Kaltura SAML group sync administrator's guide

Last Modified on 07/24/2025 7:11 pm IDT


About

Kaltura Samlgroupsync is managed by KMS system administrators in the Admin area accessed from https://<Base_URL>/admin (e.g. https://videos.mediaspace.kaltura.com/admin). The Samlgroupsync module in KMS allows an admin to configure an automated assignment of a user to groups upon login.

Before you start

The SAML module should be enabled and configured prior to setting up the Samlgroupsync module. 

Recommendation: When expecting a large number of groups per user (in the hundreds), a first login for a user will be longer due to the synchronization of large number of groups. To speed up the first login time we recommend a pre-launch groups creation using the a-sync group creation. See the What are user groups in Kaltura? guide for information. 

Configure the Kaltura Samlgroupsync

  1. Login to your video portal's Configuration Management console.
  2. Scroll down and select the Samlgroupsync module in the modules section.
    The SAMLgroupsync Administration page is displayed.
  3. In the enabled field, select 'Yes' and click Save to enable the Samlgroupsync module.
    You must click on 'Save' after enabling the module to have the attributes available.
  4. Select or enter values for the relevant fields. This module ensures that SAML attributes containing multi-valued attributes use each value when syncing the groups to Kaltura.
  5. Repeat to Add Value Mapping or Add Attributes. Delete as necessary for your configurations.
  6. Click Save.

Field

Description

Enabled

Enable the Samlgroupsync module.

Attributes

Attribute

The SAML attribute name

valueMappingType

Select the method in which KMS will handle the SAML groups’ names & IDs.  You can choose to use the values of the attribute to become the name & ID of a group or can map a new group name & ID to each value.

The following options are available:

  • Create group name with attribute set. 

  • Use attribute's value as group ID & name 

  • Map attribute's value to a group ID & name

Depending on which option you choose, enter the Value of the SAML attribute or the Value of the SAML attribute and the SAML group ID & name.

removeFromGroups

Select ‘Yes’ to allow the removal of users from groups previously synced with this module.

createNewGroups

Select ‘Yes’ to create new groups automatically. If ‘No’ is selected, manual creation of groups is needed for users to be added.

Valid

Module is configured well and ready to use.

Additional information

  • Remove from groups  Allows admins to remove users from groups previously synced with this module.  If the Group is removed or the group ID & name is changed, and the removeFromGroups field is set to Yes, the group ID & name change or removal will be implemented on the next login. If the removeFromGroups field is set to No, and you save, the user will not be removed from groups, only added on the next KMS login.
  • Create New Groups – Allows admins to create new groups automatically from the existing SAML groups.  If ‘No’ is selected, you will need to manually create groups to add users.  
  • Valid – The Valid field is used to verify the values entered. If the values are valid the field is displayed as Yes. For invalid values, the field is displayed as No with a relevant error message
  • User will have to login to KMS/KAF for the changes to take effect.
  • Group IDs should be constructed of English alphabet and numbers only. It cannot contain spaces.

Create a group name with attribute set

An administrator may  configure group naming based on more than one SAML attribute.

For example, users logging in with SAML attributes school, location, job title can be mapped to a group “{school} - {location} - {job title}".

The configuration for using a set of attributes as the group ID & Name is as follows:

  • Curly brackets {} should be used to denote a SAML attribute value placeholder in the group ID and name.

    • For example, the string {department} - {location} uses the values of the attributes department and location in the group ID and name.

  • Characters that are not allowed in the group ID will be replaced.

    • For example, if the mapping string is {department} - {location} and the values are department=HR and location=New York, the group ID will be HR_-_New_York.

The configuration allows specifying a default value for a mapping string, that will be used if an attribute is missing or empty. The default value will apply to any missing attribute. In the last example provided here, if the value of department is missing and the default value is “All”, the group ID will be All_-_New_York. The default value is optional.


Was this article helpful?
Thank you for your feedback!
User Icon

Thank you! Your comment has been submitted.

In this article
Related articles
Back to top

Never miss a thing!

Subscribe to our customer newsletter and our release notes updates, so you always get the best out of Kaltura.
Newsletter