Single Sign On (SSO) Configuration Guide

Overview

Getty Images supports single sign-on (SSO) for customers of the gettyimages.com website. This allows users to authenticate with their organization account and get logged into the gettyimages.com website.

Contact your Getty Images account representative or use the Contact page on gettyimages.com to let us know you’d like to set up single sign-on.

Prerequisites

An Identity Provider (IdP) that supports single sign-on via the SAML 2.0 standard. Some examples are Okta, Microsoft Azure AD SSO, and Ping Identity.

Supported Features

  • SAML SP-Initiated SSO: POST/Artifact Binding
  • SAML IdP-Initiated SSO: POST Binding
  • Just-In-Time User Provisioning

SSO Configuration Steps

Step 1: Configuring your IdP

If you are using Okta or Microsoft Azure, please use our integrations with those platforms:

If you are not using Okta or Azure, you will need to manually set up SSO. Please see the table below for the information you’ll need from us. If your identity provider supports it, you may be able to import our metadata XML directly and avoid typographical errors. You may also need the certificate used for signing authentication requests.

Assertion Consumer Service URLs

Enter all of the following values to accommodate global users. If your IdP only supports a single value, use the Getty Images domain that matches the location of the majority of your users. Please note that users outside of that area may be unable to use the SP-initiated sign-in method and will have to use IdP-initiated sign-in to log into the Getty Images site.

https://www.gettyimages.com/sign-in/sso/acs
https://www.gettyimages.com.au/sign-in/sso/acs
https://www.gettyimages.at/sign-in/sso/acs
https://www.gettyimages.be/sign-in/sso/acs
https://www.gettyimages.ca/sign-in/sso/acs
https://www.gettyimages.dk/sign-in/sso/acs
https://www.gettyimages.fi/sign-in/sso/acs
https://www.gettyimages.fr/sign-in/sso/acs
https://www.gettyimages.de/sign-in/sso/acs
https://www.gettyimages.in/sign-in/sso/acs
https://www.gettyimages.ie/sign-in/sso/acs
https://www.gettyimages.it/sign-in/sso/acs
https://www.gettyimages.co.jp/sign-in/sso/acs
https://www.gettyimages.co.nz/sign-in/sso/acs
https://www.gettyimages.no/sign-in/sso/acs
https://www.gettyimages.pt/sign-in/sso/acs
https://www.gettyimages.es/sign-in/sso/acs
https://www.gettyimages.se/sign-in/sso/acs
https://www.gettyimages.ch/sign-in/sso/acs
https://www.gettyimages.nl/sign-in/sso/acs
https://www.gettyimages.ae/sign-in/sso/acs
https://www.gettyimages.co.uk/sign-in/sso/acs

Recipient URL: https://www.gettyimages.com/sign-in/sso/acs
Destination URL: https://www.gettyimages.com/sign-in/sso/acs
Audience URI (SP Entity Id): https://gettyimages.com/ (Note: the trailing slash is required.)
Name Id format: Unspecified
Signature Certificate: This is the certificate our SAML Authentication Requests will be signed with. Used during SP-Initiated login.

Configuring Just-In-Time User Provisioning

Just-in-time (JIT) user provisioning is an optional method of automating user account provisioning. JIT cannot be used if SCIM provisioning is configured, but is a good option if SCIM provisioning is not possible. With JIT configured, new users will be provisioned automatically and existing users can automatically be mapped for SSO upon their first login attempt. However, you will not be able to update users' metadata via this method. Contact your Getty Images sales rep if you need to update an existing user.

To configure JIT user creation, you will need to configure additional claims:

  • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
    Name Format: URI Reference
    Value: user.firstName
  • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
    Name Format: URI Reference
    Value: user.lastName
  • Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
    Name Format: URI Reference
    Value: user.email
  • Name: groupid
    Name Format: Unspecified
    Value: <ASSIGNED_GROUP_ID>

The groupid value will be provided by Getty Images if necessary. Groupid is required if multiple “companies” in Getty Images systems are configured to a single IdP. If only one company is configured, users will be mapped to the single configured company by default.

A groupid represents a “company” in Getty Images systems. Each company has access to one or more specific license agreements (such as Premium Access or Editorial Subscription). The groupid specified for the new user will assign that user to the associated company, giving the user access to the license agreement configured for the company. Once the user is created, it is not possible to change their configuration to a different groupid/company. Please contact us if you need to change the groupid for a user.

When JIT is configured, automapping will automatically apply. When a user tries to log in, Getty Images will do a lookup before creating the new user. If an existing Getty Images account for that user is found, by looking for an exact match between the supplied username and a gettyimages.com username, the existing Getty Images account will be mapped for SSO and no new account will be created. If no match is found, a new Getty Images account will be created and this new account will be mapped for SSO.
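A pre-flight check for a manually configured IdP, added here as an example and not Getty Images code: it lints a SAML response against the Step 1 values and the JIT claims above. The function names and sample responses are constructed for illustration, and the nameid-format and attrname-format URNs are the standard SAML 2.0 identifiers assumed to correspond to "Unspecified" and "URI Reference".

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS = "https://www.gettyimages.com/sign-in/sso/acs"  # Recipient URL and Destination URL
AUDIENCE = "https://gettyimages.com/"                # SP Entity Id; trailing slash required
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
FMT = "urn:oasis:names:tc:SAML:2.0:attrname-format:"
NAMEID_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
JIT_CLAIMS = {CLAIMS + n: FMT + "uri" for n in ("givenname", "surname", "emailaddress")}

def lint_response(xml_text, need_groupid=False):
    """List mismatches with the Step 1 and JIT tables. Signatures are NOT verified."""
    root, problems = ET.fromstring(xml_text), []
    if root.get("Destination") != ACS:
        problems.append("Destination")
    scd = root.find(".//a:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS:
        problems.append("Recipient")
    if AUDIENCE not in [e.text for e in root.findall(".//a:Audience", NS)]:
        problems.append("Audience")
    nameid = root.find(".//a:Subject/a:NameID", NS)  # omitted Format means unspecified
    if nameid is None or nameid.get("Format", NAMEID_UNSPEC) != NAMEID_UNSPEC:
        problems.append("NameID Format")
    attrs = {a.get("Name"): a for a in root.findall(".//a:Attribute", NS)}
    wanted = {**JIT_CLAIMS, **({"groupid": FMT + "unspecified"} if need_groupid else {})}
    for name, fmt in wanted.items():
        attr = attrs.get(name)
        if attr is None or not attr.findtext("a:AttributeValue", "", NS).strip():
            problems.append("missing claim: " + name)
        elif attr.get("NameFormat", FMT + "unspecified") != fmt:
            problems.append("NameFormat: " + name)
    return problems

def attribute(name, value, fmt="uri"):  # builds one claim for the constructed samples
    return (f'<a:Attribute Name="{name}" NameFormat="{FMT}{fmt}">'
            f'<a:AttributeValue>{value}</a:AttributeValue></a:Attribute>')

def sample(audience, claims):  # constructed, unsigned, simplified response (not a real capture)
    return (f'<p:Response xmlns:p="{NS["p"]}" xmlns:a="{NS["a"]}" Destination="{ACS}"><a:Assertion><a:Subject>'
            '<a:NameID>jane@example.com</a:NameID><a:SubjectConfirmation><a:SubjectConfirmationData '
            f'Recipient="{ACS}"/></a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>'
            f'<a:Audience>{audience}</a:Audience></a:AudienceRestriction></a:Conditions>'
            f'<a:AttributeStatement>{claims}</a:AttributeStatement></a:Assertion></p:Response>')

GOOD = sample(AUDIENCE, "".join(attribute(n, "Jane") for n in JIT_CLAIMS))
BAD = sample("https://gettyimages.com", attribute(CLAIMS + "givenname", "Jane")
             + attribute(CLAIMS + "surname", "Doe", "basic"))  # no slash, wrong format, no email

print(lint_response(GOOD), lint_response(BAD, need_groupid=True))
```

Pass `need_groupid=True` only when Getty Images has assigned a groupid, that is, when multiple companies are configured to a single IdP.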

Step 2: Info we need from you

  • Your IdP metadata URL - please provide us with your Identity Provider’s metadata URL. We can use this to retrieve the necessary information from your provider.
  • Your email address domains - please provide us with the list of your email address domains. We use these to verify that the user is part of a company that has been configured for SSO on gettyimages.com.

Step 3: Decide – map users to their existing gettyimages.com accounts or provision new gettyimages.com accounts

There are two paths forward. Please let us know which you would like to take.

  • Map users to their existing gettyimages.com accounts – this involves Getty Images sharing a list of gettyimages.com user accounts and someone in your company providing each user’s Name ID (unique identifier, typically an email address) from your IdP so that we can connect them in Getty Images systems. This will allow each user to maintain access to their account info (search history, download history, boards, etc.) when they log in through SSO.
  • Provision new gettyimages.com accounts for your existing users – many companies opt for this path as it starts all users with fresh accounts, ensuring that only the correct users get access to gettyimages.com. Your IT team will have control over who gets a new account. Plus, it’s much faster than trying to map accounts. Creating new accounts uses either a Just In Time process or SCIM. Once you’ve provisioned new gettyimages.com accounts, we can deactivate the old accounts.
    • JIT – this requires the addition of a “GroupId” value in the SAML assertions provided by your IdP to gettyimages.com. This value ensures that the new account is correctly aligned with your company account in Getty Images systems.
    • SCIM – our SCIM implementation allows for gettyimages.com account creation, update and deactivation. See our SCIM documentation for more information.

Step 4: Disabling web auth

Disabling the ability to sign in to gettyimages.com via the traditional username/password flow is an important step in providing better security. After the above steps are completed, let us know if and when you’d like us to disable web authentication for your users.