Single Sign On (SSO) Configuration Guide


Getty Images supports single sign-on (SSO) for customers of the website. This allows users to authenticate with their organization account and get logged into the website.


To use SSO, you need an identity provider that supports single sign-on via the SAML 2.0 standard.

Some examples are Okta, Microsoft Azure AD SSO, and Ping Identity.

Supported Features

  • SAML SP-Initiated SSO: POST/Artifact Binding
  • SAML IdP-Initiated SSO: POST Binding
  • Just-In-Time User Provisioning
  • System for Cross-domain Identity Management (SCIM)
  • Manual mapping of existing users

SSO Configuration

When setting up SSO, there is some information you’ll need from us. If your identity provider supports it, you may be able to import our metadata XML directly and avoid typographical errors.

Assertion Consumer Service URL
Recipient URL
Destination URL
Audience URI (SP Entity Id) (Note: the trailing slash is required.)
Name Id format: Unspecified
Signature Certificate: This is the certificate our SAML Authentication Requests will be signed with. It is used during SP-Initiated login.

Configuration Steps

  1. Contact your Getty Images account representative or a customer service representative to let them know you’d like to set up single sign-on.
  2. Set up the integration in your identity provider with the information from the previous section.
  3. Once the application is defined in your identity provider, get your metadata XML link (or the file itself) and send it to your support representative.

Identity Provider Specific Information

Azure AD SSO

To set up Azure, you will need to configure “Basic SAML Configuration” and “Attributes & Claims” on the Single sign-on page in the Azure portal. Azure supports importing some of these settings via our XML metadata.

In Basic SAML Configuration, the settings are constants:

Identifier (Entity ID) (Note: the trailing slash is required.)
Reply URL (Assertion Consumer Service URL)

Use these values verbatim, with no missing or additional slashes and no change of case.
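A pre-flight check for the verbatim-match requirement, as an added example that is not Getty Images' code: it reads a test SAML response captured from your own IdP and reports trailing-slash or case differences in Destination, Recipient and Audience. The `sp.example.test` URLs are placeholders, and treating Recipient and Destination as equal to the Assertion Consumer Service URL is an assumption.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholder SP values (assumptions); substitute the ones Getty Images gives you.
ACS = "https://sp.example.test/sso/acs"
ENTITY_ID = "https://sp.example.test/sso/"

# Constructed test response: Recipient has the wrong case, Audience lacks the slash.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 Destination="https://sp.example.test/sso/acs"><saml:Assertion>
 <saml:Subject><saml:NameID>u-1001</saml:NameID>
  <saml:SubjectConfirmation><saml:SubjectConfirmationData
   Recipient="https://sp.example.test/SSO/acs"/></saml:SubjectConfirmation>
 </saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://sp.example.test/sso</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion></samlp:Response>"""

def diagnose(name, got, want):
    """Compare verbatim; explain why a near-miss still fails."""
    if got == want:
        return None
    if got is None:
        return f"{name}: missing"
    if got.rstrip("/") == want.rstrip("/"):
        return f"{name}: trailing slash differs"
    if got.lower() == want.lower():
        return f"{name}: case differs"
    return f"{name}: unexpected value"

def check_response(xml_text, acs=ACS, entity_id=ENTITY_ID):
    """Pre-flight check of a test response from your own IdP.
    It does not verify the signature and is not a substitute for SP validation."""
    root = ET.fromstring(xml_text)
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    aud = root.find(".//saml:Audience", NS)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    has_id = nameid is not None and (nameid.text or "").strip()
    checks = [
        ("Destination", root.get("Destination"), acs),
        ("Recipient", None if scd is None else scd.get("Recipient"), acs),
        ("Audience", None if aud is None else (aud.text or "").strip(), entity_id),
        ("NameID", "present" if has_id else None, "present"),
    ]
    return [msg for msg in (diagnose(*c) for c in checks) if msg]

if __name__ == "__main__":
    print("\n".join(check_response(SAMPLE)))
```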

In Attributes & Claims, the required claim “Unique User Identifier” is yours to configure, but keep in mind that this is the value sent to Getty Images to uniquely identify the user. Like all other claims and configuration values, it is case-sensitive and must not change over time. Some documentation refers to this value as “nameid”, or as “Name Identifier” in SAML parlance.

If you need to configure just-in-time user creation, you will also need to configure Additional claims:

The first three are up to you to define from your directory attributes (e.g. emailaddress is often mapped to Azure’s user.mail attribute). The last claim, groupid, is a constant value and will be provided to you by Getty Images after we establish an IdP for you in our system from your metadata.

Fig. 1 - Azure Configuration


To set up with Okta, you’ll need to go to Applications and click Create App Integration. Under SAML Settings, use the information provided above to fill in the required values.

Fig. 2 - Okta Configuration - SAML Settings

Attribute Statements are only required if the integration is configured for just-in-time user provisioning.

Fig. 3 - Okta Configuration - Attribute Statements