Single Sign-On with Vimeo OTT using OIDC (General Instructions)

OTT sellers using this integration must agree to provide them with viewer support. Information on how support works can be found in this guide.

You can manage user logins outside of Vimeo OTT by configuring third-party authentication services (single sign-on / SSO) for your OTT site. When you have SSO enabled, all Customers will be redirected to the third-party identity provider to authenticate their accounts before they can watch content. If your site contains multiple destinations, SSO will allow your Customers to use the same login across them all. 

The following instructions provide a step-by-step walkthrough on how to configure your Identity Provider and your OTT Site to leverage SSO authentication using the OpenID Connect (OIDC) protocol.

If you are unfamiliar with Single Sign-On, please read our introductory article first.

In this article

• Configuring your Identity Provider with OIDC
• Configuring Vimeo OTT with OIDC
• Customer Migrations

Configuring your Identity Provider with OIDC

Before you begin:

There are many different Identity Providers available. As long as your IdP is capable of providing authentication through an OIDC interface (most are), the following instructions will help to guide you through the connection process.

To begin, make sure you have an account already registered with your Identity Provider. Vimeo OTT can not troubleshoot your account nor provide technical support on populating your Identity Provider with user information.

You may also want to refer to our specific onboarding instructions if you use the following services:

• Okta

The following is a broad overview of the steps to configure your IdP. Note that your Identity Provider may have a very specific interface for setting this up. 

1. Create a new Application.
   
   
2. Choose OpenID Connect as the primary type for your connection.
   
   
3. In the new application settings, make sure to select Authorization Code as the grant type.
   
   
4. Set Sign-in redirect URIs to include https://[YOUR VIMEO OTT SUBDOMAIN].vhx.tv/oauth/callback

Configuring Vimeo OTT with OIDC

To configure your Vimeo OTT site for Single Sign-On you will use the information provided from your Site Settings under Single Sign-On in the left rail. If you do not already have this page open, do so to begin.

Note: When an Identity Provider is enabled, all authentication for your OTT Site will be sent to your IdP. This means if you have any existing Customers on OTT before enabling the integration that is not also in your IdP, they will need to be migrated. Vimeo OTT can not provide support for this migration but we do provide tools for exporting Customers to CSV.

1. Under “Support Email” provide an email address where Customers can contact your Support team to help troubleshoot signing in. As Vimeo OTT is no longer the source of truth for authentication, your team must provide this information.
2. Under “Remote Settings Page URL” provide a URL to the page where your Customers can manage their settings. As Vimeo OTT is no longer the source of truth for authentication, this will be handled on your service.
3. In the Entitlements section, you can select if you will be using OTT to collect customer payments OR if you are using your own third-party payment system.
   1. If you are using OTT to collect customer payments, you will need to provide a URL where customers can go to create an account in your IDP. Customers will not be able to purchase OTT products until they have created an account and are logged in (to ensure that users don’t exist in OTT and not in the IDP, which is the source of truth for access)
   2. If you are using a third-party payment system, you will need to provide a URL where customers can go to purchase your products. You will need to make sure that this process similarly creates customers in your IDP.
4. (Optional) Under “Default Products”, choose from your list of Active products that you wish to grant Entitlements to Customers who first authenticate successfully. If your integration with Vimeo OTT requires more granular Entitlements than a default product, please leverage the OTT API to add Products to your Customers.
5. In the Identity Protocol Settings section, select Open ID Connect from the dropdown menu.
6. In your IDP, you will need to find both your Token URL and Authorize URL.
7. In your IDP, you will also need to locate your Client ID and Client Secret (potentially under a Credentials header)
8. Provide “Login button text” - this is generally a generic message along the lines of “Sign In with [Your Site.]”
9. Save your data

When you are ready, choose Enable SSO and save again. As soon as this option is selected and saved, your Customers will start to be redirected to your Identity Provider.

Customer Migrations

Before you enable Single Sign-On, please ensure that all of your Customers exist within your IdP beforehand. If you are enabling SSO for your Site and have not migrated your Customers to your IdP they will suffer service interruption. 

Use the Customers export tool in your OTT CMS to retrieve the latest list of your Customers.