Synthesia

Step 1: Configure Your Identity Provider (IdP)

- Follow your IdP's instructions to create a SAML 2.0 single sign-on application.
- Refer to vendor-specific guides if needed:
 - <a href="https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso" rel="nofollow noopener noreferrer" target="_blank">Azure AD</a>
 - <a href="https://help.okta.com/oag/en-us/content/topics/access-gateway/add-app-saml-pass-thru-add-okta.htm" rel="nofollow noopener noreferrer" target="_blank">Okta</a>

1. Single Sign-On URL (Assertion Consumer Service URL):
 - <a href="https://studio.auth.synthesia.io/saml2/idpresponse" rel="nofollow noopener noreferrer" target="_blank">https://studio.auth.synthesia.io/saml2/idpresponse</a>
2. Audience URI (Entity ID): 
 - urn:amazon:cognito:sp:eu-west-1_7hEawdalF
3. Name Identifier:
 - Set the NameID field to the user's email address in lowercase. Ensure it matches the email claim.

- Include the following claims in your IdP configuration:
 - company
 - email 
 - It has to be in lower case. Use the function <code>ToLowercase</code>, often user altogether <code>ToLowercase( user.mail )</code>
 - It has to have NO namespace
 - It has to be named <code>email</code> . Other variations such as <code>emailaddress</code> or <code>email_address</code> are not valid.
 - family_name
 - given_name
 - picture (optional)

Ensure there is no namespace in the claims (For Azure AD: set the namespace to blank).

1. Create a SAML 2.0 Application:
 - Follow your IdP's instructions to create a SAML 2.0 single sign-on application.
 - Refer to vendor-specific guides if needed:
 - <a href="https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal-setup-sso" rel="nofollow noopener noreferrer" target="_blank">Azure AD</a>
 - <a href="https://help.okta.com/oag/en-us/content/topics/access-gateway/add-app-saml-pass-thru-add-okta.htm" rel="nofollow noopener noreferrer" target="_blank">Okta</a>
2. Set Required Synthesia-Specific Details:
 1. Single Sign-On URL (Assertion Consumer Service URL):
 - <a href="https://studio.auth.synthesia.io/saml2/idpresponse" rel="nofollow noopener noreferrer" target="_blank">https://studio.auth.synthesia.io/saml2/idpresponse</a>
 2. Audience URI (Entity ID): 
 - urn:amazon:cognito:sp:eu-west-1_7hEawdalF
 3. Name Identifier:
 - Set the NameID field to the user's email address in lowercase. Ensure it matches the email claim.
3. Add Required Claims:
 - Include the following claims in your IdP configuration:
 - company
 - email 
 - It has to be in lower case. Use the function <code>ToLowercase</code>, often user altogether <code>ToLowercase( user.mail )</code>
 - It has to have NO namespace
 - It has to be named <code>email</code> . Other variations such as <code>emailaddress</code> or <code>email_address</code> are not valid.
 - family_name
 - given_name
 - picture (optional) 
4. Ensure there is no namespace in the claims (For Azure AD: set the namespace to blank).

___________________________________________________________

Obtain Metadata URL. Your IdP will provide a Metadata URL after configuration.

Send the following details to Synthesia support:

1. Metadata URL
2. Identifiers (domains to associate with SAML SSO, e.g., 'example.com')

1. Obtain Metadata URL. Your IdP will provide a Metadata URL after configuration.
2. Send the following details to Synthesia support:
   1. Metadata URL
   2. Identifiers (domains to associate with SAML SSO, e.g., 'example.com')

Synthesia support will process the metadata file and enable a testing phase. During this phase:

1. Users can still log in with email and password.
2. SSO login is available for testing.

Test SSO Login by logging out of Synthesia.

Use the unique SSO URL provided by Synthesia support.

Log in via your IdP using your professional email address.

1. Synthesia support will process the metadata file and enable a testing phase. During this phase:
   1. Users can still log in with email and password.
   2. SSO login is available for testing.
2. Test SSO Login by logging out of Synthesia.
3. Use the unique SSO URL provided by Synthesia support.
4. Log in via your IdP using your professional email address.

Confirm that the SSO login works for all test users.

Contact Synthesia support to enforce SSO for your organization. Please provide:

- Validation that tests were successful.
- A list of domain names managed by your IdP (e.g., 'synthesia.io').

Once enforced, login via email and password will be disabled for all users within your organization.

1. Confirm that the SSO login works for all test users.
2. Contact Synthesia support to enforce SSO for your organization. Please provide:
   - Validation that tests were successful.
   - A list of domain names managed by your IdP (e.g., 'synthesia.io').
3. Once enforced, login via email and password will be disabled for all users within your organization.

For additional information see the<a href="https://docs.synthesia.io/docs/synthesia-sso-guide" rel="nofollow noopener noreferrer" target="_blank"> Synthesia SSO documentation</a> page.

- To see an example of setting up SSO configuration with Azure AD view the <a href="https://help.synthesia.io/en/articles/10295580-how-do-i-setup-azure-ad-for-sso-configuration-with-synthesia">How do I setup Azure AD for SSO Configuration with Synthesia?</a> article.
- For general SSO troubleshooting tips, refer to the <a href="https://help.synthesia.io/en/articles/9550636-why-is-my-sso-not-working">Why is my SSO not working?</a> guide or <a href="mailto:support@synthesia.io" rel="nofollow noopener noreferrer" target="_blank">contact Synthesia support</a> for assistance.

To configuring SSO for Synthesia:

Step 1: Configure Your Identity Provider (IdP)

Step 2: Share Metadata with Synthesia

Step 3: Testing Phase

Step 4: Enforce SSO

Notes: