Overview of Single Sign on with Perfecto
What is SSO?
Single Sign-On (SSO) Authentication, in simple terms, means that a single set of credentials can be used to log into several different applications/services. This is especially useful in a corporate setting, when you want your employees to be able to access a variety of applications using their company credentials.
Many corporations use different Identity Providers (IDPs) to manage their SSO systems. Here is a list of the most commonly used third-party IDPs:
- ADFS 2.0/3.0
- CA (formerly CA SiteMinder®)
A high-level diagram of the Perfecto SSO sign-in flow is shown below:
User accesses the Perfecto Lab URL, e.g. .
- Perfecto Lab forwards the request to the IDP. The user will be redirected to the IDP login page.
- User logs in using his/her company credentials.
- User is validated against the user store.
- SAML assertion is sent back to Perfecto. At a minimum, the SAML assertion response from the identity provider must contain the desired username for the CQ Lab (if it isn’t the user email, the Lab should be configured accordingly). The email address, given name and surname attributes are typically sent as parameters as well, but they are not required to enable SSO.
Note: By default, the user within the Perfecto Lab will be JIT (just in time) provisioned without any user intervention (default roles, email suffix, etc. are configurable).
- The user is authenticated and he/she is logged into his/her Perfecto Lab session.
Setting Up Single Sign On
Setting Up SSO with Perfecto
- Discover - After finalizing IDP selection, Perfecto Lab and the IDP need to exchange SAML 2.0 metadata. See below for instructions on how to obtain your IDP metadata. Once you acquire the metadata, please make sure it is validated against the SAML 2.0 XSD (for example, you can use the following login validation tool ).
- Set up - Upon receiving your IDP metadata, a member of the Perfecto technical team will set up the connection from our SP to your IDP. Similarly, on your side, you will need to set up the connection from your IDP to our SP using the Perfecto metadata file.
- Test - Upon accessing the Perfecto Lab URL (for example, ) you will be redirected to your IDP login page. Enter your IDP user credentials and you should be logged in to the Perfecto Lab.
Must support SP initiated SSO
Must support SAML 2.0
What you need from Perfecto to set up your connection:
You will need to obtain the Perfecto metadata file for your installation - contact Perfecto SSO support personnel who will supply the file. The file is in XML format and includes your installation license.
The following is an example of the Perfecto Metadata File:
What Perfecto needs from your identity provider:
IDP Metadata file
Assign your IDP users to the Perfecto application within your IDP
We recommend that you contact your IDP to -
- Extract the SAML 2.0 metadata file
- Assign users (also for the IDP optimal configuration and setup).
Below are very high-level instructions on how to do the above for some of the common IDPs. Use them as a reference only, and verify them with your specific IDP.
Register a new Okta app: Click the profile name -> your org -> Admin -> Applications -> add application -> create new app -> SAML 2 -> enter a name, and click Next.
For Single sign on URL, enter the following - .perfectomobile.com/auth/realms/<CQLab-name>.perfectomobile.com/broker/<CQLab-name>-okta/endpoint
Audience URI (SP Entity ID) will be the IDP name.
Click Next, then select "I'm an Okta customer adding an internal app".
Click "Identity Provider metadata" link to download the IDP metadata. Save the downloaded metadata file to supply to Perfecto support personnel.
To integrate users with Perfecto applications, go to the created application (Admin -> Applications -> Perfecto application) and click the Assign button; the user will be attached to the Perfecto application.
CA (formerly CA SiteMinder®)
Go to Apps -> add an app -> can't find your app link.
To have users integrated with the Perfecto application, CA has to have at least one department. If you don't have a department, create one (click Admin, then organization, then select departments, enter a name, click Add).
Azure based Active Directory
Please contact your IDP directly to assist in obtaining the metadata file.
Single Sign on Features
Single Sign On with Reporting Application
Once you are logged in to your Perfecto Lab (at ), you can access the DigitalZoom Reporting service without needing to log in again, at the link: You can also access it from your Lab (Reporting tab -> press the link in the upper right corner). Note - all future Perfecto services will also be accessed from SSO without a need to log in again.
Using Security Tokens
When using the Perfecto Lab with an external IDP configuration, due to security constraints, you cannot execute scripts and APIs with your IDP username and password. Instead, you should use a security token.
If you are using UFT, you can use the generated security token to generate scripts, see more details.