You must be a top-level EchoVideo Admin to set up the Auth0 integration in EchoVideo.
You will also need assistance from your IdP Administrator.
Supported Identity Providers
Echo360 uses Auth0 as a bridge between the EchoVideo platform and your Identity Provider (IdP) to facilitate Single Sign-On (SSO) authentication for users. Auth0 provides a self-service wizard to configure both off-the-shelf IdPs and custom SAML and OIDC solutions.
For common IdPs such as Okta, Entra ID, and Google, the self-service wizard provides step-by-step instructions to help you configure your IdP.
Custom Claims Mapping
By default, EchoVideo assumes the 'email' claim is the unique identifier for lookups during authentication. If this is not the case for your institution, you need to create a custom claim called 'echo_identity' to pass the unique identifier, which can be used to look up the 'email' and 'ssoId' fields of users in your EchoVideo tenant.
If you require the 'echo_identity' custom claim then you must configure a Custom SAML or Custom OIDC SSO connection.
Email Aliases as the unique identifier
If the 'email' claim is not the unique identifier for your users, you need to configure a custom claim called 'echo_identity' and pass the relevant email or alias that EchoVideo will use as the primary lookup during authentication.
For more information about mapping SSOID and the echo_identity claim, please refer to EchoVideo: SSO and Auth0 - Understanding SSOID and custom echo_identity claim.
UPNs or Usernames as the unique identifier
If you need to pass a UPN or username as the unique identifier, then you will need to create a custom claim called 'echo_identity' and also populate the ssoId field for the relevant EchoVideo users in your tenant.
The ssoId field can be populated manually via the UI under the Administrators 'Users' tab, programmatically using APIs, or in bulk using a CSV import (see EchoVideo: Using CSV Import to Create, Update, and Delete in Bulk).
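A pre-cutover check for the lookup rules described above, as an added example (not Echo360 code): it models the lookup as the 'email' claim matched against the email field by default, and 'echo_identity' matched against both email and ssoId, then flags users who would resolve to no account or to more than one. The CSV column names, the sample users, and case-insensitive matching are assumptions.

```python
import csv
import io

# Constructed sample export of EchoVideo users; the column names are assumptions.
# d.roe's ssoId deliberately equals b.lee's email to show a collision.
USERS_CSV = """email,ssoId
ana@example.edu,
b.lee@example.edu,blee
c.kim@example.edu,ckim@corp.example.edu
d.roe@example.edu,b.lee@example.edu
"""

def norm(value):
    # Assumption: identifiers compare case-insensitively, ignoring padding.
    return (value or "").strip().lower()

def load_users(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def resolve(claims, users):
    """Return (status, matched user emails) for one user's IdP claims."""
    if norm(claims.get("echo_identity")):
        # Custom claim present: checked against both email and ssoId.
        key, fields = norm(claims["echo_identity"]), ("email", "ssoId")
    else:
        # Default behaviour: the email claim is the lookup key.
        key, fields = norm(claims.get("email")), ("email",)
    if not key:
        return "no-identifier", []
    hits = [u["email"] for u in users if any(norm(u.get(f)) == key for f in fields)]
    return {0: "no-match", 1: "ok"}.get(len(hits), "ambiguous"), hits

def preflight(claim_sets, users):
    """Return only the claim sets that would not resolve to exactly one user."""
    results = [(c, *resolve(c, users)) for c in claim_sets]
    return [r for r in results if r[1] != "ok"]

if __name__ == "__main__":
    users = load_users(USERS_CSV)
    samples = [  # constructed claims, as an IdP might release them
        {"email": "Ana@Example.edu"},
        {"email": "lee.b@idp.example.edu", "echo_identity": "blee"},
        {"echo_identity": "b.lee@example.edu"},
        {"echo_identity": "jdoe"},
    ]
    for claims, status, hits in preflight(samples, users):
        print(status, claims, hits)
```

Running this against a sandbox export before the production transition surfaces ssoId values that collide with another user's email and users whose identifier is not yet populated.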
Creating a custom claim
Every Identity Provider is different when it comes to configuring a custom claim, so you may need to refer to your IdP's documentation.
For Entra ID, we have some specific documentation - EchoVideo: Configuring Entra SSO to Use UPN Instead of Email
Before you get started
Important Information
Keep a note of your EchoVideo Institution ID and regional URL. You need both to create a direct local login link if you are locked out of your tenant during Auth0 configuration, or if you require a direct SSO login link.
Institution ID
Your EchoVideo Institution ID is found on the Institution Settings -> Integrations -> API Client page.
Regional URLs
EchoVideo region-specific URLs are:
- United States: echo360.org
- Canada: echo360.ca
- UK/EMEA: echo360.org.uk
- APAC: echo360.net.au
Back Out Plan
Before you get started, there is key information that you should note down and save locally to help you log in if you are locked out of your EchoVideo tenant.
Accessing an EchoVideo tenant if locked out
If Auth0 is misconfigured or the setup wizard is abandoned, this may prevent EchoVideo administrators from accessing the tenant.
The direct login link takes the form of:
https://{EchoVideo Region-specific URL}/directLogin?institutionId={EchoVideo Institution ID}
Your region-specific URL and your institution ID are described under Important Information above.
Transition Plan
Before you attempt to configure Auth0 in your production EchoVideo tenant, you should:
- Use a sandbox EchoVideo tenant to familiarize yourself with the Auth0 self-service wizard and understand what needs to be configured on your Identity Provider side. It's ok to break the configuration and test the email and custom claims in a sandbox environment.
- Document a complete and successful start-to-finish configuration of Auth0 in your EchoVideo sandbox tenant with your IdP. This provides the plan to ensure you can replicate a successful SSO configuration in your production EchoVideo tenant.
- Consider configuring your IdP before beginning your Auth0 configuration in your production EchoVideo tenant, as this may minimize interruptions to users who may be logging in during your transition.
A note about LTI
Learning Tools Interoperability (LTI) versions 1.1 and 1.3 use different authentication workflows than Single Sign-On (SSO), and therefore, while you transition to Auth0, users logging in via LTI from your LMS will not be affected.
Getting started with Auth0 self-service
- Click the Settings icon in the upper-right corner of the screen.
- From the Settings menu, select Institution Settings.
  General settings appear, and Basic Info is selected by default.
- Click Integrations.
- Select Auth0.
- Click Generate, as shown in the figure above.
- Review the warning and click Yes.
  The Identity Provider ID is populated.
- Choose Click To Proceed, as shown in the figure below.
  A new Auth0 browser tab opens.
- Click Get Started, as shown in the figure below.
- Choose the identity provider you plan to integrate with EchoVideo to access step-by-step SSO configuration instructions.
- Click Next, as shown in the figure above.
- Follow the workflow for the identity provider you selected to complete the integration.
Direct SSO Login Links
After completing Auth0 configuration, you can create a seamless login experience across your systems using a direct SSO login link. That is, if a user logs in to one system using your IdP, you can use a direct SSO login link so they are automatically logged into EchoVideo without needing to enter their email or select a tenant. The link takes the form:
https://login.{EchoVideo Region-specific URL}/auth0/{EchoVideo Institution ID}
You can find out how to retrieve the region and institution ID above. Note that the institution ID should be the EchoVideo tenant for which Auth0 is configured.