Setting SSO
Available in Classic and VPC
SSO (Single Sign-On) settings let you set up an integrated login so that one ID gives access to both Media Connect Center and the client company's systems. Once SSO is configured, the login status of the client company's enterprise information system is carried over to Media Connect Center, and users log in to Media Connect Center with the credentials of that existing enterprise information system.
Media Connect Center acts as the SP (Service Provider); the client company's authentication system acts as the identity provider that authenticates the user. The SSO methods provided are as follows.
OAuth
You can set SSO based on OAuth 2.0.
Operation order
The following describes the SSO operation order based on OAuth 2.0.
1. Use Media Connect Center
   - The user opens the Media Connect Center URL in a web browser
2. Request to issue authorization code
   - If the user is not logged in to Media Connect Center, a request to issue an authorization code is sent to the client company's authentication system
3. Run login page (if not logged in to the client company)
   - The login page customized to the client company's requirements is shown to the user
4. Enter account information
   - The user enters a login ID and password according to the client company's login policy
5. Issue authorization code after client company authentication
   - After the client company authenticates the account information entered by the user, an authorization code is issued
   - If the user is already logged in to the client company system, steps 3 and 4 are skipped and an authorization code is issued immediately
   - An authorization code is single-use: it is exchanged once for an access token and then invalidated
6. Return (redirect) authorization code
   - The authorization code is returned by redirecting to the redirect_uri that the Media Connect Center authentication system supplied in the original authorization code request
7. Request access token with the authorization code
   - With the authorization code as a parameter, an access token is requested from the client company's authentication system
8. Return access token
   - The client company's authentication system validates the authorization code, then issues and returns an access token
9. Request user information with access token
   - With the access token as a parameter, user information is requested from the client company's authentication system
10. Return user information
    - The client company's authentication system validates the access token and returns the user's login email address
11. Issue Media Connect Center authentication token
    - The Media Connect Center authentication system issues an authentication token for Media Connect Center based on the returned user information
Setup method
The following describes how to set up an OAuth 2.0-based SSO.
- From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
- Click the Products & Services > Media > Media Connect Center menus, in that order.
- Click the Developers menu.
- Click the Set SSO menu from Settings.
- Click the selectable item to change it to On.
- Click and select OAuth among the SSO methods.
- Enter information for configuration.
- Redirect URL: read-only. Click the [Copy] button to copy it; this is the redirect_uri to which the client company's authentication system must return the authorization code
- Required value
  - Web login URL: the page where the user enters account information to log in to the Media Connect Center web. After processing the client company login, it issues an authorization code and returns to redirect_uri. Refer to [Web login URL (OAuth)](#web-login-url(oauth)) and Issue authorization code for detailed setup instructions
  - Access token return API: refer to Access token issuing API
  - User info return API: refer to User information return API
- Optional value
  - Application Login URL, Client ID, Client Secret, Scope, Logout URL, Logout Domain
- Click the [Apply] button.
Web Login URL(OAuth)
After processing the client company login, issue an authorization code and return to redirect_uri.
Request URL
Enter the request URL in the console's Web login URL field. Only port 443 (HTTPS) can be used, according to the infrastructure security policy.
<Example> https://client company domain/client company login page
HTTP Method
GET
Request
Parameter | Type | Requirement status | Description |
---|---|---|---|
response_type | String | Y | Specifies the authorization flow and the format of the result. Always the fixed string "code". |
client_id | String | Y | Client ID value registered in the NAVER Cloud Platform console's Developers menu |
redirect_uri | String | Y | URL-encoded URL to which the authorization code is returned after authentication |
state | String | Y | Random, unpredictable value generated per login attempt to prevent CSRF (Cross-Site Request Forgery). It is returned as a parameter together with the authorization code, and Media Connect Center compares it with the value it sent |
loginId | String | N | Login ID entered by user |
Issue authorization code
After the client company's SSO system authenticates and processes what is required for SSO, it issues an authorization code and redirects to the Media Connect Center authentication system.
Request URL
The redirect_uri parameter value that the Media Connect Center authentication system sent when it requested the login page. It may change depending on the user's environment and Media Connect Center policy, so the URL received in the redirect_uri parameter must be used rather than a hard-coded value. The client company's authentication system should still accept only a redirect_uri that matches the Redirect URL shown in the console; redirecting an authorization code to an unvalidated URL would hand it to whoever supplied that URL.
<Example> https://Media Connect Center authentication system URL/authorizationURL
HTTP Method
GET/POST
Request
Parameter | Type | Requirement status | Description |
---|---|---|---|
code | String | Y (Success) | Single-use authorization code, exchanged once for an access token |
state | String | Y (Success) | The CSRF-protection value received in the state parameter of the login page request, returned unchanged (URL-encoded) |
error | String | Y (Failure) | Error code returned in case of failure |
error_description | String | Y (Failure) | Explanation of the error code returned in case of failure |
Access token issuing API
The client company's SSO system validates the authorization code, and issues and returns an access token.
Request URL
Enter the request URL in the console's Access token return API field. Only port 443 (HTTPS) can be used, according to the infrastructure security policy.
<Example> https://client company domain/accessToken
HTTP Method
POST
Request
Parameter | Type | Requirement status | Description |
---|---|---|---|
grant_type | String | Y | Specifies the grant type used for the token request. Always the fixed string "authorization_code". |
client_id | String | Y | Client ID value registered in the NAVER Cloud Platform console's Developers |
client_secret | String | Y | Client secret value registered in the NAVER Cloud Platform console's Developers |
code | String | Y | Authorization Code |
state | String | N | Authentication value used to prevent CSRF, is URL encoded |
Response
Property | Type | Requirement status | Description |
---|---|---|---|
access_token | String | Y (Success) | Access Token |
token_type | String | Y (Success) | Access token's type. Fixed as "Bearer" |
expires_in | String | Y (Success) | Access token validity period in seconds; this is also how long the application's login is maintained |
error | String | Y (Failure) | Error code returned in case of failure |
error_description | String | Y (Failure) | Explanation of the error code returned in case of failure |
User information return API
The client company's SSO system validates the access token, and returns the user information.
Request URL
Enter the request URL in the console's User info return API field. Only port 443 (HTTPS) can be used, according to the infrastructure security policy.
<Example> https://client company domain/user information
HTTP Method
POST
Request
Parameter | Type | Requirement status | Description |
---|---|---|---|
client_id | String | Y | Client ID value registered in the NAVER Cloud Platform console's Developers |
client_secret | String | Y | Client secret value registered in the NAVER Cloud Platform console's Developers |
access_token | String | Y | Access Token |
Response
Property | Type | Requirement status | Description |
---|---|---|---|
email_id | String | Y (Success) | The member's work email login ID |
error | String | Y (Failure) | Error code returned in case of failure |
error_description | String | Y (Failure) | Explanation of the error code returned in case of failure |
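The operation order above and the three API sections describe one exchange; the following is an added example, not Media Connect Center's own code, that runs both sides of that exchange in a single process. `ClientAuthServer` stands in for the client company's authentication system (Web login URL, access token issuing API, user information return API) and `MediaConnectCenterSP` for the Media Connect Center authentication system. The client ID, client secret, redirect URI, login URL and user e-mail are constructed placeholders, as are the code and token lifetimes. It shows the two checks that make the flow safe: the authorization code is consumed on first use, and the `state` value is compared on the way back.

```python
"""Constructed walk-through of the OAuth 2.0 authorization-code exchange.
Added example, not Media Connect Center's code; all identifiers are placeholders."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CLIENT_ID = "mcc-client-id"                     # constructed
CLIENT_SECRET = "mcc-client-secret"             # constructed
REDIRECT_URI = "https://companyid.ncloudmediaconnectcenter.com/authn/callback"  # constructed
USER_EMAIL = "alice@client.example"             # constructed
CODE_TTL = 60        # seconds an unused authorization code stays valid (assumption)
TOKEN_TTL = 3600     # returned as expires_in (assumption)


def _query(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class ClientAuthServer:
    """Client company side: Web login URL, access token API, user info API."""

    def __init__(self):
        self._codes = {}    # code -> (email, issued_at)
        self._tokens = {}   # access_token -> (email, expires_at)

    def login(self, login_url, email):
        """Steps 3-6: the user authenticated as `email`; issue a code and redirect."""
        q = _query(login_url)
        if q.get("response_type") != "code" or q.get("client_id") != CLIENT_ID or "state" not in q:
            return {"error": "invalid_request", "error_description": "bad request parameters"}
        if q.get("redirect_uri") != REDIRECT_URI:   # exact match against the registered Redirect URL
            return {"error": "invalid_request", "error_description": "unregistered redirect_uri"}
        code = secrets.token_urlsafe(32)
        self._codes[code] = (email, time.time())
        # state is echoed back untouched; the SP compares it with the value it sent
        return {"redirect": f"{q['redirect_uri']}?{urlencode({'code': code, 'state': q['state']})}"}

    def access_token(self, grant_type, client_id, client_secret, code):
        """Access token issuing API: the code is single-use and short-lived."""
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        if client_id != CLIENT_ID or not secrets.compare_digest(client_secret, CLIENT_SECRET):
            return {"error": "invalid_client"}
        entry = self._codes.pop(code, None)          # pop: a replayed code is gone
        if entry is None or time.time() - entry[1] > CODE_TTL:
            return {"error": "invalid_grant", "error_description": "code unknown, used or expired"}
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (entry[0], time.time() + TOKEN_TTL)
        return {"access_token": token, "token_type": "Bearer", "expires_in": str(TOKEN_TTL)}

    def user_info(self, client_id, client_secret, access_token):
        """User information return API: validate the token, return email_id."""
        if client_id != CLIENT_ID or not secrets.compare_digest(client_secret, CLIENT_SECRET):
            return {"error": "invalid_client"}
        entry = self._tokens.get(access_token)
        if entry is None or entry[1] < time.time():
            return {"error": "invalid_token"}
        return {"email_id": entry[0]}


class MediaConnectCenterSP:
    """Service provider side: starts the flow and checks state on the way back."""

    def __init__(self, idp, login_url="https://client.example/login"):   # login URL constructed
        self.idp, self.login_url, self.pending_state = idp, login_url, None

    def start_login(self):
        """Step 2: build the Web login URL request with a fresh CSRF state."""
        self.pending_state = secrets.token_urlsafe(16)
        params = {"response_type": "code", "client_id": CLIENT_ID,
                  "redirect_uri": REDIRECT_URI, "state": self.pending_state}
        return f"{self.login_url}?{urlencode(params)}"

    def callback(self, redirect_url):
        """Steps 7-10: verify state, exchange the code, fetch user info."""
        q = _query(redirect_url)
        if "error" in q:
            return {"error": q["error"]}
        expected, self.pending_state = self.pending_state, None   # state is single-use too
        if expected is None or not secrets.compare_digest(q.get("state", ""), expected):
            return {"error": "state_mismatch"}   # forged or cross-site callback
        tok = self.idp.access_token("authorization_code", CLIENT_ID, CLIENT_SECRET, q.get("code", ""))
        if "error" in tok:
            return tok
        return self.idp.user_info(CLIENT_ID, CLIENT_SECRET, tok["access_token"])


def run_flow():
    """Happy path plus two failure modes; returns the outcome of each."""
    idp = ClientAuthServer()
    sp = MediaConnectCenterSP(idp)
    redirect = idp.login(sp.start_login(), USER_EMAIL)["redirect"]
    ok = sp.callback(redirect)
    sp.pending_state = _query(redirect)["state"]     # re-arm state to isolate code replay
    replay = sp.callback(redirect)                   # same code again: must be refused
    sp.start_login()
    forged = sp.callback(f"{REDIRECT_URI}?code=attacker-code&state=attacker-state")
    return {"ok": ok, "replay": replay, "forged": forged}
```

`run_flow()` returns the user's `email_id` for the genuine callback, `invalid_grant` when the same authorization code is presented a second time, and `state_mismatch` for a callback whose `state` was not issued for the pending login. In a real deployment the redirect, token and user-info calls are HTTPS requests to the URLs registered in the console; the checks stay the same.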
SAML
You can set SSO based on SAML 2.0.
Operation order
The following describes the SSO operation order based on SAML 2.0.
1. Use Media Connect Center
   - The user opens the Media Connect Center URL in a web browser
2. Create SAML request and redirect
   - If the user is not logged in to Media Connect Center, a SAML request is created and sent to the client company's authentication system
3. Validate the SAML request and run the login page (if not logged in to the client company)
   - The client company's authentication system checks that the SAML request is valid
   - The login page customized to the client company's requirements is shown to the user
4. Enter account information
   - The user enters a login ID and password according to the client company's login policy
5. Create SAML response after client company authentication
   - After the client company authenticates the account information entered by the user, a SAML response is created
   - If the user is already logged in to the client company system, steps 3 and 4 are skipped and a SAML response is created immediately
   - The SAML response is digitally signed with the private key that corresponds to the certificate pre-registered in Media Connect Center
6. Send (redirect) SAML response
   - The SAML response is sent to the ACS URL specified in the SAML request from Media Connect Center
7. Issue Media Connect Center authentication token
   - Media Connect Center validates the SAML response signature with the pre-registered certificate, confirms the user information, and then issues an authentication token for Media Connect Center
Setup method
The following describes how to set up SSO based on SAML 2.0.
- From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
- Click the Products & Services > Media > Media Connect Center menus, in that order.
- Click the Developers menu.
- Click the Set SSO menu from Settings.
- Click the selectable item to change it to On.
- Click and select SAML among the SSO methods.
- Enter information for configuration.
- ACS URL: read-only. Click the [Copy] button to copy it; the client company's authentication system must send SAML responses to this URL
- Entity ID: read-only. Click the [Copy] button to copy it; this is the Issuer value in SAML requests from Media Connect Center
- Required value
  - Web login URL: the page where the user enters account information to log in to the Media Connect Center web. Refer to [Web login URL (SAML)](#web-login-url(saml)) and Validate SAML request for detailed setup instructions
- Optional value
  - Application Login URL, Logout URL, Logout Domain
- Click the [Attach files] button under Register files to register the certificate whose key signs the SAML responses.
  - Media Connect Center uses the registered certificate to validate the signature on SAML responses received at the ACS URL; a response signed with any other key is rejected
- Select a file and register.
- Click the [Apply] button.
Web Login URL(SAML)
After validating the SAML request and processing the client company login, create the SAML response and return to ACS URL.
Request URL
Enter the request URL in the console's Web login URL field. Only port 80 or 443 can be used, according to the infrastructure security policy.
<Example> https://client company domain/client company login page
HTTP Method
GET
Request
Parameter | Type | Requirement status | Description |
---|---|---|---|
SAMLRequest | String | Y | SAML 2.0 AuthnRequest (DEFLATE-compressed, then Base64-encoded) |
RelayState | String | Y | URL to return to (retry) if authentication fails |
Validate SAML request
A SAML request is DEFLATE-compressed and then Base64-encoded. The client company's authentication system decodes it and validates the items below before showing the login page.
SAML request details
```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="{ACS URL}"
    ID="{ID issued by Media Connect Center authentication system}"
    IssueInstant="{Request creation date and time}"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="ncloudmediaconnectcenter.com"
    Version="2.0">
  <saml2:Issuer
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ncloudmediaconnectcenter.com</saml2:Issuer>
  <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>
```
The SAML request's items are as follows.
Item | Description |
---|---|
AuthnRequest AssertionConsumerServiceURL | URL to which the SAML response is delivered (ACS URL). Compare it with the ACS URL shown in the console rather than trusting the value in the request |
AuthnRequest ID | ID issued by the Media Connect Center authentication system; used as InResponseTo when creating the SAML response |
AuthnRequest IssueInstant | SAML request creation date and time (UTC) |
AuthnRequest ProtocolBinding | Sent as "HTTP-POST", so the SAML response must be sent to the ACS URL using the POST method |
AuthnRequest ProviderName | Name of the service provider, sent as ncloudmediaconnectcenter.com |
Issuer | Entity ID of the service provider (Media Connect Center); used when creating the SAML response |
SAML request example
```xml
<?xml version="1.0" encoding="UTF-8"?>
<saml2p:AuthnRequest
    xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://Company ID.ncloudmediaconnectcenter.com/...."
    ID="bemkplgpdoemkhjmncgmbcdibglpngclfombpmed"
    IssueInstant="2018-02-14T03:33:49.999Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="ncloudmediaconnectcenter.com"
    Version="2.0">
  <saml2:Issuer
      xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">ncloudmediaconnectcenter.com</saml2:Issuer>
  <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</saml2p:AuthnRequest>
```
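The following is an added example, not Media Connect Center's own code, of how the client company's authentication system can decode the SAMLRequest parameter and validate the items listed above before showing its login page. It reproduces the page's sample request through `sample_xml()` with a caller-supplied IssueInstant; the expected ACS URL (with a placeholder company ID), the five-minute freshness window and the function names are assumptions. The stdlib XML parser is used so the block runs offline; production code should parse with defusedxml or an equivalent hardened parser.

```python
"""Constructed example: decode and validate a Media Connect Center AuthnRequest.
Added example, not Media Connect Center's code; EXPECTED_ACS and the window are assumed."""
import base64
import xml.etree.ElementTree as ET   # use defusedxml in production
import zlib
from datetime import datetime, timedelta, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
SP_ENTITY_ID = "ncloudmediaconnectcenter.com"
EXPECTED_ACS = "https://companyid.ncloudmediaconnectcenter.com/saml/acs"   # constructed
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def sample_xml(issue_instant):
    """The page's sample AuthnRequest with a caller-supplied IssueInstant."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<saml2p:AuthnRequest xmlns:saml2p="{NS_P}"\n'
        f'    AssertionConsumerServiceURL="{EXPECTED_ACS}"\n'
        '    ID="bemkplgpdoemkhjmncgmbcdibglpngclfombpmed"\n'
        f'    IssueInstant="{issue_instant}"\n'
        f'    ProtocolBinding="{HTTP_POST}"\n'
        '    ProviderName="ncloudmediaconnectcenter.com" Version="2.0">\n'
        f'  <saml2:Issuer xmlns:saml2="{NS_A}">{SP_ENTITY_ID}</saml2:Issuer>\n'
        '  <saml2p:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>\n'
        '</saml2p:AuthnRequest>'
    )


def encode_request(xml_text):
    """SAMLRequest wire form: raw DEFLATE (no zlib header) then Base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw deflate stream
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_request(saml_request, max_bytes=64 * 1024):
    """Inverse of encode_request, capped so a tiny request cannot inflate without bound."""
    raw = base64.b64decode(saml_request, validate=True)
    dec = zlib.decompressobj(-15)
    xml_bytes = dec.decompress(raw, max_bytes)
    if dec.unconsumed_tail:
        raise ValueError("SAMLRequest inflates past the size limit")
    return xml_bytes


def parse_instant(value):
    """IssueInstant is UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("malformed IssueInstant")


def validate_request(saml_request, now, max_age=timedelta(minutes=5)):
    """Return what the IdP needs to build the response, or raise ValueError."""
    root = ET.fromstring(decode_request(saml_request))
    if root.tag != f"{{{NS_P}}}AuthnRequest" or root.get("Version") != "2.0":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.findtext(f"{{{NS_A}}}Issuer")
    if issuer != SP_ENTITY_ID:
        raise ValueError(f"unexpected Issuer {issuer!r}")
    acs = root.get("AssertionConsumerServiceURL")
    if acs != EXPECTED_ACS:      # the request's ACS URL is untrusted input: compare, never adopt
        raise ValueError(f"ACS URL {acs!r} is not the registered ACS URL")
    if root.get("ProtocolBinding") != HTTP_POST:
        raise ValueError("ProtocolBinding must be HTTP-POST")
    issued = parse_instant(root.get("IssueInstant", ""))
    if not (now - max_age <= issued <= now + timedelta(seconds=30)):   # small clock-skew allowance
        raise ValueError("IssueInstant outside the acceptable window")
    req_id = root.get("ID")
    if not req_id:
        raise ValueError("missing ID")
    # ID becomes InResponseTo in the response; the IdP should also refuse a repeated ID
    return {"in_response_to": req_id, "acs_url": acs, "issuer": issuer}


def demo():
    """The sample request accepted, plus three tampered variants rejected."""
    xml_ok = sample_xml("2018-02-14T03:33:49.999Z")
    now = datetime(2018, 2, 14, 3, 34, 0, tzinfo=timezone.utc)   # constructed "current time"

    def outcome(xml_text, when):
        try:
            return validate_request(encode_request(xml_text), when)
        except ValueError as exc:
            return {"error": str(exc)}

    return {
        "valid": outcome(xml_ok, now),
        "bad_acs": outcome(xml_ok.replace(EXPECTED_ACS, "https://evil.example/acs"), now),
        "bad_issuer": outcome(xml_ok.replace(f">{SP_ENTITY_ID}</", ">other-sp.example</"), now),
        "stale": outcome(xml_ok, now + timedelta(hours=1)),
    }
```

`demo()` accepts the sample request and returns the ID to use as InResponseTo, while a request pointing at a foreign ACS URL, one with an unknown Issuer, and one older than the freshness window are each refused with a reason. The ACS comparison matters most: an identity provider that posts the signed response to whatever URL the request names will deliver a valid assertion to an attacker who forges a request.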
LDAP
You can set SSO based on LDAP.
Setup method
The following describes how to set up an LDAP-based SSO.
- From the NAVER Cloud Platform console's Platform menu, click and select between VPC and Classic.
- Click the Products & Services > Media > Media Connect Center menus, in that order.
- Click the Developers menu.
- Click the Set SSO menu from Settings.
- Click the selectable item to change it to On.
- Click and select LDAP among the SSO methods.
- Enter information for configuration.
- Required value
  - LDAP URL, Domain Access User Name, Domain Access User Password, Domain Base, User Class Name, User ID attribute
- Select a file and register.
- Click the [Apply] button.
Log out
There are two types of logouts: Media Connect Center logout and client company logout.
Media Connect Center logout
Used to log out of Media Connect Center after the user has logged out of the client company's enterprise information system. When Media Connect Center receives a logout request, it logs out the signed-in Media Connect Center account and redirects to the redirect_uri it received.
Request URL
Because redirect_uri is validated against an allowlist (white_url), register the domain of the URL you will pass as redirect_uri in the console's Logout Domain field; values outside that domain are rejected. The request URL itself is the Media Connect Center logout endpoint.
<Example> https://Company ID.ncloudmediaconnectcenter.com/authn/logoutProcess
Applies to: OAuth, SAML
HTTP Method
GET/POST
Request
Parameter | Type | Requirement status | Description |
---|---|---|---|
redirect_uri | String | Y | URL-encoded URL to redirect to after logging out of Media Connect Center; it must be under the Logout Domain registered in the console |
Response
Redirect to redirect_uri
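The allowlist behind the Logout Domain setting is the kind of check any service that redirects to a caller-supplied URL needs. The following is an added example, not Media Connect Center's own code, of such a check: a logout redirect_uri is followed only when it is an https URL whose host is a registered domain or a dot-delimited subdomain of it. The function name, the registered domain and the sample URLs are assumptions, and the value is taken after the web framework has already URL-decoded the query parameter.

```python
"""Constructed example of a logout redirect_uri allowlist check.
Added example, not Media Connect Center's code; names and sample URLs are assumed."""
from urllib.parse import urlsplit


def is_allowed_redirect(redirect_uri, allowed_domains):
    """True only for https://<allowed domain or subdomain>/...; everything else is refused."""
    try:
        parts = urlsplit(redirect_uri)
    except ValueError:           # e.g. an invalid IPv6 literal
        return False
    if parts.scheme != "https":
        return False             # rejects http://, javascript:, data: and scheme-relative "//host"
    host = parts.hostname        # lower-cased, without userinfo or port
    if not host or parts.username is not None or parts.password is not None:
        return False             # "https://client.example@evil.example/" must not pass
    # Exact host or a dot-delimited subdomain; a bare suffix test would accept evilclient.example
    return any(host == d or host.endswith("." + d) for d in allowed_domains)


def demo():
    """Run a set of constructed URLs against one registered Logout Domain."""
    allowed = {"client.example"}       # constructed: the console's Logout Domain value
    urls = [
        "https://client.example/logged-out",
        "https://sso.client.example/logged-out?next=%2Fhome",
        "http://client.example/logged-out",
        "https://evilclient.example/",
        "https://client.example.evil.example/",
        "https://client.example@evil.example/",
        "//evil.example/",
        "javascript:alert(1)",
    ]
    return {u: is_allowed_redirect(u, allowed) for u in urls}
```

Only the first two URLs pass; the rest are the usual ways an open redirect is smuggled past a naive check (wrong scheme, a registered name used as a prefix or as userinfo, a registered name as the leading labels of an attacker's host, or a scheme-relative URL).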
Client company logout
Used to log out of the client company's enterprise information system after the user has logged out of Media Connect Center. Media Connect Center calls the Logout URL registered in the console.
Request URL
Enter the request URL in the console's Logout URL field. Only port 443 (HTTPS) can be used, according to the infrastructure security policy.
<Example> https://client company domain/logout
Applies to: OAuth, SAML
HTTP Method
GET
Request
Parameter | Type | Requirement status | Description |
---|---|---|---|
redirect_uri | String | N | URL-encoded URL to redirect to after the client company system has processed the logout |