Contents
- Background
- Required Orchid Fusion Properties
- Configuring your Identity Provider
- Assigning Permissions to SAML Users
Background
SAML is an open standard that allows Orchid Fusion VMS customers to use a third-party identity provider (like Ping, Auth0, Microsoft Entra ID, Google Workspace, and many others) to manage the users who can log into Orchid VMS and those users' permissions.
Configuring SAML for Orchid Fusion VMS is an IT task that requires administrator access both to your Identity Provider's web interface and to the server running Orchid Fusion VMS. Orchid Hybrid VMS customers should submit a ticket with IPConfigure technical support for assistance in configuring SAML.
SAML is configured with the following steps, each explained in subsequent sections:
- Update your Orchid Fusion VMS properties file to include required SAML settings.
- Use your SAML Identity Provider (IdP)'s web interface to set up Orchid Fusion VMS as a web application. In this step you will copy values between your IdP's web interface and the Orchid Fusion properties file.
- Restart Orchid Fusion, and associate Orchid Fusion Permission Groups with the SAML groups that now have login access to Orchid Fusion VMS.
Required Orchid Fusion Properties
Stage the properties shown below in your fusion.properties file to begin configuring SAML. The values for the last three properties won't be known until you've configured your Identity Provider as explained in the next section (so don't restart Orchid Fusion VMS just yet).
# URL used to access Orchid Fusion VMS
fusion.public.url=https://{your-url}
# Name displayed on the Orchid VMS login page (e.g., "Okta", "Ping", etc.):
saml.provider.samlclient1.common.name=IdP Vendor
# Name of the XML file you downloaded from your Identity Provider
# (see next section). Make sure that this file is in the directory
# /etc/opt/fusion/ for Linux, or C:\Program Files\IPConfigure\Fusion\conf
# on Windows.
saml.provider.samlclient1.idp.metadata.filename=ap-idp-metadata.xml
# The key used by your Identity Provider to represent user names
saml.provider.samlclient1.attr.key.name=name
# Next, specify SAML attributes by which you will identify users.
# In most cases, you will do this with only your users' SAML group
# attribute (similar to using groups in Active Directory, for example).
# More complex enterprise environments may have additional attributes
# that can be used to assign Fusion permissions to users. For example:
# OPTION 1: Simple example considering only a user's group:
saml.provider.samlclient1.attr.key.group=group
# OPTION 2: Enterprise example considering the Zone, Region, and Job Role
# attributes provided by SAML:
saml.provider.samlclient1.attr.key.zone=ZoneNumber
saml.provider.samlclient1.attr.key.region=RegionNumber
saml.provider.samlclient1.attr.key.role=JobRole
Note that up to five separate SAML identity providers can be configured and used in Orchid Fusion VMS. Specify additional providers by copying the set of properties that include "samlclient1" in the name (the last four properties in the simple example above) and, in each copy, replacing "samlclient1" with "samlclient2", "samlclient3", and so forth.
Configuring your Identity Provider
The steps to set up your SAML Identity Provider (IdP) to work with Orchid Fusion VMS will vary based on your specific IdP vendor's web interface. This section provides general steps that should work with any IdP, although the order of the steps will vary by vendor. Subsequent subsections provide more specific guidance on a few popular vendors. If your vendor isn't listed or you need any additional assistance, please contact IPConfigure Technical Support.
When configuring your IdP to support Orchid Fusion VMS, you will create a new web application configuration and set the following properties:
- ACS (Assertion Consumer Service) URL: https://{your-url}/service/sessions/login/samlCallback?client_name=samlclient1
- Entity ID: https://{your-url}/service/sessions/login/samlCallback?client_name=samlclient1
- Start URL: https://{your-url}
Note that if you are configuring multiple identity providers, you will need to change the value of "samlclient1" to "samlclient2", "samlclient3", and so forth.
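To sanity-check the properties described above before restarting Orchid Fusion VMS, and to derive the ACS URL, Entity ID and Start URL you will paste into each IdP, here is an added Python example; it is not IPConfigure's code, the fusion.properties content is a constructed sample, and the checks reflect only what this article states (https public URL, at most five providers, the required samlclientN properties).

```python
import re
# Constructed sample of the fusion.properties lines this article describes
SAMPLE = """\
fusion.public.url=https://fusion.example.com
saml.provider.samlclient1.common.name=Google Workspace
saml.provider.samlclient1.idp.metadata.filename=google-idp-metadata.xml
saml.provider.samlclient1.attr.key.name=name
saml.provider.samlclient1.attr.key.group=group
saml.provider.samlclient2.common.name=Ping
saml.provider.samlclient2.idp.metadata.filename=ping-idp-metadata.xml
saml.provider.samlclient2.attr.key.name=name
saml.provider.samlclient2.attr.key.zone=ZoneNumber
"""
KEY_RE = re.compile(r"^saml\.provider\.(samlclient\d+)\.(.+)$")
REQUIRED = ("common.name", "idp.metadata.filename", "attr.key.name")

def parse_properties(text):
    """Parse key=value lines; blank lines and # comments are skipped."""
    pairs = (ln.strip().partition("=") for ln in text.splitlines())
    return {k.strip(): v.strip() for k, _, v in pairs if k and not k.startswith("#")}

def saml_providers(props):
    """Group saml.provider.samlclientN.* keys by client name."""
    providers = {}
    for key, value in props.items():
        m = KEY_RE.match(key)
        if m:
            providers.setdefault(m.group(1), {})[m.group(2)] = value
    return providers

def validate(props):
    """Return a list of problems; an empty list means the config is consistent."""
    problems = []
    if not props.get("fusion.public.url", "").startswith("https://"):
        problems.append("fusion.public.url must be an https URL")
    providers = saml_providers(props)
    if len(providers) > 5:  # the article's stated limit of five providers
        problems.append("more than 5 SAML providers configured")
    for client, p in providers.items():
        problems += [f"{client}: missing {r}" for r in REQUIRED if r not in p]
        # Group mapping needs at least one attribute key besides the user name
        if not any(k.startswith("attr.key.") and k != "attr.key.name" for k in p):
            problems.append(f"{client}: no attribute key besides attr.key.name")
    return problems

def idp_urls(props, client):
    """ACS URL, Entity ID and Start URL to enter in the IdP for one client."""
    base = props["fusion.public.url"].rstrip("/")
    acs = f"{base}/service/sessions/login/samlCallback?client_name={client}"
    return {"acs_url": acs, "entity_id": acs, "start_url": base}
```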
Within the IdP web interface, ensure that there are mappings from each user's IdP username (or email address) and group(s) to SAML attributes. The names of these mapped attributes are specified in the Orchid Fusion VMS properties file:
saml.provider.samlclient1.attr.key.name={name-mapping}
saml.provider.samlclient1.attr.key.{attribute1}={attribute1-mapping}
saml.provider.samlclient1.attr.key.{attribute2}={attribute2-mapping}
saml.provider.samlclient1.attr.key.{attribute3}={attribute3-mapping}
For simple SAML configurations, only one attribute (typically "group") will be specified.
Next, download an XML metadata file from your IdP's web interface that you will install in your Orchid Fusion VMS server's configuration directory and specify with the property:
saml.provider.samlclient1.idp.metadata.filename={file-name}
Depending on your IdP vendor, you may also need to specify which users or groups are allowed to log in to Orchid VMS. Note that this will only affect users' ability to log in; it does not grant them access to any Orchid Recorder servers or cameras. Additionally, some IdPs may require that you explicitly enable the new web application from their web interface.
Finally, restart Orchid Fusion VMS and configure Orchid Permission Groups to grant Orchid Fusion permissions to users from one or more of your IdP groups.
Identity Provider: Google Workspace
Consult the article: Set up your own custom SAML app in the Google Workspace Admin Help pages.
When configuring your SAML app in Google Workspace, select "Option 1: Download IdP metadata". Copy this file to your Orchid Fusion VMS server's configuration directory and specify its name in the Orchid Fusion VMS properties file:
saml.provider.samlclient1.idp.metadata.filename={file-name}
When configuring Service Provider Details, set the Name ID format to EMAIL.
Finally, in Attribute mapping, you will configure the Google Workspace fields that Orchid Fusion VMS will use to identify a user's username and permission group(s). In so doing you will also configure the Google Workspace groups that are allowed to sign in to Orchid Fusion VMS:
The groups specified above must also be assigned to Permission Groups within Orchid Fusion (see next section).
Based on the attributes shown above, your Orchid Fusion properties file should contain the lines:
saml.provider.samlclient1.attr.key.name=name
saml.provider.samlclient1.attr.key.group=group
Note that by default your SAML web app will be marked as "OFF for everyone" in the Google Admin interface. Make sure you enable the app for one or more organizational units before continuing.
Identity Provider: Microsoft Entra ID (formerly Azure AD)
Consult the article: Enable single sign-on for an enterprise application in the Microsoft Entra ID documentation. Note that for Orchid Fusion VMS, you will select "Create your own application" since Orchid Fusion VMS is a "non-gallery" application.
Within the SAML-based Sign-On section of the Entra ID portal, set the Entity ID, Reply URL (ACS) and Sign on URL as explained in the beginning of this section:
Note that in order to configure Microsoft Azure group names (and not raw GUID values) within Orchid Fusion VMS, you must have one of the following Azure product tiers: Azure Active Directory Premium P1 or Microsoft Entra ID P1.
Configure Attributes & Claims so that Microsoft Entra ID values correctly map to Orchid Fusion VMS users and groups:
First, map the required "Name ID" claim to use user.objectid as its value.
Ensure there is a claim with the name name for the value user.userprincipalname (this may already exist).
Add a group claim with the name groups for the value user.groups [ApplicationGroup] (this mapping is created automatically when you create the group claim). Configure this group claim to work only with "Groups assigned to the application", and select "Cloud-only group display names" as the Source attribute.
Based on the attributes described above, your Orchid Fusion properties file should contain the lines:
saml.provider.samlclient1.attr.key.name=name
saml.provider.samlclient1.attr.key.group=groups
From the SAML-based Sign-on section, select "Federation Metadata XML → Download" to get the SAML configuration file needed by Orchid Fusion. Copy this file to your Orchid Fusion VMS server's configuration directory and specify its name in the Orchid Fusion VMS properties file:
saml.provider.samlclient1.idp.metadata.filename={file-name}
Finally, note that the groups whose users are assigned to Orchid Fusion VMS within the Microsoft Entra ID web interface must also be assigned to Permission Groups within Orchid Fusion (see next section).
Identity Provider: Auth0
Consult the article: Configure Auth0 as SAML Identity Provider from Auth0's documentation page.
After creating an Orchid Fusion VMS web application with type "Regular Web Application", go to the Settings tab, and under Application URIs, set Allowed Callback URLs to the "ACS" value described at the beginning of this section:
Next, scroll down to Advanced Settings and create a metadata mapping group → mappings.group:
Save changes, then navigate to the "Addons" tab and enable "SAML2 WEB APP". Under settings the Application Callback URL should be configured with the ACS value you set above. Scroll down and click "Enable", and then "Save".
Based on the attributes described above, your Orchid Fusion properties file should contain the lines:
saml.provider.samlclient1.attr.key.name=name
saml.provider.samlclient1.attr.key.group=group
Next go to the "Usage" tab (still in the "SAML2 WEB APP" section) and download the Identity Provider Metadata file. Copy this file to your Orchid Fusion VMS server's configuration directory and specify its name in the Orchid Fusion VMS properties file:
saml.provider.samlclient1.idp.metadata.filename={file-name}
In order to associate Auth0 users with Groups whose permissions can be configured in Orchid Fusion VMS, you need to install the "Auth0 Authorization" extension within the Auth0 web interface:
Click into the "Auth0 Authorization" page to create one or more Groups containing members who will have access to Orchid Fusion VMS. Note that the users added to these Groups in Auth0 will not have access to Orchid Fusion VMS until these Auth0 groups are associated with Orchid Fusion VMS Permission Groups (see next section).
Identity Provider: Ping
Consult the article: Add a SAML application from the PingIdentity Knowledge Base.
For SAML Configuration, manually enter the values for ACS URL and Entity ID provided at the beginning of this section:
Under Attribute Mappings, create two additional entries to map Ping identity values to Orchid Fusion users and groups:
Based on the attributes shown above, your Orchid Fusion properties file should contain the lines:
saml.provider.samlclient1.attr.key.name=name
saml.provider.samlclient1.attr.key.group=group
From the Configuration section, select "Download Metadata" to get the SAML configuration file needed by Orchid Fusion. Copy this file to your Orchid Fusion VMS server's configuration directory and specify its name in the Orchid Fusion VMS properties file:
saml.provider.samlclient1.idp.metadata.filename={file-name}
Finally, note that the groups whose users are assigned to Orchid Fusion VMS within the Ping web interface must also be assigned to Permission Groups within Orchid Fusion (see next section).
Further note that your Orchid Fusion application may be disabled by default within the Ping web interface. Ensure that it is marked as enabled from the Applications list.
Assigning Permissions to SAML Users
Once your Orchid Fusion VMS properties file and Identity Provider web interface have been configured, restart Orchid Fusion VMS and associate your Identity Provider's group names with Orchid Fusion VMS Permissions Groups.
For any Permission Group, go to the External Group Mappings section and select the SAML provider you specified using saml.provider.samlclient1.common.name in the Fusion properties file. From here, specify the attributes and attribute values that users must have in order to gain access to a particular Fusion permission group.
Note that a user must have all of the attributes specified in a given Attribute Set in order to gain access. If multiple Attribute Sets are specified, a user whose attributes match any one of the Attribute Sets will gain access.
In the following example, we have a Permission Group that provides Administrator access to users in the orchid-hybrid-admins SAML group (in this case, that's the name of a Google Workspace group):
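The matching rule just described (all attributes within an Attribute Set, any one Attribute Set per Permission Group) as an added Python example that is not IPConfigure's code: it reads the attributes out of a constructed SAML assertion whose attribute names follow this article's properties (name, group, ZoneNumber, JobRole) and evaluates hypothetical Permission Groups against them, including the orchid-hybrid-admins Administrator mapping above and a multi-attribute enterprise-style set.

```python
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample AttributeStatement an IdP might send for one user; note that
# "group" is multi-valued, as a user belonging to several IdP groups would see.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:AttributeStatement>
    <saml2:Attribute Name="name">
      <saml2:AttributeValue>alice@example.com</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="group">
      <saml2:AttributeValue>orchid-hybrid-admins</saml2:AttributeValue>
      <saml2:AttributeValue>all-staff</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="ZoneNumber"><saml2:AttributeValue>7</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="JobRole"><saml2:AttributeValue>Operator</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Hypothetical Permission Groups as the External Group Mappings UI describes them:
# each has one or more Attribute Sets, each set a dict of attribute -> required value.
PERMISSION_GROUPS = {
    "Administrator": [{"group": "orchid-hybrid-admins"}],
    "Zone 7 Operators": [{"ZoneNumber": "7", "JobRole": "Operator"},
                         {"group": "zone7-supervisors"}],
    "Auditors": [{"group": "auditors"}],
}

def saml_attributes(assertion_xml):
    """Return {attribute name: set of values} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml2:Attribute", NS):
        values = attr.iterfind("saml2:AttributeValue", NS)
        attrs.setdefault(attr.get("Name"), set()).update(
            v.text.strip() for v in values if v.text)
    return attrs

def matches_set(user_attrs, attribute_set):
    """Every attribute in the set must be present with the required value (AND)."""
    return all(value in user_attrs.get(key, ()) for key, value in attribute_set.items())

def granted_groups(user_attrs, permission_groups=PERMISSION_GROUPS):
    """A user gets a Permission Group if any one of its Attribute Sets matches (OR)."""
    return sorted(name for name, sets in permission_groups.items()
                  if any(matches_set(user_attrs, s) for s in sets))
```

A user who is only in all-staff gets no Permission Group at all, which is the intended outcome: IdP login access alone grants nothing in Orchid Fusion until a mapping matches.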