SSO
Single-Sign-On (via SAML2) is available on OpenReplay Enterprise Edition only.
Identity Provider (IDP) configuration
In you Identity Provider's dashboard, create a new app called openreplay
(you can use this icon), In the configuration page, make sure to set the following value (please make sure to replace YOUR_DOMAIN
with the correct value, example https://openreplay.mycompany.com
):
Variable | Value |
---|---|
ACS URL (also called Single Sign On URL or Consumer URL) | YOUR_DOMAIN/api/sso/saml2/acs/ |
Entity ID (also called Audience) | YOUR_DOMAIN/api/sso/saml2/metadata/ |
Single Logout URL (also called SLO URL) | YOUR_DOMAIN/api/sso/saml2/sls/ (optional) |
Name ID (sometimes it is configurable in the 'Attribute Statements' or the 'Parameters' section) | Email or EmailAddress or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress , depending on your Identity Provider |
SAML initiator | Set it to Service Provider (optional) |
In the 'Attribute Statements', or the 'Parameters' section, please make sure to define the following fields:
Field | Value |
---|---|
tenantKey | Its value can be found in the Dashboard, under 'Preferences' > 'Account' |
firstName | user.firstName |
lastName | user.lastName |
internalId | Internal ID or user.email (the user's ID in your identity management system) (optional) |
role | The user's role, depending on you Identity Provider it can be user.role or group , etc. (optional, default = member ) |
adminPrivileges | If the user have admin privileges or not, if this field contains any value different from false , it will be considered as true . (optional, default = false ) |
You should now have all the required values for the next step/section.
SSO (SAML2) configuration
To enable SSO, edit openreplay/scripts/helmcharts/vars.yaml
and uncomment then update the below env variables in chalice
section:
Variable | Description |
---|---|
idp_entityId | The entityId of your identity provider, also referred to as Issuer URL |
idp_sso_url | The singleSignOnService of your identity provider, also referred to as SAML 2.0 Endpoint (HTTP) |
idp_x509cert | The x509cert , must be a one-line string, without line breaks. You can use the FORMAT A X509 CERTIFICATE tool to format your value |
idp_name | The identity provider's name (optional) |
idp_sls_url | The singleLogoutService of your identity provider, also referred to as SLO Endpoint (HTTP) (optional) |
Then, reinstall the web server for the changes to take effect:
cd openreplay/scripts/helmcharts && ./openreplay-cli -I
Example using Okta
- Login to your Okta administration dashboard and go to 'Applications' > 'Applications'
- Press 'Create new app integration', then select SAML 2.0 and press 'Next'
- Set the 'App Name' to OpenReplay (you can upload this icon for your application) then press 'Next'
- Set:
- Single sign on URL to
YOUR_DOMAIN/api/sso/saml2/acs/
- Audience URI (SP Entity ID) to
YOUR_DOMAIN/api/sso/saml2/metadata/
- Name ID format to
EmailAddress
- Single sign on URL to
- Define the below fields in 'Attribute Statements':
- tenantKey: format
Basic
and set the value to the one you got from OpenReplay dashboard under 'Preferences' > 'Account' - firstName: format
Basic
and set the value touser.firstName
- lastName: format
Basic
and set the value touser.lastName
- internalId: format
Basic
and set the value touser.email
- tenantKey: format
- Define the below field in 'Group Attribute Statements':
- role: format
Basic
filterMatch Regex
value.*
(or you can specify a different filter and regex according to your needs) - adminPrivileges: format
Basic
filterMatch Regex
valueadmin
(the current user will haveadmin privileges
if he is part of the admin group)
- role: format
- Press Next, Select 'I'm a software vendor. I'd like to integrate my app with Okta' then press 'Finish'
- In the Sign On tab, scroll down and press 'View Setup Instructions' to see you SAML2 configuration
- In your server, edit your
openreplay/scripts/helmcharts/vars.yaml
- Under the
chalice
section, uncomment then set the following env variables:
- idp_entityId: Identity Provider Issuer
- idp_sso_url: Identity Provider Single Sign-On URL
- idp_x509cert: X.509 Certificate, must be a one-line string, without line breaks (ou can use the FORMAT A X509 CERTIFICATE tool to format your value)
- idp_name: okta
- Finally, save your changes and reinstall the web server:
cd openreplay/scripts/helmcharts && ./openreplay-cli -I
Example using Google Workspace (formerly G Suite)
Add Custom Attributes:
- In the Google Admin console, go to 'Directory' > 'Users' > 'More options' > 'Manage custom attributes'.
- Click 'Add Custom Attribute'.
- Set the following fields:
- Category: 'OpenReplay'
- Custom fields:
- Name: 'role'
- Info type: 'Text'
- Visibility: 'Visible to user and admin'
- No. of values: 'Single-value'
- Custom fields:
- Name: 'adminPrivileges'
- Info type: 'Yes or No'
- Visibility: 'Visible to user and admin'
- No. of values: 'Single-value'
- Click 'Add'
- To add values to the new custom attributes, go to 'Users'
- Select the desired user(s)
- Click on 'User information' then edit the 'OpenReplay' section
- Change the value of role to the desired role in 'OpenReplay' (the role should match the one created in OpenReplay dashboard under 'Preferences' > 'Roles')
- Change the value of adminPrivileges to 'Yes' if the user is allowed to have Admin Privileges in OpenReplay
- Click 'Save'
Configuration:
- Login to your Google Admin Console and go to 'Apps'
- Press 'Web and mobile apps' then click 'Add app' > 'Add custom SAML app'
- Set the 'App name' to OpenReplay (you can upload this icon for 'App icon'') then press 'Continue'
- Copy 'SSO URL', 'Entity ID' and 'Certificate' then click 'Continue' (we will use these values in step 11)
- Set:
- ACS URL to
YOUR_DOMAIN/api/sso/saml2/acs/TENANT_KEY/
(TENANT_KEY
is found in OpenReplay dashboard under 'Preferences' > 'Account') - Entity ID to
YOUR_DOMAIN/api/sso/saml2/metadata/
- Name ID format to
Email
- Name ID to
Basic information > Primary Email
- ACS URL to
- Click 'Continue' then hit 'Add Mapping' to add the below attributes:
Basic information > First Name
-> firstNameBasic information > Last Name
-> lastNameBasic information > Primary Email
-> internalIdOpenReplay > role
-> roleOpenReplay > adminPrivileges
-> adminPrivileges
- Click 'Finish'
- In the Google Admin Console, go to 'Apps' > 'Web and mobile apps' and select 'OpenReplay'
- Click 'User access', select 'ON for everyone' then hit 'Save'
- In your server, go to
openreplay/scripts/helmcharts
and editvars.yaml
- Under the
chalice > env
section, uncomment and set the following attributes using the values from step 4:
- idp_sso_url: paste the value of 'SSO URL'
- idp_entityId: paste the value of 'Entity ID'
- idp_x509cert: use the FORMAT A X509 CERTIFICATE tool to format the copied/downloaded certificate
- idp_name: set the value to
G-Suite
- idp_tenantKey: the
TENANT_KEY
value you got from the OpenReplay dashboard
- Finally, save your changes and reinstall the web server:
cd openreplay/scripts/helmcharts && ./openreplay-cli -I