SSO

Single-Sign-On (via SAML2) is available on OpenReplay Enterprise Edition only.

Identity Provider (IDP) configuration

Section titled Identity Provider (IDP) configuration

In you Identity Provider’s dashboard, create a new app called openreplay (you can use this icon), In the configuration page, make sure to set the following value (please make sure to replace YOUR_DOMAIN with the correct value, example https://openreplay.mycompany.com):

VariableValue
ACS URL (also called Single Sign On URL or Consumer URL)YOUR_DOMAIN/api/sso/saml2/acs/
Entity ID (also called Audience)YOUR_DOMAIN/api/sso/saml2/metadata/
Single Logout URL (also called SLO URL)YOUR_DOMAIN/api/sso/saml2/sls/ (optional)
Name ID (sometimes it is configurable in the ‘Attribute Statements’ or the ‘Parameters’ section)Email or EmailAddress or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, depending on your Identity Provider
SAML initiatorSet it to Service Provider (optional)

In the ‘Attribute Statements’, or the ‘Parameters’ section, please make sure to define the following fields:

FieldValue
tenantKeyTENANT_KEY its value can be found in the Dashboard, under ‘Preferences’ > ‘Account’ (this attribute must not be added if you’re using our Cloud Dedicated plan)
firstNameuser.firstName
lastNameuser.lastName
internalIdInternal ID or user.email (the user’s ID in your identity management system) (optional)
roleThe user’s role, depending on you Identity Provider it can be user.role or group, etc. (optional, default = member)
adminPrivilegesIf the user have admin privileges or not, if this field contains any value different from false, it will be considered as true. (optional, default = false)

You should now have all the required values for the next step/section.

SSO (SAML2) configuration

Section titled SSO (SAML2) configuration

If you’re using our Cloud dedicated plan, go to the Console then click on the instance and set the variables under the SSO section.

Otherwise, if you’re running our Enterprise Edition, run openreplay -e and uncomment then update the below env variables in chalice section:

VariableDescription
idp_entityIdThe entityId of your identity provider, also referred to as Issuer URL
idp_sso_urlThe singleSignOnService of your identity provider, also referred to as SAML 2.0 Endpoint (HTTP)
idp_x509certThe x509cert, must be a one-line string, without line breaks. You can use this tool to format your value
idp_nameThe identity provider’s name (optional)
idp_sls_urlThe singleLogoutService of your identity provider, also referred to as SLO Endpoint (HTTP) (optional)
enforce_SSOIf set to true, all connexions with username and password will be blocked (optional, default=false)

Then, save and quit using :wq for the changes to take effect:

OpenReplay certificate

Section titled OpenReplay certificate

This is optional, you can add a x509 certificate for extra SSO security:

  1. run this command in your server or your secure machine (you can change the validity time of your certificate according to your needs):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout openreplay-sso.key -out openreplay-sso.crt
  1. In your server, run openreplay -e
  2. Under the chalice section, add the following env variables:
  • sp_crt: must be a one-line string, without line breaks of the generated ‘openreplay-sso.crt’ file (you can use this tool to format your value)
  • sp_key: must be a one-line string, without line breaks of the generated ‘openreplay-sso.key’ file
  1. Save and quit using :wq for the changes to take effect
  2. Add the generated ‘openreplay-sso.crt’ file to your Identity Provider’s application configuration

Example using Okta

Section titled Example using Okta
  1. Login to your Okta administration dashboard and go to ‘Applications’ > ‘Applications’
  2. Press ‘Create new app integration’, then select SAML 2.0 and press ‘Next’
  3. Set the ‘App Name’ to OpenReplay (you can upload this icon) for your application) then press ‘Next’
  4. Set:
  • Single sign on URL to YOUR_DOMAIN/api/sso/saml2/acs/
  • Audience URI (SP Entity ID) to YOUR_DOMAIN/api/sso/saml2/metadata/
  • Name ID format to EmailAddress
  1. Define the below fields in ‘Attribute Statements’:
  • tenantKey: format Basic and set the value to TENANT_KEY, found in OpenReplay dashboard under ‘Preferences’ > ‘Account’ (this attribute must not be added if you’re using our Cloud Dedicated plan)
  • firstName: format Basic and set the value to user.firstName
  • lastName: format Basic and set the value to user.lastName
  • internalId: format Basic and set the value to user.email
  1. Define the below field in ‘Group Attribute Statements’:
  • role: format Basic filter Match Regex value .* (or you can specify a different filter and regex according to your needs)
  • adminPrivileges: format Basic filter Match Regex value admin (the current user will have admin privileges if he is part of the admin group)
  1. Press Next, Select ‘I’m an Okta customer adding an internal app’ and ‘This is an internal app that we have created’ then press ‘Finish’
  2. In the Sign On tab, scroll down and press ‘View Setup Instructions’ to see you SAML2 configuration

If you’re using our Cloud dedicated plan, go to the Console then click on the instance and set the variables under the SSO section.

Otherwise, if you’re running our Enterprise Edition:

  1. SSH into your OpenReplay installation and run openreplay -e
  2. Under the chalice section, uncomment then set the following env variables:
  • idp_entityId: Identity Provider Issuer
  • idp_sso_url: Identity Provider Single Sign-On URL
  • idp_x509cert: X.509 Certificate, must be a one-line string, without line breaks (you can use this tool to format your value)
  • idp_name: Okta
  1. Finally, save and quit using :wq for the changes to take effect

Example using Azure Active Directory

Section titled Example using Azure Active Directory
  1. Login to your Azure portal and go to ‘Azure Active Directory’
  2. Press ’+ Add’, select ‘Enterprise application’ then click ‘Create your own application’
  3. Set the ‘App Name’ to OpenReplay then select ‘Integrate any other application you don’t find in the gallery (Non-gallery)’ and press ‘Create’
  4. Navigate to ‘Single sign-on’ in the left-side menu and set the below values in the ‘Basic SAML Configuration’ block:
  • Identifier (Entity ID) to YOUR_DOMAIN/api/sso/saml2/metadata/
  • Reply URL (Assertion Consumer Service URL) to YOUR_DOMAIN/api/sso/saml2/acs/
  • Logout URL to YOUR_DOMAIN/api/sso/saml2/sls/
  1. Add the below claims in ‘Attribute & Claims’ block and ensure the ‘Namespace’ field is left empty for each of them:
  • tenantKey: set the value to TENANT_KEY, found in OpenReplay dashboard under ‘Preferences’ > ‘Account’ (this attribute/claim must not be added if you’re using our Cloud Dedicated plan)
  • firstName: set the value to user.givenname
  • lastName: set the value to user.surname
  • internalId: set the value to user.mail
  1. Navigate to ‘Users and groups’ and assign your select users to the application

If you’re using our Cloud dedicated plan, go to the Console then click on the instance and set the variables under the SSO section (values are found in ‘Azure Active Directory’ > ‘OpenReplay’ > ‘Single sign-on’).

Otherwise, if you’re running our Enterprise Edition:

  1. SSH into your OpenReplay installation and run openreplay -e
  2. Under the chalice section, uncomment then set the following env variables (values are found in ‘Azure Active Directory’ > ‘OpenReplay’ > ‘Single sign-on’):
    • idp_entityId: Azure AD Identifier
    • idp_sso_url: Login URL
    • idp_sls_url: Logout URL
    • idp_x509cert: X.509 Certificate, must be a one-line string, without line breaks (you can use this tool to format your value)
    • idp_name: Active Directory
  3. Finally, save and quit using :wq for the changes to take effect

Example using Google Workspace (formerly G Suite)

Section titled Example using Google Workspace (formerly G Suite)

Add Custom Attributes:

Section titled Add Custom Attributes:
  1. In the Google Admin console, go to ‘Directory’ > ‘Users’ > ‘More options’ > ‘Manage custom attributes’.
  2. Click ‘Add Custom Attribute’.
  3. Set the following fields:
  • Category: ‘OpenReplay’
  • Custom fields:
  • Name: ‘role’
  • Info type: ‘Text’
  • Visibility: ‘Visible to user and admin’
  • No. of values: ‘Single-value’
  • Custom fields:
  • Name: ‘adminPrivileges’
  • Info type: ‘Yes or No’
  • Visibility: ‘Visible to user and admin’
  • No. of values: ‘Single-value’
  1. Click ‘Add’
  2. To add values to the new custom attributes, go to ‘Users’
  3. Select the desired user(s)
  4. Click on ‘User information’ then edit the ‘OpenReplay’ section
  5. Change the value of role to the desired role in ‘OpenReplay’ (the role should match the one created in OpenReplay dashboard under ‘Preferences’ > ‘Roles’)
  6. Change the value of adminPrivileges to ‘Yes’ if the user is allowed to have Admin Privileges in OpenReplay
  7. Click ‘Save’

Configuration:

Section titled Configuration:
  1. Login to your Google Admin Console and go to ‘Apps’
  2. Press ‘Web and mobile apps’ then click ‘Add app’ > ‘Add custom SAML app’
  3. Set the ‘App name’ to OpenReplay (you can upload this icon for ‘App icon”) then press ‘Continue’
  4. Copy ‘SSO URL’, ‘Entity ID’ and ‘Certificate’ then click ‘Continue’ (we will use these values in step 11)
  5. Set:
  • ACS URL to YOUR_DOMAIN/api/sso/saml2/acs/TENANT_KEY/ (TENANT_KEY is found in OpenReplay dashboard under ‘Preferences’ > ‘Account’, but if you’re using our Cloud Dedicated plan, leave the tenantKey’s value empty)
  • Entity ID to YOUR_DOMAIN/api/sso/saml2/metadata/
  • Name ID format to Email
  • Name ID to Basic information > Primary Email
  1. Click ‘Continue’ then hit ‘Add Mapping’ to add the below attributes:
  • Basic information > First Name -> firstName
  • Basic information > Last Name -> lastName
  • Basic information > Primary Email -> internalId
  • OpenReplay > role -> role
  • OpenReplay > adminPrivileges -> adminPrivileges
  1. Click ‘Finish’
  2. In the Google Admin Console, go to ‘Apps’ > ‘Web and mobile apps’ and select ‘OpenReplay’
  3. Click ‘User access’, select ‘ON for everyone’ then hit ‘Save’

If you’re using our Cloud dedicated plan, go to the Console then click on the instance and set the variables under the SSO section.

Otherwise, if you’re running our Enterprise Edition:

  1. SSH into your OpenReplay installation and run openreplay -e
  2. Under the chalice > env section, uncomment and set the following attributes using the values from step 4:
  • idp_sso_url: paste the value of ‘SSO URL’
  • idp_entityId: paste the value of ‘Entity ID’
  • idp_x509cert: use this tool to format the copied/downloaded certificate
  • idp_name: set the value to G-Suite
  • idp_tenantKey: TENANT_KEY found in OpenReplay dashboard under ‘Preferences’ > ‘Account’
  1. Finally, save and quit using :wq for the changes to take effect

Example using JumpCloud

Section titled Example using JumpCloud
  1. Login to your JumpCloud administration dashboard and in the left menu, go to ‘SSO’
  2. Press ’+ Add New Application’, then select ‘Custom SAML App’
  3. Set the ‘Display Label’ to OpenReplay (you can upload this icon for your application) then move to ‘SSO’ tab
  4. Set:
  • IdP Entity ID to openreplay/TENANT_KEY (TENANT_KEY is found in OpenReplay dashboard under ‘Preferences’ > ‘Account’, but if you’re using our Cloud Dedicated plan, leave the tenantKey’s value empty)
  • SP Entity ID to YOUR_DOMAIN/api/sso/saml2/metadata/
  • ACS URL to YOUR_DOMAIN/api/sso/saml2/acs/
  • SAMLSubject NameID to email
  • SAMLSubject NameID Format: to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Signature Algorithm to RSA-SHA256
  • Check Sign Assertion
  • IDP URL to end with openreplay-TENANT_KEY (this value cannot be changed later, if you’re using our Cloud Dedicated plan, leave the tenantKey’s part empty)
  1. If you followed the OpenReplay-Certificate instructions, you can upload the generated ‘openreplay-sso.crt’ file by pressing the ‘Upload SP Certificate’, otherwise ignore this step
  2. Define the below fields in ‘USER ATTRIBUTE MAPPING’ by pressing the ‘add attribute’ button:
  • firstName: set the value to firstname
  • lastName: set the value to lastname
  • internalId: set the value to email
  • role: optional, the user’s role in OpenReplay, if it is a constant value for all users, you should define it in the next step, otherwise you have to add a new string-attribute to the JumpCloud’s group, call it OpenReplayRole and set the value to the role’s name, and then in the SSO configuration, select ‘Custom User or Group Attribute’ and set the value to OpenReplayRole.
  • adminPrivileges: optional, if it is a constant value for all users, you should define it in the next step, otherwise you have to add a new boolean-attribute to the JumpCloud’s group, call it OpenReplayAdminPrivileges and set the value to the role’s name, and then in the SSO configuration, select ‘Custom User or Group Attribute’ and set the value to OpenReplayAdminPrivileges.
  1. Define the below fields in ‘CONSTANT ATTRIBUTES’ by pressing the ‘add attribute’ button:
  • tenantKey: set the value to TENANT_KEY, found in OpenReplay dashboard under ‘Preferences’ > ‘Account’ (this attribute must not be added if you’re using our Cloud Dedicated plan)
  • role: optional, ignore if defined in the previous step, the user’s role in OpenReplay, should match role name already defined in OpenReplay (default = member)
  • adminPrivileges: optional, ignore if defined in the previous step, set the value to true if you want to give new users admin privilege, false if not (default = false)
  1. At this stage, you can move to the ‘User Groups’ tab, and select the group of users that will have access to OpenReplay, or you can do it later
  2. Press ‘activate’ and ‘continue’ in the confirmation popup
  3. Press the new OpenReplay application icon, then on the left dropdown ‘IDP Certificate Valid’ choose ‘Download certificate’

If you’re using our Cloud dedicated plan, go to the Console then click on the instance and set the variables under the SSO section.

Otherwise, if you’re running our Enterprise Edition:

  1. SSH into your OpenReplay installation and run openreplay -e
  2. Under the chalice section, uncomment then set the following env variables:
  • idp_entityId: openreplay/TENANT_KEY
  • idp_sso_url: https://sso.jumpcloud.com/saml2/openreplay-TENANT_KEY
  • idp_x509cert: the downloaded certificate, must be a one-line string, without line breaks (you can use this tool to format your value)
  • idp_name: JumpCloud
  1. Finally, save and quit using :wq for the changes to take effect

Add SCIM (System for Cross-domain Identity Management) provisioning

Section titled Add SCIM (System for Cross-domain Identity Management) provisioning

Openreplay supports the option to provision user identities in the Enterprise Edition.

To integrate with Openreplay’s SCIM service, simply enable SCIM provisioning in your Identity Provider dashboard. Please be sure to set the following values in order for smooth integration:

VariableDescription
SCIM connector base URLYOUR_DOMAIN/api/sso/scim/v2/
User unique identifier field nameuserName
Support provisioning actionsPush new users, Push profile updates, Push groups
Authentication modeOAuth2
Access token endpointYOUR_DOMAIN/api/sso/scim/v2/token/
Authorization endpointYOUR_DOMAIN/api/sso/scim/v2/authorize/
Client idTENANT_ID it’s value can be found in the Dashboard, under ‘Preferences’ > ‘Account’
Client secretTENANT_KEY it’s value can be found in the Dashboard, under ‘Preferences’ > ‘Account’

After setting these values, follow the prompts from your Identity Provider dashboard in order to test integration and authorize the application.

Openreplay requires custom attributes to be used in order to properly setup users and groups with valid projects and permissions. You will need to add the following attributes in your Identity Provider dashboard:

  • projectKeys. This attribute if of type string array and added to the user schema, though it will be controlled by the group resource. You will find all of the possible values of this attribute in the ‘Projects’ page of Openreplay’s application.
  • permissions. This attribute if of type string array and added to the user schema, though it will be controlled by the group resource. The possible values of this attribute are listed below:
    • SESSION_REPLAY
    • DEV_TOOLS
    • METRICS
    • ASSIST_LIVE
    • ASSIST_CALL
    • SPOT
    • SPOT_PUBLIC

Following this, you will be able to provision user identities using Openreplay as a SCIM Service Provider.

Note: While Openreplay acts as a SCIM Service Provider, it does not support the partitioning of users into multiple groups (i.e. each user can only belong to one group). If this is not respected, then a user might be assigned to fewer or more projects than expected and might have fewer or more permissions in Openreplay’s application.

Example using Okta

Section titled Example using Okta

In your SAML 2.0 application, do the following

Add SCIM provisioning

Section titled Add SCIM provisioning
  1. Click the General tab
  2. In the App Settings section, click Edit
  3. In the Provisioning field, select SCIM, and click Save

Choose provisioning options

Section titled Choose provisioning options
  1. Click the Provisioning tab. The SCIM connection settings appear under Settings > Integration.
  2. In Settings > Integration, click Edit.
  3. Specify the SCIM connector base URL and the field name of the unique identifier for your users mentioned above.
  4. Under Supported provisioning actions, choose the provisioning actions mentioned above.
  5. Set the Authentication Mode dropdown to the value mentioned above.
  6. Set the Access token endpoint, Authorization endpoint, Client id, and Client secret as mentioned above.
  7. Click Save.
  8. Click Authentiate application.

Add extra attributes

Section titled Add extra attributes

You will need to add the attributes mentioned above.

  1. Click the Provisioning tab.
  2. In Settings > To App, scroll down and click Add attribute.

For projectKeys, use the following.

VariableDescription
Data typestring array
Variable nameprojectKeys
External nameprojectKeys
External namespaceurn:ietf:params:scim:schemas:extension:openreplay:2.0
Enumchecked
Attribute membersUse the values of the project names for the Display name and project keys as the Value. You will find these in the ‘Projects’ page of Openreplay’s application
Attribute typeGroup
Group priorityUse group priority

For permissions, use the following.

VariableDescription
Data typestring array
Variable namepermissions
External namepermissions
External namespaceurn:ietf:params:scim:schemas:extension:openreplay:2.0
Enumchecked
Attribute membersUse the values outlined above for the Display name and Value
Attribute typeGroup
Group priorityUse group priority

Errors

Section titled Errors

The response was received at http instead of http

Section titled The response was received at http instead of http

This is very common, and is due to the ‘X-Forwarded-Proto’ header not being present in th request. In order to resolve that, make sure the Load Balancer is correctly forwarding the header to the OpenReplay backend.