Classic SSO: Requirements

Universal SSO: Requirements for use

Provide configuration for your IdP

  • Must have, or act as an, Identity Provider (IdP)
    • Requires compatibility with SAML 2.0 or OpenID Connect (OIDC)
    • IdP must be externally accessible; it cannot be on a private network

If SAML 2.0
We need:

  • Login Endpoint
  • Assertion Verification Public Key

If OpenID Connect
We need:

  • Client ID
  • Client Secret
  • Issuer URL with .well-known metadata endpoint (preferred)
    • Alternatively, URLs for Authorization, Token, and User info endpoints
  • Scope
  • Email domain(s) of accounts that should authenticate with your IdP
    • Ownership of the domain must be verified
    • NOTE: We only provide SSO for Verified Domain Owners and do NOT support collections of unowned email domains. See the FAQ.
  • Field Mappings
    • Provide us with the mappings to these claims from your SAML Assertion or JWT
    • Required
      • ID
      • Email
      • Name (full, or first + last)
    • Optional
      • Avatar URL
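
A pre-flight check you can run against your own OIDC values before submitting them, covering the endpoint, field-mapping and verified-domain requirements listed above. This is an added example, not Streem code. The mapping field names (id, email, name, first_name, last_name, avatar_url) and all sample values are assumptions; the endpoint keys are the standard OIDC discovery metadata names.

```python
import ipaddress
from urllib.parse import urlparse

ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")

def externally_reachable(url):
    """Heuristic: https URL whose host is not localhost or a non-global IP literal."""
    parts = urlparse(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host or host == "localhost":
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # DNS name: resolving it is out of scope for an offline check

def check_idp_config(discovery, mappings, claims, verified_domains):
    """Return a list of problems; an empty list means the checklist is met."""
    problems = []
    for key in ("issuer",) + ENDPOINTS:
        if not externally_reachable(discovery.get(key, "")):
            problems.append(f"{key} missing or not externally accessible")
    def mapped(field):  # value of the claim that the mapping assigns to a field
        return claims.get(mappings.get(field, ""))
    for field in ("id", "email"):
        if not mapped(field):
            problems.append(f"required field '{field}' has no value")
    if not (mapped("name") or (mapped("first_name") and mapped("last_name"))):
        problems.append("need a full name, or first + last name")
    email = mapped("email") or ""
    domain = email.rpartition("@")[2].lower()
    if email and domain not in {d.lower() for d in verified_domains}:
        problems.append(f"email domain '{domain}' is not verified")
    return problems

# Constructed sample data; idp.example.com and all values are placeholders.
DISCOVERY = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
}
MAPPINGS = {"id": "sub", "email": "email", "first_name": "given_name",
            "last_name": "family_name", "avatar_url": "picture"}
CLAIMS = {"sub": "u-1001", "email": "pat@example.com",
          "given_name": "Pat", "family_name": "Lee"}

if __name__ == "__main__":
    print(check_idp_config(DISCOVERY, MAPPINGS, CLAIMS, ["example.com"]) or "OK")
```

The optional avatar_url mapping is accepted but never required, and hostnames are not resolved, so a DNS name that points into a private network still has to be checked separately.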

What will be provided?

SAML 2.0

  • Sandbox access for initial implementation
  • Callback URL (ACS)
  • Issuer
  • Metadata URL

OpenID Connect (OIDC)

  • Sandbox access for initial implementation
  • Redirect URL (callback location)

FAQ

Q: I use various private email addresses in my SSO to identify users. Does Streem support this?
A: Supporting IdPs with private emails comes with some complexity which needs to be understood. Supporting private emails would require a technical conversation to identify if we could support your use case and technology. We have alternate paths which might serve you and your users more efficiently.

Q: Does access to Single Sign-On connectivity require an additional license?
A: Activating and sustaining SSO does have a cost, but not as an element of your Streem license. The cost is that your organization must already have, and be sustaining, an SSO IdP. During your contracting process, make sure that this is a bullet to discuss so that SSO will be a consideration during your setup.

Q: Is a Sandbox available for testing SSO before going live?
A: Yes, a Sandbox is available. Please work with Streem to schedule your deployment and testing scenarios.