This basic guide describes how to configure and use SAML with uStudio Platform. Below are items for your IT and business teams as well as items for uStudio. Please review and complete everything on the checklist below.
Check List
- Send the following outgoing attributes: given_name, family_name, and email.
  - If your IdP offers one, providing uStudio a sample SAML assertion can aid in debugging issues.
- Provide an Identity Provider Metadata XML file or a public URL to the metadata file.
- If an Identity Provider Metadata XML file is not available, send uStudio your:
  - Single Sign-on Service URL.
  - Single Logout Service URL.
  - X509 Signing Certificate in .pem or .cer format.
- Add uStudio settings as needed to your SAML set up.
- Onboard or migrate admins.
uStudio SAML Settings
Note: companycode is provided by uStudio. If you do not have a companycode, please reach out to your uStudio representative or support@ustudio.com.
- Our SAML service provider will be identified by a single URL, which will be used for all SP URLs and as the SP Entity ID/Audience URI.
  - Example: https://login.ustudio.com/auth/realms/platform-users/broker/companycode/endpoint
- Once uStudio has configured its end, an SP SSO Descriptor will be available at a public URL.
  - Example: https://login.ustudio.com/auth/realms/platform-users/broker/companycode/endpoint/descriptor
- Our SAML SP expects a Subject NameID element in the SAML assertion to uniquely identify the user across our entire database.
- Sign Request Algorithm: RSA-SHA256
- Sign Request Digest: SHA256
- Outgoing Attributes:

  Outgoing Attribute   Attribute    Requirement
  given_name           First Name   Required
  family_name          Last Name    Required
  email                Email        Required

- Note: All SAML attributes should be constant to avoid duplicate account entries that cause login failure.
- Authentication is handled by your identity provider, while admin access is managed within uStudio via email invitations. To streamline onboarding and maintain consistency across environments, apply the same access group used for the uStudio Audience App to this Admin App connection. This ensures anyone eligible for admin access can be invited and activated without additional configuration on your side.
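As an added example (not uStudio's code), the following Python check can be run by an IdP administrator against an exported test assertion to confirm it carries the Subject NameID, the three required attributes, and the RSA-SHA256 / SHA256 algorithm identifiers listed above before it is sent to uStudio. The sample assertion is constructed for the example and its signature value is omitted; the check is structural only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED_ATTRS = ("given_name", "family_name", "email")
EXPECTED_SIG = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
EXPECTED_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample assertion (signature value omitted); it deliberately
# lacks the email attribute so the checker has something to report.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_1" Version="2.0">
 <ds:Signature><ds:SignedInfo>
  <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <ds:Reference><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/></ds:Reference>
 </ds:SignedInfo></ds:Signature>
 <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
 <saml:AttributeStatement>
  <saml:Attribute Name="given_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="family_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text):
    """Return the list of checklist problems found in one assertion.
    Structure only: the XML signature itself is not verified here."""
    root = ET.fromstring(xml_text)
    problems = []
    # uStudio keys the user on Subject/NameID, so it must be present.
    if root.find(".//saml:Subject/saml:NameID", NS) is None:
        problems.append("missing Subject/NameID")
    # Collect attributes and require a non-empty value for each mandatory one.
    present = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        present[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    for name in REQUIRED_ATTRS:
        if not present.get(name) or not present[name][0]:
            problems.append("missing or empty attribute " + name)
    # Signature and digest algorithm identifiers must match the SP settings.
    sig = root.find(".//ds:SignatureMethod", NS)
    if sig is None or sig.get("Algorithm") != EXPECTED_SIG:
        problems.append("signature algorithm is not RSA-SHA256")
    dig = root.find(".//ds:DigestMethod", NS)
    if dig is None or dig.get("Algorithm") != EXPECTED_DIGEST:
        problems.append("digest method is not SHA256")
    return problems
```

Running `check_assertion(SAMPLE)` reports the missing email attribute; once the IdP is configured to emit all three attributes, the list comes back empty.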
uStudio Admin Application
PMC: https://podcast-admin.ustudio.com
Old URLs that still work:
HUB: https://app.ustudio.com/api/v2/login?client_id=a2da148f333345d7855ee02dfe72e2d7&idp=companycode
PMC: https://podcast-admin.ustudio.com/login?idp=companycode
Note: You can create an application icon/bookmark that routes to these links.
uStudio IdP-Specific SSO Guides:
- Azure SSO Configuration (SAML 2.0)
- Okta SSO Configuration (SAML 2.0)
- OneLogin SSO Configuration (SAML 2.0)
Onboarding Admins
- Assign admins from your IdP to the uStudio Platform application.
- The super admin or account owner will be the first to accept their invitation from notifications@ustudio.com and log in.
- The super admin or account owner will alert uStudio Support of sign-in.
- After uStudio Support confirms sign-in, the super admin or account owner logs in again to confirm access to the HUB or PMC.
- Then, the super admin or account owner will invite other admins via HUB by following this guide.
- Lastly, the other admins accept invitations from notifications@ustudio.com.
Note: If you log in before accepting or receiving your invitation, your account will be created but not assigned to a studio. You will notice a message about your "trial has ended." Please contact support to get reassigned to your studio after you have accepted the invitation.
Migrating Existing Admins
If you're migrating an admin from non-SSO to SSO, simply invite them using the same email address and full name. For this process to work, the admin must be a member of the studio prior to migration.
This process is the same when migrating from one identity provider to another (SSO to SSO), except that an existing admin will need to click "Add to existing account" and verify their email access when prompted after clicking the invitation email link.