SETUP GUIDE FOR USERS AND IT
Overview
This document describes the setup steps and considerations for enabling Single Sign-On (SSO) for CasparCloud.
SSO in CasparCloud is implemented via OAuth 2.0, enabling customers to use Microsoft Azure AD to authenticate end users. This technology relies on internal IT and Microsoft Azure to grant access to CasparCloud instances, thereby eliminating the need for additional passwords.
The feature has been implemented as an authentication-only method, meaning all the user privileges are still handled inside CasparCloud. Therefore it is important for the nominated Super Administrator to follow the appropriate steps when adding further users or modifying their access levels.
FURTHER CONSIDERATIONS AND IMPORTANT RESTRICTIONS
- Once SSO is enabled for a customer site, only SSO authentication can be used. Therefore all users MUST use the email address associated with that user on their Azure AD.
- On sites with SSO enabled, Trojan Consultants can’t reset user passwords or enforce password complexity requirements. Therefore it is the responsibility of the Customer’s IT department to ensure appropriate password policies are in place and to reset forgotten passwords.
- Once SSO is enabled for a customer site, switching back to the built-in 2FA requires deleting all users from the system. Therefore, switching back is NOT recommended.
- Users who wish to access CasparCloud MUST be added to CasparCloud as well. A user who exists only on Azure AD, or only on Caspar, will not be able to access the system.
SETUP INSTRUCTIONS AND PRE-REQUISITES
USER GUIDANCE (SUPER ADMIN)
- Prerequisite: Super Admin with an email account present on the desired Azure AD.
- Prerequisite: A list of additional users to be created. Users must be present on the same domain as the Super Administrator.
- On the day of the handover/change to SSO, the Super Admin will be prompted to attempt to log in to CasparCloud on their designated web address.

- After entering a valid email address, the user will be redirected to Microsoft for authentication and possibly prompted for their Azure AD/Office 365 password, depending on local policies and browser session.
- After successful user authentication the following screen will be presented and the user will be prompted to request authorisation from their IT.

- Once the request is sent to Local IT, please close the browser and return to CasparCloud after Local IT have approved the request.
- Once the request is approved the user will be able to authenticate with SSO.
IT GUIDANCE
- Once the user requests access for the first time, please navigate to Azure Enterprise Applications and click on the overview menu option on the left.

- New requests should be shown under the Admin consent request option. Depending on the settings of your organisation, the counter might show 0, as in the above image.
- Inside the Admin consent request the new request will show up under either My Pending or All. The name of the application will be different from the screenshot below:

- Click on the request and ensure the reply URL contains caspar.cloud, then select Review permission and consent.

- Follow the authorisation steps if prompted:

- Review the permissions asked by the application and hit Accept:

- Once the request is Accepted please notify the user, and confirm they can log on to CasparCloud using SSO.
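The reply URL check in the consent step can be made stricter than a substring match, because a lookalike address can also "contain" caspar.cloud. The following is an added example, not part of the original guide or of CasparCloud; it assumes the genuine reply URL is served over HTTPS from caspar.cloud or one of its subdomains, and all sample URLs and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the genuine reply URL is served over HTTPS from caspar.cloud
# or one of its subdomains (the guide only says it "contains caspar.cloud").
EXPECTED_DOMAIN = "caspar.cloud"


def reply_url_is_expected(reply_url: str, expected_domain: str = EXPECTED_DOMAIN) -> bool:
    """Return True only if the URL's host is expected_domain or a subdomain of it."""
    try:
        parts = urlsplit(reply_url.strip())
        host = parts.hostname  # excludes userinfo and port, lower-cased
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    host = host.rstrip(".")  # tolerate a fully qualified trailing dot
    return host == expected_domain or host.endswith("." + expected_domain)


def review_consent_request(reply_urls: list[str]) -> dict[str, bool]:
    """Check every reply URL listed on a consent request."""
    return {url: reply_url_is_expected(url) for url in reply_urls}


# Constructed sample values, not taken from a real tenant.
SAMPLES = [
    "https://customer1.caspar.cloud/signin-oidc",      # expected host
    "https://caspar.cloud.example.net/signin-oidc",    # name used as a prefix
    "https://example.net/callback?next=caspar.cloud",  # name only in the query
    "https://caspar.cloud@example.net/callback",       # name in the userinfo part
    "https://notcaspar.cloud/callback",                # different registered domain
    "http://customer1.caspar.cloud/signin-oidc",       # not HTTPS
]

if __name__ == "__main__":
    for url, ok in review_consent_request(SAMPLES).items():
        print(f"{'OK    ' if ok else 'REJECT'} {url}")
```

Only the first sample passes; each of the others would satisfy a plain "contains caspar.cloud" check while pointing somewhere else or using an unencrypted scheme.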
For further information on Enterprise Application and user management, please refer to the Application management documentation for Microsoft Entra on Microsoft Learn.