Verimatrix Platform provides support for single sign-on (SSO) through a customer-provided SAML 2.0-compatible external Identity Provider (IdP) such as Microsoft SSO or Okta.

The external IdP authenticates the customer user before allowing access to Platform services such as XTD, Counterspy, and Streamkeeper.

To integrate Verimatrix Platform with your IdP, Customer Single Sign On using SAML requires an initial exchange of configuration values between your organization (the Identity Provider or IdP), and Verimatrix Platform (Service Provider or SP).

In this article:

Overview
Customer Provided Information
Verimatrix Platform Provided Information
- Single sign-on URL
- User pool ID for Audience URI (SP Entity ID)
User Permissions and Roles
Limitations

Overview

Customer Single-Sign On using SAML requires an initial exchange of configuration values to and from the Customer (Identity Provider) and Verimatrix Platform (Service Provider).

This article outlines the values that are exchanged between parties. To start the exchange, submit a help desk ticket to Verimatrix Customer Care.

What you need to provide

SAML 2.0 Metadata URL
SAML Attribute Mapping
Customer Email Domain

SAML 2.0 Metadata URL

Obtain the Metadata URL from your IdP. The Metadata URL helps configure the SAML service provider (Verimatrix Platform).

Examples of Metadata URLs:

Microsoft

https://login.microsoftonline.com/dcb260f9-022d-4495-8602-eae51035a000/federationmetadata/2007-06/federationmetadata.xml?appid=9999059b-8a15-498b-b473-b0f8578a1000

Okta

https://integrator-79950000.okta.com/app/exkuva5uejH6BuefS000/sso/saml/metadata

IdP Metadata Security Considerations

Your IdP should, at a minimum, follow these security guidelines for metadata:

IdP Certificate and Signing algorithms:

For encryption and signing, prioritize modern algorithms over legacy algorithms.
RSA 2048+ or Elliptic Curve (P-256, P-384).
SHA-256 or stronger for signatures.

Metadata Related:

Include the IdP Organization and Contact Person information in the metadata (ideally, a group email address).
Publish metadata over HTTPS with valid certificates.
Optionally sign the metadata XML with a trusted signing certificate.
Make metadata available via a well-known URL (e.g., https://idp.example.com/metadata).
If distributing manually, ensure integrity (e.g., signed file or checksum).
Don’t embed expired certificates; remove old ones.
Keep metadata minimal – include only what is necessary for relying parties.
Use separate test and production metadata to avoid confusion.
Notify SPs (Verimatrix) well in advance of changes (such as certificate rotation).

SAML Attribute Mapping

Provide the SAML attributes used by your IdP that will map to the equivalent attributes used by Verimatrix Platform Service Provider.

The attributes to map are:

email (email address)
given_name (first name)
family_name (last name, surname)

Examples of Identity Provider mappings:

User pool attribute	Microsoft SAML attributes	Okta SAML attributes
email	`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress`	user.email
given_name	`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname`	user.lastName
family_name	`http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname`	user.firstName

Customer Email Domain

Provide the email domain(s) of users who are allowed to log in through SSO.

This can be a list if there are multiple domains. For example, if you use "[email protected]" and "[email protected]" email addresses, you must provide x.z.com and y.z.com, and not just z.com. However, if only users in y.z.com should be allowed to login, then you only need to provide y.z.com.

What Verimatrix Platform provides

Your IdP needs configuration values from Verimatrix Platform for their specific organization. Verimatrix Platform provides:

Single sign-on URL
Userpool ID for Audience URI (SP Entity ID)

Add these values to your IdP application’s SAML settings.

Single Sign-on URL

This is the URL that your IdP will send successful SAML responses to.

Example:

https://c04667050101447f88dbds000.auth.us-east-1.amazoncognito.com/saml2/idpresponse

User Pool ID for Audience URI (Service Provider Entity ID)

A user pool contains the registered users for an organization.

This value is the user pool ID of your organization’s user pool. The user pool ID is used to construct the Audience URI (SP Entity ID).

User pool ID Example:

us-east-1_OxJo2sTkj

SP Entity ID Example:

urn:amazon:cognito:sp:us-east-1_OxJo2sTkj

User Permissions and Roles

Verimatrix Platform does not currently support roles, groups, or permissions provided by the IdP.

After a user has been onboarded successfully, they have a Verimatrix Platform role of "Customer User", with limited permissions. An existing "Customer Admin" user can log in and adjust the user’s role or permissions from Verimatrix Platform.

Limitations

IdP-initiated logins are not supported.
Real-time enforcement of the IdP state is not supported. This means that disabling accounts or sessions on the IdP does not result in immediate enforcement on Verimatrix Platform (SP).
Verimatrix Platform does not invoke the single-logout service specified in IdP metadata when a user logs out of Verimatrix Platform.