SAML authentication may be used with a wide variety of Identity Providers. The steps required to configure each IdP will vary based on the IdP vendor’s web interface. In this section, we will provide the basic steps that should work with any IdP, although the order of the steps may vary by vendor. After you read through these steps, you’ll find more specific details in the topics that focus on these Identity Providers:

If your vendor isn’t listed, or you need additional assistance, please contact IPConfigure Technical Support.

Create a New Web Application Configuration

  1. To configure your Identity Provider to support Orchid Fusion VMS, you will create a new web application configuration. For this, you will need to set the following properties: the ACS URL, the Entity ID, and the Start URL.
  • Set the ACS (Assertion Consumer Service) URL.
    • https://your-url/service/sessions/login/samlCallback?client_name=samlclient1
  • Set the Entity ID.
    • https://your-url/service/sessions/login/samlCallback?client_name=samlclient1
  • Set the Start URL. (This is the same as your Fusion public URL.)
    • https://your-url
  2. Within the IdP web interface, ensure that there are mappings from each user’s IdP username (or email address) and group(s) to SAML attributes. The names of these mapped attributes are specified in the Orchid Fusion VMS properties file:

saml.provider.samlclient1.attr.key.name=name-mapping
saml.provider.samlclient1.attr.key.group=group-mapping

  3. Once you have the name and group mapping info, you will need to copy it into the fusion.properties file (as covered in the previous topic).

Download an XML Metadata File

  1. Next, download an XML metadata file from your IdP’s web interface.
  2. Copy this file into your Orchid Fusion VMS server’s configuration directory.
    1. In Linux: /etc/opt/fusion/
    2. In Windows: C:\Program Files\IPConfigure\Fusion\conf
  3. Now you need to copy the metadata filename into the fusion.properties file (as covered in the previous topic):

saml.provider.samlclient1.idp.metadata.filename=file-name

Additional Steps

  1. Depending on your IdP vendor, you may also need to specify which users or groups are allowed to log in to Orchid Fusion VMS. (This will only affect users’ ability to log in; it does not grant them access to any Orchid Recorders or cameras.)
  2. Additionally, some IdPs may require that you explicitly enable the new web application from their web interface.
  3. Once all other steps are complete, save the fusion.properties file and restart the Orchid Fusion VMS service.
  4. Now, log in to Orchid Fusion VMS as an Administrator and go to the Permission Groups screen. This is where you will add your new groups and assign permissions. (For more details, please refer to Assigning Permissions to SAML Users.)
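
A pre-restart sanity check for the settings above, as an added example (not IPConfigure's code): it confirms the three samlclient1 keys are set and that the metadata file they name exists in the configuration directory and looks like usable IdP metadata. The function names are hypothetical, and the signing-certificate, HTTPS-endpoint and no-DOCTYPE checks are general SAML hygiene assumed here, not requirements stated on this page.

```python
import os
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
PREFIX = "saml.provider.samlclient1."   # client name used on this page
REQUIRED = ("attr.key.name", "attr.key.group", "idp.metadata.filename")

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # or ! comments."""
    pairs = (ln.split("=", 1) for ln in map(str.strip, text.splitlines())
             if ln and ln[0] not in "#!" and "=" in ln)
    return {k.strip(): v.strip() for k, v in pairs}

def check_saml_config(properties_text, conf_dir):
    """Return a list of problems; an empty list means every check passed."""
    props = parse_properties(properties_text)
    problems = [f"missing or empty: {PREFIX}{k}" for k in REQUIRED
                if not props.get(PREFIX + k)]
    filename = props.get(PREFIX + "idp.metadata.filename")
    if not filename:
        return problems
    path = os.path.join(conf_dir, filename)
    if not os.path.isfile(path):
        return problems + [f"metadata file not found: {path}"]
    with open(path, "rb") as fh:
        raw = fh.read()
    if b"<!DOCTYPE" in raw:  # SAML metadata needs no DTD; refuse entity tricks
        return problems + ["metadata contains a DOCTYPE declaration"]
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return problems + [f"metadata is not well-formed XML: {exc}"]
    # The IdP may publish a bare EntityDescriptor or wrap it in EntitiesDescriptor.
    entity = next(root.iter(MD + "EntityDescriptor"), None)
    idp = entity.find(MD + "IDPSSODescriptor") if entity is not None else None
    if idp is None:
        return problems + ["no EntityDescriptor with an IDPSSODescriptor"]
    if not entity.get("entityID"):
        problems.append("EntityDescriptor has no entityID")
    if not any((c.text or "").strip() for c in idp.iter(DS + "X509Certificate")):
        problems.append("no signing certificate in IDPSSODescriptor")
    locations = [s.get("Location", "") for s in idp.findall(MD + "SingleSignOnService")]
    if not locations:
        problems.append("no SingleSignOnService endpoint")
    problems += [f"SSO endpoint is not HTTPS: {loc}" for loc in locations
                 if not loc.lower().startswith("https://")]
    return problems
```

Pass the contents of fusion.properties and the configuration directory (for example /etc/opt/fusion/ on Linux) to check_saml_config, and resolve anything it returns before restarting the service.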
