Google SAML 2.0 (SSO) Configuration Guide
Overview
Getty Images supports single sign-on (SSO) for customers of the gettyimages.com website, allowing users to authenticate with their organization account and be logged in.
Supported Features
- SAML SP-Initiated SSO: POST/Artifact Binding
- SAML IdP-Initiated SSO: POST Binding
- JIT (Just-In-Time) User Provisioning with the following SAML attributes
Configuration Steps
- Log in at https://admin.google.com/ac/apps/unified.
- Set App name and Description of your choice.
- Select the Download Metadata option and save the XML metadata file. This file needs to be provided to Getty Images as part of step 6.
- Fill in Service provider details with the following:
  - For ACS URL use one of the URLs listed under the Assertion Consumer Service URLs section of Configuring your IdP. The most appropriate URL should be selected based on location. Google currently only supports configuration of one ACS URL.
  - For Entity ID use the Audience URI (SP Entity Id) value in this section of Configuring your IdP.
  - Leave Start URL blank.
  - Set Name ID format to UNSPECIFIED.
  - For Name ID use whatever value makes sense for your organization. Optimally it should be a value that will not change for the lifetime of a user.
- Attribute Mapping of First name, Last name, and Primary email is required if Just-In-Time (JIT) User Provisioning will be enabled. More information about JIT can be found in the Configuring Just-In-Time User Provisioning section of Configuring your IdP.
  - App attributes should be set to the values in the NAME column in the Configuring Just-In-Time User Provisioning section of Configuring your IdP.
  - Please see the notes under the JIT User Provisioning section below if the client has more than one Getty Images company configured.
- Contact your Getty Images account representative or a customer service representative (support@gettyimages.com) to let them know you’d like to set up single sign-on.
  - Include the XML metadata file downloaded as part of step 3 with your request.
SP-initiated SSO
- Go to https://www.gettyimages.com/.
- Click the Sign In button.
- Click the Sign in with Single Sign-On (SSO) link.
- Enter your email, then click Continue.
JIT User Provisioning
Google currently does not support groupid as a claim, which is required for SSO clients with multiple configured companies. We do not require it for clients with only one configured company as we assume incoming calls are intended for the only configured company. Due to this limitation with Google IdP, clients with more than one company configured with Getty Images should contact customer support before setting up a Google/Getty Images SAML 2.0 integration.
Troubleshooting
If you have questions or difficulties with your Google/Getty Images SAML 2.0 integration, please use the Contact page on gettyimages.com.