Kaltura MediaSpace Authentication and Authorization Solutions – Overview


This article provides an introduction to generic solutions for authenticating and authorizing Kaltura MediaSpace users.

This document is intended for Kaltura partners, community members, and customers who wish to understand and deploy out-of-the-box authentication and authorization methods for MediaSpace.

To understand this document, you need to be familiar with authentication and authorization terminology.

Kaltura MediaSpace Authentication and Authorization Methods – Overview

Kaltura offers the following solutions for permitting user access to MediaSpace (authentication), and for enabling user actions within MediaSpace (authorization).

A user's application role determines the MediaSpace actions that the user is authorized to perform. To learn more, refer to Understanding Application Roles in the Kaltura MediaSpace Setup Guide.

Method: Single Sign-on (SSO) Gateway

Authentication: Enables end users to access both the customer site and MediaSpace when they log in. Uses existing customer user management systems and authentication methodologies (for example, LDAP, CAS, and local DB).

Authorization: The user’s application role is passed to MediaSpace as part of the customer-specific login and authentication implementation, which is set through the Kaltura SSO gateway interface.

Integration Scope:
- Select configuration settings in the MediaSpace Configuration Manager.
- Make minor modifications to the customer-side login code.

Advantages:
- Enables a single sign-on user experience.
- Utilizes existing customer systems.
- Integrates easily with MediaSpace.
- Allows the login page to appear in the customer site.
- Allows flexibility in the user information passed to MediaSpace.
- Avoids costly login customization.
- SSO Gateway authentication can be used with any generic authorization method.

Limitations:
- Requires minor login page coding.
- SSO Gateway authorization can be used only with SSO Gateway authentication.

Licensing: Free with user-based licensing. Professional Service support available for a fee.

Method: Kaltura Authentication/Authorization

Authentication: Enables end users to log into MediaSpace using credentials stored in Kaltura.

Authorization: The user’s application role is stored in Kaltura.

Integration Scope:
- Select configuration settings in the MediaSpace Configuration Manager.

Advantages:
- Built-in user management screen.
- Requires no integration effort and only minimal configuration.
- Kaltura authorization can be used with any generic authentication method.

Limitations:
- Requires a separate user management system. Organizations with an existing user management system are required to manage users in two places.
- Requires creating MediaSpace user accounts that include a MediaSpace Application Role.

Licensing: Free with user-based licensing. Ask your Kaltura Project Manager about costs for other licensing models.

Method: Generic Lightweight Directory Access Protocol (LDAP)

Authentication: Enables end users to log into the MediaSpace login screen using credentials from the organizational LDAP or Active Directory (AD) server.

Authorization: The user’s application role is based on membership in organizational groups, which are managed in the organization’s LDAP server.

Integration Scope:
- Select configuration settings in the MediaSpace Configuration Manager.

Advantages:
- Enables using organizational system credentials for MediaSpace login.
- Utilizes existing customer systems.
- Integrates easily with MediaSpace.
- Allows flexibility in the user information passed to MediaSpace.
- Avoids costly login customization.
- LDAP authentication and authorization methods work well together.
- LDAP authentication can be used with any generic authorization method except SSO Gateway authorization.
- LDAP authorization can be used with any generic authentication method.

Limitations:
- Does not enable a single sign-on user experience.
- Configuration settings depend on LDAP server capabilities. Before configuring authentication, determine your LDAP bind method (search before bind or direct bind). Before configuring authorization, determine your LDAP method for user group searches (get user from groups or get groups from user).

Licensing: Free with user-based licensing. Available for a fee for other licensing models. Designed to work “out of the box” with generic LDAP installs.

Method: Header Authentication

Authentication: Enables end users to log into MediaSpace seamlessly (SSO user experience) based on network/software components (for example, load balancer) that automatically add a custom HTTP header when the user opens MediaSpace in the browser.

Authorization: N/A (Authentication method only)

Integration Scope:
- Select configuration settings in the MediaSpace Configuration Manager.

Advantages:
- Enables a single sign-on user experience.
- Utilizes existing customer systems.
- Requires no integration effort and only minimal configuration.
- Header authentication can be used with generic LDAP and Kaltura authorization methods.

Limitations:
- Requires a separate authorization method.

Licensing: Free with user-based licensing.
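Header Authentication relies on the header being set only by the trusted component in front of MediaSpace. The sketch below is an added example, not Kaltura code, showing both sides of that trust: what the load balancer should forward and what the receiving application should accept. The header name `x-remote-user` and the proxy subnet are assumptions made for illustration.

```python
import ipaddress

# Assumptions for illustration (not from the page): header name and proxy subnet.
IDENTITY_HEADER = "x-remote-user"
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.0/28")]  # constructed LB range


def proxy_forward(client_headers, sso_user):
    """Load-balancer side: drop any client-supplied copy of the identity
    header, then add the value established by the organization's SSO."""
    out = [(n, v) for n, v in client_headers if n.lower() != IDENTITY_HEADER]
    if sso_user is not None:
        out.append((IDENTITY_HEADER, sso_user))
    return out


def authenticated_user(peer_ip, headers):
    """Application side: return the user ID carried in the identity header,
    or None when the header cannot be trusted.

    peer_ip is the address of the direct TCP peer; headers is a list of
    (name, value) tuples exactly as received.
    """
    values = [v.strip() for n, v in headers if n.lower() == IDENTITY_HEADER]
    if not values:
        return None
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None  # header arrived from something other than the proxy
    if len(values) != 1:
        return None  # duplicates mean the proxy did not strip inbound copies
    user = values[0]
    if not user or len(user) > 128 or any(c in user for c in "\r\n,"):
        return None  # empty, oversized, or multi-valued identity
    return user
```

The same effect is usually reinforced at the network layer by making MediaSpace reachable only through the component that sets the header.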

NOTE: To learn about common authentication and authorization scenarios and how to configure them, refer to Authenticating and Authorizing Users.
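The LDAP limitations above name two bind methods and two group-lookup methods. This added example (not Kaltura code) shows what each one sends to the directory and where the login name has to be escaped. The directory layout, the `uid` and `memberOf` attributes, and the `groupOfNames` object class are assumptions about a typical LDAP schema.

```python
def escape_filter(value):
    """RFC 4515: escape characters that have meaning inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def escape_dn_value(value):
    """RFC 4514: escape a value that is placed inside a distinguished name."""
    out = []
    for i, c in enumerate(value):
        edge_space = c == " " and i in (0, len(value) - 1)
        if c == "\x00":
            out.append("\\00")
        elif c in ',+"\\<>;=' or edge_space or (c == "#" and i == 0):
            out.append("\\" + c)
        else:
            out.append(c)
    return "".join(out)


# Constructed directory layout (assumption, not from the page).
USER_DN_TEMPLATE = "uid={user},ou=people,dc=example,dc=org"
PEOPLE_BASE = "ou=people,dc=example,dc=org"
GROUP_BASE = "ou=groups,dc=example,dc=org"


def direct_bind(username):
    """Direct bind: format the login name into a DN, bind with the user's password."""
    return {"bind_dn": USER_DN_TEMPLATE.format(user=escape_dn_value(username))}


def search_before_bind(username):
    """Search before bind: a service account looks up the entry, then the
    DN that was found is bound with the user's password."""
    return {"base": PEOPLE_BASE, "scope": "subtree",
            "filter": "(uid=%s)" % escape_filter(username)}


def groups_from_user(user_dn):
    """Get groups from user: read the membership attribute on the user entry."""
    return {"base": user_dn, "scope": "base",
            "filter": "(objectClass=*)", "attributes": ["memberOf"]}


def user_from_groups(user_dn):
    """Get user from groups: search group entries that list the user as a member."""
    return {"base": GROUP_BASE, "scope": "subtree",
            "filter": "(&(objectClass=groupOfNames)(member=%s))" % escape_filter(user_dn)}
```

Direct bind needs DN escaping and the two search-based paths need filter escaping; applying the wrong one leaves the login name able to change the query.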
