a failure |

Validate SAML request

SAML Request is encoded to Deflate + Base64.

SAML Request details

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  AssertionConsumerServiceURL="{ACS URL}"
  ID="{ID issued in the Media Connect Center authorization system}"
  IssueInstant="{Request creation date and time}"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  ProviderName="ncloudmediaconnectcenter.com"
  Version="2.0">
  <saml2:Issuer
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ncloudmediaconnectcenter.com</saml2:Issuer>
  <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>

The SAML request items are as follows:

| Item | Description |
| --- | --- |
| AuthnRequest AssertionConsumerServiceURL | The URL to which the SAML response is forwarded (ACS URL). |
| AuthnRequest ID | An ID issued in the Media Connect Center authorization system; used when creating a SAML response. |
| AuthnRequest IssueInstant | Date and time when the SAML request is created. |
| AuthnRequest ProtocolBinding | The binding for the SAML response. The SAML response must be sent using the HTTP POST method. |
| AuthnRequest ProviderName | The service provider's name, which is set to "ncloudmediaconnectcenter.com". |
| Issuer | The name of the service provider that issued the request; used when creating a SAML response. |

SAML Request example

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
  xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  AssertionConsumerServiceURL="https://company ID.ncloudmediaconnectcenter.com/...."
  ID="bemkplgpdoemkhjmncgmbcdibglpngclfombpmed"
  IssueInstant="2018-02-14T03:33:49.999Z"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  ProviderName="ncloudmediaconnectcenter.com"
  Version="2.0">
  <saml2:Issuer
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ncloudmediaconnectcenter.com</saml2:Issuer>
  <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>
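
The following Python is an added example, not part of the original page or NAVER Cloud Platform code: it shows the request validation step for the client's authorization system, inflating the Deflate + Base64 SAMLRequest under a size cap, rejecting DTDs, and checking the Issuer, ProtocolBinding and ACS URL against expected values. The size cap, the sample ACS URL and the sample request ID are constructed for illustration; the expected ACS URL should be the one shown in the console.

```python
import base64, zlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EXPECTED_ISSUER = "ncloudmediaconnectcenter.com"  # Issuer value shown on the page
MAX_XML_BYTES = 64 * 1024                          # assumed size cap

def decode_authn_request(saml_request, expected_acs_url):
    """Inflate and validate a SAMLRequest value (already URL-decoded)."""
    raw = base64.b64decode(saml_request, validate=True)
    inflater = zlib.decompressobj(-15)             # raw DEFLATE, no zlib header
    data = inflater.decompress(raw, MAX_XML_BYTES + 1)
    if len(data) > MAX_XML_BYTES:
        raise ValueError("SAMLRequest inflates beyond the size cap")
    text = data.decode("utf-8")
    if "<!DOCTYPE" in text or "<!ENTITY" in text:   # no DTDs, so no entity tricks
        raise ValueError("DTD found in SAMLRequest")
    root = ET.fromstring(text)
    checks = {
        "root element": root.tag == f"{{{SAMLP}}}AuthnRequest",
        "Issuer": (root.findtext(f"{{{SAML}}}Issuer") or "").strip() == EXPECTED_ISSUER,
        "ProtocolBinding": root.get("ProtocolBinding") == POST_BINDING,
        "AssertionConsumerServiceURL":
            root.get("AssertionConsumerServiceURL") == expected_acs_url,
        "ID": bool(root.get("ID")),
    }
    failed = [name for name, ok in checks.items() if not ok]
    if failed:
        raise ValueError("invalid AuthnRequest: " + ", ".join(failed))
    return {"id": root.get("ID"), "acs_url": expected_acs_url,
            "issue_instant": root.get("IssueInstant")}

def deflate_b64(xml_text):
    """Encode XML the way the SAMLRequest parameter is encoded (sample builder)."""
    comp = zlib.compressobj(wbits=-15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

# Constructed sample, modelled on the request shown above.
SAMPLE_ACS = "https://example.ncloudmediaconnectcenter.com/acs"
SAMPLE_XML = (
    '<saml2p:AuthnRequest xmlns:saml2p="%s" AssertionConsumerServiceURL="%s" '
    'ID="constructed-id-0001" IssueInstant="2018-02-14T03:33:49.999Z" '
    'ProtocolBinding="%s" Version="2.0"><saml2:Issuer xmlns:saml2="%s">%s'
    '</saml2:Issuer></saml2p:AuthnRequest>'
) % (SAMLP, SAMPLE_ACS, POST_BINDING, SAML, EXPECTED_ISSUER)
```

The returned ID is the value to reference when creating the SAML response, and the response should only ever be posted to the ACS URL that passed this check.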

LDAP

You can configure SSO using LDAP.

How to configure

To configure SSO based on LDAP:

  1. From the NAVER Cloud Platform console, navigate to i_menu > Services > Media > Media Connect Center.
  2. Click the Developers menu.
  3. Click SSO settings in Settings.
  4. Click to change Enable setting to On.
  5. Click and select LDAP in the SSO method.
  6. Enter the information for settings.
    • Required input values
      • LDAP URL, URL, Domain Access User Name, Domain Access User, Password, Domain Base, User Class Name, User ID attribute
  7. Select and register a file.
  8. Click [Apply].

Log out

There are 2 types of logout: Media Connect Center logout and client logout.

Log out of Media Connect Center

Use this method if you log out of Media Connect Center after logging out of the client's company information system. After a logout request is received, the currently logged-in Media Connect Center account is logged out of Media Connect Center. Then, you are redirected to the forwarded redirect_uri.

Request URL
Because redirect_uri is managed using white_url, enter the prepared request URL in the logout domain field on the console.

Example: https://company ID.ncloudmediaconnectcenter.com/authn/logoutProcess

HTTP Method
GET/POST

Request

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| redirect_uri | String | Y | A URL to redirect after logging out of Media Connect Center. It is URL-encoded. |

Response
Redirect to redirect_uri.

Log out of the client system

Use this method if you log out of the client's company information system after logging out of Media Connect Center.

Request URL
Enter the prepared request URL in the logout URL field on the console. According to the infrastructure security policy, only port 443 can be used.

Example: https://client domain/logout

HTTP Method
GET

Request

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| redirect_uri | String | N | A URL to redirect after logging out of the client system. It is URL-encoded. |