Single Sign-On (SSO) with Cameyo

Cameyo uses the OpenID Connect (OIDC) standard when users sign in through a third-party cloud Single Sign-On (SSO) identity provider.

To sign into Cameyo using SSO:

  1. On the Cameyo Admin console, select Admin > Company Settings.
  2. Under Authentication, select your SSO from the SSO provider list.

    Not all SSO provider options will display if a Subdomain and Identity domain are not set for the account.

    Only the Identity domain of the main admin's email domain can be claimed by the customer. Subdomains need to be added separately.

    Any other identity domain needs to be requested to be added through Cameyo support.

  3. At the bottom, click Save.

Cameyo and different SSO providers

This list includes additional information about integrating Cameyo with different third-party SSO providers. Note that Cameyo uses the OpenID Connect (OIDC) standard when users sign in through a third-party cloud SSO identity provider.

Open all  |  Close all

SSO integration (Microsoft)

There are two ways to connect Cameyo to Microsoft SSO:

  • (Basic) Generic—quick and easy
  • (Advanced) Custom—allows more options

Integration prerequisites

You need to have the following:

  • Identity domain—This looks like company.cameyo.com
  • Subdomain—This looks like company.com

Note: To find your Subdomain and Identity domain, go to Admin > Company Settings > Authentication. If you don't have these ready, you should claim them first or contact Cameyo support to have them set up for you.

(Basic) Generic Microsoft SSO integration

The Generic method displays the Sign in with Microsoft page, which is not specific to your company yet allows connecting to it without much configuration.

To integrate Cameyo with Microsoft SSO:

  1. On the Cameyo Admin console, go to Admin > Company Settings > Authentication.
  2. Select Microsoft from the SSO provider list.
  3. At the bottom, click Save.

(Advanced) Custom Microsoft SSO integration

This mode of SSO connection is more advanced, and allows for a custom SSO dialog and rules for users reaching your Cameyo subdomain. It consists of adding a Microsoft Entra ID app and connecting Cameyo to it.

Create a Microsoft Entra ID App

Unless you already have a Microsoft Entra ID app, you need to create one to connect to Cameyo.

  1. In your Microsoft Azure portal, go to your Entra ID and click App Registrations.
  2. Click New registration to create a new app.
  3. Name the app and select the relevant account type (for example, Accounts in this organizational directory only).
  4. Under Redirect URI, add https://online.cameyo.com/oidc.
    Always use online.cameyo.com and never use your company subdomain.
  5. Click Register.

    Important: Take a note of your Application (client ID) and Directory (tenant ID) to use later. This won’t display again.

  6. Click Certificates & Secrets > New client secret.

    Important: Take a note of the new Client Secret to use later. This won’t display again.

Connect to Cameyo

Ensure you have your Directory (tenant) ID, Application (client) ID, and Client Secret ready for use.

  1. On the Cameyo Admin console, go to Admin > Company Settings > Authentication.
  2. Select Custom from the SSO provider list.
  3. For Issuer URL, enter your Directory (tenant) ID: https://login.microsoftonline.com/[directory (tenant) id]/v2.0

    For example, if your Directory (tenant) ID is 12345678-90ab-cdef-1234-567890abcdef, you should enter:  https://login.microsoftonline.com/12345678-90ab-cdef-1234-567890abcdef/v2.0

  4. For Client ID, enter your Azure Application (client) ID.
  5. For Client Secret, enter your app Client Secret.
  6. At the bottom, click Save.

You can check the result by navigating to your company subdomain (company.cameyo.com).

Configure group claims for Microsoft Entra SSO

To use Microsoft Entra ID groups in Cameyo, you have to configure group claims in your Microsoft Entra ID SSO app.

Note: Microsoft Entra ID only supports sAMAccountNames when connected to an on-premise active directory (AD) using Entry Connect. If using solely an Entra ID directory, only the group IDs are delivered.

  1. Sign in to your Microsoft Azure portal.
  2. Open your Entry ID.
  3. Go to App registrations.
  4. Click your [Cameyo SSO] app. The name of the app depends on what you called it when you created it, see Create a Microsoft Entra ID App.
  5. Go to Token configuration.
  6. Under Optional claims, click +Add groups claim.
  7. On the right panel, check boxes for all group types to include in Access, ID, and SAML tokens.
  8. Customize properties tokens by type. Select sAMAccountName for Access, ID, and SAML.
  9. Click Add.

To synchronize groups with Cameyo, enter groups in SSO claim for groups on the company page.

  1. Sign in to your Cameyo Admin console.
  2. Go to Admin > Company Settings.
  3. Under Authentication, set the SSO claim for groups to groups.
  4. Click Save.

Note: Only groups of users that sign in to Cameyo are synchronized. You need to wait a few minutes until the groups are visible.

Configure user or group restrictions for Microsoft SSO

To allow Cameyo access for certain users or groups only, you configure restricted access on your Microsoft Azure portal. 

  1. Sign in to your Microsoft Azure portal.
  2. Open your Microsoft Entra ID.
  3. Go to Enterprise applications.
  4. Click your [Cameyo SSO] app. The name of the app depends on what you called it when you created it, see Create a Microsoft Entra ID App.
  5. Go to Properties.
  6. Set User assignment required? to Yes.
  7. Go to Users and groups.
  8. Click +Add user/group and select the users and groups you want from the list.
  9. Click Assign.

Notes

  • Only users and groups assigned to the Cameyo SSO app can sign in to Cameyo. Users who haven’t been assigned to the Cameyo SSO app will receive an error message informing them that the role hasn’t been assigned to them.
  • Changes to users and groups on your Microsoft Azure portal can take up to 15 minutes to update.
SSO integration (PingID)

Prerequisites

  • A cloud SSO provider supporting OpenID Connect.
  • A subdomain and identity domain configured for your Cameyo account.

Integration steps

  1. Go to your identity provider's console and add an Application.
  2. If asked for an application type, Web App is usually the right choice.
  3. When asked for a redirect URL, enter: https://online.cameyo.com/oidc
    Always use online.cameyo.com and never use your company subdomain.
  4. Select the permissions needed by Cameyo, openid and email.
  5. Your application should now be created. Make sure it is enabled.
  6. Configure your application and copy the connection data
  7. In your application's configuration section, if Response Type is configurable, make sure it is set to Code.
  8. If Grant type is configurable, make sure it is set to Authorization Code.
  9. If the token endpoint authentication method is configurable, make sure it is either set to Client Secret Post or None.
  10. To connect Cameyo to your provider, make note of these 3 items:
    • Issuer URL
    • Client ID
    • Client Secret
  11. Once you have these items, enter the values in the Company Settings page, under the Authentication field.

SSO is now enabled on your Cameyo subdomain (company.cameyo.com).

Configure group claims for PingID

To configure PingID group claims for Cameyo, add groups to the app attribute mappings.

  1. Sign in to your PingIdentity Console.
  2. Go to Connections > Applications.
  3. Click your Cameyo SSO app.
  4. Go to Attribute Mappings.
  5. Click Edit.
  6. For Application attribute, enter groups.
  7. For Outgoing Value, select Group Names.
  8. Click Save.
SSO integration (Okta)

Prerequisites

  • An account at Okta.
  • A subdomain and identity domain configured for your Cameyo account as shown below.

Integration steps

  1. Go to your Okta Admin console.

  2. Go to ApplicationsApplications.

  3. Click Create App Integration.
    1. For Sign-in method, select OIDC - OpenID Connect.
    2. For Application type, select Web Application.
    3. Click Next.
  4. Configure the New Web App Integration.
    1. Under General Settings, follow these steps:
      1. For App integration name, enter Cameyo.
      2. For Grant type, check only the Authorization Code box.
      3. For Sign-in redirect URIs, enter https://online.cameyo.com/oidc.
        Always use online.cameyo.com and never use your company subdomain.
    2. Under Assignments, provide access either to everyone or only certain groups by configuring: 
      1. Controlled access
      2. Selected group(s).
      3. Click Save.

  5. Copy the Issuer URL, Client id, and Client secret from your newly created app and enter it on your company page on the Cameyo Admin console.

Configure group claims for Okta SSO

To configure Okta SSO group claims for Cameyo, add groups to the Okta Sign On settings.

Note: To get user group info from Okta during the authentication flow, you must add the !SSO_MEMBEROF_SCOPE=1 PowerTag to your company in the Cameyo Admin console. This instructs Cameyo to request the necessary group data from Okta during login.
  1. Sign in to your Okta Administrator Console.
  2. Go to Applications > Applications.
  3. Click your Cameyo SSO app.
  4. Go to Sign On > OpenID Connect ID Token.
  5. On the right, click Edit.
  6. For Groups claim filter, enter groups.
  7. For Matches regex, enter .*
  8. Click Save.
SSO integration (OneLogin)

Prerequisites

  • A cloud Single-Sign-On (SSO) provider supporting OpenID Connect.
  • A subdomain and identity domain configured for your Cameyo account.

Integration steps

  1. Go to your identity provider's Portal > Administration > Applications.

  2. Click Add App.

  3. Search for openid and choose OpenId Connect (OIDC).

  4. Enter Display name.

  5. Click Save.

  6. Go to Configuration.

  7. Set Redirect URI's to https://online.cameyo.com/oidc.
    Always use online.cameyo.com and never use your company subdomain.

  8. Go to SSO.

  9. Set Application Type to Web.

  10. Choose Token Endpoint POST.

  11. Copy Issuer URL (A).

  12. Copy Client ID (B).

  13. Copy Client Secret (C).

  14. Click Save

  15. Go to your company page and set the SSO provider to Custom (and set the Friendly name to OneLogin, then take the copied data from above (A, B, C) and enter it.

Configure group claims for OneLogin SSO

To configure OneLogin SSO group claims for Cameyo, add the groups parameter and map it to the MemberOf user group claim in OneLogin.

Note: To get user group info from OneLogin during the authentication flow, you must add the !SSO_MEMBEROF_SCOPE=1 PowerTag to your company in the Cameyo Admin console. This instructs Cameyo to request the necessary group data from OneLogin during login.
  1. Sign in to your OneLogin Administration Portal.
  2. Go to Applications > Applications.
  3. Click your Cameyo SSO app.
  4. Go to Parameters.
  5. Go to OpenId Connect (OIDC) Field and, to the right, click + to add a new field.
  6. For New Field > Field name enter groups.
  7. Check the Multi-value parameter box.
  8. Click Save.
  9. For Edit Field Groups, go to Default if no value selected and choose these options:
    1. MemberOf
    2. Semicolon Delimited input (Multi-value output).
  10. Click Save.
SSO integration (Google)—Alternative (OAuth App)

Prerequisites

  • Google Cloud including Google Workspace.
  • A subdomain and identity domain configured for your Cameyo account as shown below.

Integration steps

  1. Go to your Google Cloud Console.

  2. Open OAuth consent screen.

  3. Choose User Type Internal.

  4. Enter the App information and if wanted additional scope restrictions

  5. Save the consent screen.

  6. Go to APIs & Services > Credentials.

  7. Click Create Credentials and select OAuth client ID.

  8. Select Application type Web Application and add https://online.cameyo.com/oidc to Authorized redirect URIs.
    Always use online.cameyo.com and never use your company subdomain.

  9. Click Create and you will get the Client id and Client secret that you need. You can download the JSON file for future reference.

  10. Select Custom (not Google in this case) as SSO provider and set the Issuer URL to https://accounts.google.com and enter the Client id and Client secret from above.

Google and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.

true
Search
Clear search
Close search
Main menu
9875073525238070048
true
Search Help Center
false
true
true
true
false
false
false
false