Skip to main content
All CollectionsAdmin Questions
SAML based SSO & Reduct
SAML based SSO & Reduct

Reduct supports SSO via SAML 2.0 as a Service Provider. It works with any compatible Identity Provider, such as Okta, OneLogin, Azure, etc.

Updated this week

FAQ

How is access managed with SSO?

All access is managed from within Reduct as usual. Users must be invited to a project or workspace to access any content, and signing in with SSO does not grant any access by itself.

Does Reduct support just-in-time provisioning?

No, users must sign up or be invited from within Reduct to use the platform. SSO is only used for authentication, and does not grant access to the content in a workspace.

Can there be a mix of SSO and non-SSO accounts?

SSO is configured by domain, and enforced for all users with an email address at that domain. You can invite others (such as partners or contractors) with a different email domain, and they won’t be subject to SSO.

What SAML attributes does Reduct support?

Reduct currently uses only the NameID (email), but you’re encouraged to provide a full name, short (first) name, and profile image URL. There’s no spec for these attributes yet, but they may be used in the future.

Can I limit access to a specific domain?

A workspace may optionally be associated with a domain, which can be used to restrict who can access or join a project, or who can view a published reel.

Does Reduct SSO support SCIM?

Since organizations manage potentially-sensitive data in Reduct, we maintain our

own permissioning system at the project level. You can support “birthright-style” access to Reduct by configuring a starter project as sharable within your

organization: once a user visits that link and authenticates over SSO, they will be

given a Reduct account with commenter-level permissions to that project. Any

editor in your organization can increase their access to specific projects from there.


What happens if I can’t log in?

You can contact support@reduct.video for any problems with your login or SSO configuration.

SSO Configuration

The steps are as follows:

  1. Your IT Department adds the application to your Identity Provider, using the details below.

  2. Your IT Department provides us with an Identity Provider configuration. This is

    an IdP Metadata XML file. It should be emailed to support@reduct.video.

  3. Reduct will add the configuration and provide a testing URL.

  4. Your IT Department tests SSO and confirms that all users have access.

  5. If successful, Reduct turns on SSO enforcement for your domain.

Configuration details

Configure your Identity Provider using Reduct’s Service Provider configuration XML, located here: https://app.reduct.video/saml/metadata

Or manually, as follows:

It’s best if your IdP is configured to allow all users to access the app. Users must be added from within Reduct to have access to content and use paid seats. Once they’re invited, though, your IdP should allow them access.

OneLogin example

Okta example

Did this answer your question?