Single Sign On (SSO) Configuration Guide
Overview
Getty Images supports single sign-on (SSO) for customers of the gettyimages.com website. Users authenticate with their organization account at their own identity provider and are then signed in to the gettyimages.com website.
Prerequisites
An identity provider that supports single sign-on via the SAML 2.0 standard.
Some examples are Okta, Microsoft Azure AD SSO, and Ping Identity.
Supported Features
- SAML SP-Initiated SSO: POST/Artifact Binding
- SAML IdP-Initiated SSO: POST Binding
- Just-In-Time User Provisioning
- System for Cross domain Identity Management (SCIM)
- Manual mapping of existing users
SSO Configuration
When setting up SSO, there is some information you’ll need from us. If your identity provider supports it, you may be able to import our metadata XML directly and avoid typographical errors.
Setting | Value
Assertion Consumer Service URL | https://www.gettyimages.com/sign-in/sso/acs
Recipient URL | https://www.gettyimages.com/sign-in/sso/acs
Destination URL | https://www.gettyimages.com/sign-in/sso/acs
Audience URI (SP Entity Id) | https://gettyimages.com/ (Note: the trailing slash is required.)
Name Id format | Unspecified
Signature Certificate | The certificate our SAML Authentication Requests are signed with. Used during SP-Initiated login; load it into your identity provider if it validates request signatures.
Configuration Steps
- Contact your Getty Images account representative or a customer service representative (support@gettyimages.com) to let them know you’d like to set up single sign-on.
- Set up the integration in your identity provider with the information from the previous section.
- Once the application is defined in your identity provider, get your metadata XML link (or the file itself) and send it to your support representative.
Identity Provider Specific Information
Azure AD SSO
To set up Azure, you will need to configure “Basic SAML Configuration” and “Attributes & Claims” in the Single sign-on page in the Azure portal. Azure supports importing some of these settings via our XML metadata.
In Basic SAML Configuration, the settings are fixed values:
Setting | Value
Identifier (Entity ID) | https://gettyimages.com/ (Note: the trailing slash is required.)
Reply URL (Assertion Consumer Service URL) | https://www.gettyimages.com/sign-in/sso/acs
Use these values verbatim, with no missing or additional slashes, or change of case.
In Attributes & Claims, the required claim “Unique User Identifier” is up to you to configure, but keep in mind that this is the value sent to Getty Images to uniquely identify the user. Like all other claims and configuration values it is case-sensitive, and it must not change over time, so map it to an attribute that will not be renamed or reassigned to another person. In SAML parlance this is the value some documentation calls “nameid” or “Name Identifier”.
If you need to configure just-in-time user creation, you will also need to configure Additional claims:
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
- groupid
The first three are up to you to define from your directory attributes (e.g. emailaddress is often mapped to Azure’s user.mail attribute). The last claim, groupid, is a constant value and will be provided to you by Getty Images after we establish an IdP for you in our system from your metadata.
Fig. 1 - Azure Configuration
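Before involving support, it is worth checking a SAML Response captured from the browser (for example with a SAML tracer extension, base64-decoded) against the fixed values in the tables above, since a missing trailing slash or a case difference in the Audience or ACS URL is the usual cause of a failed sign-in. The script below is an added example written for this guide, not Getty Images code: it parses a response with the Python standard library and compares Destination, Recipient, Audience, NameID and the four just-in-time claims exactly as strings. The sample response, the tenant ID, the NameID and the groupid value EXAMPLE-GROUP-ID are constructed placeholders; your real groupid is the constant Getty Images gives you. Signature verification is deliberately out of scope (use a SAML library for that).

```python
"""Check a captured SAML Response against the fixed Getty Images SP values.

Added example, not Getty Images code. Only addressing values and claims are
checked; the XML signature is not verified here.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constants from the SSO Configuration table in this guide.
EXPECTED_ACS = "https://www.gettyimages.com/sign-in/sso/acs"
EXPECTED_AUDIENCE = "https://gettyimages.com/"  # trailing slash is required

# Claims the guide lists for just-in-time provisioning (Azure AD claim names).
REQUIRED_JIT_CLAIMS = (
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "groupid",
)


def check_response(xml_text, expected_groupid):
    """Return {'problems': [...], 'name_id': str or None, 'claims': {...}}.

    All comparisons are exact string matches on purpose: the guide states the
    values are case-sensitive and that the trailing slash matters.
    """
    root = ET.fromstring(xml_text)
    problems = []

    if root.get("Destination") != EXPECTED_ACS:
        problems.append("Destination %r != %r" % (root.get("Destination"), EXPECTED_ACS))

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"problems": problems + ["no Assertion element"], "name_id": None, "claims": {}}

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        problems.append("missing NameID (Unique User Identifier)")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != EXPECTED_ACS:
        problems.append("Recipient %r != %r" % (recipient, EXPECTED_ACS))

    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("Audience %r does not contain %r" % (audiences, EXPECTED_AUDIENCE))

    # Collect attribute claims by Name; single-valued claims become plain strings.
    claims = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        claims[attr.get("Name")] = values[0] if len(values) == 1 else values

    for name in REQUIRED_JIT_CLAIMS:
        if name not in claims:
            problems.append("missing JIT claim %s" % name)
    if "groupid" in claims and claims["groupid"] != expected_groupid:
        problems.append("groupid %r != %r" % (claims["groupid"], expected_groupid))

    return {"problems": problems, "name_id": name_id, "claims": claims}


def build_sample(audience):
    """Constructed sample response (not a real capture); IDs, tenant and groupid are placeholders."""
    return """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://www.gettyimages.com/sign-in/sso/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID>00000000-0000-0000-0000-000000000001</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://www.gettyimages.com/sign-in/sso/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="groupid"><saml:AttributeValue>EXAMPLE-GROUP-ID</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % audience


if __name__ == "__main__":
    # The second audience lacks the required trailing slash and is reported.
    for audience in ("https://gettyimages.com/", "https://gettyimages.com"):
        result = check_response(build_sample(audience), "EXAMPLE-GROUP-ID")
        print(audience, "->", result["problems"] or "OK", "| NameID:", result["name_id"])
```

To use it on a real capture, replace the call to build_sample with the decoded SAMLResponse text and pass the groupid Getty Images gave you; an empty problems list means the addressing values and claims match this guide, after which any remaining failure is more likely a signing or certificate issue for your support representative.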
Okta
To set up with Okta, you’ll need to go to Applications and click Create App Integration. Under SAML Settings, use the information provided above to fill in the required values.
Fig. 2 - Okta Configuration - SAML Settings
Attribute Statements are only required if the integration is configured for just-in-time user provisioning.
Fig. 3 - Okta Configuration - Attribute Statements