Configuring SSO
This article outlines the configuration steps for Single Sign-On (SSO) with Fullcast using a SAML v2 Identity Provider (IdP). Fullcast supports only SP-initiated SSO (the service provider starts the login process). The article also lists the information Fullcast requires to complete the SSO setup on its end.
Notes:
- IdP-initiated Single Sign-on is NOT supported.
- SSO is only available in production.
Supported Features
- SAML Protocol: Version 2.0
- SSO Initiation: Service provider-initiated (SP-initiated) only. You must start the SSO login process by navigating to https://app.fullcast.io. The SSO app panel can use a bookmark app to allow login from the app directory.
- Just-in-Time (JIT) Provisioning: Fullcast supports automatic user provisioning upon initial login through SSO.
- User Access Management: User access within Fullcast is managed through the Fullcast User Management settings panel.
Configuration:
- Fullcast Settings:
- Supported Protocol: SAMLv2
- SSO Initiation: SP-initiated only
- Tenant ID: Obtainable from your user profile within the Fullcast app (see directions below):
- Access your Fullcast instance.
- Click your profile picture in the top right corner.
- Click the copy icon next to the tenant ID.
Your tenant ID is now copied to your clipboard and ready for pasting.
- Post-back URL (Assertion Consumer Service URL/Reply URL): Include the connection parameter in the post-back URL: https://auth.fullcast.io/login/callback?connection={tenantid} Note: Replace {tenantid} with your actual Fullcast tenant ID.
- IdP Settings:
- Sign-in URL for your IdP
- Entity ID (Identifier): The ID of the service provider is: urn:auth0:fcio:{tenantid}. Use connection.options.entityId if available. Note: Replace {tenantid} with your actual Fullcast tenant ID.
- SAML Request Binding: Also called the Protocol Binding, this is the binding used for the SAML request that Fullcast sends to the IdP. If possible, set the value dynamically based on connection.options.protocolBinding:

| connection.options.protocolBinding value | SAML Request Binding value |
| --- | --- |
| Empty value (“”) or not present | HTTP-Redirect |
| urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect | HTTP-Redirect |
| urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST | HTTP-POST |

If setting the value dynamically isn't possible, set it to either HTTP-Redirect (default) or HTTP-POST if you selected this option in Protocol Binding.
- SAML Response Binding: How Fullcast receives the SAML token from the IdP. Set as HTTP-POST.
- SAML Assertion and Response: The SAML assertion and the SAML response can be signed individually or simultaneously.
- Logout URL: This is the URL where the IdP sends logout requests and responses: https://auth.fullcast.io/logout. The IdP must sign all logout requests.
- Signed Assertions: Once the configuration is completed in your SSO IdP, please download the certificate in either CER or PEM format. You will need to send this to Fullcast.
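As an added example (not Fullcast's own code), the following pre-flight check compares the values entered in the IdP with the settings listed above and reports mistakes such as an unreplaced {tenantid} placeholder. The function name, the dict keys and the sample tenant ID are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Fixed values taken from this article.
ACS_BASE = ("https", "auth.fullcast.io", "/login/callback")
ENTITY_ID_PREFIX = "urn:auth0:fcio:"
URN = "urn:oasis:names:tc:SAML:2.0:bindings:"
# connection.options.protocolBinding -> SAML Request Binding (table in this article).
REQUEST_BINDING = {None: "HTTP-Redirect", "": "HTTP-Redirect",
                   URN + "HTTP-Redirect": "HTTP-Redirect",
                   URN + "HTTP-POST": "HTTP-POST"}


def check_idp_app(cfg, tenant_id):
    """Return the problems found in the values entered in the IdP (empty = OK).
    cfg is a hypothetical dict: acs_url, entity_id, request_binding,
    response_binding and, optionally, protocol_binding.
    """
    problems = []
    for key in ("acs_url", "entity_id"):
        if "{" in cfg[key] or "}" in cfg[key]:
            problems.append(f"{key}: {{tenantid}} placeholder was not replaced")
    url = urlsplit(cfg["acs_url"])
    if (url.scheme, url.hostname, url.path) != ACS_BASE:
        problems.append("acs_url: must be https://auth.fullcast.io/login/callback")
    if parse_qs(url.query).get("connection") != [tenant_id]:
        problems.append("acs_url: connection parameter must equal the tenant ID")
    if cfg["entity_id"] != ENTITY_ID_PREFIX + tenant_id:
        problems.append("entity_id: expected urn:auth0:fcio:<tenant ID>")
    expected = REQUEST_BINDING.get(cfg.get("protocol_binding"))
    if expected is None:
        problems.append("protocol_binding: not one of the supported values")
    elif cfg["request_binding"] != expected:
        problems.append(f"request_binding: expected {expected}")
    if cfg["response_binding"] != "HTTP-POST":
        problems.append("response_binding: must be HTTP-POST")
    return problems


# Constructed sample values; the tenant ID is made up for illustration.
TENANT = "example-tenant-123"
GOOD = {"acs_url": f"https://auth.fullcast.io/login/callback?connection={TENANT}",
        "entity_id": f"urn:auth0:fcio:{TENANT}",
        "request_binding": "HTTP-Redirect", "response_binding": "HTTP-POST"}
BAD = dict(GOOD, acs_url="https://auth.fullcast.io/login/callback?connection={tenantid}",
           response_binding="HTTP-Redirect")

if __name__ == "__main__":
    print(check_idp_app(GOOD, TENANT))
    print(*check_idp_app(BAD, TENANT), sep="\n")
```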
Logo Image
Please download this image to use in your SSO environment for the Fullcast application.
Next Steps
To finish the configuration of Single Sign-On for your Fullcast instance, you will need to file a ticket with the details below:
- The Sign-in URL for your IdP
- The x509 Signing Certificate in either PEM or CER format (see above)
You can alternatively contact your Fullcast Business Partner.