Single Sign-On
Last updated
Streamwell offers an Enterprise License option that enables Single Sign-On for advanced and higher-scale user management. Our first supported identity provider is Microsoft Entra ID (formerly Azure Active Directory), and we plan to add support for other providers soon.
If you are interested in support for a particular provider, let us know!
Before you begin, make sure you have activated an Enterprise License and HTTPS on your server.
Log in to Microsoft Entra ID and create an App Registration in your directory. Streamwell only uses the 'User.Read' permission, so no consent grants or special scopes are required. This also means Streamwell can be used entirely within the free tier of Microsoft Entra ID!
In most cases you'll want to use the default Single Tenant setting but you may choose another setting if appropriate for your organization.
Be sure to set your Web Redirect URI to your HTTPS-secured domain name followed by "/api/auth.php". For example, "https://mystreamwelldomain.com/api/auth.php".
Once the application has been created, take note of the Client ID and Tenant ID from the overview screen.
Under Certificates & Secrets, create a new Client Secret and take note of the value.
Finally, either create or designate groups for the three possible roles: Admins, Creators and Clients. Take note of the applicable group IDs (you can map multiple groups to a role). When users log into Streamwell, the groups they belong to determine which role they receive.
Under Administration -> Server -> Features, an 'Enable Single Sign-On' option will appear if you have an Enterprise License. With this option enabled, paste in the Client ID, Tenant ID, Client Secret and group IDs from the previous steps, then hit 'Confirm'. To map multiple groups to a role, separate the group IDs with commas, e.g. "myid-1,myid-2,my-id-3".
On the log-in screen, a new "Sign in with Microsoft" button will appear. You can now go through your regular SSO workflow and sign into Streamwell! 🎉
Enterprise Licenses let you customize the user ID either when creating or editing a user. This means you can map existing Streamwell users to SSO users just by updating their ID - or you can pre-provision accounts and permissions in Streamwell so the new users can just log in and go.
Click this button and Streamwell will automatically check all local SSO users against the remote directory to make sure they still exist. Any users that no longer exist in the remote directory will be removed from the local database.
Users with no matching AD group will automatically take a client role. If no channels have the "Allow all Clients" option enabled, the new user will have no channels available until access is granted by an admin.
Users in multiple groups will take the highest permission level available to them.
If a user is removed from a Creator or Admin group in AD, they will be demoted to the Client role on their next login.
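The group-to-role rules above (comma-separated group IDs per role, the highest matching role wins, no match falls back to Client, and a change of group membership takes effect on the next login) can be expressed as a small resolver. This is an added illustration, not Streamwell's own code; the group IDs and the mapping dictionary are constructed sample values.

```python
"""Resolve a Streamwell role from directory group membership (added example)."""
from typing import Iterable

# Lowest to highest privilege: a user in several groups takes the highest level.
ROLE_ORDER = ("client", "creator", "admin")

# Constructed sample of what an admin would paste under Features, one
# comma-separated list per role (these group IDs are placeholders).
SAMPLE_MAPPINGS = {
    "admin": "grp-admin-1",
    "creator": "grp-creators-a, grp-creators-b",
    "client": "grp-clients-1",
}


def parse_group_ids(setting: str) -> set[str]:
    """Split the comma-separated UI value, e.g. "myid-1,myid-2,my-id-3".

    Surrounding whitespace is ignored and empty entries are dropped so a
    trailing comma does not silently create an empty group ID.
    """
    return {gid.strip() for gid in setting.split(",") if gid.strip()}


def resolve_role(user_groups: Iterable[str], mappings: dict[str, str]) -> str:
    """Return the role for the group IDs the directory reports for a user.

    Falls back to "client" when none of the groups match (the documented default),
    and picks the highest role when the user is in groups mapped to several roles.
    """
    groups = set(user_groups)
    role = "client"
    for candidate in ROLE_ORDER:
        if groups & parse_group_ids(mappings.get(candidate, "")):
            role = candidate  # later entries in ROLE_ORDER outrank earlier ones
    return role


def describe_change(previous_role: str, user_groups: Iterable[str],
                    mappings: dict[str, str]) -> tuple[str, str]:
    """Re-evaluate a returning user at login and say how their role moved.

    Mirrors the documented behaviour that removal from a Creator or Admin group
    demotes the user on their next login rather than immediately.
    """
    new_role = resolve_role(user_groups, mappings)
    old_rank, new_rank = ROLE_ORDER.index(previous_role), ROLE_ORDER.index(new_role)
    status = "unchanged" if new_rank == old_rank else ("promoted" if new_rank > old_rank else "demoted")
    return new_role, status
```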
Groups in Streamwell do not relate to groups on AD. They are simply a means of grouping users together to allow/disallow access to channels en masse.
Don't forget to update your client secret before it expires!