You must be a top-level EchoVideo Admin to set up the Auth0 integration in EchoVideo.
You will also require the assistance of your IdP Administrator.
Echo360 is creating a unified login experience across our platform and as part of that initiative we are transitioning from PingOne to Auth0 (by Okta). This change will enable improved integration for customers utilizing multiple Echo360 solutions and enhance the overall authentication experience, paving the way for a unified login experience.
Supported Identity Providers
Echo360 is using Auth0 as a bridge between the EchoVideo platform and your Identity Provider (IdP) to facilitate the Single Sign-On (SSO) authentication of users. Auth0 provides a self-service wizard to configure off-the-shelf IdPs as well as custom SAML and OIDC connections.
For common IdPs, such as Okta, Entra ID, Google, etc., the self-service wizard provides step-by-step instructions that show you how to configure your IdP.
Custom Claims Mapping
By default, EchoVideo depends on the 'email' claim being the unique identifier as part of the lookup in the authentication process. If this is not the case for your institution, then you need to create a custom claim called 'echo_identity' to pass the unique identifier which can be used in the lookup against the 'email' and 'ssoId' fields of the users in your EchoVideo tenant.
If you require the 'echo_identity' custom claim then you must configure a Custom SAML or Custom OIDC SSO connection.
Email Aliases as the unique identifier
If the 'email' claim is not the unique identifier for your users then you need to configure a custom claim called 'echo_identity' and pass the relevant email or alias that EchoVideo will use as the primary lookup in the authentication process.
For more information about mapping SSOID and the echo_identity claim please refer to EchoVideo: SSO and Auth0 - Understanding SSOID and custom echo_identity claim
UPNs or Usernames as the unique identifier
If you need to pass a UPN or username as the unique identifier then you will need to create a custom claim called 'echo_identity' and also populate the ssoId field for the relevant EchoVideo users in your tenant.
The ssoId field can be populated manually via the UI under the Administrators 'Users' tab, programmatically using APIs, or in bulk using a CSV import (see EchoVideo: Using CSV Import to Create, Update, and Delete in Bulk).
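A dry run of the lookup described above, as an added example (not Echo360 code): it takes the claims your IdP would send and a user export, and reports which identifiers resolve to exactly one EchoVideo user before you switch production over. The CSV column names, the sample data, and the case-insensitive exact-match rule are assumptions.

```python
import csv
import io

# Constructed sample export of EchoVideo users (column names are assumptions).
USERS_CSV = """email,ssoId
ada@example.edu,alovelace
grace@example.edu,ghopper
g.hopper@example.edu,grace@example.edu
"""

# Constructed claim sets, as an IdP might send them after a test login.
CLAIMS = [
    {"email": "ada@example.edu"},                                  # default 'email' claim
    {"email": "grace.h@example.edu", "echo_identity": "ghopper"},  # username via ssoId
    {"email": "grace@example.edu"},                                # collides with an ssoId
    {"email": "alan@example.edu", "echo_identity": "aturing"},     # ssoId never populated
]

def load_users(text):
    """Parse the user export into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def resolve(claims, users):
    """Return (identifier, matching users) for one claim set.

    'echo_identity' is used when present, otherwise 'email'; the identifier
    is compared against both the 'email' and 'ssoId' fields (assumed to be a
    case-insensitive exact match).
    """
    ident = (claims.get("echo_identity") or claims.get("email") or "").strip().lower()
    if not ident:
        return ident, []  # never match an empty identifier to blank ssoId fields
    hits = [u for u in users
            if ident in ((u.get("email") or "").strip().lower(),
                         (u.get("ssoId") or "").strip().lower())]
    return ident, hits

def dry_run(claim_sets, users):
    """Bucket each identifier by how many users it would resolve to."""
    report = {"ok": [], "unmatched": [], "ambiguous": []}
    for claims in claim_sets:
        ident, hits = resolve(claims, users)
        key = "ok" if len(hits) == 1 else "unmatched" if not hits else "ambiguous"
        report[key].append(ident)
    return report

if __name__ == "__main__":
    for status, idents in dry_run(CLAIMS, load_users(USERS_CSV)).items():
        print(status, idents)
```

Anything listed as unmatched needs its ssoId populated, and anything ambiguous needs the colliding email or ssoId value corrected, before the claim is relied on for login.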
Creating a custom claim
Every Identity Provider is different when it comes to configuring a custom claim, and you may need to refer to the documentation provided by your specific IdP.
For Entra ID, we have some specific documentation - EchoVideo: Configuring Entra SSO to Use UPN Instead of Email
Before you get started
Important Information
Keeping a note of your EchoVideo Institution ID and regional URL is useful for creating a direct local login link if you are locked out of your tenant during the configuration of Auth0 or if you require a direct SSO login link.
Institution ID
Your EchoVideo Institution ID is found on the Institution Settings -> Integrations -> API Client page.
Regional URLs
EchoVideo region specific URLs are:
- United States: echo360.org
- Canada: echo360.ca
- UK/EMEA: echo360.org.uk
- APAC: echo360.net.au
Back Out Plan
Before you get started, there is key information that you should note down and save locally to help you either restore PingOne configurations or log in if you are locked out of your EchoVideo tenant.
Warning
Beginning the Auth0 configuration will immediately disable an existing PingOne SSO integration preventing new SSO logins until the setup is complete. Do not proceed until you have all the necessary information and expertise at your disposal. Please save your existing PingOne Identity Provider ID and have your EchoVideo institution ID copied before proceeding.
Restoring PingOne
Navigate to the PingOne settings page, delete any value that is in the 'Identity Provider ID' field, re-enter your previous PingOne 'Identity Provider ID' and click 'Connect To PingOne'.
This will restore your PingOne configuration, disable and invalidate an Auth0 configuration, and allow users to continue to use SSO using PingOne.
Accessing an EchoVideo tenant if locked out
If Auth0 is configured incorrectly or the setup wizard is abandoned then this may prevent EchoVideo administrators from accessing the tenant.
The direct login link takes the form of:
https://{EchoVideo Region-specific URL}/directLogin?institutionId={EchoVideo Institution ID}
Your region-specific URL is listed under Regional URLs above, and where to find your institution ID is described under Institution ID above.
Transition Plan
Before you attempt to configure Auth0 in your production EchoVideo tenant you should:
- Use a sandbox EchoVideo tenant to familiarize yourself with the Auth0 self-service wizard and understand what needs to be configured on your Identity Provider side. It's ok to break the configuration and test out the email and custom claims as it is a sandbox environment.
- Document a complete and successful start-to-finish configuration of Auth0 in your EchoVideo sandbox tenant with your IdP. This provides the plan to ensure you can replicate a successful SSO configuration in your production EchoVideo tenant.
- Consider configuring your IdP before beginning your Auth0 configuration in your production EchoVideo tenant, as this may minimise interruptions to users who may be logging in during your transition.
A note about LTI
Learning Tools Interoperability (LTI) versions 1.1 and 1.3 are different authentication workflows to Single-Sign-On (SSO) and therefore while you are transitioning to Auth0, users logging in using LTI from your LMS will not be impacted.
Getting started with Auth0 self-service
- Click the Settings icon in the upper-right corner of the screen.
- From the Settings menu, select Institution Settings.
  General settings appear, and Basic Info is selected by default.
- Click Integrations.
- Select Auth0.
- Click Generate, as shown in the figure above.
- Review the warning and click Yes.
  Warning
  Clicking Yes will immediately disable an existing PingOne SSO integration. Do not click Yes until you have all the necessary information and expertise available to proceed. Also, consider saving the PingOne ID prior to proceeding.
  The Identity Provider ID is populated.
- Choose Click To Proceed, as shown in the figure below.
  A new Auth0 browser tab opens.
- Click Get Started, as shown in the figure below.
- Choose the identity provider you plan to integrate with EchoVideo to access step-by-step instructions for SSO configuration.
- Click Next, as shown in the figure above.
- Follow the workflow for the identity provider you selected to complete the integration.
Direct SSO Login Links
After completing the Auth0 configuration, it is possible to create a seamless login experience across your systems using a direct SSO login link. That is, if a user logs in to one system using your IdP, you can use a direct SSO login link so they are automatically logged in to EchoVideo without needing to input their email or select a tenant. The link takes the form:
https://login.{EchoVideo Region-specific URL}/auth0/{EchoVideo Institution ID}
How to find your region-specific URL and institution ID is described above. Note that the institution ID should be that of the EchoVideo tenant Auth0 is configured for.