SSO

Single-Sign-On (via SAML2) is available on OpenReplay Enterprise Edition only.

Identity Provider (IDP) configuration

In you Identity Provider’s dashboard, create a new app called openreplay (you can use this icon), In the configuration page, make sure to set the following value (please make sure to replace YOUR_DOMAIN with the correct value, example https://openreplay.mycompany.com):

Variable	Value
ACS URL (also called Single Sign On URL or Consumer URL)	`YOUR_DOMAIN/api/sso/saml2/acs/`
Entity ID (also called Audience)	`YOUR_DOMAIN/api/sso/saml2/metadata/`
Single Logout URL (also called SLO URL)	`YOUR_DOMAIN/api/sso/saml2/sls/` (optional)
Name ID (sometimes it is configurable in the ‘Attribute Statements’ or the ‘Parameters’ section)	`Email` or `EmailAddress` or `urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress`, depending on your Identity Provider
SAML initiator	Set it to `Service Provider` (optional)

In the ‘Attribute Statements’, or the ‘Parameters’ section, please make sure to define the following fields:

Field	Value
tenantKey	`TENANT_KEY` its value can be found in the Dashboard, under ‘Preferences’ > ‘Account’
firstName	`user.firstName`
lastName	`user.lastName`
internalId	Internal ID or `user.email` (the user’s ID in your identity management system) (optional)
role	The user’s role, depending on you Identity Provider it can be `user.role` or `group`, etc. (optional, default = `member`)
adminPrivileges	If the user have admin privileges or not, if this field contains any value different from `false`, it will be considered as `true`. (optional, default = `false`)

You should now have all the required values for the next step/section.

SSO (SAML2) configuration

To enable SSO, edit openreplay/scripts/helmcharts/vars.yaml and uncomment then update the below env variables in chalice section:

Variable	Description
idp_entityId	The `entityId` of your identity provider, also referred to as `Issuer URL`
idp_sso_url	The `singleSignOnService` of your identity provider, also referred to as `SAML 2.0 Endpoint (HTTP)`
idp_x509cert	The `x509cert`, must be a one-line string, without line breaks. You can use this tool to format your value
idp_name	The identity provider’s name (optional)
idp_sls_url	The `singleLogoutService` of your identity provider, also referred to as `SLO Endpoint (HTTP)` (optional)

Then, reinstall the web server for the changes to take effect:

cd openreplay/scripts/helmcharts && ./openreplay-cli -I

Example using Okta

Login to your Okta administration dashboard and go to ‘Applications’ > ‘Applications’
Press ‘Create new app integration’, then select SAML 2.0 and press ‘Next’
Set the ‘App Name’ to OpenReplay (you can upload this icon) for your application) then press ‘Next’
Set:

Single sign on URL to YOUR_DOMAIN/api/sso/saml2/acs/
Audience URI (SP Entity ID) to YOUR_DOMAIN/api/sso/saml2/metadata/
Name ID format to EmailAddress

Define the below fields in ‘Attribute Statements’:

tenantKey: format Basic and set the value to TENANT_KEY, found in OpenReplay dashboard under ‘Preferences’ > ‘Account’
firstName: format Basic and set the value to user.firstName
lastName: format Basic and set the value to user.lastName
internalId: format Basic and set the value to user.email

Define the below field in ‘Group Attribute Statements’:

role: format Basic filter Match Regex value .* (or you can specify a different filter and regex according to your needs)
adminPrivileges: format Basic filter Match Regex value admin (the current user will have admin privileges if he is part of the admin group)

Press Next, Select ‘I’m an Okta customer adding an internal app’ and ‘This is an internal app that we have created’ then press ‘Finish’
In the Sign On tab, scroll down and press ‘View Setup Instructions’ to see you SAML2 configuration
In your server, edit your openreplay/scripts/helmcharts/vars.yaml
Under the chalice section, uncomment then set the following env variables:

idp_entityId: Identity Provider Issuer
idp_sso_url: Identity Provider Single Sign-On URL
idp_x509cert: X.509 Certificate, must be a one-line string, without line breaks (you can use this tool to format your value)
idp_name: Okta

Finally, save your changes and reinstall the web server:

cd openreplay/scripts/helmcharts && ./openreplay-cli -I

Example using Google Workspace (formerly G Suite)

Add Custom Attributes:

In the Google Admin console, go to ‘Directory’ > ‘Users’ > ‘More options’ > ‘Manage custom attributes’.
Click ‘Add Custom Attribute’.
Set the following fields:

Category: ‘OpenReplay’
Custom fields:
Name: ‘role’
Info type: ‘Text’
Visibility: ‘Visible to user and admin’
No. of values: ‘Single-value’
Custom fields:
Name: ‘adminPrivileges’
Info type: ‘Yes or No’
Visibility: ‘Visible to user and admin’
No. of values: ‘Single-value’

Click ‘Add’
To add values to the new custom attributes, go to ‘Users’
Select the desired user(s)
Click on ‘User information’ then edit the ‘OpenReplay’ section
Change the value of role to the desired role in ‘OpenReplay’ (the role should match the one created in OpenReplay dashboard under ‘Preferences’ > ‘Roles’)
Change the value of adminPrivileges to ‘Yes’ if the user is allowed to have Admin Privileges in OpenReplay
Click ‘Save’

Configuration:

Login to your Google Admin Console and go to ‘Apps’
Press ‘Web and mobile apps’ then click ‘Add app’ > ‘Add custom SAML app’
Set the ‘App name’ to OpenReplay (you can upload this icon for ‘App icon”) then press ‘Continue’
Copy ‘SSO URL’, ‘Entity ID’ and ‘Certificate’ then click ‘Continue’ (we will use these values in step 11)
Set:

ACS URL to YOUR_DOMAIN/api/sso/saml2/acs/TENANT_KEY/ (TENANT_KEY is found in OpenReplay dashboard under ‘Preferences’ > ‘Account’)
Entity ID to YOUR_DOMAIN/api/sso/saml2/metadata/
Name ID format to Email
Name ID to Basic information > Primary Email

Click ‘Continue’ then hit ‘Add Mapping’ to add the below attributes:

Basic information > First Name -> firstName
Basic information > Last Name -> lastName
Basic information > Primary Email -> internalId
OpenReplay > role -> role
OpenReplay > adminPrivileges -> adminPrivileges

Click ‘Finish’
In the Google Admin Console, go to ‘Apps’ > ‘Web and mobile apps’ and select ‘OpenReplay’
Click ‘User access’, select ‘ON for everyone’ then hit ‘Save’
In your server, go to openreplay/scripts/helmcharts and edit vars.yaml
Under the chalice > env section, uncomment and set the following attributes using the values from step 4:

idp_sso_url: paste the value of ‘SSO URL’
idp_entityId: paste the value of ‘Entity ID’
idp_x509cert: use this tool to format the copied/downloaded certificate
idp_name: set the value to G-Suite
idp_tenantKey: TENANT_KEY found in OpenReplay dashboard under ‘Preferences’ > ‘Account’

Finally, save your changes and reinstall the web server:

cd openreplay/scripts/helmcharts && ./openreplay-cli -I

Example using JumpCloud

Login to your JumpCloud administration dashboard and in the left menu, go to ‘SSO’
Press ’+ Add New Application’, then select ‘Custom SAML App’
Set the ‘Display Label’ to OpenReplay (you can upload this icon for your application) then move to ‘SSO’ tab
Set:

IdP Entity ID to openreplay/TENANT_KEY
SP Entity ID to YOUR_DOMAIN/api/sso/saml2/metadata/
ACS URL to YOUR_DOMAIN/api/sso/saml2/acs/
SAMLSubject NameID to email
SAMLSubject NameID Format: to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Signature Algorithm to RSA-SHA256
Check Sign Assertion
IDP URL to end with openreplay-TENANT_KEY (this value cannot be changed later)

Define the below fields in ‘USER ATTRIBUTE MAPPING’ by pressing the ‘add attribute’ button:

firstName: set the value to firstname
lastName: set the value to lastname
internalId: set the value to email
role: optional, the user’s role in OpenReplay, if it is a constant value for all users, you should define it in the next step, otherwise you have to add a new string-attribute to the JumpCloud’s group, call it OpenReplayRole and set the value to the role’s name, and then in the SSO configuration, select ‘Custom User or Group Attribute’ and set the value to OpenReplayRole.
adminPrivileges: optional, if it is a constant value for all users, you should define it in the next step, otherwise you have to add a new boolean-attribute to the JumpCloud’s group, call it OpenReplayAdminPrivileges and set the value to the role’s name, and then in the SSO configuration, select ‘Custom User or Group Attribute’ and set the value to OpenReplayAdminPrivileges.

Define the below fields in ‘CONSTANT ATTRIBUTES’ by pressing the ‘add attribute’ button:

tenantKey: set the value to TENANT_KEY, found in OpenReplay dashboard under ‘Preferences’ > ‘Account’
role: optional, ignore if defined in the previous step, the user’s role in OpenReplay, should match role name already defined in OpenReplay (default = member)
adminPrivileges: optional, ignore if defined in the previous step, set the value to true if you want to give new users admin privilege, false if not (default = false)

At this stage, you can move to the ‘User Groups’ tab, and select the group of users that will have access to OpenReplay, or you can do it later
Press ‘activate’ and ‘continue’ in the confirmation popup
Press the new OpenReplay application icon, then on the left dropdown ‘IDP Certificate Valid’ choose ‘Download certificate’
In your server, edit your openreplay/scripts/helmcharts/vars.yaml
Under the chalice section, uncomment then set the following env variables:

idp_entityId: openreplay/TENANT_KEY
idp_sso_url: https://sso.jumpcloud.com/saml2/openreplay-TENANT_KEY
idp_x509cert: the downloaded certificate, must be a one-line string, without line breaks (you can use this tool to format your value)
idp_name: JumpCloud

Finally, save your changes and reinstall the web server:

cd openreplay/scripts/helmcharts && ./openreplay-cli -I

Have questions?

If you have any questions about this process, feel free to reach out to us on our Slack or check out our Forum.