How to Set Up Single Sign On (SSO)

SSO is available for customers with an Enterprise Plan.

With Single Sign On, you can use your company's identity provider to allow access to all your employees without inviting users individually. This allows your IT department to manage access from a centralized location and extends all your identity provider's security to Vocal Video.

To get started, you'll need an Enterprise subscription. You'll need a bit of help from your IT department to complete the setup.

Configuring Single Sign On

This section is meant for use by your IT department. You will need an Identity Provider that support OpenID Connect (OIDC). 

Vocal Video uses the Client Secret (POST) authentication method. You'll need to provide five parameters from your identity provider:

• Client ID
• Client Secret
• Host (your hostname / domain, without any protocol)
• Authorization Endpoint - Usually https://your-host.com/authorize
• Token Endpoint - Usually https://your-host.com/oauth/token

Inside Vocal Video, navigate to the Single Sign On settings page: https://vocalvideo.com/app/sso Here, you'll find the callback URL (something like https://vocalvideo.com/sso/your-company/callback). You'll need to enter this into your identity provider. 

Once all the fields are provided, your configuration is complete. This will activate your SSO login page, available at https://vocalvideo.com/sso/your-company

When a user clicks the Log In button, they will be redirected to your identity provider, authorized, and redirected back into Vocal Video. 

Single Sign On Policies

Once you've successfully configured your SSO connection, there are two policy options to consider.

If you'd like to require all users to authenticate via SSO, toggle the Require SSO Authentication policy. This will disable users from authenticating via password login.

In the case a users authenticates with SSO and Vocal Video does not have an associated user record, you can also allow them to access your account by toggling the Automatically Provision Users option. The user will gain access to all workspaces within your account. 

Caveats and Debugging

If a user has access to other Vocal Video accounts, they are not eligible for single sign on. They will be required to authenticate with a password.

If a user has an active Vocal Video session and visits your SSO log in page, they will be redirected to the application directly.

Vocal Video will request three OpenID Connect scopes during the sign in process: openid, email, and profile. 

Automatic provisioning of users is subject to any user limits in your subscription. Emails must be valid, deliverable, and verified.