SSO

Single-Sign-On (via SAML2) is available on OpenReplay Enterprise Edition only.

Identity Provider (IDP) configuration

Section titled Identity Provider (IDP) configuration

In you Identity Provider’s dashboard, create a new app called openreplay (you can use this icon), In the configuration page, make sure to set the following value (please make sure to replace YOUR_DOMAIN with the correct value, example https://openreplay.mycompany.com):

VariableValue
ACS URL (also called Single Sign On URL or Consumer URL)YOUR_DOMAIN/api/sso/saml2/acs/
Entity ID (also called Audience)YOUR_DOMAIN/api/sso/saml2/metadata/
Single Logout URL (also called SLO URL)YOUR_DOMAIN/api/sso/saml2/sls/ (optional)
Name ID (sometimes it is configurable in the ‘Attribute Statements’ or the ‘Parameters’ section)Email or EmailAddress or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, depending on your Identity Provider
SAML initiatorSet it to Service Provider (optional)

In the ‘Attribute Statements’, or the ‘Parameters’ section, please make sure to define the following fields:

FieldValue
tenantKeyTENANT_KEY its value can be found in the Dashboard, under ‘Preferences’ > ‘Account’
firstNameuser.firstName
lastNameuser.lastName
internalIdInternal ID or user.email (the user’s ID in your identity management system) (optional)
roleThe user’s role, depending on you Identity Provider it can be user.role or group, etc. (optional, default = member)
adminPrivilegesIf the user have admin privileges or not, if this field contains any value different from false, it will be considered as true. (optional, default = false)

You should now have all the required values for the next step/section.

SSO (SAML2) configuration

Section titled SSO (SAML2) configuration

To enable SSO, run openreplay -e and uncomment then update the below env variables in chalice section:

VariableDescription
idp_entityIdThe entityId of your identity provider, also referred to as Issuer URL
idp_sso_urlThe singleSignOnService of your identity provider, also referred to as SAML 2.0 Endpoint (HTTP)
idp_x509certThe x509cert, must be a one-line string, without line breaks. You can use this tool to format your value
idp_nameThe identity provider’s name (optional)
idp_sls_urlThe singleLogoutService of your identity provider, also referred to as SLO Endpoint (HTTP) (optional)
enforce_SSOIf set to true, all connexions with username and password will be blocked (optional, default=false)

Then, save and quit using :wq for the changes to take effect:

OpenReplay certificate

Section titled OpenReplay certificate

This is optional, you can add a x509 certificate for extra SSO security:

  1. run this command in your server or your secure machine (you can change the validity time of your certificate according to your needs):
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout openreplay-sso.key -out openreplay-sso.crt
  1. In your server, run openreplay -e
  2. Under the chalice section, add the following env variables:
  • sp_crt: must be a one-line string, without line breaks of the generated ‘openreplay-sso.crt’ file (you can use this tool to format your value)
  • sp_key: must be a one-line string, without line breaks of the generated ‘openreplay-sso.key’ file
  1. Save and quit using :wq for the changes to take effect
  2. Add the generated ‘openreplay-sso.crt’ file to your Identity Provider’s application configuration

Example using Okta

Section titled Example using Okta
  1. Login to your Okta administration dashboard and go to ‘Applications’ > ‘Applications’
  2. Press ‘Create new app integration’, then select SAML 2.0 and press ‘Next’
  3. Set the ‘App Name’ to OpenReplay (you can upload this icon) for your application) then press ‘Next’
  4. Set:
  • Single sign on URL to YOUR_DOMAIN/api/sso/saml2/acs/
  • Audience URI (SP Entity ID) to YOUR_DOMAIN/api/sso/saml2/metadata/
  • Name ID format to EmailAddress
  1. Define the below fields in ‘Attribute Statements’:
  • tenantKey: format Basic and set the value to TENANT_KEY, found in OpenReplay dashboard under ‘Preferences’ > ‘Account’
  • firstName: format Basic and set the value to user.firstName
  • lastName: format Basic and set the value to user.lastName
  • internalId: format Basic and set the value to user.email
  1. Define the below field in ‘Group Attribute Statements’:
  • role: format Basic filter Match Regex value .* (or you can specify a different filter and regex according to your needs)
  • adminPrivileges: format Basic filter Match Regex value admin (the current user will have admin privileges if he is part of the admin group)
  1. Press Next, Select ‘I’m an Okta customer adding an internal app’ and ‘This is an internal app that we have created’ then press ‘Finish’
  2. In the Sign On tab, scroll down and press ‘View Setup Instructions’ to see you SAML2 configuration
  3. In your server, run openreplay -e
  4. Under the chalice section, uncomment then set the following env variables:
  • idp_entityId: Identity Provider Issuer
  • idp_sso_url: Identity Provider Single Sign-On URL
  • idp_x509cert: X.509 Certificate, must be a one-line string, without line breaks (you can use this tool to format your value)
  • idp_name: Okta
  1. Finally, save and quit using :wq for the changes to take effect.

Example using Azure Active Directory

Section titled Example using Azure Active Directory
  1. Login to your Azure portal and go to ‘Azure Active Directory’
  2. Press ’+ Add’, select ‘Enterprise application’ then click ‘Create your own application’
  3. Set the ‘App Name’ to OpenReplay then select ‘Integrate any other application you don’t find in the gallery (Non-gallery)’ and press ‘Create’
  4. Navigate to ‘Single sign-on’ in the left-side menu and set the below values in the ‘Basic SAML Configuration’ block:
  • Identifier (Entity ID) to YOUR_DOMAIN/api/sso/saml2/metadata/
  • Reply URL (Assertion Consumer Service URL) to YOUR_DOMAIN/api/sso/saml2/acs/
  • Logout URL to YOUR_DOMAIN/api/sso/saml2/sls/
  1. Add the below claims in ‘Attribute & Claims’ block and ensure the ‘Namespace’ field is left empty for each of them:
  • tenantKey: set the value to TENANT_KEY, found in OpenReplay dashboard under ‘Preferences’ > ‘Account’
  • firstName: set the value to user.givenname
  • lastName: set the value to user.surname
  • internalId: set the value to user.mail
  1. Navigate to ‘Users and groups’ and assign your select users to the application
  2. Now SSH into your OpenReplay installation and run openreplay -e
  3. Under the chalice section, uncomment then set the following env variables (values are found in ‘Azure Active Directory’ > ‘OpenReplay’ > ‘Single sign-on’):
    • idp_entityId: Azure AD Identifier
    • idp_sso_url: Login URL
    • idp_sls_url: Logout URL
    • idp_x509cert: X.509 Certificate, must be a one-line string, without line breaks (you can use this tool to format your value)
    • idp_name: Active Directory
  4. Finally, save and quit using :wq for the changes to take effect

Example using Google Workspace (formerly G Suite)

Section titled Example using Google Workspace (formerly G Suite)

Add Custom Attributes:

Section titled Add Custom Attributes:
  1. In the Google Admin console, go to ‘Directory’ > ‘Users’ > ‘More options’ > ‘Manage custom attributes’.
  2. Click ‘Add Custom Attribute’.
  3. Set the following fields:
  • Category: ‘OpenReplay’
  • Custom fields:
  • Name: ‘role’
  • Info type: ‘Text’
  • Visibility: ‘Visible to user and admin’
  • No. of values: ‘Single-value’
  • Custom fields:
  • Name: ‘adminPrivileges’
  • Info type: ‘Yes or No’
  • Visibility: ‘Visible to user and admin’
  • No. of values: ‘Single-value’
  1. Click ‘Add’
  2. To add values to the new custom attributes, go to ‘Users’
  3. Select the desired user(s)
  4. Click on ‘User information’ then edit the ‘OpenReplay’ section
  5. Change the value of role to the desired role in ‘OpenReplay’ (the role should match the one created in OpenReplay dashboard under ‘Preferences’ > ‘Roles’)
  6. Change the value of adminPrivileges to ‘Yes’ if the user is allowed to have Admin Privileges in OpenReplay
  7. Click ‘Save’

Configuration:

Section titled Configuration:
  1. Login to your Google Admin Console and go to ‘Apps’
  2. Press ‘Web and mobile apps’ then click ‘Add app’ > ‘Add custom SAML app’
  3. Set the ‘App name’ to OpenReplay (you can upload this icon for ‘App icon”) then press ‘Continue’
  4. Copy ‘SSO URL’, ‘Entity ID’ and ‘Certificate’ then click ‘Continue’ (we will use these values in step 11)
  5. Set:
  • ACS URL to YOUR_DOMAIN/api/sso/saml2/acs/TENANT_KEY/ (TENANT_KEY is found in OpenReplay dashboard under ‘Preferences’ > ‘Account’)
  • Entity ID to YOUR_DOMAIN/api/sso/saml2/metadata/
  • Name ID format to Email
  • Name ID to Basic information > Primary Email
  1. Click ‘Continue’ then hit ‘Add Mapping’ to add the below attributes:
  • Basic information > First Name -> firstName
  • Basic information > Last Name -> lastName
  • Basic information > Primary Email -> internalId
  • OpenReplay > role -> role
  • OpenReplay > adminPrivileges -> adminPrivileges
  1. Click ‘Finish’
  2. In the Google Admin Console, go to ‘Apps’ > ‘Web and mobile apps’ and select ‘OpenReplay’
  3. Click ‘User access’, select ‘ON for everyone’ then hit ‘Save’
  4. In your server, run openreplay -e
  5. Under the chalice > env section, uncomment and set the following attributes using the values from step 4:
  • idp_sso_url: paste the value of ‘SSO URL’
  • idp_entityId: paste the value of ‘Entity ID’
  • idp_x509cert: use this tool to format the copied/downloaded certificate
  • idp_name: set the value to G-Suite
  • idp_tenantKey: TENANT_KEY found in OpenReplay dashboard under ‘Preferences’ > ‘Account’
  1. Finally, save and quit using :wq for the changes to take effect.

Example using JumpCloud

Section titled Example using JumpCloud
  1. Login to your JumpCloud administration dashboard and in the left menu, go to ‘SSO’
  2. Press ’+ Add New Application’, then select ‘Custom SAML App’
  3. Set the ‘Display Label’ to OpenReplay (you can upload this icon for your application) then move to ‘SSO’ tab
  4. Set:
  • IdP Entity ID to openreplay/TENANT_KEY
  • SP Entity ID to YOUR_DOMAIN/api/sso/saml2/metadata/
  • ACS URL to YOUR_DOMAIN/api/sso/saml2/acs/
  • SAMLSubject NameID to email
  • SAMLSubject NameID Format: to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Signature Algorithm to RSA-SHA256
  • Check Sign Assertion
  • IDP URL to end with openreplay-TENANT_KEY (this value cannot be changed later)
  1. If you followed the OpenReplay-Certificate instructions, you can upload the generated ‘openreplay-sso.crt’ file by pressing the ‘Upload SP Certificate’, otherwise ignore this step
  2. Define the below fields in ‘USER ATTRIBUTE MAPPING’ by pressing the ‘add attribute’ button:
  • firstName: set the value to firstname
  • lastName: set the value to lastname
  • internalId: set the value to email
  • role: optional, the user’s role in OpenReplay, if it is a constant value for all users, you should define it in the next step, otherwise you have to add a new string-attribute to the JumpCloud’s group, call it OpenReplayRole and set the value to the role’s name, and then in the SSO configuration, select ‘Custom User or Group Attribute’ and set the value to OpenReplayRole.
  • adminPrivileges: optional, if it is a constant value for all users, you should define it in the next step, otherwise you have to add a new boolean-attribute to the JumpCloud’s group, call it OpenReplayAdminPrivileges and set the value to the role’s name, and then in the SSO configuration, select ‘Custom User or Group Attribute’ and set the value to OpenReplayAdminPrivileges.
  1. Define the below fields in ‘CONSTANT ATTRIBUTES’ by pressing the ‘add attribute’ button:
  • tenantKey: set the value to TENANT_KEY, found in OpenReplay dashboard under ‘Preferences’ > ‘Account’
  • role: optional, ignore if defined in the previous step, the user’s role in OpenReplay, should match role name already defined in OpenReplay (default = member)
  • adminPrivileges: optional, ignore if defined in the previous step, set the value to true if you want to give new users admin privilege, false if not (default = false)
  1. At this stage, you can move to the ‘User Groups’ tab, and select the group of users that will have access to OpenReplay, or you can do it later
  2. Press ‘activate’ and ‘continue’ in the confirmation popup
  3. Press the new OpenReplay application icon, then on the left dropdown ‘IDP Certificate Valid’ choose ‘Download certificate’
  4. In your server, run openreplay -e
  5. Under the chalice section, uncomment then set the following env variables:
  • idp_entityId: openreplay/TENANT_KEY
  • idp_sso_url: https://sso.jumpcloud.com/saml2/openreplay-TENANT_KEY
  • idp_x509cert: the downloaded certificate, must be a one-line string, without line breaks (you can use this tool to format your value)
  • idp_name: JumpCloud
  1. Finally, save and quit using :wq for the changes to take effect.

Errors

Section titled Errors

The response was received at http instead of http

Section titled The response was received at http instead of http

This is very common, and is due to the ‘X-Forwarded-Proto’ header not being present in th request. In order to resolve that, make sure the Load Balancer is correctly forwarding the header to the OpenReplay backend.