Page tree
Skip to end of metadata
Go to start of metadata

Last updated: Jul 04, 2018 11:59

Overview of Single Sign on with Perfecto

What is SSO?

Single Sign-On (SSO) Authentication, in simple terms, means that a single set of credentials can be used to log into several different applications/services. This is especially useful in a corporate setting, when you want your employees to be able to access a variety of applications using their company credentials.

Many corporations use different Identity Providers (IDP) to manage their SSO systems. Here is a list of the most commonly used third-party IDP’s:

  • ADFS 2.0/3.0
  • PingFederate/PingOne
  • Okta
  • CA (formerly CA SiteMinder®)

A high-level diagram of the Perfecto SSO sign-in flow is shown below:

  1. User accesses the Perfecto Lab URL, e.g.

  2.  Perfecto Lab forwards the request to the IDP.  The user will be redirected to the IDP login page.
  3.  User logs-in using his/her company credentials. 
  4.  User is validated against the user store.
  5.  SAML assertion is sent back to Perfecto. At a minimum, the SAML assertion response from the identity provider must contain the desired username for the CQ Lab (if it isn’t the user email the Lab should be configured accordingly). The email address, given name and surname attributes are typically sent as parameters as well, but they are not required to enable SSO.

    Note: Perfecto offers a feature whereby the user within the Perfecto Lab will be JIT (just in time) provisioned without any user intervention (default roles, email suffix, user info, etc are configurable). To activate this feature, open a support ticket.
  6.  The user is authenticated and he/she is logged into his/her Perfecto Lab session.

Note: SSO with Perfecto is an authentication method, not an integration. There is no method to sync the individual accounts in a user store to the Perfecto Lab.

Setting Up Single Sign On

Setting Up SSO withPerfecto

  • Discover- After finalizing IDP selection, Perfecto Lab and the IDP need to replace SAML 2.0 metadata, See below  for instructions on how to obtain your IDP metadata. Once you acquire the metadata please make sure it is validated against the SAML 2.0 XSD (for example, you can use the following login validation tool ).
  • Set up- Upon receiving your IDP metadata, a member from the Perfecto technical team will set up the connection from our SP to your IDP.  Similarly, on your side, you will need to setup the connection from your IDP to our SP using the Perfecto metadata file.
  • Test- Upon accessing Perfecto Lab URL  (for example, you will be redirected to your IDP login page, enter you IDP user credentials and you should be logged in to the Perfecto Lab.

Important Note:The Perfecto Lab user management is not connected to the IDP user management, therefore, when deleting/retiring a user from the IDP this should be preformed in parallel within the Perfecto Lab user management (even though the user can no longer login).

IDP Requirements: 

  • Must support SP initiated SSO 

  • Must support SAML 2.0


What you need from Perfecto to set up your connection: 

You will need to obtain the Perfecto metadata file for your installation - contact Perfecto SSO support personnel who will supply the file. The file is in XML format and includes your installation license.

  • The following is an example of the Perfecto Metadata File: 


<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID=""> 
    <SPSSODescriptor AuthnRequestsSigned="true" 
            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol urn:oasis:names:tc:SAML:1.1:protocol"> 
        <KeyDescriptor use="signing"> 
            <dsig:KeyInfo xmlns:dsig=""> 
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=""/> 
        <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent </NameIDFormat> 
                Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="" 
                index="1" isDefault="true" /> 

 What Perfecto needs from your identity provider:

  • IDP Metadata file 

  • Assign your IDP users to the Perfecto application within your IDP

We recommend that you contact your IDP to -

  • Extract the SAML 2.0 metadata file  
  • Assign users (also for the IDP optimal configuration and setup). 

Below are, very high-level, instructions on how to do the above for some of the common IDP, that should be used as a reference only, please verify them  with your specific IDP.


  1. Register a new OKTA app: Click the profile name -> your org -> Admin -> Applications -> add application -> create new app -> SAML 2 -> enter a name, and click Next.
  2. For Single sign on URL, enter the following -<CQLab-name><CQLab-name>-okta/endpoint
    1. Audience URI (SP Entity ID) will be the IDP name.
  3. Click Next, then select "I'm an Okta customer adding an internal app".
  4. Click "Identity Provider metadata" link to download the IDP metadata. Save the downloaded metadata file to supply to Perfecto support personnel.


To integrate users with Perfecto applications, go to the created application (Admin -> Applications -> Perfecto application) and click the Assign button, user will be attached to the Perfecto application. 

CA (formerly CA SiteMinder®) 

Go to Apps -> add an app -> can't find your app link. 
A wizard will popup. 
Enter a display name, for example "Perfecto", in the basic info field. 
Click the "Download IDP metadata" from the current wizard step, and click Continue. 
Use the given Perfecto metadata file and upload it to the current wizard step. 
Finish the wizard with defaults. 


To have users integrated with Perfecto application, CA has to have at least one department. If you don't have a department, create one (Clilck Admin, then organization, then Select departments enter a name, click Add). 
Click Rules, then add the department of the user as a rule, to assign the application to the user. 

Azure based Active Directory
  1. Go to Azure classic portal
  2. Go to the Active Directory sub menu
  3. Select the active directory you wish to use for SSO
  4. Go the "Applications" section along the top navigation bar
  5. Press "Add" at the bottom of the screen
  6. Select "Add an application from the gallery"
  7. Select "Custom" -> "Add an unlisted application my organization is using" -> Enter “Perfecto" as the application name. Then press the check button when complete
  8. Select "Configure single sign-on"
  9. Select "Microsoft Azure AD Single Sign-On"
  10. Place the fields that Perfecto SSO team provided for you in the corresponding fields (Identifier and Reply Url).
  11. On the next page, Download Metadata (XML), check the box confirming you have configured SSO and press Next.
  12. Enter an email address at which you would like to be notified about maintenance issues.
  13. Once you are back to the applications main page, navigate to "Attributes"
  14. In "SAML Token Attributes", hover over the line where "TYPE" is "user attribute (nameid)" (usually the first one) and click on the pencil icon to edit
  15. Change the attribute value to "user.mail" and press the check button
  16. Press "Apply Changes" at the bottom of the screen
  17. Add users to the Perfecto application in Azure.

Other/Custom IDP 

Please contact your IDP directly to assist in obtaining the metadata file. 

Single Sign on Features 


Single Sign On with Reporting Application 

Once you are logged in to your Perfecto Lab (at, you can access the DigitalZoom Reporting service without a need to re-login, at the link: you can also access it from your Lab (Reporting tab -> press the link in the upper right corner), Note - all future Perfecto services will also be accessed from SSO without a need to re-login. 


Using Security Tokens 

When using the Perfecto Lab with external IDP configuration, due to security constraints, you cannot execute scripts and API’s with your IDP username and password, instead you should use a security token. 

If you are using UFT, you can use the generated security token to generate scripts, see more details.