Single Sign On (SSO) Management
Managing user authentication manually across multiple systems can be cumbersome and inefficient. To streamline authentication, you can configure Single Sign-On (SSO) using our SSO API. This allows users to log in once and access multiple applications without re-authenticating, improving security and user experience.
Users of all VMS editions can log in with Microsoft or Google as an IdP, but Standard Edition users are limited to the following domains:
msn.com, live.com, hotmail.com, outlook.com, gmail.com
Professional and Enterprise Edition users have the flexibility to configure custom Identity Providers (IdPs). Upon login, users will be seamlessly redirected to their designated IdP for authentication.
Important: Administrators will always be able to log in via username and password; they will not be forwarded to the IdP login. This is to prevent the risk of being locked out of the account.
Before You Begin
- Obtain an access token by following the Login Guide.
- Retrieve the Base URL from API URLs.
With these prerequisites in place, you can configure, update, and manage SSO settings for your account.
Available Endpoints:
- The GET request to the /accounts/self/ssoAuthSettings API retrieves the current SSO configuration.
- The PATCH request to the /accounts/self/ssoAuthSettings API updates the SSO configuration.
1. Retrieve SSO Configuration
To check the current SSO authentication settings and retrieve the redirectUri for your account, use the /accounts/self/ssoAuthSettings endpoint.
To retrieve the redirectUri used within the IdP configuration, add include=ssoOidcIdpConfigUrls to the query parameters.
Example:
curl --location 'https://{BaseUrl}/api/v3.0/accounts/self/ssoAuthSettings?include=ssoOidcIdpConfigUrls' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <access-token>'
If SSO has not been configured, the response will indicate it is disabled:
{
  "type": "disabled",
  "ssoOidcIdpConfigUrls": {
    "redirectUri": "https://auth.eagleeyenetworks.com/login/oauth2/code/"
  }
}
Once SSO is enabled and configured, the response will reflect the chosen IdP settings.
Example response for Microsoft Entra ID:
{
  "type": "microsoftActiveDirectory",
  "ssoOidcIdpConfigUrls": {
    "redirectUri": "https://auth.eagleeyenetworks.com/login/oauth2/code/"
  },
  "config": {
    "credentials": {
      "clientId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "clientSecret": "AbC1dEfG~2hIjKlMnOpQrStUvWxYz1234567890"
    },
    "tenantId": "f4a6b7c8-9d0e-1234-5678-9abcdef01234"
  },
  "scim": {
    "autoUserProvisioningEnabled": true
  },
  "spInitiatedSsoLogin": true
}
2. Configure SSO
To enable SSO for your account, send a PATCH request to the /accounts/self/ssoAuthSettings endpoint with the desired SSO configuration.
The parameters you can submit via this request are:
- type (e.g., microsoftActiveDirectory, google, okta, disabled).
- clientId (the client ID provided by your identity provider).
- clientSecret (the client secret provided by your identity provider).
- tenantId (the tenant ID for your identity provider).
- autoUserProvisioningEnabled (boolean, default: false):
  - When true, new users who authenticate via the IdP but do not yet exist in the VMS will be automatically created.
  - When false, only pre-existing users in the VMS can log in via SSO.
- spInitiatedSsoLogin (boolean, default: false):
  - When true, users accessing the login page without an active session will be automatically redirected to the IdP for authentication.
  - When false, users must manually go to the IdP’s login portal before accessing the VMS.
For custom OIDC configuration, additional parameters are needed:
- authorization (URL for the authorization endpoint).
- token (URL for the token endpoint).
- userinfo (URL for the user info endpoint).
- jwks (URL for the JSON Web Key Set endpoint).
Example (Microsoft Entra ID):
curl --location --request PATCH 'https://{BaseUrl}/api/v3.0/accounts/self/ssoAuthSettings' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <access-token>' \
--data '{
  "type": "microsoftActiveDirectory",
  "config": {
    "credentials": {
      "clientId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "clientSecret": "AbC1dEfG~2hIjKlMnOpQrStUvWxYz1234567890"
    },
    "tenantId": "f4a6b7c8-9d0e-1234-5678-9abcdef01234"
  },
  "scim": {
    "autoUserProvisioningEnabled": true
  },
  "spInitiatedSsoLogin": true
}'
Example (Custom SSO):
curl --request PATCH \
--url https://api.cxxx.eagleeyenetworks.com/api/v3.0/accounts/self/ssoAuthSettings \
--header 'accept: application/json' \
--header 'content-type: application/json' \
--header 'Authorization: Bearer <access-token>' \
--data '
{
  "type": "oidc",
  "config": {
    "credentials": {
      "clientId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "clientSecret": "AbC1dEfG~2hIjKlMnOpQrStUvWxYz1234567890"
    },
    "endpoints": {
      "authorization": "https://accounts.domain.com/o/oauth2/v2/auth",
      "token": "https://oauth2.domain.com/token",
      "userInfo": "https://openidconnect.domain.com/v1/userinfo",
      "jwks": "https://www.domain.com/oauth2/v3/certs"
    },
    "issuer": {
      "url": "https://accounts.domain.com"
    }
  },
  "scim": {
    "autoUserProvisioningEnabled": true
  },
  "spInitiatedSsoLogin": true
}'
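The custom OIDC request body above can be assembled and checked before it is sent. The following is an added example, not Eagle Eye Networks code: it keeps the client secret out of shell history by reading it from an environment variable, rejects any IdP endpoint that is not an absolute https URL, and masks clientSecret before a settings document (including the GET response shown earlier, which carries the secret) is logged. The function names and the SSO_CLIENT_SECRET variable are assumptions.

```python
import json
import os
from urllib.parse import urlsplit

# Endpoint keys spelled as in the page's custom SSO example body.
ENDPOINT_KEYS = ("authorization", "token", "userInfo", "jwks")


def build_oidc_settings(client_id, endpoints, issuer_url,
                        auto_provision=False, sp_initiated=False,
                        secret_env="SSO_CLIENT_SECRET"):
    """Return the PATCH body for type "oidc", or raise ValueError."""
    secret = os.environ.get(secret_env)  # hypothetical variable name
    if not secret:
        raise ValueError(f"{secret_env} is not set")
    missing = [k for k in ENDPOINT_KEYS if k not in endpoints]
    if missing:
        raise ValueError(f"missing endpoints: {', '.join(missing)}")
    # Every URL handed to the service must be absolute and use https.
    for name, url in [("issuer", issuer_url), *endpoints.items()]:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"{name} must be an absolute https URL: {url!r}")
    return {
        "type": "oidc",
        "config": {
            "credentials": {"clientId": client_id, "clientSecret": secret},
            "endpoints": {k: endpoints[k] for k in ENDPOINT_KEYS},
            "issuer": {"url": issuer_url},
        },
        # Both flags default to false, matching the documented defaults.
        "scim": {"autoUserProvisioningEnabled": auto_provision},
        "spInitiatedSsoLogin": sp_initiated,
    }


def redact(settings):
    """Return a copy of a settings document with clientSecret masked."""
    doc = json.loads(json.dumps(settings))  # deep copy, input is untouched
    creds = doc.get("config", {}).get("credentials", {})
    if "clientSecret" in creds:
        creds["clientSecret"] = "***"
    return doc
```

Serialize the returned dictionary with json.dumps and send it as the PATCH body; pass API responses through redact before writing them to logs or tickets.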
Initiate Login URL
In the Initiate Login URL box, enter the following URL:
https://auth.eagleeyenetworks.com/sso?issuer={accountId}&target_link_uri={webapp_url}
The accountId is your Eagle Eye account ID. Your login URL will be:
https://auth.eagleeyenetworks.com/sso?issuer=00000011&target_link_uri=https%3A//webapp.eagleeyenetworks.com
Note: Ensure that the URL is properly encoded. For example, the colon (:) in https:// must be encoded as %3A for the URL to work correctly.
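The encoding rule in the note can be applied and checked programmatically. This is an added example, not part of the original page or of Eagle Eye Networks code: one function builds the Initiate Login URL in the encoded form shown above, and a second inspects an existing URL for the mistakes the note warns about. Both function names are assumptions.

```python
from urllib.parse import quote, unquote, urlsplit

SSO_ENTRY = "https://auth.eagleeyenetworks.com/sso"  # from the page


def initiate_login_url(account_id: str, webapp_url: str) -> str:
    """Build the Initiate Login URL with target_link_uri percent-encoded."""
    # quote() keeps "/" by default and encodes ":" as %3A, which is the
    # form the page shows; the issuer value gets no safe characters.
    return (f"{SSO_ENTRY}?issuer={quote(account_id, safe='')}"
            f"&target_link_uri={quote(webapp_url)}")


def check_initiate_login_url(url: str) -> list[str]:
    """Return the problems found in an Initiate Login URL (empty = OK)."""
    problems = []
    parts = urlsplit(url)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != SSO_ENTRY:
        problems.append("does not point at the SSO entry URL")
    # Keep the raw (still-encoded) values so encoding mistakes stay visible.
    raw = dict(p.partition("=")[::2] for p in parts.query.split("&") if p)
    if not raw.get("issuer"):
        problems.append("issuer (account ID) is missing")
    target = raw.get("target_link_uri", "")
    if not target:
        problems.append("target_link_uri is missing")
    elif ":" in target:
        problems.append("target_link_uri has an unencoded ':'")
    elif "%25" in target:
        problems.append("target_link_uri looks double-encoded")
    elif urlsplit(unquote(target)).scheme != "https":
        problems.append("target_link_uri is not an https URL")
    return problems
```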
By using these endpoints, you can seamlessly integrate and manage SSO authentication for your organization, improving security and simplifying user access to the Eagle Eye Networks Video platform.