Embedded SSO Requirements

What is Embedded SSO used for?

Embedded SSO is designed to allow clients to transparently log in users who are embedded inside another tool, like CRM or custom data management integration.

Embedded SSO cannot be implemented with out scheduling efforts with the Streem team. In order to accept Embedded auth, settings need to be activated on the Streem auth system. Please reach out to your account manager to Schedule a technical conversation.

Requirements:
All implementations of the Embedded SSO must be tested via a sandbox before migrating to production.

Embedded SSO does require server side access by clients allowing them to host a token Keygen and supply those tokens to the streem service for use.

Environments

US Prod: 'prod-us'
US Sandbox: 'sandbox-us'

Generating Tokens

We have server-side libraries for the following languages:

• Node - https://github.com/streem/streem-sdk-node
• Ruby - https://github.com/streem/streem-sdk-ruby
• Go - https://github.com/streem/streem-sdk-go
• JVM - https://github.com/streem/streem-sdk-jvm

Please let us know if you need this functionality with a different server-side language.

Below is an example of using the Streem SDK for Ruby to generate a token server-side. Ensure that sandbox-us is specific for the API Environment, if that is where you are testing.

require 'streem'

...

# Initialize the Streem SDK for the sandbox environment, using API Key ID/Secret
def initialize
  Streem.init(api_key_id, api_key_secret)
  Streem.api_environment = "sandbox-us"
end

# Generate a Streem Token for the provider user
def generate_token(user)
  builder = Streem::TokenBuilder.new
  builder.user_id = user.id
  builder.name = user.name
  builder.avatar_url = user.avatar_url
  builder.email = user.ema

  return builder.token
end

Using Tokens

After generating a token, you need to pass it down to the client browser or device (how you do this is up to you).

Append #token=TOKEN (replacing TOKEN with the value from above) to a Streem URL, and open in a new browser tab or iframe.

Sandbox Example 1: https://{{company_code}}.swaga.sandbox.streem.cloud#token=abc123
Sandbox Example 2: https://{{company_code}}.swaga.sandbox.streem.cloud/callLog/rm_123/artifacts/ss_456#token=abc123

Once opened, the user should automatically be logged into the sandbox environment.

If the token is incorrectly signed, expired, associated with the wrong company, or created for the wrong environment, the page will load as if the token were not present on the URL, and the user will be asked to login. If you are seeing this behavior, you can verify in the Network Inspector that the call to /auth/token resulted in a 400 response, indicating an invalid token.

FAQ

Q: Can I use sub-companies with Embedded SSO?
A: Yes, if your license type allows for sub-companies, they will function see FAQ for details.

Q: When a sub-company is in use, how does Streem associate individual users with the appropriate sub-company?
A: Tokens will automatically log users into any sub-company. Using your API credentials from the parent company, Create a token for the unique user. Send the user to whatever sub-company URL you wish, where they would be automatically logged in. The user that is "created" is actually not a real user, and would never be able to actually login to Streem directly. A new call log would be started for that user under the sub-company so it is important to ensure that each user has an accurate company_code on record as the Parent company will orchestrate who goes where.

Q: How do I control the Token expiration?
A: Expiration defaults to 4 hours, but can be configured via builder.expiration_ms
Please note, because a server NOT controlled by Streem is generating the token, you will need to generate a new token for the User on expiration as it cannot be refreshed and you are the token authority..

Q: What happens if I am on a call when my access Token expires?
A: Your call will continue to completion, but you may be blocked from viewing post-call media or making updates until new authentication occurs.

Q: Why can't my SSO users log in through the login page?
A: Users who are created via the Embedded SSO process do not have a password created. They are restricted and will NOT be able to log in through any other means. They can only access the system via the Token share.

Q: How do I use Embedded SSO with Streem "Embed" and still retain the ability to pass form data into Streem?
A: You might be attempting to Authenticate too far upstream and be losing your parameters.
The easiest path is to add your auth directly to the embed request
Example: https://yourcompanyname.streempro.app/embed?yourparam=gohere#token=YourToken