Please see the Kaltura MediaSpace™ SAML Integration Guide for the setup configuration.
This module lets users authenticate to MediaSpace using the SAML 2.0 standard.
- In the SAML module configuration, select Yes to enable the SAML module.
- Enter values for the following:
Service provider (SP) settings:
Parameter | Description |
name | The entity ID of the service provider (MediaSpace) as it was configured in your Identity Provider. For example: https://partner_id.mediaspace.kaltura.com (this will be used as the SP entity ID). |
host | The host of the MediaSpace instance. For example: partner_id.mediaspace.kaltura.com. NOTE: The host may be configured with only a single URL per KMS instance. If you are using your own alias for MediaSpace (for example: video.company.com), use that alias. |
relayState | The relative URL to which the user is redirected after login when no relay state is passed as part of the authentication request. The default is "/". |
nameIdFormat | |
certificate (optional) | When encryption is required for the SAML response, enter the certificate information: paste the content of the crt file without the comment lines. See Generating a Certificate Workflow. NOTE: Paste the content without the two comment lines (-----BEGIN… and -----END…). All text must be on a single line with no spaces, so remove every line break from the generated file; the crt file as generated contains both the comment lines and the line breaks. The certificate value is used to encrypt the response provided by the IdP. |
privateKey (optional) | The SP private key in PEM format. The privateKey value is used to decrypt the response provided by the IdP. |
Identity provider (IdP) settings:
Parameter | Description |
host | The entity ID of the identity provider. For example: https://openidp.feide.no |
issuer | The entity ID of the identity provider. For example: https://openidp.feide.no |
name | Friendly display name for the Identity Provider. |
certFilePath | (Only for self-hosted MediaSpace) The absolute file system path of the crt file provided by the Identity Provider. |
certFileContent | The content of the certificate file provided by the Identity Provider; it is used to validate the signature of the response. |
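The certificate field above wants the body of the crt file as a single line with the BEGIN/END marker lines and all line breaks removed. The Python helper below is an added example, not part of the Kaltura guide or product: it performs that conversion and rejects a body that no longer decodes to a DER certificate, so a truncated paste is caught before it is saved. The PEM it builds for the demonstration is a constructed placeholder, not a real certificate.

```python
import base64
import re
import textwrap

# Matches the marker lines; "-+" also covers the four-dash "----BEGIN" form.
MARKER = re.compile(r"^-+(BEGIN|END) [A-Z ]+-+$")

def pem_to_single_line(pem_text):
    """Return the certificate body as the module expects it: one base64 line.

    Drops the BEGIN/END marker lines, removes every line break and space, then
    checks that the result still decodes and starts with the ASN.1 SEQUENCE tag
    (0x30) that every DER-encoded X.509 certificate begins with. A ValueError
    means the paste was truncated or mangled and must not be saved.
    """
    body_lines = [ln.strip() for ln in pem_text.splitlines()
                  if ln.strip() and not MARKER.match(ln.strip())]
    body = re.sub(r"\s+", "", "".join(body_lines))
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError(f"certificate body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with a DER SEQUENCE tag")
    return body

def is_valid_certificate_body(pem_text):
    """True when pem_to_single_line() accepts the text, False otherwise."""
    try:
        pem_to_single_line(pem_text)
        return True
    except ValueError:
        return False

def make_sample_pem(der):
    """Constructed sample: wrap DER bytes the way openssl writes a .crt file."""
    b64 = base64.b64encode(der).decode("ascii")
    wrapped = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"

# Placeholder DER blob (a SEQUENCE holding 256 zero bytes), not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_BODY = base64.b64encode(SAMPLE_DER).decode("ascii")

if __name__ == "__main__":
    print(pem_to_single_line(make_sample_pem(SAMPLE_DER)))
```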
Complete the following values in the attributes section:
Parameter | Description |
userIdAttribute | The SAML attribute containing the user ID. When blank, the NameID element is used. |
firstNameAttribute | The SAML attribute containing the first name. |
lastNameAttribute | The SAML attribute containing the last name. |
emailAttribute | The SAML attribute containing the email. |
logoutUrlAttribute | The SAML attribute containing the logout URL. When configured, and useInternalLogoutPage is set to No, the value passed in this attribute is used instead of the value set in logoutRedirectUrl. |
Complete the following values in the defaultRole section:
Parameter | Description |
defaultRole | The default role for authenticated SAML users. |
allowDefaultRole | Select Yes or No. |
role | Select the default role that should be assigned to each user that is authenticated. |
Complete the following values in the roleAttributes section:
Parameter | Description |
roleAttributes | Map attribute values to KMS roles. |
attribute | The SAML attribute name. |
value | The SAML attribute value. |
role | Mapped KMS role. |
If more than one attribute value matches (the user belongs to multiple groups), the user is mapped to the role defined in the last matching roleAttributes entry.
Complete the following values in the roleAttributesCsv section:
Parameter | Description |
roleAttributesCsv | Map attribute values to KMS roles. Each CSV row must contain 3 values: attributeName,attributeValue,mediaSpaceRole. Rows with an invalid MediaSpace role will not be saved. |
Load new CSV | Click to upload a CSV with role attributes. |
storageDataEntryId | Data entry ID that stores the parsed CSV data. |
The blockAuthorizationAttributes section (optional) maps individual groups and values that, when returned in the SAML response, cause an authenticated user to be denied access to MediaSpace. Complete the following values in the blockAuthorizationAttributes section (optional):
Parameter | Description |
blockAuthorizationAttributes | Mapping of attributes and values that blocks authorization. |
attribute | The SAML attribute name. |
value | The SAML attribute value. |
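The role-mapping rules from the roleAttributes, roleAttributesCsv and blockAuthorizationAttributes sections above (the last matching role wins, CSV rows with an invalid role are dropped, one blocking match denies access, and userIdAttribute falls back to NameID), worked through as an added Python example that is not Kaltura's code. The configuration dict layout, the VALID_ROLES set and the sample SAML attributes are constructed for the example, and treating "no matching role and no default role" as denial is an assumption the guide does not state.

```python
import csv
import io

# Assumed set of valid MediaSpace roles for this example (constructed list).
VALID_ROLES = {"viewerRole", "privateOnlyRole", "adminRole", "unmoderatedAdminRole"}

def parse_role_csv(csv_text, valid_roles=VALID_ROLES):
    """roleAttributesCsv rows are attributeName,attributeValue,mediaSpaceRole;
    rows with the wrong field count or an unknown role are dropped (not saved)."""
    rows = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 3:
            continue
        attr, value, role = (field.strip() for field in row)
        if role in valid_roles:
            rows.append((attr, value, role))
    return rows

def authorize(name_id, attributes, cfg):
    """Return (status, user_id, role) for one SAML response.
    attributes maps attribute name -> list of values; cfg is a dict keyed by
    the setting names in the guide (hypothetical layout)."""
    uid_attr = cfg.get("userIdAttribute")
    # userIdAttribute blank -> the NameID element is used
    user_id = (attributes.get(uid_attr) or [None])[0] if uid_attr else name_id
    # blockAuthorizationAttributes: one match is enough to deny the user
    for attr, value in cfg.get("blockAuthorizationAttributes", []):
        if value in attributes.get(attr, []):
            return ("unauthorized", user_id, None)
    # roleAttributes: when several rows match, the last row defined wins
    role = None
    for attr, value, mapped_role in cfg.get("roleAttributes", []):
        if value in attributes.get(attr, []):
            role = mapped_role
    if role is None and cfg.get("allowDefaultRole"):
        role = cfg.get("defaultRole")
    if role is None:
        # Assumption: no matching row and no default role means no access.
        return ("unauthorized", user_id, None)
    return ("authorized", user_id, role)

# Constructed sample configuration; the CSV rows feed roleAttributes.
SAMPLE_CSV = "memberOf,students,viewerRole\nmemberOf,staff,adminRole\nmemberOf,guests,notARole\n"
SAMPLE_CFG = {
    "userIdAttribute": "uid", "defaultRole": "viewerRole", "allowDefaultRole": True,
    "roleAttributes": parse_role_csv(SAMPLE_CSV),
    "blockAuthorizationAttributes": [("memberOf", "alumni")],
}
```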
The unauthorizedBehavior section is applicable only if blockAuthorizationAttributes is used. If useInternalUnauthorizedPage is in use (set to 'Yes'), you can optionally set the text presented to the unauthorized user. If useInternalUnauthorizedPage is not used, you can specify the URL to which the user is redirected. Complete the following values in the unauthorizedBehavior section (optional):
Parameter | Description |
unauthorizedBehavior | Mapping of attributes and values that blocks authorization |
useInternalUnauthorizedPage | Default is 'Yes'. If set to 'No' unauthorizedRedirectUrl will be used. |
unauthorizedRedirectUrl | (Optional) The URL to which authenticated but unauthorized users are redirected. Use it only when the customer wants such users redirected to their own self-hosted page. |
unauthorizedText | (Optional) Text to be shown in the internal unauthorized page, leave empty to use the default text. |
From the MediaSpace Configuration Management, go to the Auth module.
For SP Initiated configuration enter:
- Saml_Model_SpInitiated in the authNAdapter text box and click Add custom value
- Saml_Model_SpInitiated in the authZAdapter text box and click Add custom value
For IdP Initiated configuration enter:
- Saml_Model_IdpInitiated in the authNAdapter text box and click Add custom value
- Saml_Model_IdpInitiated in the authZAdapter text box and click Add custom value