SSO

Single Sign-On (via SAML2) is available in the OpenReplay Enterprise Edition only.

Identity Provider (IDP) configuration


In your Identity Provider’s dashboard, create a new app called openreplay (you can use this icon). In the configuration page, set the following values (replace YOUR_DOMAIN with the correct value, for example https://openreplay.mycompany.com):

  • ACS URL (also called Single Sign On URL or Consumer URL): YOUR_DOMAIN/api/sso/saml2/acs/
  • Entity ID (also called Audience): YOUR_DOMAIN/api/sso/saml2/metadata/
  • Single Logout URL (also called SLO URL): YOUR_DOMAIN/api/sso/saml2/sls/ (optional)
  • Name ID (sometimes configurable in the ‘Attribute Statements’ or the ‘Parameters’ section): Email or EmailAddress or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, depending on your Identity Provider
  • SAML initiator: set it to Service Provider (optional)

In the ‘Attribute Statements’, or the ‘Parameters’ section, please make sure to define the following fields:

  • tenantKey: TENANT_KEY, whose value can be found in the Dashboard under ‘Preferences’ > ‘Account’ (this attribute must not be added if you’re using our Cloud Dedicated plan)
  • firstName: user.firstName
  • lastName: user.lastName
  • internalId: Internal ID or user.email (the user’s ID in your identity management system) (optional)
  • groups: represents the user’s role and admin privilege in OpenReplay; depending on your Identity Provider it can be user.role, group, etc. (optional, default = member without admin privilege). To simplify managing OpenReplay roles from the IdP’s side, you can create a group called OpenReplay-admin for users with admin privilege and a group called OpenReplay-member for users that have the role ‘member’
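To see what the attribute statements above look like on the wire, here is an added example (not OpenReplay’s own code) that parses a constructed SAML 2.0 assertion, reports which required attributes are missing, and maps the groups attribute to a role and admin flag following the OpenReplay-admin / OpenReplay-member naming convention described above. The group-to-role rule is an assumption made for illustration, not OpenReplay’s documented logic.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attributes from the table above; tenantKey is not sent on the Cloud Dedicated plan.
REQUIRED = ("tenantKey", "firstName", "lastName")

# Constructed sample (not a real capture): the assertion an IdP would post to
# YOUR_DOMAIN/api/sso/saml2/acs/ after the configuration above.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="tenantKey"><saml:AttributeValue>TENANT_KEY</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="internalId"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>OpenReplay-admin</saml:AttributeValue>
      <saml:AttributeValue>Engineering</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(xml_text):
    """Return (NameID, {attribute name: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, attrs


def missing_attributes(attrs, cloud_dedicated=False):
    """Required attribute names the assertion does not carry (tenantKey is skipped on Cloud Dedicated)."""
    return [n for n in REQUIRED if not attrs.get(n) and not (cloud_dedicated and n == "tenantKey")]


def role_from_groups(groups):
    """Assumed mapping of the OpenReplay-<name> group convention: OpenReplay-admin grants
    admin privilege, any other OpenReplay-<role> group selects the role; default member, no admin."""
    role, admin = "member", False
    for group in groups or []:
        if not group.startswith("OpenReplay-"):
            continue  # unrelated IdP groups are ignored
        name = group[len("OpenReplay-"):]
        if name == "admin":
            admin = True
        else:
            role = name
    return role, admin
```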

You should now have all the required values for the next step/section.

If you’re using our Cloud dedicated plan, go to the Console then click on the instance and set the variables under the SSO section.

Otherwise, if you’re running our Enterprise Edition, run openreplay -e, then uncomment and update the below env variables in the chalice section:

  • idp_entityId: the entityId of your identity provider, also referred to as Issuer URL
  • idp_sso_url: the singleSignOnService of your identity provider, also referred to as SAML 2.0 Endpoint (HTTP)
  • idp_x509cert: the x509cert, which must be a one-line string without line breaks (you can use this tool to format your value)
  • idp_name: the identity provider’s name (optional)
  • idp_sls_url: the singleLogoutService of your identity provider, also referred to as SLO Endpoint (HTTP) (optional)
  • enforce_SSO: if set to true, all connections with username and password will be blocked (optional, default=false)

Then, save and quit using :wq for the changes to take effect.

This step is optional: you can add an x509 certificate for extra SSO security.

  1. Run this command on your server or on a secure machine (you can change the validity period of your certificate according to your needs):
     openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout openreplay-sso.key -out openreplay-sso.crt
  2. On your server, run openreplay -e
  3. Under the chalice section, add the following env variables:
  • sp_crt: the content of the generated ‘openreplay-sso.crt’ file as a one-line string, without line breaks (you can use this tool to format your value)
  • sp_key: the content of the generated ‘openreplay-sso.key’ file as a one-line string, without line breaks
  4. Save and quit using :wq for the changes to take effect
  5. Add the generated ‘openreplay-sso.crt’ file to your Identity Provider’s application configuration
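The sp_crt, sp_key and idp_x509cert values all need the PEM content as a single line. The following added example (not OpenReplay’s tooling) flattens a PEM file into that form and sanity-checks the result before it is pasted into the chalice section; it assumes, as the common one-line SAML certificate format does, that the BEGIN/END armor lines are dropped along with the line breaks.

```python
import base64
import binascii
import re
import sys

# Constructed sample (made-up base64, not a real certificate) in the 64-column
# wrapped form that the openssl command above writes to openreplay-sso.crt.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + "MIIB" + "A" * 60 + "\n"
              + "B" * 64 + "\n" + "Q0Q=\n" + "-----END CERTIFICATE-----\n")


def pem_to_one_line(pem_text):
    """Drop the BEGIN/END armor lines and every line break (CRLF included); keep the base64 body."""
    lines = (line.strip() for line in pem_text.splitlines())
    return "".join(line for line in lines if line and not line.startswith("-----"))


def is_one_line_pem_value(value):
    """Sanity check before pasting into chalice: no whitespace, no armor, and valid base64."""
    if not value or re.search(r"\s|-----", value):
        return False
    try:
        base64.b64decode(value, validate=True)
    except binascii.Error:
        return False
    return True


def one_line_from_file(path):
    """Read a PEM file (openreplay-sso.crt, openreplay-sso.key or the IdP certificate) and flatten it."""
    with open(path, "r", encoding="utf-8") as handle:
        return pem_to_one_line(handle.read())


if __name__ == "__main__":
    # Usage: python flatten_pem.py openreplay-sso.crt  (the script name is a placeholder)
    flat = one_line_from_file(sys.argv[1])
    if not is_one_line_pem_value(flat):
        sys.exit("input does not look like a PEM block")
    print(flat)
```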

Example using Okta

  1. Login to your Okta administration dashboard and go to ‘Applications’ > ‘Applications’
  2. Press ‘Create new app integration’, then select SAML 2.0 and press ‘Next’
  3. Set the ‘App Name’ to OpenReplay (you can upload this icon for your application), then press ‘Next’
  4. Set:
  • Single sign on URL to YOUR_DOMAIN/api/sso/saml2/acs/
  • Audience URI (SP Entity ID) to YOUR_DOMAIN/api/sso/saml2/metadata/
  • Name ID format to EmailAddress
  5. Define the below fields in ‘Attribute Statements’:
  • tenantKey: format Basic and set the value to TENANT_KEY, found in the OpenReplay dashboard under ‘Preferences’ > ‘Account’ (this attribute must not be added if you’re using our Cloud Dedicated plan)
  • firstName: format Basic and set the value to user.firstName
  • lastName: format Basic and set the value to user.lastName
  • internalId: format Basic and set the value to user.email
  6. Define the below field in ‘Group Attribute Statement’:
  • groups: format Basic, filter Match Regex, value OpenReplay-* (or you can specify a different filter and regex according to your needs)
  7. Press Next, select ‘I’m an Okta customer adding an internal app’ and ‘This is an internal app that we have created’, then press ‘Finish’
  8. In the Sign On tab, scroll down and press ‘View Setup Instructions’ to see your SAML2 configuration

If you’re using our Cloud dedicated plan, go to the Console then click on the instance and set the variables under the SSO section.

Otherwise, if you’re running our Enterprise Edition:

  1. SSH into your OpenReplay installation and run openreplay -e
  2. Under the chalice section, uncomment then set the following env variables:
  • idp_entityId: Identity Provider Issuer
  • idp_sso_url: Identity Provider Single Sign-On URL
  • idp_x509cert: X.509 Certificate, must be a one-line string, without line breaks (you can use this tool to format your value)
  • idp_name: Okta
  3. Finally, save and quit using :wq for the changes to take effect

Example using Azure Active Directory

  1. Login to your Azure portal and go to ‘Azure Active Directory’
  2. Press ‘+ Add’, select ‘Enterprise application’ then click ‘Create your own application’
  3. Set the ‘App Name’ to OpenReplay, then select ‘Integrate any other application you don’t find in the gallery (Non-gallery)’ and press ‘Create’
  4. Navigate to ‘Single sign-on’ in the left-side menu and set the below values in the ‘Basic SAML Configuration’ block:
  • Identifier (Entity ID) to YOUR_DOMAIN/api/sso/saml2/metadata/
  • Reply URL (Assertion Consumer Service URL) to YOUR_DOMAIN/api/sso/saml2/acs/
  • Logout URL to YOUR_DOMAIN/api/sso/saml2/sls/
  5. Add the below claims in the ‘Attribute & Claims’ block and ensure the ‘Namespace’ field is left empty for each of them:
  • tenantKey: set the value to TENANT_KEY, found in the OpenReplay dashboard under ‘Preferences’ > ‘Account’ (this attribute/claim must not be added if you’re using our Cloud Dedicated plan)
  • firstName: set the value to user.givenname
  • lastName: set the value to user.surname
  • internalId: set the value to user.mail
  6. Navigate to ‘Users and groups’ and assign the selected users to the application

If you’re using our Cloud dedicated plan, go to the Console then click on the instance and set the variables under the SSO section (values are found in ‘Azure Active Directory’ > ‘OpenReplay’ > ‘Single sign-on’).

Otherwise, if you’re running our Enterprise Edition:

  1. SSH into your OpenReplay installation and run openreplay -e
  2. Under the chalice section, uncomment then set the following env variables (values are found in ‘Azure Active Directory’ > ‘OpenReplay’ > ‘Single sign-on’):
  • idp_entityId: Azure AD Identifier
  • idp_sso_url: Login URL
  • idp_sls_url: Logout URL
  • idp_x509cert: X.509 Certificate, must be a one-line string, without line breaks (you can use this tool to format your value)
  • idp_name: Active Directory
  3. Finally, save and quit using :wq for the changes to take effect

Example using Google Workspace (formerly G Suite)

  1. In the Google Admin console, go to ‘Directory’ > ‘Users’ > ‘More options’ > ‘Manage custom attributes’.
  2. Click ‘Add Custom Attribute’.
  3. Set the following fields:
  • Category: ‘OpenReplay’
  • Custom fields:
    • Name: ‘role’
    • Info type: ‘Text’
    • Visibility: ‘Visible to user and admin’
    • No. of values: ‘Single-value’
  • Custom fields:
    • Name: ‘adminPrivileges’
    • Info type: ‘Yes or No’
    • Visibility: ‘Visible to user and admin’
    • No. of values: ‘Single-value’
  4. Click ‘Add’
  5. To add values to the new custom attributes, go to ‘Users’
  6. Select the desired user(s)
  7. Click on ‘User information’ then edit the ‘OpenReplay’ section
  8. Change the value of role to the desired role in ‘OpenReplay’ (the role should match the one created in the OpenReplay dashboard under ‘Preferences’ > ‘Roles’)
  9. Change the value of adminPrivileges to ‘Yes’ if the user is allowed to have Admin Privileges in OpenReplay
  10. Click ‘Save’

Then, add the SAML app:

  1. Login to your Google Admin Console and go to ‘Apps’
  2. Press ‘Web and mobile apps’ then click ‘Add app’ > ‘Add custom SAML app’
  3. Set the ‘App name’ to OpenReplay (you can upload this icon for ‘App icon’) then press ‘Continue’
  4. Copy ‘SSO URL’, ‘Entity ID’ and ‘Certificate’ then click ‘Continue’ (we will use these values in step 11)
  5. Set:
  • ACS URL to YOUR_DOMAIN/api/sso/saml2/acs/TENANT_KEY/ (TENANT_KEY is found in the OpenReplay dashboard under ‘Preferences’ > ‘Account’; if you’re using our Cloud Dedicated plan, leave the TENANT_KEY part empty)
  • Entity ID to YOUR_DOMAIN/api/sso/saml2/metadata/
  • Name ID format to Email
  • Name ID to Basic information > Primary Email
  6. Click ‘Continue’ then hit ‘Add Mapping’ to add the below attributes:
  • Basic information > First Name -> firstName
  • Basic information > Last Name -> lastName
  • Basic information > Primary Email -> internalId
  • OpenReplay > groups -> groups
  7. Click ‘Finish’
  8. In the Google Admin Console, go to ‘Apps’ > ‘Web and mobile apps’ and select ‘OpenReplay’
  9. Click ‘User access’, select ‘ON for everyone’ then hit ‘Save’

If you’re using our Cloud dedicated plan, go to the Console then click on the instance and set the variables under the SSO section.

Otherwise, if you’re running our Enterprise Edition:

  10. SSH into your OpenReplay installation and run openreplay -e
  11. Under the chalice > env section, uncomment and set the following attributes using the values from step 4:
  • idp_sso_url: paste the value of ‘SSO URL’
  • idp_entityId: paste the value of ‘Entity ID’
  • idp_x509cert: use this tool to format the copied/downloaded certificate
  • idp_name: set the value to G-Suite
  • idp_tenantKey: TENANT_KEY found in the OpenReplay dashboard under ‘Preferences’ > ‘Account’
  12. Finally, save and quit using :wq for the changes to take effect

Example using JumpCloud

  1. Login to your JumpCloud administration dashboard and, in the left menu, go to ‘SSO’
  2. Press ‘+ Add New Application’, then select ‘Custom SAML App’
  3. Set the ‘Display Label’ to OpenReplay (you can upload this icon for your application) then move to the ‘SSO’ tab
  4. Set:
  • IdP Entity ID to openreplay/TENANT_KEY (TENANT_KEY is found in the OpenReplay dashboard under ‘Preferences’ > ‘Account’; if you’re using our Cloud Dedicated plan, leave the TENANT_KEY part empty)
  • SP Entity ID to YOUR_DOMAIN/api/sso/saml2/metadata/
  • ACS URL to YOUR_DOMAIN/api/sso/saml2/acs/
  • SAMLSubject NameID to email
  • SAMLSubject NameID Format to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Signature Algorithm to RSA-SHA256
  • Check Sign Assertion
  • IDP URL to end with openreplay-TENANT_KEY (this value cannot be changed later; if you’re using our Cloud Dedicated plan, leave the TENANT_KEY part empty)
  5. If you followed the optional OpenReplay certificate instructions above, upload the generated ‘openreplay-sso.crt’ file by pressing ‘Upload SP Certificate’; otherwise ignore this step
  6. Define the below fields in ‘USER ATTRIBUTE MAPPING’ by pressing the ‘add attribute’ button:
  • firstName: set the value to firstname
  • lastName: set the value to lastname
  • internalId: set the value to email
  • groups: optional, the user’s role and admin privilege in OpenReplay. If it is a constant value for all users, define it in the next step instead. Otherwise, add a new string attribute to the JumpCloud group, call it OpenReplay-groups and set its value to the role’s name; then, in the SSO configuration, select ‘Custom User or Group Attribute’ and set the value to OpenReplay-groups.
  7. Define the below fields in ‘CONSTANT ATTRIBUTES’ by pressing the ‘add attribute’ button:
  • tenantKey: set the value to TENANT_KEY, found in the OpenReplay dashboard under ‘Preferences’ > ‘Account’ (this attribute must not be added if you’re using our Cloud Dedicated plan)
  • groups: optional, ignore if defined in the previous step; the user’s role and admin privilege in OpenReplay, which should match a role name already defined in OpenReplay (default = member without admin privilege)
  8. At this stage, you can move to the ‘User Groups’ tab and select the group of users that will have access to OpenReplay, or you can do it later
  9. Press ‘activate’ and ‘continue’ in the confirmation popup
  10. Press the new OpenReplay application icon, then in the left dropdown ‘IDP Certificate Valid’ choose ‘Download certificate’

If you’re using our Cloud dedicated plan, go to the Console then click on the instance and set the variables under the SSO section.

Otherwise, if you’re running our Enterprise Edition:

  1. SSH into your OpenReplay installation and run openreplay -e
  2. Under the chalice section, uncomment then set the following env variables:
  • idp_entityId: openreplay/TENANT_KEY
  • idp_sso_url: https://sso.jumpcloud.com/saml2/openreplay-TENANT_KEY
  • idp_x509cert: the downloaded certificate, must be a one-line string, without line breaks (you can use this tool to format your value)
  • idp_name: JumpCloud
  3. Finally, save and quit using :wq for the changes to take effect

SCIM (System for Cross-domain Identity Management) provisioning


OpenReplay supports provisioning user identities in the Enterprise Edition.

To integrate with OpenReplay’s SCIM service, enable SCIM provisioning in your Identity Provider dashboard and set the following values so that the integration works smoothly:

  • SCIM connector base URL: YOUR_DOMAIN/api/sso/scim/v2/
  • User unique identifier field name: email
  • Supported provisioning actions: Push new users, Push profile updates, Push groups
  • Authentication mode: OAuth2
  • Access token endpoint: YOUR_DOMAIN/api/sso/scim/v2/token/
  • Authorization endpoint: YOUR_DOMAIN/api/sso/scim/v2/authorize/
  • Client id: TENANT_KEY, whose value can be found in the Dashboard under ‘Preferences’ > ‘Account’
  • Client secret: its value can be found by executing this query in your Postgres database: SELECT tenant_secret FROM tenants WHERE tenant_key = 'TENANT_KEY';

After setting these values, follow the prompts from your Identity Provider dashboard in order to test integration and authorize the application.

Following this, you will be able to provision user identities using OpenReplay as a SCIM Service Provider.

Note: While OpenReplay acts as a SCIM Service Provider, it does not support partitioning users into multiple groups (i.e. each user can only belong to one group). If this is not respected, a user might be assigned to fewer or more projects than expected and might have fewer or more permissions in OpenReplay’s application.

In your SAML 2.0 application (the steps below follow the Okta dashboard), do the following:

  1. Click the General tab
  2. In the App Settings section, click Edit
  3. In the Provisioning field, select SCIM, and click Save
  4. Click the Provisioning tab. The SCIM connection settings appear under Settings > Integration.
  5. In Settings > Integration, click Edit.
  6. Specify the SCIM connector base URL and the field name of the unique identifier for your users mentioned above.
  7. Under Supported provisioning actions, choose the provisioning actions mentioned above.
  8. Set the Authentication Mode dropdown to the value mentioned above.
  9. Set the Access token endpoint, Authorization endpoint, Client id, and Client secret as mentioned above.
  10. Click Save.
  11. Click Authenticate application.
  12. In the Provisioning tab, click To App.
  13. Click Edit, enable Create Users, Update User Attributes, Deactivate Users and save changes.
  • Before starting the next step, we recommend creating new groups in Okta, called OpenReplay-admin where you list the users having admin-privilege in OpenReplay, and OpenReplay-members where you list users having the role member in OpenReplay, …
  14. Go to the Push Groups tab, click + Push Groups (by name or by rule), select the group you want to push to OpenReplay, and press Save
  • At this point, the pushed groups represent roles and admin-privilege in OpenReplay; they do not carry the list of users provisioned for OpenReplay.
  15. Go to the Assignments tab and add users in the way that suits you (using people or groups)

The response was received at http instead of https


This is very common and is due to the ‘X-Forwarded-Proto’ header not being present in the request. To resolve it, make sure the Load Balancer is correctly forwarding the header to the OpenReplay backend, then run openreplay -e and, under the ingress-nginx > config section, uncomment the line use-forwarded-headers: true.