How do I restrict a video using single sign-on?

Set your video’s privacy as authenticated. Doing that means the landing page or embed code will only show the video in our player if a valid cookie or JSON Web Token (JWT) is sent in the request for it. Those are the ways we authenticate a viewer.

A JWT is not applicable when using single sign-on: we need to use a cookie.

Note: We use cookies that are secure, signed, http-only and whose value is encrypted.

So: how is the cookie set?

Because of the way browsers work, the cookie must be set by our domain, by a page we control. Your identity provider cannot set it directly, as it can't set cookies for our domain. Similarly, we can't read a cookie set by your identity provider (such as Okta or Centrify) for the same reason. Therefore there needs to be a way for us to set that cookie. We do that in one of two ways when using single sign-on:

Identity provider initiated sign in

Some identity providers may have our vidbeo CMS set up as an application, in which case clicking on it triggers an HTTP request to our SSO URL. Upon receiving that, we redirect the viewer via our sign-in page, which in turn sets the cookie mentioned above. When that person then tries to watch one of your private videos, they will be able to, since the cookie sent by their browser in that request proves they are authenticated.

Service provider initiated sign in

This approach is more common. The authentication is initiated at our end. To let a viewer authenticated using single sign-on watch a private video, if you are using a custom player (see More > Players in the dashboard), you can set your player to prompt the viewer to authenticate using single sign-on when a private video is viewed. Once you have done so, when that private video is requested we show the normal message explaining that it cannot be watched without authentication, and we add a button for the viewer to click in order to authenticate themselves.

When they click that, we initiate a single sign-on request (using SAML2) to your identity provider (if you have multiple ones, the viewer will be asked to pick one of them). Assuming the viewer is successfully signed in using your identity provider (either then, or having previously done so), the request in turn sets the cookie that lets us show them your videos that are set as private.

We will attempt to return them to the same page having done that; however, some browsers do not make the page's URL available, so this may not be possible. If not, the viewer simply has to visit the page your private video is shown on themselves. This time, since the cookie is set, the private video will load (as the player sees the viewer is now authenticated).
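The browser rule that requires the cookie to be set from our own domain can be seen in this added example, which is not our product code: a simplified version of the RFC 6265 storage and sending checks. The hostnames are constructed placeholders, and public-suffix checks are omitted.

```javascript
// Added example: simplified RFC 6265 cookie scoping (public-suffix checks omitted).
// Hostnames below are constructed placeholders, not the service's real domains.

const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");

// RFC 6265 section 5.1.3: does `host` domain-match `domain`?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return !isIp(host) && host.endsWith("." + domain);
}

// Storage rule (section 5.3): the responding host decides whether a Set-Cookie
// is kept. Returns the stored cookie, or null if the browser drops it.
function storeCookie(responseHost, { name, domainAttr = "" }) {
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  if (domain === "") {
    // No Domain attribute: host-only cookie for the exact responding host.
    return { name, domain: responseHost.toLowerCase(), hostOnly: true };
  }
  if (!domainMatch(responseHost, domain)) return null; // foreign domain: ignored
  return { name, domain, hostOnly: false };
}

// Sending rule (section 5.4): is a stored cookie attached to a request to `host`?
function isSentTo(cookie, host) {
  if (cookie === null) return false;
  return cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatch(host, cookie.domain);
}

const VIDEO_HOST = "player.video-host.example"; // stands in for the video service
const IDP_HOST = "login.idp.example";           // stands in for the identity provider

// 1. The identity provider tries to set the viewer cookie for the video domain.
const fromIdp = storeCookie(IDP_HOST, { name: "viewer", domainAttr: "video-host.example" });
// 2. The identity provider's own session cookie.
const idpSession = storeCookie(IDP_HOST, { name: "idp_session" });
// 3. The video service's sign-in page sets the cookie itself.
const fromVideo = storeCookie(VIDEO_HOST, { name: "viewer" });

console.log("IdP-set cookie for video domain stored:", fromIdp !== null);
console.log("IdP session cookie sent to video host:", isSentTo(idpSession, VIDEO_HOST));
console.log("Video-set cookie sent to video host:", isSentTo(fromVideo, VIDEO_HOST));
```

Only the third case yields a cookie that reaches the video host, which is why both sign-in flows pass through a page on our domain.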

Updated: September 25, 2023