Authenticating and Authorizing MediaSpace Users

Prerequisite Reading: 

On the Configuration Management panel Auth module of the Kaltura MediaSpace Administration Area, you can configure the settings for the required user authentication method and the required method for authorizing a user’s access to MediaSpace with a specific Application Role. The following scenarios are supported:

Usually, both authentication and role authorization are set through integration with the organizational identity and group management systems (scenario 1). Kaltura’s authentication and/or authorization options may be useful in the cases described in scenarios 2 and 3.

NOTE: User authorization to channel and content entitlements is handled separately.

Understanding MediaSpace Authentication and Authorization Scenarios

Scenario 1: Authentication and Authorization Are Managed in Organizational Systems

When does this scenario apply?

You can use your organizational system as your MediaSpace identity and role authorization provider when:

  • You have a large-scale MediaSpace deployment. You want all users to log into MediaSpace with their organizational credentials and to be authenticated by your centralized authentication system.
  • You can provide access from the MediaSpace application to your authentication and group management systems.
  • In most cases, authorization to access MediaSpace with a specific Application Role derives from user membership in organizational units or groups.

Who can access MediaSpace?

Only users who are authenticated and authorized by your systems can access MediaSpace. Users who are not authenticated by your systems are denied access to MediaSpace and are not able to log in.

What user details are stored in Kaltura?

The user’s identifier, Application Role, and first and last names (optional but recommended) must be stored in Kaltura. After the user logs into MediaSpace for the first time, administrators can view and manage the user record on the User Management panel of the Kaltura MediaSpace Administration Area. The user’s organizational password is not saved in Kaltura.

Can you manually set different user details in Kaltura?

Yes, you can manually set different user details in Kaltura. After the user logs into MediaSpace for the first time, administrators can manage the user record on the User Management panel of the Kaltura MediaSpace Administration Area. An administrator can override the user details (first and last name) and the user MediaSpace Application Role. This option is useful mainly for granting a higher- or lower‑level Application Role to certain users. For example, you can set a Viewer Application Role to a large group of people within your organization and then manually assign the higher level MediaSpace Admin role to a few of them.

To enable manually overriding settings

  1. On the Configuration Management panel of the Kaltura MediaSpace Administration Area, open the Auth module.
  2. Set the following values and click Save.
    1. Under refreshDetailsOnLogin, select No.
      This option is displayed only when using an external authentication provider.
    2. Under refreshRoleOnLogin, select No.
      This option is displayed only when using an external role authorization provider.
       

Scenario 2: Authentication and Authorization Are Managed in Kaltura

When does this scenario apply?

You can use Kaltura as your MediaSpace identity and role authorization provider when:

  • You want to launch a MediaSpace pilot in your organization without IT integration.
  • You want to quickly go live with your organizational video portal before performing IT integration with your organizational authentication and group management systems.
  • Only a few users in your organization need to work with MediaSpace, and there is no requirement or need for managing user authentication and credential validation in your organizational systems.
  • You do not have a centralized authentication system or you are not able to provide access to your authentication system from the MediaSpace application.

Who can access MediaSpace?

Only users with a MediaSpace user account pre-provisioned in Kaltura can access MediaSpace. (The user account must include a MediaSpace Role and a MediaSpace password.) If you want to revoke MediaSpace access from a specific user, it is your responsibility to delete the user account in one of the following ways:

  • On the User Management panel of the Kaltura MediaSpace Administration area, select one or more users, and click Delete or Delete Checked.
  • Submit a Kaltura end-users CSV to delete MediaSpace user accounts in bulk. To learn more, see the procedure step on submitting a Kaltura end-users CSV.
  • Use the Kaltura API to:
    • Delete the user record.
    • Remove the user's MediaSpace Role stored in a custom data profile.

How do you switch from Kaltura-managed authentication and authorization to managing MediaSpace authentication and authorization in your system?

Following the completion of your pilot, or when the IT integration with your user authentication and group management systems is completed, on the Configuration Management panel of the Kaltura MediaSpace Administration Area, open the Auth tab and change the selected authentication/authorization method. In the Kaltura MediaSpace Administration Area, you may override the Kaltura‑managed Application Roles from your system on the Configuration Management panel or by manually deleting existing MediaSpace user accounts on the User Management panel.

To override Kaltura-managed Application Roles on the Configuration Management panel

  1. On the Configuration Management panel of the Kaltura MediaSpace Administration Area, open the Auth tab.
  2. Set the following values and click Save.
    1. Under refreshDetailsOnLogin, select Yes.
      This option is displayed only when using an external authentication provider.
    2. Under refreshRoleOnLogin, select Yes.
      This option is displayed only when using an external role authorization provider.

Scenario 3: Authentication Is Managed in an Organizational System, Authorization Is Managed in Kaltura

When does this scenario apply?

You can use Kaltura as your MediaSpace access and role authorization provider when:

  • You have a small- to large-scale MediaSpace deployment. You want all users to log into MediaSpace with their organizational credentials and to be authenticated by your centralized authentication system.
  • Authorization for users to access MediaSpace and MediaSpace Application Roles is independent of their membership in organizational units or groups. For example, users who will be granted MediaSpace access do not belong to a specific organizational unit or group.
  • You are not able to provide access to your group management system from the MediaSpace application for setting group-based role authorization. You want to set users' application roles before their first login to MediaSpace.

Who can access MediaSpace?

Only users who are authenticated by your systems and have MediaSpace user accounts pre‑provisioned in Kaltura (the user account includes MediaSpace Application Roles) can access MediaSpace. Users who are not authenticated by your systems are denied access to MediaSpace, even if they have a user account and a MediaSpace Application Role in Kaltura. These unauthenticated users will not be able to log in.

Configuring Authentication and Authorization for MediaSpace

Enabling Common Login Configurations

On the Configuration Management panel Auth tab of the Kaltura MediaSpace Administration Area, the following MediaSpace login options are available for all authentication and authorization methods. 

Enabling Authentication Methods

On the Configuration Management panel Auth tab of the Kaltura MediaSpace Administration Area, the following authentication methods are supported as part of the MediaSpace standard installation. When you select an authentication adapter, a set of relevant configuration fields is displayed to fill in. 

  • LDAP Authentication – User authentication and credentials validation through direct access to the organizational LDAP or Active Directory server.
  • SSO Gateway Authentication – A Kaltura generic gateway for integrating with a customer-specific login and authentication implementation, while providing the user with a Single Sign-On experience.
  • Header Authentication – User is authenticated through a request in the organizational authentication system. The response includes the authenticated user ID in a specific HTTP header.
  • Kaltura Authentication – Manage MediaSpace users and their authentication in Kaltura.
  • Custom Authentication Methods – For any other type of authentication method, custom adapters can be developed and added to the MediaSpace installation.

Enabling Authorization Methods

On the Configuration Management panel Auth tab of the Kaltura MediaSpace Administration Area, the following authorization methods are supported as part of the MediaSpace standard installation. When you select an authorization method, a set of relevant configuration fields is displayed to fill in.

  • LDAP Authorization – The user’s application role in MediaSpace is determined based on organizational groups in which the user is a member, which are managed in the organization’s LDAP server. This authorization method usually is used together with the LDAP authentication method. The method also can be selected when using other authentication methods (SSO Gateway authentication, Kaltura authentication, and Header authentication).
  • SSO Gateway Authorization – The user’s application role in MediaSpace is set and passed to MediaSpace as part of the customer-specific login and authentication implementation, which is set through the Kaltura SSO gateway interface. Always use this option with SSO Gateway authentication. This option cannot be used with any authentication method besides SSO Gateway authentication.
  • Kaltura Authorization – Manage user authorization to access MediaSpace and user MediaSpace application roles in Kaltura. This authorization option can be used with any other authentication method (SSO Gateway authentication, Kaltura authentication, and Header authentication).
  • Custom Authorization Methods – For any other type of access and role authorization method, custom adapters can be developed and added to the MediaSpace installation.

Setting up Authentication and Authorization

Configuring LDAP Authentication and Authorization

To learn more about integrating your LDAP server for authenticating users and authorizing user access to MediaSpace with a specific application role, refer to Kaltura MediaSpace Introduction to Authentication and Authorization Solutions and Kaltura MediaSpace LDAP Integration Guide.

To configure user authentication through your LDAP server

  1. On the Configuration Management panel of the Kaltura MediaSpace Administration Area, open the Auth tab.
    After you complete and verify the following steps, click Save.
  2. Under authNAdapter, select LDAP AuthN.
  3. Select your preferences for the common login options.
  4. Under refreshDetailsOnLogin, select your preference.
    This option affects the updating of the user’s first name, last name, and email address (when provided) from your LDAP system upon every login.
  5. Under ldapServer:
    1. Select the LDAP Server access and bind settings.
      Your bindMethod selection will affect the information you need to provide for authenticating the user.

      LDAP Server Configuration – bindMethod selection


      LDAP Server Configuration - Direct Bind options


      LDAP Server Configuration - Search before Bind options

    2. Select the LDAP attributes for first name, last name and email address.
      Populating the user’s first and last name is used for several MediaSpace options that require the user name.
      The email address is optional. This field is useful for user management and for future features (such as email notifications).

      LDAP Server Configuration - Email options
  6. If you are using your LDAP server to authorize user access to MediaSpace with a specific application role, continue with the next procedure. If not, select a different authorization method.

To configure user authorization through your LDAP server

  1. On the Configuration Management panel of the Kaltura MediaSpace Administration Area, open the Auth tab.
    After you complete and verify the following steps, click Save.
  2. Under authZAdapter, select LDAP AuthZ.
  3. Under refreshRoleOnLogin, select your preference.
    This option affects the updating of the user’s role from your LDAP system upon every login. 
  4. Under ldapOptions, select your preferences for getting the list of groups in which the user is a member.
    This option is used to determine the user's MediaSpace Application Role.
    Under groupsMatchingOrder, enter the order for matching MediaSpace roles to LDAP groups. The order determines whether the strongest or weakest role is mapped first.
    Your groupSearch selection will affect the information you need to provide.

    LDAP Authorization Options - Get Groups from User


    LDAP Authorization Options - Get User from Groups

  5. Under ldapGroups, select your preferences to define the mappings between the groups defined in your LDAP server and the MediaSpace Application Roles.
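The procedure above (ldapOptions, groupsMatchingOrder, ldapGroups) together with the refreshDetailsOnLogin/refreshRoleOnLogin options described under Scenario 1 can be read as one small decision: which role do the user's LDAP groups grant, and does that role overwrite what an administrator stored in Kaltura? The following Python is an added example written for this page, not Kaltura's own code. The role ladder, the group-to-role mapping and the interpretation of groupsMatchingOrder as "strongest" or "weakest" role first are assumptions; only the Viewer and MediaSpace Admin roles are mentioned on the page.

```python
# Added example (not Kaltura's code): resolving a MediaSpace Application Role
# from LDAP group membership, then applying the refreshDetailsOnLogin /
# refreshRoleOnLogin policy to the user record stored in Kaltura.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed role ladder, weakest to strongest. Real deployments use the role
# labels configured on the Roles tab; only "Viewer" and "Admin" appear on the page.
ROLE_LADDER: List[str] = ["Viewer", "Contributor", "Admin"]

# Constructed ldapGroups-style mapping: LDAP group DN -> MediaSpace role.
LDAP_GROUPS: Dict[str, str] = {
    "cn=all-staff,ou=groups,dc=example,dc=org": "Viewer",
    "cn=video-editors,ou=groups,dc=example,dc=org": "Contributor",
    "cn=media-admins,ou=groups,dc=example,dc=org": "Admin",
}


def resolve_role(member_of: Iterable[str],
                 ldap_groups: Dict[str, str] = LDAP_GROUPS,
                 role_ladder: List[str] = ROLE_LADDER,
                 groups_matching_order: str = "strongest") -> Optional[str]:
    """Return the role granted by the user's group memberships, or None.

    groups_matching_order models the page's groupsMatchingOrder option (assumed
    semantics): "strongest" maps the highest matching role first, "weakest" the
    lowest. A user with no mapped group gets no role and therefore no access.
    """
    if groups_matching_order not in ("strongest", "weakest"):
        raise ValueError("groups_matching_order must be 'strongest' or 'weakest'")
    matched = [ldap_groups[dn] for dn in member_of if dn in ldap_groups]
    if not matched:
        return None
    ranked = sorted(matched, key=role_ladder.index,
                    reverse=(groups_matching_order == "strongest"))
    return ranked[0]


@dataclass
class StoredUser:
    """The part of the Kaltura user record MediaSpace keeps: no password."""
    user_id: str
    first_name: str
    last_name: str
    role: Optional[str]


def apply_login(stored: StoredUser, provider_first: str, provider_last: str,
                provider_role: Optional[str],
                refresh_details_on_login: bool = True,
                refresh_role_on_login: bool = True) -> bool:
    """Update the stored record on login according to the two refresh options.

    With an option set to No (False), a manual override made on the User
    Management panel survives later logins; with Yes (True) the value from the
    organizational provider wins on every login. Returns False when the
    provider grants no role, i.e. the login is denied (Scenario 1 rule).
    """
    if provider_role is None:
        return False
    if refresh_details_on_login:
        stored.first_name = provider_first
        stored.last_name = provider_last
    if refresh_role_on_login:
        stored.role = provider_role
    return True


if __name__ == "__main__":
    groups = ["cn=all-staff,ou=groups,dc=example,dc=org",
              "cn=media-admins,ou=groups,dc=example,dc=org"]
    print("strongest first:", resolve_role(groups))
    print("weakest first:  ", resolve_role(groups, groups_matching_order="weakest"))
    user = StoredUser("jdoe", "J", "Doe", role="Admin")  # admin override stored in Kaltura
    apply_login(user, "Jane", "Doe", resolve_role(groups[:1]), refresh_role_on_login=False)
    print("after login with refreshRoleOnLogin=No:", user)
```

The two switches are independent: in the demo the first name is refreshed from the provider while the manually assigned Admin role is kept because refreshRoleOnLogin is No, which is exactly the override case the Scenario 1 text describes.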
     

Configuring SSO Gateway Authentication and Authorization

To learn more about integrating MediaSpace with your authentication systems using the MediaSpace SSO Gateway, refer to Kaltura MediaSpace Introduction to Authentication and Authorization Solutions and Kaltura MediaSpace SSO Integration Guide.

To configure user authentication using the MediaSpace SSO gateway

  1. On the Configuration Management panel of the Kaltura MediaSpace Administration Area, open the Auth tab.
    After you complete and verify the following steps, click Save.
  2. Under authNAdapter, select SSO Gateway AuthN.
     
  3. Select your preferences for the common login options.
  4. Under refreshDetailsOnLogin, select your preference.
    This option affects the updating of the user’s first name, last name and email address (when provided) from your authentication system upon every login.
  5. Under sso, select your preferences for integrating the MediaSpace SSO Gateway with your login implementation:
    • loginUrl – Enter the absolute URL where you host the login page.
    • logoutUrl – Enter the URL to which MediaSpace redirects a user after invalidating the local MediaSpace session (for example, when a user clicks logout).
      • On your site you may use this page to invalidate other authenticated sessions, if needed (for example, CAS login).
      • A sessionKey URL parameter is automatically appended to the logout URL. This parameter securely encapsulates the user information, enabling you to know which user logged out. The sessionKey parameter is constructed using the secret shared with the login page.
  6. If you are using the MediaSpace SSO Gateway to authorize user access to MediaSpace with a specific application role, continue with the next procedure.

To configure user authorization using the MediaSpace SSO gateway

  1. On the Configuration Management panel of the Kaltura MediaSpace Administration Area, open the Auth tab.
    After you complete and verify the following steps, click Save.
  2. Under authZAdapter, select SSO Gateway AuthZ.
  3. Under refreshRoleOnLogin, select your preference.
    This option affects the updating of the user’s role upon every login.
Configuring Header Authentication

To configure header authentication through the MediaSpace SSO gateway

  1. On the Configuration Management panel of the Kaltura MediaSpace Administration Area, open the Auth tab.
    After you complete and verify the following steps, click Save.
  2. Under authNAdapter, select Header AuthN.
  3. Select your preferences for the common login options.
  4. Under refreshDetailsOnLogin, select your preference.
    This option affects the updating of the user’s first name, last name, and email address (when provided) from your authentication system upon every login.
  5. Under headerAuth, enter values for:
    • headerName – The name of the request header that contains the user ID (the value of the request header is the user ID).
    • logoutUrl – The URL to which the user is sent after logout.
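With Header Authentication, MediaSpace treats the value of headerName as the authenticated user ID, so the only thing standing between any HTTP client and an arbitrary identity is the tier that sets that header. The following Python is an added example, not Kaltura's or MediaSpace's code, that makes the trust boundary explicit on both sides: the authenticating reverse proxy discards every client-supplied copy of the header before setting its own, and the application side honours the header only when the request comes from a known proxy address. The proxy/trusted-address model and the header name X-Remote-User are assumptions of the example; the page does not state whether MediaSpace performs an equivalent source check itself.

```python
# Added example (not Kaltura's code): the trust boundary behind Header
# Authentication. The header named by headerName only means something when the
# tier that actually authenticated the user sets it; any copy that arrives from
# the client must be discarded before the request reaches MediaSpace.
from typing import Dict, Iterable, Optional


def _find_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def proxy_forward_headers(client_headers: Dict[str, str], authenticated_user: str,
                          header_name: str) -> Dict[str, str]:
    """What the authenticating reverse proxy should forward to MediaSpace.

    Every client-supplied copy of header_name is dropped, whatever its letter
    case, and exactly one copy carrying the identity the proxy verified is set.
    """
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != header_name.lower()}
    forwarded[header_name] = authenticated_user
    return forwarded


def user_from_header(headers: Dict[str, str], remote_addr: str,
                     trusted_proxies: Iterable[str], header_name: str) -> Optional[str]:
    """Return the user ID header-based authentication may accept, or None.

    The header is honoured only when the request arrives from one of the
    trusted proxy addresses (an assumption of this example) and carries a
    non-empty value; anything else is treated as unauthenticated.
    """
    if remote_addr not in set(trusted_proxies):
        return None
    value = _find_header(headers, header_name)
    if value is None or not value.strip():
        return None
    return value.strip()


if __name__ == "__main__":
    HEADER = "X-Remote-User"          # assumed headerName value
    TRUSTED = ["10.0.0.5"]            # constructed address of the authenticating proxy
    # Constructed request: a client sends its own copy of the identity header.
    client_request = {"x-remote-user": "spoofed-id", "Accept": "*/*"}
    print("direct to app:", user_from_header(client_request, "203.0.113.7", TRUSTED, HEADER))
    via_proxy = proxy_forward_headers(client_request, "alice", HEADER)
    print("via proxy:    ", user_from_header(via_proxy, "10.0.0.5", TRUSTED, HEADER))
```

Both halves are needed: the source-address check alone would still accept a client-supplied header that a misconfigured proxy passed through unchanged, and the header stripping alone is useless if MediaSpace is reachable without going through the proxy. Reviewing both is the check to make before switching authNAdapter to Header AuthN.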
       

Configuring Kaltura Authentication and Authorization

Authenticating or authorizing MediaSpace users in Kaltura requires creating MediaSpace user accounts that include a MediaSpace Application Role. Only users with a MediaSpace user account and MediaSpace Application Role are able to log into MediaSpace.

Authenticating MediaSpace users in Kaltura also requires setting a password for each MediaSpace user. Follow the procedure to create MediaSpace user accounts that include a MediaSpace Application Role.

To configure Kaltura authentication

  1. On the Configuration Management panel of the Kaltura MediaSpace Administration Area, open the Auth tab.
    After you complete and verify the following steps, click Save.
  2. Under authNAdapter, select Kms_Auth AuthN.
  3. Select your preferences for the common login options.

To configure Kaltura authorization

  1. On the Configuration Management panel of the Kaltura MediaSpace Administration Area, open the Auth tab.
  2. Under authZAdapter, select Kms_Auth AuthZ and click Save.
       

To create MediaSpace user accounts that include a MediaSpace Application Role

Do one of the following:

  • On the User Management panel of the Kaltura MediaSpace Administration Area, you can create and manage MediaSpace user accounts.
    Use the list to manually manage all users in the partner account that have a MediaSpace role for the specific MediaSpace instance.
  • Submit a Kaltura end-users CSV to create MediaSpace user accounts in bulk.

    Note: There is a 5000 user limitation on channel and category members. If more members are expected, please use Kaltura Groups. See Group Support in Kaltura Applications and Kaltura Groups FAQ for additional information.

    Use the following format:

    • To learn more about the end-user CSV schema, refer to End-Users CSV – Usage and Schema Description.
    • The userId field must include a minimum of three characters.
    • The MediaSpace Application Role is managed within the MediaSpace user metadata schema. Adjust the schema name in the example to include your MediaSpace instanceId. (You can copy the MediaSpace instanceId from the Configuration Management panel Application tab of the Kaltura MediaSpace Administration Area.)
    • Set the role names in the CSV according to the role labels you set in the Configuration Management panel Roles tab of the Kaltura MediaSpace Administration Area.
    • When using Kaltura to authenticate users, you may populate a sha1 hashed password in the CSV as part of the partnerData field, as in the example. MediaSpace administrators are responsible for managing password hashing and distribution to users. The un-hashed password must include a minimum of six characters.
    • When using Kaltura only for authorizing user access to MediaSpace with a specific application role, do not populate the password in the CSV. (You can remove the partnerData column in the example from the CSV since it is not required.)
    • You can submit the end-users CSV in the following ways:
      • On the User Management panel of the Kaltura MediaSpace Administration Area, click Submit CSV.
      • In the KMC, select the Upload tab and then under Submit Bulk, select End-Users CSV.
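The CSV rules listed above (userId of at least three characters, a role label matching the Roles tab, a SHA-1 hashed password in partnerData only when Kaltura authenticates, no password column when Kaltura only authorizes) are easy to get wrong by hand. The following Python is an added example written for this page, not Kaltura's code or the CSV example the page refers to: it validates each user against those rules and renders the file. The identity column names and the name of the role metadata column are assumptions (the real column names come from the End-Users CSV schema document and must include your MediaSpace instanceId, so a placeholder is used here), and hex encoding of the SHA-1 digest is assumed.

```python
# Added example (not Kaltura's code): building a Kaltura end-users CSV that
# carries a MediaSpace Application Role and, when Kaltura also authenticates
# the users, a SHA-1 hashed password in partnerData.
import csv
import hashlib
import io
from typing import Dict, List

MIN_USER_ID_LEN = 3    # the page: userId must be at least three characters
MIN_PASSWORD_LEN = 6   # the page: the un-hashed password must be at least six characters

# Placeholder for the metadata column that holds the MediaSpace role. The real
# name follows the End-Users CSV schema and must include your MediaSpace
# instanceId; neither is shown on the page, so this is an assumed placeholder.
ROLE_COLUMN = "metadata::<MediaSpace-user-schema-with-instanceId>::role"

# Assumed column names for the identity fields; check them against the schema.
BASE_COLUMNS = ["userId", "firstName", "lastName", "email"]


def hash_password(plain: str) -> str:
    """SHA-1 hex digest, as the page specifies for partnerData (hex encoding assumed)."""
    return hashlib.sha1(plain.encode("utf-8")).hexdigest()


def validate_user(user: Dict[str, str], with_passwords: bool) -> List[str]:
    """Return the problems found in one user row (empty list = valid)."""
    problems: List[str] = []
    user_id = user.get("userId", "")
    if len(user_id) < MIN_USER_ID_LEN:
        problems.append(f"userId too short: {user_id!r}")
    if not user.get("role"):
        problems.append(f"missing MediaSpace role for {user_id!r}")
    if with_passwords and len(user.get("password", "")) < MIN_PASSWORD_LEN:
        problems.append(f"password too short for {user_id!r}")
    if not with_passwords and "password" in user:
        problems.append(f"password given for {user_id!r} but Kaltura only authorizes")
    return problems


def build_end_users_csv(users: List[Dict[str, str]], with_passwords: bool) -> str:
    """Render the CSV text; partnerData is emitted only when Kaltura authenticates."""
    problems = [p for u in users for p in validate_user(u, with_passwords)]
    if problems:
        raise ValueError("; ".join(problems))
    columns = BASE_COLUMNS + [ROLE_COLUMN] + (["partnerData"] if with_passwords else [])
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    for u in users:
        row = {c: u.get(c, "") for c in BASE_COLUMNS}
        row[ROLE_COLUMN] = u["role"]
        if with_passwords:
            row["partnerData"] = hash_password(u["password"])  # plaintext is never written
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample users; "Viewer" and "Admin" are the role labels the page mentions.
    sample = [
        {"userId": "jdoe", "firstName": "Jane", "lastName": "Doe",
         "email": "jane@example.org", "role": "Viewer", "password": "password"},
        {"userId": "admin1", "firstName": "Ada", "lastName": "Min",
         "email": "ada@example.org", "role": "Admin", "password": "correct-horse"},
    ]
    print(build_end_users_csv(sample, with_passwords=True))
    print(build_end_users_csv([{k: v for k, v in u.items() if k != "password"} for u in sample],
                              with_passwords=False))
```

Keeping the plaintext out of the output file is the one property worth insisting on when the same CSV is later submitted through Submit CSV or the KMC Upload tab and may be retained there; the script only ever writes the digest.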

To automate the update of the authorized MediaSpace users list

When you manage MediaSpace authorization in Kaltura, you can develop automated processes for updating the list of MediaSpace users based on changes in your organizational information system.

  • You can develop a scheduled update process that periodically adds multiple users to, or deletes them from, the MediaSpace users list using the Kaltura end-users CSV. In your script, you can call the user.addFromBulkUpload Kaltura API action to submit the CSV.
  • Using Kaltura API actions, you can develop a trigger-based process to update the MediaSpace users list in real time when changes occur in your organizational information system. You can call the user.add, user.delete, and user.update Kaltura API actions to add, delete, and update specific user records. You can call the metadata.add, metadata.delete, and metadata.update Kaltura API actions to add, delete, and update the user's MediaSpace role.

Deleted users are also removed from all channels in which they are members. Content ownership and analytics information of the deleted user are not deleted.

Since user records are shared by all Kaltura applications running on the same account, we recommend that you delete records only of users who left the organization. In other cases, we recommend revoking the user's access to MediaSpace by using the Kaltura API to remove only the user's MediaSpace role or by using the User Management panel of the Kaltura MediaSpace Administration Area to delete the user.
