Enhanced Settings for Secure Embed in KMS/KAF

Embed Module Enhancements

Kaltura has enhanced the current Embed module beyond its current Secure Embed mode. You can now select to perform an extra server-side check before rendering the Kaltura Video Player. 

This feature provides KMS/KAF customers, specifically category/channel managers in KMS, an additional level of control, beyond the one provided by the current Secure Embed configuration.

When using the secureEmbed option, three layers of security for the content are created.

  1. Authentication
  2. Category-user entitlement
  3. Category-level check (new)

The new security option (category-level check) checks if the entry is allowed to be embedded when grabbed from the context of a specific category.

Example of Category-level Check

A manager of a private category in KMS allows grabbing of embeds off the category (entry page with a category context). A video embed from that private category has been placed on an internal CMS.

The video will play if accessed by a user who’s both authenticated via the customer’s SSO AND is a member of this category.

Next, the manager turns off the ability to grab an embed off  their category (for reasons such as copyright changes, now limiting who can consume this content outside of MediaSpace, completely unrelated to category/group membership).

The same user who was able to play the content via the secured embed on the internal CMS, will no longer be able to play the content, despite being both authenticated and authorized (user passed through ‘first two layers’ but failed on the 3rd).

A message specific to this use-case will be displayed to the user. The message is configured via a new back-office parameter in the Embed module called noCategoryPlayAccessHTML.

For the KMS Admin

If secureEmbed=yes then the following new fields are displayed:

categoryLevelEmbed - Allow KMS category/channel managers to prevent grabbing and playing embed content from a specific category. Depends on CategoryEmbed/ChannelEmbed modules.

requireCategoryContext - Set to Yes, in conjunction with categoryLevelEmbed=Yes, to make sure embeds are only grabbed from category/gallery contexts. Grabbing an embed from a regular (context-less) entry page (like from My Media) are not allowed.

Setting requireCategoryContext to Yes will cause secured embeds that lack a category context to stop authorizing playback.



The requireCategoryContext field should only be enabled for customers not already using the secureEmbed feature.  Otherwise, secured embeds already embedded will play content that was previously accessible.

The noCategoryEmbedAccessHTML field sets the text that is presented as follows:


The noCategoryAccessHTML field sets the text presented when the secure embed content is attempted to be played and does not play.

As with any other texts in MediaSpace, language can be altered locally via the <language> module


Related article - Enhanced settings for Channel and Category Embed



In This Article
Was this article helpful?
Thank you for your feedback!