OIDC OpenID Connect for Quickchannel Console

Last Updated 7 days ago

OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol that allows secure authentication of users. With OIDC Single Sign-On (SSO), your organization can enable users to log in to Quickchannel using their corporate identity provider.
The Quickchannel Console supports OIDC Single Sign-On for signing in to the console. Quickchannel can also use this integration to restrict who may watch videos*.

This article will guide you through the process of connecting OIDC SSO in the Quickchannel Console. We’ll cover both how to add single users and how to manage access via SSO groups.

Step-by-Step Guide

Step 1: Log in to the Quickchannel Console

  1. Go to https://console.screen9.com

  2. Verify you are logged into the correct account by checking the account name in the top-right corner.


Step 2: Navigate to OIDC Settings

  1. Go to Settings > Integrations > Single Sign-On

  2. Click Connect OIDC



A popup will appear where you will configure the OIDC connection.


Configuring Azure AD for OIDC Integration

Follow the steps below in the Azure Portal to set up the integration with Quickchannel.

Step 1: Create App Registration

  1. Sign in to the Azure Portal

  2. Navigate to Azure Active Directory > App registrations

  3. Click New registration

  4. Configure the registration:

    • Name: Quickchannel Auth Integration (or a name of your choice)

    • Supported account types:

      • Accounts in this organizational directory only (Single tenant)

      • Accounts in any organizational directory (Multi-tenant)

    • Redirect URI:

      • Type: Web

      • URL: https://auth.screen9.com/oidc/authorized

  5. Click Register

Step 2: Configure Authentication

  1. Go to Authentication in your app registration

  2. Verify your web redirect URI

  3. Under Implicit grant and hybrid flows, enable:

    • ID tokens

  4. Under Advanced settings:

    • Allow public client flows: No

    • Treat application as a public client: No

  5. Click Save

Step 3: Create Client Secret

  1. Go to Certificates & secrets

  2. Click New client secret

  3. Configure the secret:

    • Description: Quickchannel Auth Secret

    • Expires: Choose a suitable duration (24 months recommended)

  4. Click Add

  5. Important: Copy the secret Value immediately (it cannot be retrieved later).

  6. Store the secret securely for federation configuration.

Step 4: Configure API Permissions

  1. Go to API permissions

  2. Click Add a permission

  3. Select Microsoft Graph > Delegated permissions

  4. Add these permissions:

    • openid

    • profile

    • email

    • User.Read (recommended)

  5. If you need group information, also add:

    • GroupMember.Read.All

  6. Click Add permissions

  7. Click Grant admin consent (or ask an admin to approve).

Step 5: Configure Token Claims

  1. Go to Token configuration

  2. Click Add optional claim

  3. Select ID token type

  4. Add these claims:

    • email

    • given_name

    • family_name (optional)

    • upn (optional)

  5. If you need group information:

    • Add groups claim

  6. Click Add

Step 6: Configure Group Claims (Optional)

If you want to authorize via groups:

  1. Go to Token configuration

  2. Click Add groups claim

  3. Select Security groups

  4. For ID tokens, choose:

    • Group ID (recommended)

    • Or sAMAccountName (for on-prem sync)

  5. Click Add

Step 7: Gather Configuration Information

From your Azure app registration, collect the following:

  1. Application (client) ID

  2. Directory (tenant) ID

  3. Client secret (from Step 3)

  4. OpenID Connect metadata document URL:

    https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration
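To confirm that the claim and group settings from Steps 5 and 6 took effect, inspect the claims of an ID token issued for a test user. The following is an added example, not Quickchannel or Microsoft code; it assumes a single-tenant registration, and the function names, tenant ID, client ID and sample claims are constructed placeholders.

```python
import base64
import json

REQUIRED_CLAIMS = ("email", "given_name")  # non-optional claims from Step 5

def decode_payload(id_token):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    segment = id_token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def audit_claims(claims, tenant_id, client_id, need_groups=False):
    """Return a list of findings; an empty list means the claims look as configured."""
    findings = []
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        findings.append(f"unexpected iss: {claims.get('iss')!r}")
    if claims.get("aud") != client_id:
        findings.append("aud does not match the Application (client) ID")
    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            findings.append(f"missing claim: {name}")
    if need_groups:
        # Azure AD emits these markers instead of "groups" when the user is in
        # too many groups to fit in the token.
        if claims.get("hasgroups") or "groups" in claims.get("_claim_names", {}):
            findings.append("groups overage: group list not in token")
        elif not isinstance(claims.get("groups"), list) or not claims["groups"]:
            findings.append("missing claim: groups")
    return findings

def make_sample_token(claims):
    """Build a constructed, unsigned token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed-signature"

# Constructed sample values (placeholders, not real tenant or client IDs).
TENANT = "00000000-0000-0000-0000-000000000000"
CLIENT = "11111111-1111-1111-1111-111111111111"
SAMPLE = {"iss": f"https://login.microsoftonline.com/{TENANT}/v2.0", "aud": CLIENT,
          "email": "anna@example.com", "given_name": "Anna",
          "groups": ["22222222-2222-2222-2222-222222222222"]}

if __name__ == "__main__":
    claims = decode_payload(make_sample_token(SAMPLE))
    print(audit_claims(claims, TENANT, CLIENT, need_groups=True))
    del claims["email"], claims["groups"]
    print(audit_claims(claims, TENANT, CLIENT, need_groups=True))
```

The decoder is for troubleshooting configuration only; a relying party must verify the token signature against the keys published in the metadata document before trusting any claim.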

The attribute value for a user can be set either to a single value or to a mapping between accountid and Quickchannel access role.
A Quickchannel access role is one of the following: administrator, publisher, user, producer, readonly.

  1. If a single value is set, the same value is used on all Quickchannel accounts on which the federation has been enabled.

  2. Mappings are of the form accountid:role. Multiple values are supported either as SAML multi-valued attributes or as a single comma-concatenated value: accountid1:role1,accountid2:role2.

Groups: The name of the user's groups attribute. This is only required for restricting media playback using SSO and the signed-in user's group membership. This can be a multi-valued attribute.
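A typo in a role mapping can leave a user with the wrong access level, so it helps to validate the value before setting it in the identity provider. The following checker for the single-value and accountid:role forms described above is an added example, not Quickchannel code; the function names and account IDs are constructed, and rejecting mixed forms, conflicting entries and differently cased role names is an assumption of this checker rather than documented Quickchannel behaviour.

```python
ROLES = {"administrator", "publisher", "user", "producer", "readonly"}

def parse_role_attribute(values):
    """Parse the attribute into (single_role, {accountid: role}).

    `values` is one string or a list of strings (a multi-valued attribute);
    each string may itself be a comma-concatenated list.
    """
    if isinstance(values, str):
        values = [values]
    items = [part.strip() for v in values for part in v.split(",") if part.strip()]
    if not items:
        raise ValueError("attribute is empty")
    single, mapping = None, {}
    for item in items:
        account, sep, role = (s.strip() for s in item.partition(":"))
        if not sep:                      # no colon: one role for all accounts
            account, role = None, item
        if role not in ROLES:
            raise ValueError(f"unknown role {role!r} in {item!r}")
        if account is None:
            if len(items) > 1:           # assumption: never mix the two forms
                raise ValueError("a single value must be the only value")
            single = role
        elif not account:
            raise ValueError(f"missing accountid in {item!r}")
        elif mapping.setdefault(account, role) != role:
            raise ValueError(f"conflicting roles for account {account!r}")
    return single, mapping

def role_for(values, account_id):
    """Role the attribute grants on account_id, or None if it grants none."""
    single, mapping = parse_role_attribute(values)
    return single if single is not None else mapping.get(account_id)

if __name__ == "__main__":
    # Constructed account IDs, for illustration only.
    print(role_for("publisher", "1001"))
    print(role_for("1001:administrator,1002:readonly", "1002"))
    print(role_for(["1001:administrator", "1002:readonly"], "9999"))
```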

Step 8: Add the information in Quickchannel Console

  1. Add the requested information in the popup in the Quickchannel Console under Settings > Integrations > Single Sign-On > Connect OIDC (see Step 2: Navigate to OIDC Settings).

Limitations

It is possible to have one OIDC connection per e-mail domain name. If several domains are used, please contact support.
