This guide is intended for KMS administrators.
Activating the Kaltura Samlgroupsync Feature in Kaltura MediaSpace (KMS)
Kaltura Samlgroupsync is managed by KMS system administrators in the Admin area accessed from https://<Base_URL>/admin (e.g. https://videos.mediaspace.kaltura.com/admin). The Samlgroupsync module in KMS allows an admin to configure an automated assignment of a user to groups upon login.
Prerequisites
- The SAML module should be enabled and configured prior to setting up the Samlgroupsync module.
Recommendation: When expecting a large number of groups per user (in the hundreds), a first login for a user will be longer due to the synchronization of large number of groups. To speed up the first login time we recommend a pre-launch groups creation using the a-sync group creation. See the How to Create and Manage Groups Using a CSV File guide for information.
Configure the Kaltura Samlgroupsync in KMS
To enable the Samlgroupsync module in KMS
- Login to KMS and go to the Kaltura Configuration Management window.
- Scroll down and select the Samlgroupsync module in the Modules section.
The SAMLgroupsync Administration page is displayed. - In the Enabled field, select Yes and click Save to enable the Samlgroupsync module.
You must click on 'Save' after enabling the module, to have the attributes available. - Select or enter values for the relevant fields. This module ensures that SAML attributes containing multi-valued attributes use each value when syncing the groups to Kaltura.
- Repeat to Add Value Mapping or Add Attributes. Delete as necessary for your configurations.
- Click Save.
Field | Description |
Enabled | Enable the Samlgroupsync module. |
Attributes | |
Attribute | The SAML attribute name |
valueMappingType | Select the method in which KMS will handle the SAML groups’ names & IDs. You can choose to use the values of the attribute to become the name & ID of a group or can map a new group name & ID to each value. The following options are available:
Depending on which option you choose, enter the Value of the SAML attribute or the Value of the SAML attribute and the SAML group ID & name. |
removeFromGroups | Select ‘Yes’ to allow the removal of users from groups previously synced with this module. |
createNewGroups | Select ‘Yes’ to create new groups automatically. If ‘No’ is selected, manual creation of groups is needed for users to be added. |
Valid | Module is configured well and ready to use. |
Additional Information
- Remove from groups – Allows admins to remove users from groups previously synced with this module. If the Group is removed or the group ID & name is changed, and the removeFromGroups field is set to Yes, the group ID & name change or removal will be implemented on the next login. If the removeFromGroups field is set to No, and you save, the user will not be removed from groups, only added on the next KMS login.
- Create New Groups – Allows admins to create new groups automatically from the existing SAML groups. If ‘No’ is selected, you will need to manually create groups to add users.
- Valid – The Valid field is used to verify the values entered. If the values are valid the field is displayed as Yes. For invalid values, the field is displayed as No with a relevant error message.
- User will have to login to KMS/KAF for the changes to take effect.
- Group IDs should be constructed of English alphabet and numbers only. It cannot contain spaces.
Create a Group Name with Attribute Set
An administrator may configure group naming based on more than one SAML attribute.
For example, users logging in with SAML attributes school, location, job title can be mapped to a group “{school} - {location} - {job title}".
The configuration for using a set of attributes as the group ID & Name is as follows:
Curly brackets {} should be used to denote a SAML attribute value placeholder in the group ID and name.
For example, the string
{department} - {location}uses the values of the attributesdepartmentandlocationin the group ID and name.
Characters that are not allowed in the group ID will be replaced.
For example, if the mapping string is
{department} - {location}and the values aredepartment=HRandlocation=New York, the group ID will beHR_-_New_York.
The configuration allows specifying a default value for a mapping string, that will be used if an attribute is missing or empty. The default value will apply to any missing attribute. In the last example provided here, if the value of department is missing and the default value is “All”, the group ID will be All_-_New_York. The default value is optional.
