FAQ
How is access managed with SSO?
All access is managed from within Reduct as usual. Users must be invited to a project or workspace to access any content, and signing in with SSO does not grant any access by itself.
Does Reduct support just-in-time provisioning?
No, users must sign up or be invited from within Reduct to use the platform. SSO is only used for authentication, and does not grant access to the content in a workspace.
Can there be a mix of SSO and non-SSO accounts?
SSO is configured by domain, and enforced for all users with an email address at that domain. You can invite others (such as partners or contractors) with a different email domain, and they won’t be subject to SSO.
What SAML attributes does Reduct support?
Reduct currently uses only the NameID (email), but you’re encouraged to provide a full name, short (first) name, and profile image URL. There’s no spec for these attributes yet, but they may be used in the future.
Can I limit access to a specific domain?
A workspace may optionally be associated with a domain, which can be used to restrict who can access or join a project, or who can view a published reel.
Does Reduct SSO support SCIM?
Since organizations manage potentially-sensitive data in Reduct, we maintain our
own permissioning system at the project level. You can support “birthright-style” access to Reduct by configuring a starter project as sharable within your
organization: once a user visits that link and authenticates over SSO, they will be
given a Reduct account with commenter-level permissions to that project. Any
editor in your organization can increase their access to specific projects from there.
What happens if I can’t log in?
You can contact support@reduct.video for any problems with your login or SSO configuration.
SSO Configuration
The steps are as follows:
Your IT Department adds the application to your Identity Provider, using the details below.
Your IT Department provides us with an Identity Provider configuration. This is
an IdP Metadata XML file. It should be emailed to support@reduct.video.
Reduct will add the configuration and provide a testing URL.
Your IT Department tests SSO and confirms that all users have access.
If successful, Reduct turns on SSO enforcement for your domain.
Configuration details
Configure your Identity Provider using Reduct’s Service Provider configuration XML, located here: https://app.reduct.video/saml/metadata
Or manually, as follows:
Recipient/SSO URL: https://app.reduct.video/saml?acs
Audience: https://app.reduct.video/saml/metadata
NameID format: email
It’s best if your IdP is configured to allow all users to access the app. Users must be added from within Reduct to have access to content and use paid seats. Once they’re invited, though, your IdP should allow them access.
OneLogin example