How to Configure SSO

Learn more about how to configure SSO

Updated over a week ago

Below is a guide on how to configure SSO for Synthesia. This is a self-serve option, and the guide will take you through the process.


Configure the Identity Provider

Start by following your identity provider’s instructions for creating a SAML 2.0 single sign-on application. For example, here are links to vendor-specific instructions:

You will be asked to provide a number of details. In general, the defaults should be used except in the following cases.

Single Sign On URL

  • This is sometimes referred to as the Assertion Consumer Service URL or Reply URL. Please provide the following value:

<https://studio.auth.synthesia.io/saml2/idpresponse>

Audience URI

  • This is sometimes referred to as the Entity ID. Please provide the following value:

urn:amazon:cognito:sp:eu-west-1_7hEawdalF

Name Identifier

We require that you specify the NameID field to be the email address of the user account being used to log in, and it should match exactly the email claim specified below.

Claims

We ask that you include the following claims:

  • company

  • email (Please ensure that this matches the NameID field described above.)

  • family_name

  • given_name

  • picture (optional and does not need to be used)

The email claim is used to match a SAML identity with an existing Synthesia account should one exist. This allows SAML SSO to be adopted without any loss of content. You must ensure the claim names are entered exactly as written.

Once configured, your identity provider will make available a Metadata URL. This URL provides everything we need to verify and trust assertions from your identity provider.

💡 TOP TIP 💡

The claim names should not have any namespace and should not be in URI format.
For Azure AD configuration, this usually means setting the namespace to be blank.

In the event that we are unable to verify your assertions, we will ask you to send an example of one so that we can validate that the integration has been configured correctly.
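
A pre-check for the requirements in this section, added here as an example and not Synthesia's own tooling: it inspects a decoded SAML assertion for the Audience URI, the required claim names and the NameID/email match. The sample assertions, the function names and the example.com values are constructed for illustration, and the script does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUDIENCE = "urn:amazon:cognito:sp:eu-west-1_7hEawdalF"  # Audience URI from this page
REQUIRED = ("company", "email", "family_name", "given_name")  # picture is optional

def check_assertion(xml_text):
    """List configuration problems in an assertion from your own IdP (no signature check)."""
    root = ET.fromstring(xml_text)
    problems = []
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name", "")] = (value.text or "") if value is not None else ""
    for name in attrs:
        if "/" in name or ":" in name:  # namespace prefix or URI-style claim name
            problems.append(f"claim name has a namespace or URI format: {name}")
    for name in REQUIRED:
        if name not in attrs:
            problems.append(f"missing claim: {name}")
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    if "email" in attrs and name_id != attrs["email"]:  # must match exactly
        problems.append(f"NameID {name_id!r} does not exactly match email {attrs['email']!r}")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("Audience URI does not match the value on this page")
    return problems

def sample(name_id, claims):
    """Build a constructed, unsigned assertion for the demonstration."""
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in claims.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f"<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>"
            f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{AUDIENCE}"
            "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
            f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>")

# Constructed samples: GOOD follows this page; BAD has a namespaced claim name
# and a NameID that differs from the email claim in letter case.
GOOD = sample("jane@example.com", {"company": "Example", "email": "jane@example.com",
                                   "family_name": "Doe", "given_name": "Jane"})
BAD = sample("Jane@Example.com", {
    "company": "Example", "email": "jane@example.com", "family_name": "Doe",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/given_name": "Jane"})

print(check_assertion(GOOD) or "OK", check_assertion(BAD), sep="\n")
```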


Specify a Domain

We require that you specify at least one domain that you wish to be associated with SAML SSO.

For any domain that you specify, we require you to add a TXT record to its DNS configuration in order to verify that you are authorized to use it.

Suppose that you specify the example.com domain. You must add a TXT record with the value synthesia to the subdomain below:

d9895a85-87c3-4c89-a47f-f62da6172abf.exampledomain.com

Every domain registrar and DNS provider will have a form somewhere with three or four fields:

  • hostname

  • record type

  • record value

  • ttl (this is usually an optional field)

In most cases, it will look something like this:


Contact Synthesia

Once your identity provider has been configured and you’ve updated the DNS settings of the domains you wish to be associated with, please provide Synthesia with the following details.

Metadata URL

  • This will be made available by your identity provider once Synthesia has been configured as an application.

Identifiers

  • These are the domain(s) that you wish to be associated with SAML SSO (for example, example.com). For these domains, all other methods of login will be disabled.
