Overview
Echo360 is transitioning the EchoVideo Single Sign-On (SSO) capability from PingOne to Auth0 by Okta to simplify and streamline the SSO onboarding and configuration process for customers. This change also serves as a precursor to future releases, including unified login. The Auth0 implementation employs a self-service model that allows customers to initiate, configure, and manage the SSO connection within the EchoVideo solution (and the institution's IdP) without requiring the use of PingOne or requiring assistance from Echo360 technical support.
Institutions may be used to an exchange of metadata to establish a new SSO connection. Under the self-service model, this exchange still occurs but is automated as part of the self-service process. If your institution requires a downloadable metadata file for your records, this guide will show you how to create one.
Note that the metadata file cannot be obtained until the self-service SSO wizard in EchoVideo is completed.
This document provides details on:
- Navigating the Auth0 self-service setup wizard
- Entra ID - App Registration and setup
- Auth0 Self-Service Wizard – Configure Connection
- Auth0 Self-Service Wizard & Entra ID – Claims Mapping
- Entra ID – Assign Access
- Auth0 Self-Service Wizard – Testing Connection
- Auth0 SSO connection metadata
Backup Plan
Initiating the Auth0 SSO configuration will result in the existing PingOne details in EchoVideo being erased. Before commencing the Auth0 self-service wizard, it is important that you retain a copy of the PingOne Identity Provider ID.
To obtain the PingOne Identity Provider ID:
- Log in to EchoVideo as an Administrator.
- Click the Settings icon (represented by a gear), then navigate to Institution Settings > Integrations > PingOne, and copy the Identity Provider ID. This will be required for any backup plan actioned.
If a return to PingOne is required at any time during configuration or at completion of the Auth0 self-service SSO:
- In EchoVideo, delete the Auth0 Connection ID located at the Settings icon > Institution Settings > Integrations > Auth0.
- In EchoVideo, add the PingOne Identity Provider ID (that you previously recorded) at the Settings icon > Institution Settings > Integrations > PingOne.
- This will reinstate your previous SSO setup using PingOne.
The PingOne screen is shown for reference in the figure below.
Navigating to the Auth0 Self-Service Setup Wizard
Use the following documentation to navigate to and commence the Auth0 self-service setup wizard:
Configuring Auth0 Authentication
Entra ID - App Registration and Setup
The information below provides a step-by-step guide to the self-service wizard in EchoVideo.
When setting up your new App Registration for Entra ID, there are three key pieces of information to collect that will be required in Auth0:
- Application Client ID
- Client Secret Value
- Microsoft Entra ID domain
In a separate tab, access your Azure Portal and go to the relevant Entra ID for App Registration.
Create an Application
To connect your Entra ID tenant as an identity provider, you must create an OIDC application.
- Navigate to App Registration.
- Click New Registration.
- Enter a name for the application.
- Under Supported account types, choose Accounts in this organization directory only (Default Directory only - Single tenant).
- Click Register.
- Copy your Application (client) ID. You will use it in the next step to configure your connection.
- Under Redirect URIs, select Add a Redirect URI.
- Under Platform Configurations, select Add a platform and choose Web as the platform.
- Select Configure.
- Add the Callback URL in the Redirect URIs field.
Note: The callback URL for EchoVideo is available in step 2 of the Auth0 self-service wizard: Configure connection as shown in the figure below for reference.
- Select Certificates & secrets in the left-hand navigation, and then click + New client secret.
- Enter a Description and set the expiration.
- Click Add.
- Copy the Client secrets Value.
Note: Ensure you copy the Client Secrets Value and not the Secret ID.
Now that your App Registration is set up, return to the Auth0 Self-Service Wizard in your other browser tab.
Auth0 Self-Service Wizard – Configure Connection
Using the three key pieces of information from the App Registration (Application Client ID, Client Secret Value, and Microsoft Entra ID Domain), complete the details and click Create Connection.
Auth0 Self-Service Wizard & Entra ID – Claims Mapping
If your institution uses the userPrincipalName (UPN) instead of the email address as the primary claim, you will need to take additional steps to send the UPN as the echo_identity claim to ensure your users' identities are authenticated correctly.
For further instructions, please use the following link: Configuring Entra SSO to Use UPN Instead of Email
Auth0 Self-Service
The Auth0 Self-Service Wizard will provide you with the Required and Optional Claims for the attributes from your institution’s identity provider.
Entra ID
The Azure blade Token configuration for your Entra ID App Registration will allow you to set up claims.
Entra ID – Assign Access
It is important to be aware of the groups within your Azure Entra ID tenant that will require SSO login to your EchoVideo tenant.
The Auth0 self-service wizard will step you through this process.
- Navigate to Users and groups in the left-hand navigation within the application you just created in Entra ID.
- Select Add user / group.
- Under Users, select None selected.
- Select the users you want to assign access to this application.
- Click Select.
- Select Assign.
Auth0 Self-Service Wizard – Testing Connection
Once the App Registration is set up, the Auth0 connection is configured, the claims are mapped, and the access is assigned, the final step is to test the SSO connection. This will ensure that it is working correctly and authenticating users appropriately.
If the Test Connection is successful, then you will see the following screen in a new tab.
When you return to the Auth0 Self-Service setup wizard, you will see the following updated screen.
Make a copy of the information and attributes passed. The value of the connection field is required to obtain a copy of the metadata from the Auth0 SSO connection if desired (optional).
Finally, click Enable Connection to activate the Auth0 SSO connection, making it live and allowing users to log in using SSO.
Possible Error:
If an error, such as Failed to obtain access token, occurs in the Auth0 wizard, then check that you have copied the Client Secrets Value and not the ID.
Should you receive an error, you may have to enact your backup plan and seek assistance at support@echo360.com with copies of the error message.
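The check below is an added example, not part of Echo360's or Auth0's documentation. It validates the values collected from the App Registration before they are pasted into the wizard, including the Secret ID mix-up described above. The function name `preflight` and all sample values in the test are constructed for illustration.

```python
import re

# Entra application (client) IDs and Secret IDs are both GUIDs; a secret Value is not.
GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
# A bare DNS name such as a tenant domain: no scheme, no path.
DOMAIN = re.compile(
    r"^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)


def preflight(client_id, client_secret, entra_domain, callback_url):
    """Return a list of problems found in the values collected for the wizard."""
    problems = []
    values = {
        "Application Client ID": client_id,
        "Client Secret Value": client_secret,
        "Microsoft Entra ID domain": entra_domain,
        "Callback URL": callback_url,
    }
    for name, value in values.items():
        if value != value.strip():
            problems.append(f"{name}: leading/trailing whitespace from copy-paste")
    client_id, client_secret = client_id.strip(), client_secret.strip()
    entra_domain, callback_url = entra_domain.strip(), callback_url.strip()

    if not GUID.match(client_id):
        problems.append("Application Client ID: not a GUID")
    if GUID.match(client_secret):
        problems.append("Client Secret Value: GUID-shaped, this looks like the Secret ID")
    elif not client_secret:
        problems.append("Client Secret Value: empty")
    if not DOMAIN.match(entra_domain):
        problems.append("Microsoft Entra ID domain: not a bare DNS name")
    if not callback_url.startswith("https://"):
        problems.append("Callback URL: must use https")
    return problems
```

Run it locally and do not log the secret; the function only returns descriptions of what is wrong, never the values themselves.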
Auth0 SSO Connection Metadata - SAML
Using the value of the connection field from the attributes shown under Test Successful on the final screen of the step above (Auth0 Self-Service Wizard – Testing Connection), you can modify the URL below to obtain the metadata:
Specifically, replace {connection} in the URL with the value for the connection from the previous step. This URL will provide you with the SAML XML metadata for you to review.
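One way to review a saved copy of the metadata file, as an added example that is not part of Echo360's or Auth0's documentation: the script lists the entity ID, the published endpoints and a SHA-256 fingerprint of each certificate, and flags non-HTTPS endpoints. The sample XML (entity ID, host name, certificate bytes) is constructed, and the function name `review_metadata` is hypothetical; it handles both SP and IdP role descriptors because the page does not say which the file contains.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: entity ID, host and certificate bytes are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="urn:auth0:example-tenant:example-connection">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Y29uc3RydWN0ZWQtcGxhY2Vob2xkZXI=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.invalid/login/callback"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def review_metadata(xml_text):
    """Return (summary, findings) for one SAML EntityDescriptor document."""
    # Metadata never needs a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in metadata")
    root = ET.fromstring(xml_text)
    summary = {"entity_id": root.get("entityID"), "endpoints": [], "certs": []}
    findings = []
    roles = root.findall("md:SPSSODescriptor", NS) + root.findall("md:IDPSSODescriptor", NS)
    for role in roles:
        for child in role:  # endpoint elements are the ones carrying Location
            location = child.get("Location")
            if location is None:
                continue
            kind = child.tag.split("}")[-1]
            summary["endpoints"].append((kind, child.get("Binding"), location))
            if not location.startswith("https://"):
                findings.append(f"{kind} is not HTTPS: {location}")
        for key in role.findall("md:KeyDescriptor", NS):
            for cert in key.findall(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                summary["certs"].append((key.get("use", "any"), hashlib.sha256(der).hexdigest()))
    if not summary["endpoints"]:
        findings.append("no service endpoints published")
    if not summary["certs"]:
        findings.append("no X509Certificate published")
    return summary, findings
```

Record the fingerprints alongside the metadata file so that a later re-download can be compared against them.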