Identity provider setup

Setting up a single sign-on integration so your employees can access Shutterstock via federated identity management involves these main steps:

  1. Giving your identity provider (such as OneLogin, Auth0, or Ping Identity) information about Shutterstock's accounts service
  2. Providing information to Shutterstock about your identity provider so we can enable it in our accounts service

For information about setting up specific identity providers, see these pages:

General steps for setting up federated identity

Some identity providers (IdPs) have specific steps, but in general, setting up your identity provider to use Shutterstock as a service provider includes these steps:

  1. Contact your Shutterstock account representative and provide this information:

    • Your company name
    • The type of identity provider that you use
    • A list of all of the email domains that you use
    • The URL that Shutterstock should send users to for authentication in the Shutterstock-initiated login flow
    • Your IdP application's security certificate. In most cases, the IdP hosts security information in a metadata XML file in fields named SingleSignOnService and X509Certificate. In this case, you can send the URL of the metadata file to Shutterstock.
  2. Shutterstock sets up an identity provider configuration to allow your identity provider to use our SAML offering.

  3. Shutterstock provides a callback URL and other information that you need for your configuration. The callback URL looks like this example: https://accounts.shutterstock.com/saml/2t35e39b-a281-4q9d-g758-194b52749de5/callback.

  4. Add Shutterstock as a service provider or application to your identity provider using that callback URL.

    The identity provider might need other configuration information for the Shutterstock application, including these fields:

    • Shutterstock's SAML entity ID: https://accounts.shutterstock.com/saml/
    • Shutterstock's SAML audience ID: https://accounts.shutterstock.com/saml/
    • Shutterstock's SAML name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    • The signature algorithm: rsa-sha256
    • The relay state, or the URL to direct authenticated users to, such as https://www.shutterstock.com
  5. Configure your identity provider to pass the following attributes as part of the SAML assertion that it sends to Shutterstock. If the attributes are not included by default, you may need to add them as custom attributes. Check your identity provider's documentation for information about how to configure the SAML assertion.

    • email: The email for the authenticating user account
    • id or user_id: An identifier for the account, usually numeric; this ID must be unique within your identity provider system
    • name: A string that contains the authenticating user's first name and last name in the format FirstName LastName
    • roles: (Optional) The roles for the user; see Assigning permissions
    • team: (Optional) The organization for the user; see Assigning organizations

Now the integration is ready to use.

Next steps

Now that the federated identity integration is ready, you can test it to make sure that it works. Then you can have your users log in to Shutterstock services through your identity provider.

To verify that the integration is set up correctly or to troubleshoot problems, look at the SAML assertion that your IdP is sending to Shutterstock.

Some IdPs can generate a sample SAML assertion that you can view to verify that the custom attributes appear correctly or to help with debugging. You can also see the SAML assertion by launching the Shutterstock application through the IdP and using a tool such as SAML-tracer.

The SAML assertion should look like the following XML example. Make sure that your SAML assertion is formatted in a similar way.

If you can't log in to Shutterstock through your IdP, send your sample SAML assertion to your Shutterstock account representative with any other information you have on the problem.

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion ID="id467897227883162648067369" IssueInstant="2021-03-18T14:58:33.926Z" Version="2.0"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/Issuer</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">userName</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2021-03-18T15:03:33.930Z" Recipient="https://accounts.shutterstock.com/saml/453663451-3724-4761-828b-bbe31a27c9f7/callback"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2021-03-18T14:53:33.930Z" NotOnOrAfter="2021-03-18T15:03:33.930Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>https://accounts.shutterstock.com/saml</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2021-03-18T14:58:33.926Z">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.email
      </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.roles
      </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.email
      </saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="team" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml2:AttributeValue
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user.team
      </saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
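As an added example that is not part of Shutterstock's documentation, the script below applies the requirements listed above (emailAddress NameID format, Recipient equal to your callback URL, Audience equal to the entity ID, the NotBefore/NotOnOrAfter window, and the email, id/user_id and name attributes) to an assertion captured with SAML-tracer or exported from your IdP. The configuration ID in the callback URL and the sample assertion are constructed placeholders; the Audience comparison ignores a trailing slash because the entity ID listed above carries one while the sample Audience does not.

```python
import xml.etree.ElementTree as ET  # parse assertions from untrusted sources with defusedxml instead
from datetime import datetime

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
ENTITY_ID = "https://accounts.shutterstock.com/saml/"  # as listed above; the sample's Audience omits the slash
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
CALLBACK = "https://accounts.shutterstock.com/saml/YOUR-CONFIGURATION-ID/callback"  # placeholder; use the URL Shutterstock sends you

def parse_ts(value):  # SAML UTC timestamp such as 2021-03-18T14:53:33.930Z -> aware datetime
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, callback_url, now):
    """Return a list of problems; an empty list means the assertion matches the requirements above."""
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        problems.append("NameID is missing or not in emailAddress format")
    scd = root.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != callback_url:
        problems.append("Recipient does not match the callback URL Shutterstock provided")
    audience = root.findtext("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", "", NS)
    if audience.rstrip("/") != ENTITY_ID.rstrip("/"):
        problems.append(f"Audience {audience!r} is not the Shutterstock entity ID")
    cond = root.find("saml2:Conditions", NS)
    window = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if None in window or not (parse_ts(window[0]) <= now < parse_ts(window[1])):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter validity window")
    attrs = {a.get("Name"): (a.findtext("saml2:AttributeValue", "", NS) or "").strip()  # strip IdP padding
             for a in root.iterfind("saml2:AttributeStatement/saml2:Attribute", NS)}
    for required in ("email", "name"):
        if not attrs.get(required):
            problems.append(f"required attribute {required!r} is missing or empty")
    if not (attrs.get("id") or attrs.get("user_id")):
        problems.append("neither 'id' nor 'user_id' attribute is present")
    return problems

def attribute(name, value):  # helper for the constructed sample below
    return f'<saml2:Attribute Name="{name}"><saml2:AttributeValue>{value}</saml2:AttributeValue></saml2:Attribute>'

# Constructed sample assertion (not from a real IdP) that satisfies every check at 14:58 UTC on its issue date.
SAMPLE = f"""<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml2:Subject><saml2:NameID Format="{EMAIL_NAMEID}">jane.doe@example.com</saml2:NameID>
    <saml2:SubjectConfirmation><saml2:SubjectConfirmationData Recipient="{CALLBACK}"/></saml2:SubjectConfirmation></saml2:Subject>
  <saml2:Conditions NotBefore="2021-03-18T14:53:33.930Z" NotOnOrAfter="2021-03-18T15:03:33.930Z">
    <saml2:AudienceRestriction><saml2:Audience>https://accounts.shutterstock.com/saml</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
  <saml2:AttributeStatement>{attribute('email', 'jane.doe@example.com')}{attribute('id', '10042')}
    {attribute('name', 'Jane Doe')}{attribute('roles', 'editor')}</saml2:AttributeStatement></saml2:Assertion>"""
```

Paste the assertion your IdP produced in place of SAMPLE and pass the callback URL from step 3; each returned string names one field to fix in the IdP's application settings.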