Configuring your Identity Provider for Single Sign On using SAML 2

This article explains how to set up your SAML 2 Identity Provider to authenticate your users to Digital Theatre+

Digital Theatre+ supports Single Sign On using a SAML 2 Identity Provider, allowing your users to sign in using your existing Identity solution.

This article contains general guidance steps for you to follow but we have also created specific guides for some popular Identity solutions; you can find links to these towards the bottom of this article.

Please go to sso.digitaltheatreplus.com and send us your metadata using the relevant form when you're ready to submit your Single Sign-On configuration request.

Step 1 - Configure a new SAML application in your identity solution

You will need to set up a new SAML 2 application in your Identity solution.

  • The Audience URI for your application will be: https://auth.digitaltheatreplus.com 

Your application will need to be configured to assert the following information:

    1. Subject Name ID
    2. Email address (if different from Subject Name ID)

Our service provider requires the following attributes by default, so if your Identity Provider has a different configuration, please let our Support team know by replying to your existing email thread with them or, if you have not yet started the process, by submitting a ticket to them.

<saml2:Assertion>
  <saml2:Subject>
    <saml2:NameID />
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email" />
  </saml2:AttributeStatement>
</saml2:Assertion>
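If you want to confirm that the assertion your Identity Provider emits matches the default mapping above before sending a configuration request, the following script is a useful pre-check. It is an added example, not Digital Theatre+ code: it parses a constructed sample assertion (the issuer idp.example.edu, the user alice@example.edu and the assertion ID are placeholders) and reports whether a Subject NameID, an attribute named "email" and the Audience URI https://auth.digitaltheatreplus.com are present. The attribute name is a parameter, so the same check works if your IdP uses a different name and you intend to tell Support about the change.

```python
import xml.etree.ElementTree as ET

# Namespace used by SAML 2.0 assertions.
NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Audience URI stated in the article; it is the only page-supplied value used here.
EXPECTED_AUDIENCE = "https://auth.digitaltheatreplus.com"

# Constructed sample assertion (issuer, user and ID are placeholders, not real data).
# It carries the two values the default mapping expects: a Subject NameID and an
# attribute named "email".
SAMPLE_ASSERTION = """<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                 ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.edu/saml2/idp</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.edu</saml2:NameID>
  </saml2:Subject>
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://auth.digitaltheatreplus.com</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email">
      <saml2:AttributeValue>alice@example.edu</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""


def check_assertion(xml_text, email_attribute="email", audience=EXPECTED_AUDIENCE):
    """Inspect an assertion's shape against the default attribute mapping.

    Returns a dict with keys name_id, email, audience_ok and problems (a list of
    human-readable findings; empty when the assertion matches). Only structure is
    checked here; signature verification is done by the service provider with the
    IdP signing certificate and is out of scope for this pre-check.
    """
    root = ET.fromstring(xml_text)
    problems = []

    if root.tag != "{%s}Assertion" % NS["saml2"]:
        problems.append("root element is not saml2:Assertion")

    # 1. Subject Name ID must be present and non-empty.
    name_id_el = root.find("saml2:Subject/saml2:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else None
    if not name_id:
        problems.append("Subject NameID missing or empty")

    # 2. Email attribute, looked up by the name the service provider expects.
    email = None
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == email_attribute:
            value_el = attr.find("saml2:AttributeValue", NS)
            email = (value_el.text or "").strip() if value_el is not None else None
            break
    if email is None:
        problems.append("attribute %r not asserted (required if it differs from NameID)"
                        % email_attribute)

    # 3. Audience restriction must name the service provider's Audience URI.
    audiences = [a.text.strip()
                 for a in root.findall("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)
                 if a.text]
    audience_ok = audience in audiences
    if not audience_ok:
        problems.append("Audience %s not present in AudienceRestriction" % audience)

    return {"name_id": name_id, "email": email, "audience_ok": audience_ok, "problems": problems}


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION))
```

Run it against a decoded copy of an assertion captured from your IdP's test flow; an empty problems list means the default mapping will work unchanged. The standard-library parser is used for brevity; when processing assertions from outside your own test environment, parse with a hardened XML library rather than xml.etree.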

I need the ACS URL and Audience URI first!

Some Identity Solutions require the metadata (the Assertion Consumer Service URL (ACS URL) and Audience URI) to set up the SAML application.

If this is the case, or if you require the metadata.xml file for importing, please let our Support team know by replying to your existing email thread with them or, if you have not yet started the process, by submitting a ticket to them.

Step 2 - Provide configuration information to Digital Theatre+

You will need to provide the following information:

  1. Issuer URI of the Identity Provider. This value is usually the SAML Metadata EntityID of the IdP EntityDescriptor.
  2. IdP Single Sign-On URL. The binding-specific IdP Authentication Request Protocol endpoint that receives SAML AuthnRequest messages.
  3. IdP Signature Certificate. The PEM or DER encoded public key certificate of the Identity Provider used to verify SAML message and assertion signatures.
  4. Email domain(s). The email domains which users who authenticate via your Identity Provider will use.
  5. Any changes required to the default attribute mapping.

Send this information to our Support team by visiting sso.digitaltheatreplus.com and submitting the relevant form.

Step 3 - Digital Theatre+ provides metadata information

You will need to update your SAML application configuration with the following information which will be supplied by our Support team:

  • Assertion Consumer Service URL: https://auth.digitaltheatreplus.com/sso/saml2/<unique-id-per-customer>
  • Audience URI: https://auth.digitaltheatreplus.com

Step 4 - Test that you can sign in using your new SAML 2 application configuration

  1. Go to https://edu.digitaltheatreplus.com
  2. Click 'Sign in'
  3. Enter your email address
  4. Click 'Next'
  5. You should be redirected to your Single Sign On Identity Provider
  6. Enter your credentials and authenticate
  7. You will be redirected to https://edu.digitaltheatreplus.com and will be signed in

Creating a SAML Deeplink or WAYFless URL

Please refer to our article detailing the ways SAML SSO users can sign in for information on creating a SAML Deeplink or WAYFless URL.

Set up guides for specific Identity solutions

Further assistance