This guide assumes you are using an Identity Provider that is compatible with SAML 2.0. Examples include PingIdentity, Microsoft ADFS, and Okta.
- To link your Single Sign-On (SSO) Identity Provider with Mediafly, send Mediafly your Identity Provider's metadata in standard XML format. This file will be different for each provider as each has its own entityID, public key, and Assertion Consumer Service (ACS) endpoints.
- Use the following service provider settings:
  - Service Provider ID: https://sso.mediafly.com/saml
  - Assertion URL: https://sso.mediafly.com/saml/idpinit/{companycode}
  Customer support can assist you in obtaining the company code for your organization if you do not have one.
- After provisioning is complete on the client and vendor side, you can test logging in to the Mediafly SSO Testing Environment. The test environment URL and user accounts will be provisioned by Mediafly at this step.
- Upon a successful test and client approval, Mediafly will adjust the configuration to point to SSO for the production client environment.
Example of a valid XML metadata file: https://sso.mediafly.com/saml_sp_metadata.xml
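Before sending your Identity Provider's metadata in the first step, it helps to confirm the file actually carries the pieces a service provider needs. The following is an added example, not Mediafly's code: a pre-flight check using only the Python standard library, with a constructed sample for a hypothetical IdP at idp.example.com. The function name and the specific checks are assumptions chosen for illustration.

```python
import base64
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
# Constructed sample (hypothetical IdP; certificate body is placeholder base64).
SAMPLE = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <X509Data><X509Certificate>TUlJQ29uc3RydWN0ZWQ=</X509Certificate></X509Data>
  </KeyInfo></KeyDescriptor>
  <SingleSignOnService Location="https://idp.example.com/sso"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
 </IDPSSODescriptor></EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return a list of problems in SAML 2.0 IdP metadata (empty list = OK)."""
    problems = []
    if "PRIVATE KEY" in xml_text:  # PEM private key pasted in by mistake
        problems.append("contains private key material")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    # iter() covers a bare EntityDescriptor and an EntitiesDescriptor wrapper.
    idps = [e for e in root.iter(MD + "EntityDescriptor")
            if e.find(MD + "IDPSSODescriptor") is not None]
    if not idps:
        return problems + ["no IDPSSODescriptor found"]
    for entity in idps:
        idp = entity.find(MD + "IDPSSODescriptor")
        if not entity.get("entityID"):
            problems.append("missing entityID")
        certs = [c for kd in idp.findall(MD + "KeyDescriptor")
                 if kd.get("use", "signing") == "signing"  # no 'use' = both
                 for c in kd.iter(DS + "X509Certificate")]
        if not certs:
            problems.append("no signing certificate")
        for cert in certs:  # checks base64 only, not X.509 validity or expiry
            try:
                if not base64.b64decode("".join((cert.text or "").split()), validate=True):
                    raise ValueError("empty certificate")
            except ValueError:
                problems.append("signing certificate is not valid base64")
        locs = [ep.get("Location", "") for ep in idp.findall(MD + "SingleSignOnService")]
        if not locs or not all(loc.startswith("https://") for loc in locs):
            problems.append(f"SingleSignOnService endpoints missing or not HTTPS: {locs}")
    return problems
```

Run `check_idp_metadata` on the contents of your exported metadata file; an empty list means the structural checks passed, not that the certificate itself is valid or unexpired.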
FAQ
- What happens when we enable logging in via SSO? Users already logged in will remain logged in with no impact. Only first-time or returning users logging in will see the SSO portal instead of the previous Mediafly username/password input.
- What if not all of my users utilize SSO and I still need Mediafly username/password functionality? No worries. By utilizing Mediafly's hybrid login page, users can select either path to log in. The hybrid login UI allows users to pick SSO or Mediafly username/password. The hybrid login page is partially customizable and includes your branding.
- Do users need to be created in Mediafly's account management (Airship) before they can use SSO? Depends on your requirements. You can choose the option where the users must exist inside Mediafly before they are allowed to use the app. We match the users via an email address. (If an email address is not an option, we can configure the match to use any other field that you can provide to us during the configuration phase.) Or you can choose to auto-create users that get successfully authenticated via SSO. In that case, we can work with you to configure a default group they should be assigned to and any other details that need to be set up by default.
- If a user is deprovisioned in the identity provider, how is Mediafly notified about this deactivation? Simply contact your CSM to let them know about these changes.
- If you would like to use Mediafly's Accounts as an Identity Provider, please contact your CSM/support and we will provide you with the IdP URL and work with you to get the configuration completed.