Single Sign On (SSO) Management

Managing user authentication manually across multiple systems can be cumbersome and inefficient. To streamline authentication, you can configure Single Sign-On (SSO) using our SSO API. This allows users to log in once and access multiple applications without re-authenticating, improving security and user experience.

Users of all VMS editions can log in with Microsoft or Google as the identity provider (IdP), but Standard Edition users are limited to the following domains:

msn.com, live.com, hotmail.com, outlook.com, gmail.com

Professional and Enterprise Edition users have the flexibility to configure custom Identity Providers (IdPs). Upon login, users will be seamlessly redirected to their designated IdP for authentication.

Important: Administrators will always be able to log in via username and password; they will not be forwarded to the IdP login. This is to prevent the risk of being locked out of the account.

Before You Begin

  1. Obtain an access token by following the Login Guide.
  2. Retrieve the Base URL from API URLs.

With these prerequisites in place, you can configure, update, and manage SSO settings for your account.

Available Endpoints:


1. Retrieve SSO Configuration

To check the current SSO authentication settings for your account, send a GET request to the /accounts/self/ssoAuthSettings endpoint.

To also retrieve the redirectUri that you enter in the IdP configuration, add include=ssoOidcIdpConfigUrls to the query parameters.

Example:

curl --location 'https://{BaseUrl}/api/v3.0/accounts/self/ssoAuthSettings?include=ssoOidcIdpConfigUrls' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <access-token>'

If SSO has not been configured, the response will indicate it is disabled:

{
  "type": "disabled",
  "ssoOidcIdpConfigUrls": {
    "redirectUri": "https://auth.eagleeyenetworks.com/login/oauth2/code/"
  }
}

Once SSO is enabled and configured, the response reflects the chosen IdP settings, including the stored client credentials.

Example response for Microsoft Entra ID:

{
  "type": "microsoftActiveDirectory",
  "ssoOidcIdpConfigUrls": {
    "redirectUri": "https://auth.eagleeyenetworks.com/login/oauth2/code/"
  },
  "config": {
    "credentials": {
      "clientId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "clientSecret": "AbC1dEfG~2hIjKlMnOpQrStUvWxYz1234567890"
    },
    "tenantId": "f4a6b7c8-9d0e-1234-5678-9abcdef01234"
  },
  "scim": {
    "autoUserProvisioningEnabled": true
  },
  "spInitiatedSsoLogin": true
}

2. Configure SSO

To enable SSO for your account, send a PATCH request to the /accounts/self/ssoAuthSettings endpoint with the desired SSO configuration.

The parameters you can submit via this request are listed below; the examples that follow show where each one sits in the JSON body:

  • type (e.g., microsoftActiveDirectory, google, okta, disabled).
  • clientId (the client ID provided by your identity provider).
  • clientSecret (the client secret provided by your identity provider).
  • tenantId (the tenant ID for your identity provider).
  • autoUserProvisioningEnabled (boolean, default: false):
    • When true, new users who authenticate via the IdP but do not yet exist in the VMS will be automatically created.
    • When false, only pre-existing users in the VMS can log in via SSO.
  • spInitiatedSsoLogin (boolean, default: false):
    • When true, users accessing the login page without an active session will be automatically redirected to the IdP for authentication.
    • When false, users must manually go to the IdP’s login portal before accessing the VMS.

For custom OIDC configuration (type oidc), additional parameters are needed:

  • authorization (URL for the authorization endpoint).
  • token (URL for the token endpoint).
  • userInfo (URL for the user info endpoint).
  • jwks (URL for the JSON Web Key Set endpoint).

Example (Microsoft Entra ID):

curl --location --request PATCH 'https://{BaseUrl}/api/v3.0/accounts/self/ssoAuthSettings' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <access-token>' \
--data '{
  "type": "microsoftActiveDirectory",
  "config": {
    "credentials": {
      "clientId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "clientSecret": "AbC1dEfG~2hIjKlMnOpQrStUvWxYz1234567890"
    },
    "tenantId": "f4a6b7c8-9d0e-1234-5678-9abcdef01234"
  },
  "scim": {
    "autoUserProvisioningEnabled": true
  },
  "spInitiatedSsoLogin": true
}'

Example (Custom SSO):

curl --request PATCH \
     --url https://api.cxxx.eagleeyenetworks.com/api/v3.0/accounts/self/ssoAuthSettings \
     --header 'accept: application/json' \
     --header 'content-type: application/json' \
     --header 'Authorization: Bearer <access-token>' \
     --data '
{
  "type": "oidc",
  "config": {
    "credentials": {
      "clientId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "clientSecret": "AbC1dEfG~2hIjKlMnOpQrStUvWxYz1234567890"
    },
    "endpoints": {
      "authorization": "https://accounts.domain.com/o/oauth2/v2/auth",
      "token": "https://oauth2.domain.com/token",
      "userInfo": "https://openidconnect.domain.com/v1/userinfo",
      "jwks": "https://www.domain.com/oauth2/v3/certs"
    },
    "issuer": {
      "url": "https://accounts.domain.com"
    }
  },
  "scim": {
    "autoUserProvisioningEnabled": true
  },
  "spInitiatedSsoLogin": true
}'
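
A local pre-flight check for the PATCH body, plus a redaction helper for logging what the GET endpoint returns (its response includes clientSecret). This is an added example, not Eagle Eye Networks code: the type values and key names come from this page's examples, while the per-type required fields and the https-only rule are assumptions of the example, not the API's documented schema.

```python
import copy
from urllib.parse import urlsplit

# Type values and key names are the ones shown on this page; which fields are
# required per type, and the https-only rule, are assumptions of this example.
KNOWN_TYPES = {"microsoftActiveDirectory", "google", "okta", "oidc", "disabled"}
OIDC_ENDPOINTS = ("authorization", "token", "userInfo", "jwks")

def _is_https(url):
    parts = urlsplit(url) if isinstance(url, str) else None
    return bool(parts and parts.scheme == "https" and parts.hostname)

def validate_sso_settings(body):
    """Return a list of problems; an empty list means the body passed."""
    sso_type = body.get("type")
    if sso_type not in KNOWN_TYPES:
        return [f"unknown type: {sso_type!r}"]
    if sso_type == "disabled":
        return []
    problems = []
    config = body.get("config", {})
    for key in ("clientId", "clientSecret"):
        if not config.get("credentials", {}).get(key):
            problems.append(f"missing config.credentials.{key}")
    if sso_type == "microsoftActiveDirectory" and not config.get("tenantId"):
        problems.append("missing config.tenantId")
    if sso_type == "oidc":
        urls = {f"endpoints.{n}": config.get("endpoints", {}).get(n) for n in OIDC_ENDPOINTS}
        urls["issuer.url"] = config.get("issuer", {}).get("url")
        problems += [f"config.{k} must be an https URL" for k, v in urls.items() if not _is_https(v)]
    # A quoted "true" is a string, not a boolean; catch it before sending.
    flags = (body.get("scim", {}).get("autoUserProvisioningEnabled", False),
             body.get("spInitiatedSsoLogin", False))
    if not all(isinstance(f, bool) for f in flags):
        problems.append("autoUserProvisioningEnabled and spInitiatedSsoLogin must be JSON booleans")
    return problems

def redact(settings):
    """Return a copy that is safe to log: clientSecret is masked."""
    safe = copy.deepcopy(settings)
    if "clientSecret" in safe.get("config", {}).get("credentials", {}):
        safe["config"]["credentials"]["clientSecret"] = "***"
    return safe

# Constructed sample: an oidc body shaped like the page's, with a plain-http token endpoint.
_EP = {n: f"https://idp.example/{n}" for n in OIDC_ENDPOINTS}
SAMPLE = {"type": "oidc", "spInitiatedSsoLogin": True,
          "config": {"credentials": {"clientId": "example-id", "clientSecret": "example-secret"},
                     "endpoints": {**_EP, "token": "http://idp.example/token"},
                     "issuer": {"url": "https://idp.example"}}}
```

Calling validate_sso_settings(SAMPLE) reports the http token endpoint, and redact(SAMPLE) returns a copy that can be written to a log without exposing the secret.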

Initiate Login URL

In the Initiate Login URL box, enter the following URL:

https://auth.eagleeyenetworks.com/sso?issuer={accountId}&target_link_uri={webapp_url}

Here, accountId is your Eagle Eye account ID and webapp_url is the URL of the VMS web application. For example, with account ID 00000011 your login URL will be:

https://auth.eagleeyenetworks.com/sso?issuer=00000011&target_link_uri=https%3A//webapp.eagleeyenetworks.com

Note: Ensure that the URL is properly encoded. For example, the colon (:) in https:// must be encoded as %3A for the URL to work correctly.
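
The encoding rule from the note above, as an added Python example (not part of the original documentation). It reproduces the page's login URL and goes one step further by handling a target that carries its own query string, which is a constructed case; the https-only check on the target is an assumption of this example.

```python
from urllib.parse import parse_qs, quote, urlsplit

SSO_ENTRY = "https://auth.eagleeyenetworks.com/sso"  # from the page


def build_initiate_login_url(account_id, webapp_url):
    """Build the Initiate Login URL with target_link_uri percent-encoded."""
    target = urlsplit(webapp_url)
    # Assumption of this example: only absolute https targets are accepted.
    if target.scheme != "https" or not target.hostname:
        raise ValueError(f"target_link_uri must be an absolute https URL: {webapp_url!r}")
    # safe="/" leaves slashes alone and encodes ':', '?', '&', '=' and '#',
    # which reproduces the encoding shown on the page (https%3A//...).
    return (f"{SSO_ENTRY}?issuer={quote(str(account_id), safe='')}"
            f"&target_link_uri={quote(webapp_url, safe='/')}")


def decode_target(login_url):
    """Recover target_link_uri the way a standard query-string parser sees it."""
    return parse_qs(urlsplit(login_url).query)["target_link_uri"][0]


# The page's own values; the result matches the login URL shown above.
EXAMPLE_URL = build_initiate_login_url("00000011", "https://webapp.eagleeyenetworks.com")
```

Without the encoding, an `&` inside the target would end the target_link_uri parameter early and the rest of the target would be parsed as separate parameters of the login URL.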


By using these endpoints, you can seamlessly integrate and manage SSO authentication for your organization, improving security and simplifying user access to the Eagle Eye Networks Video platform.