Authbroker Module

About

AuthBroker is a "gateway" that sits on the partner (account) level and manages authentication to Kaltura via external Identity providers (IdP). AuthBroker works with the Security Assertion Markup Language (SAML) and Open Authorization (OAuth 2.0) protocols. AuthBroker users are "shared users" (users who are shared between applications / instances in the partner).

AuthBroker works with a higher version of SAML and you no longer need to set up a new profile for each new account. You can set up profile(s) just once and easily use them in multiple applications/instances.

Prerequisite

Before connecting the KMC and Event accounts to AuthBroker, you must have created a SAML profile using the steps in Create and Manage SAML Profiles.  

Configure

This module lets you enable new authentication methods by registering with the available Auth profiles on your account. Once subscribed, ensure to set up the Auth method in the Auth module. Remember to set a main alias and register your application in the Application module first.

Go to your Configuration Management console, and navigate to the Authbroker module. Your link should look like this: https://{your_KMS_URL}/admin/config/tab/authbroker. 

The Authbroker window displays.

Enable the module

enabled - Set to 'Yes' to enable the module. When enabled, admins can activate new authentication methods by registering with the available Auth profiles on the account.

Link to page

1. Click Subscription page. (Please note that you must enable the module first in order to access the Subscription page.)
   The authentication profile subscription window displays. Here you can view all the authentication profiles that were created on your account in KMC.

If there are no profiles on the subscription page, you can learn how to create them in our article Create and manage SAML profiles.

2. To subscribe, just click the toggle on.
   When toggled on, your Kaltura Video Portal (aka MediaSpace) can now use that authentication profile. If a few profiles were created, you have the option to subscribe to as many as you want.

Once you have subscribed to a profile, you can configure the settings for it, as follows:

defaultRole - Choose a default role from the drop-down menu for all users authenticating via the authentication profile(s) selected in the subscription page:

• viewerRole
• privateOnlyRole
• adminRole
• unmoderatedAdmin

rolesMapping

Role mapping lets you assign specific application roles to users based on their profile information, rather than only relying on a default role. With role mapping, you can link users to designated roles by setting values in their profiles. When users log in, the system checks for these values and assigns the appropriate role. If no specific value is found, it falls back to the default role.

1. Click +Add "rolesMapping".
   The rolesMapping section displays.
   
2. fieldLocation - Select where the IDP attribute is stored on the Kaltura partner level - within the User object or User profile. (An IDP attribute refers to specific information or data associated with a user's identity within an Identity Provider system. This attribute could include details such as the user's first name, last name, email address, country, or any other information relevant to their identity and access privileges.)
3. fieldName - Enter the name of the field you want to use for mapping the respective object, for example, 'country'.
4. fieldValue - Enter the value that should map to an application role, for example, 'US'.
5. applicationRole - Choose a role from the drop-down menu that will be assigned if there’s a match for the value in the field.
   • viewerRole
   • privateOnlyRole
   • adminRole
   • unmoderatedAdmin

defaultGroups

Set default groups for all users authenticated via the Auth profiles selected in this module.

1. Click +Add "defaultGroups".
   
2. Type in a label, for example, 'AB_users', so that everyone who logs in will be added to this group ID.

useInternalLogoutPage - Select 'Yes' or 'No' to use Kaltura's internal logout page instead of redirecting the user to the IDP once logout from the video portal has finished.

If you select 'No', a window will appear prompting you to enter the URL where the user should be redirected after logging out, for example, 'video.kaltura.com/logout'.

Finally, click Save to save your configuration settings.

Quick start instructions for using Authbroker login

Pre-start

1. Create a SAML profile in the KMC.
2. Navigate to the Application module (https://{your_KMS_URL}/admin/config/tab/application). Enter a virtual event Id and subscribe to the applicationRegistry. 

Step 1: Authbroker module 

1. Navigate to the Authbroker module (https://{your_KMS_URL}/admin/config/tab/authbroker).
2. Click Subscription page. (Please note that you must enable the module first in order to access the Subscription page.)
   The Authentication profile subscription page displays.
3. Next to the desired profile, click the toggle on.
   
   
4. Click Save.

Step 2: Auth module

1. Navigate to the Auth module (https://{your_KMS_URL}/admin/config/tab/auth).
2. authNAdapter - set to Kaltura Auth Broker - {name of your application}
   
3. authZAdapter - set to Kaltura Auth Broker
   
4. Click Save.

To learn more about the Auth module and its capabilities, check out our article Auth Module.