Single Sign On (SSO) Configuration Guide
Overview
Getty Images supports single sign-on (SSO) for customers of the gettyimages.com website. This allows users to authenticate with their organization account and get logged into the gettyimages.com website.
Contact your Getty Images account representative or a customer service representative (support@gettyimages.com) to let them know you’d like to set up single sign-on.
Prerequisites
An Identity Provider (IdP) that supports single sign-on via the SAML 2.0 standard. Some examples are Okta, Microsoft Azure AD SSO, and Ping Identity.
Supported Features
- SAML SP-Initiated SSO: POST/Artifact Binding
- SAML IdP-Initiated SSO: POST Binding
- Just-In-Time User Provisioning
SSO Configuration steps
Step 1: Configuring your IdP
If you are using Okta or Microsoft Azure, please use our integrations with those platforms:
If you are not using Okta or Azure, you will need to manually set up SSO. Please see the table below for the information you’ll need from us. If your identity provider supports it, you may be able to import our metadata XML directly and avoid typographical errors. You may also need the certificate used for signing authentication requests.
| Assertion Consumer Service URL | https://www.gettyimages.com/sign-in/sso/acs |
| Recipient URL | https://www.gettyimages.com/sign-in/sso/acs |
| Destination URL | https://www.gettyimages.com/sign-in/sso/acs |
| Audience URI (SP Entity Id) | https://gettyimages.com/ (Note: the trailing slash is required.) |
| Name Id format | Unspecified |
| Signature Certificate | This is the certificate our SAML Authentication Requests will be signed with. Used during SP-Initiated login. |
Step 2: Info we need from you
- Your IdP metadata URL - please provide us with your Identity Provider’s metadata URL. We can use this to retrieve the necessary information from your provider.
- Your email address domains - please provide us with the list of your email address domains. We use these to verify that the user is part of a company that has been configured for SSO on gettyimages.com.
Step 3: Decide – map users to their existing gettyimages.com accounts or provision new gettyimages.com accounts
There are two paths forward, please let us know which you would like to do.
- Map users to their existing gettyimages.com accounts – this involves Getty Images sharing a list of gettyimages.com user accounts and someone in your company providing each user’s Name ID (unique identifier, typically an email address) from your IdP so that we can connect them in Getty Images systems. This will allow each user to maintain access to their account info (search history, download history, boards, etc.) when they log in through SSO.
- Provision new gettyimages.com accounts for your existing users – many companies opt for this path as it starts all users with fresh accounts, ensuring that only the correct users get access to gettyimages.com. Your IT team will have control over who gets a new account. Plus, it’s much faster that trying to map accounts. Creating new accounts uses either a Just In Time process or SCIM. Once you’ve provisioned new gettyimages.com accounts, we can deactivate the old accounts.
- JIT – this requires the addition of a “GroupId” value in the SAML assertions provided by your IdP to gettyimages.com. This value ensure that the new account is correctly aligned with your company account in Getty Images systems.
- SCIM – our SCIM implementation allows for gettyimages.com account creation, update and deactivation. See our SCIM documentation for more information.
Step 4: Disabling web auth
Disabling the ability to sign in to gettyimages.com via the traditional username/password flow is an important step in providing better security. After the above steps are completed, let us know if and when you’d like us to disable web authentication for your users.