Configuring UMHS AD Groups to Work With MiVideo Mediaspace

Environment

MiVideo Mediaspace (KMS) on the med.umich.edu domain

Issue

How can Mediaspace admins create and configure additional Michigan Medicine (UMHS) Active Directory (AD) groups as needed to make it easier to manage users?

Resolution

Background

You will need the following to begin:

  • Shibboleth (level 1 or level 2) and AD configuration has been set up in your Mediaspace site and tested by the ITS-MiVideo support team. This is NOT the default setup for most UMHS Mediaspaces. If your site is not configured for Active Directory groups and you would like to use these groups, contact ITS-MiVideo.
  • You know your AD virtual group attribute. If you don't know your attribute, contact ITS-MiVideo.
  • You are familiar with Active Directory groups.
  • You are a KMC admin and are familiar with the KMS admin for your Mediaspace at yoursite/admin.

Active Directory Virtual Group Attribute

This is a special virtual group that acts as the connection between Shibboleth and your Mediaspace site. Your site’s AD groups must be added as members of this virtual group (steps below). 


Using AD Groups for User Management 

Understanding Mediaspace Roles

A Mediaspace site role is assigned to a user at login. When using Shibboleth authentication with AD groups, the site role assignment is automated. A user must be a member of only ONE associated AD group.

  • The typical configuration assigns the viewerOnly role to logged in users who are not members of a designated AD group.
  • In most cases the only roles mapped to AD groups are unmoderatedAdminRole and privateOnlyRole, but in some cases multiple groups may be assigned to the same role.
  • When the defaultRole is disabled (No) in the SAML module, only members of the configured AD groups will have access to the site.
  • The ITS-MiVideo support team has likely already added you to an AD group mapped to the unmoderatedAdminRole.

In most cases you will add users to an AD group mapped to either the unmoderatedAdminRole or privateOnlyRole, but here are all the Mediaspace roles and their capabilities:

  • anonymousRole
    • The non-logged-in user; can view public content but cannot interact with the site (upload, comment, create playlists, etc.)
  • viewerRole
    • Can browse public galleries
    • Is not authorized to upload/create/publish content
    • Does not have a My Media library
    • Can be a channel member, but cannot contribute content to channels
  • privateOnlyRole
    • Can upload content (My Media)
    • Cannot publish to galleries
    • Can add/publish media to channels if given appropriate channel permissions (contributor or manager)
  • adminRole
    • Can upload content (My Media)
    • Can publish their own content to gallery categories
    • Can add/publish media to channels if given appropriate channel permissions (contributor or manager)
  • unmoderatedAdminRole
    • Same as adminRole, plus bypasses content moderation settings (when moderation is enabled)

Naming Convention

  • The group name should follow a naming convention similar to mivideo-{Mediaspace identifier}-{Mediaspace Role}. However, it is also fine to use other established AD groups.
    • For example, a Test Mediaspace could have the following groups:
      • mivideo-test-unmoderatedadmins
      • mivideo-test-privateonly

Tip: You can create multiple AD groups all mapped to the same Mediaspace role, but each user should be a member of only one of them. Some admins may find this a useful way to manage large numbers of AD users.

Create a Group

  1. Place a request to HITS to create a new AD group. You will automatically become the owner of the group but can add additional owners as needed when placing the request.
  2. Make note of your new group name.
  3. Once your request is processed you can access the group and add additional members.

Associate AD Group to Virtual Group

An AD virtual group attribute was already created when ITS-MiVideo configured Shibboleth for login on your site. If you don't know your site's virtual group, contact ITS-MiVideo.

  4. Place a request to HITS to associate your new AD group (from the step above) to your site's virtual group attribute. Be clear that this group should be added as an additional group and does not replace any groups already associated with the virtual group.

Adding AD Groups to Mediaspace SAML Module

Once you have received confirmation that your new group has been added to your site's virtual group attribute you can add the group to the Mediaspace.

  5. Log in to your KMS admin and click the SAML module.
  6. Scroll down to the roleAttributes section. You will see the unmoderatedAdminRole config that was created by ITS-MiVideo.
  7. Click + Add “roleAttributes” at the bottom right of this section.
  8. Add the new group name into the value field.
  9. Copy/paste the attribute text from the unmoderatedAdminRole entry. It will look something like this, except it will include your site's virtual group attribute instead of "MediaspaceVAttr":

/VirtualAttribute[@ldap:targetAttribute="MediaspaceVAttr"]
Tip: This value is the same for all groups you add. It is the Shibboleth field that holds each user’s AD group information.

  10. Choose the appropriate role from the drop-down list (probably privateOnlyRole).
  11. Repeat steps 7-10 for each AD group you want to associate with a Mediaspace site role.
  12. Click Save at the bottom of the page.
  13. Make sure the unmoderatedAdminRole group is the last entry in the list. This probably means adding one more entry, copying the unmoderatedAdminRole settings from the existing entry further up the list into it, and then deleting the entry that is higher up in the list.
  14. Test the configuration:
    1. Have a group member log in to the front end.
    2. In the KMS admin, click the Manage Users button at the top, find the group member in the list, and verify they received the proper site role.
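The ordering rule in the steps above (the unmoderatedAdminRole entry must be last) and the rule that a user belongs to exactly one mapped group are easy to get wrong in a long roleAttributes list. The following Python model is an added example written for this article, not Kaltura's code: it resolves a site role from a user's released attribute values and lints a roleAttributes list before you click Save. It assumes that entries are evaluated in list order with the last matching entry taking precedence (the reading under which "keep unmoderatedAdminRole last" matters), that Shibboleth releases one attribute value per AD group, and it uses the placeholder "MediaspaceVAttr" plus the test group names from the naming convention section.

```python
"""Dry-run model of MediaSpace SAML role assignment.

Added example for this article, not Kaltura's code. Assumptions:
  * roleAttributes entries are evaluated in list order and the LAST matching
    entry wins (the reading that makes "keep unmoderatedAdminRole last" matter).
  * Shibboleth releases one attribute value per AD group the user belongs to.
  * "MediaspaceVAttr" stands in for the site's real virtual group attribute.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VIRTUAL_ATTR = '/VirtualAttribute[@ldap:targetAttribute="MediaspaceVAttr"]'


@dataclass(frozen=True)
class RoleAttribute:
    attribute: str  # Shibboleth attribute path; identical for every entry
    value: str      # AD group name
    role: str       # MediaSpace site role assigned on match


# Constructed config following the article's naming convention.
ROLE_ATTRIBUTES: List[RoleAttribute] = [
    RoleAttribute(VIRTUAL_ATTR, "mivideo-test-privateonly", "privateOnlyRole"),
    RoleAttribute(VIRTUAL_ATTR, "mivideo-test-unmoderatedadmins", "unmoderatedAdminRole"),
]


def resolve_site_role(
    user_attrs: Dict[str, List[str]],
    role_attributes: List[RoleAttribute],
    default_role: Optional[str],
) -> Tuple[Optional[str], List[str]]:
    """Return (role, warnings); role is None when the login should be refused.

    user_attrs maps attribute path -> values released by Shibboleth.
    default_role=None models defaultRole disabled ("No") in the SAML module.
    """
    warnings: List[str] = []
    matched = [ra for ra in role_attributes
               if ra.value in user_attrs.get(ra.attribute, [])]
    if len({ra.value for ra in matched}) > 1:
        warnings.append("user is in more than one mapped AD group; "
                        "the article requires membership in exactly one")
    if matched:
        return matched[-1].role, warnings  # last match wins (assumption)
    if default_role is None:
        warnings.append("no mapped group and defaultRole disabled: access denied")
        return None, warnings
    return default_role, warnings


def lint_role_attributes(role_attributes: List[RoleAttribute]) -> List[str]:
    """Checks an admin would want before clicking Save in the SAML module."""
    problems: List[str] = []
    if len({ra.attribute for ra in role_attributes}) > 1:
        problems.append("attribute text differs between entries; it must be identical")
    for ra in role_attributes:
        if ra.value != ra.value.strip():
            problems.append(f"group value {ra.value!r} has surrounding whitespace")
    if role_attributes and role_attributes[-1].role != "unmoderatedAdminRole":
        problems.append("the unmoderatedAdminRole entry is not last in the list")
    return problems


if __name__ == "__main__":
    for groups in ([], ["mivideo-test-privateonly"],
                   ["mivideo-test-privateonly", "mivideo-test-unmoderatedadmins"]):
        print(groups, "->", resolve_site_role({VIRTUAL_ATTR: groups}, ROLE_ATTRIBUTES, "viewerRole"))
    print("lint:", lint_role_attributes(ROLE_ATTRIBUTES))
```

Running it with a user who is in both test groups returns unmoderatedAdminRole together with a warning, which is the situation the "only ONE group" rule is meant to prevent; running it with defaultRole disabled and no mapped group returns no role, matching the statement that only members of configured AD groups then have access.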

Using AD Groups for Channel Membership

AD Channel Integration Requirements

  • Shibboleth (level 1 or level 2) and AD configuration has been set up in your Mediaspace site and tested by the ITS-MiVideo support team. This is NOT the default setup for most UMHS Mediaspaces. If your site is not configured for Active Directory groups and you would like to use these groups, contact ITS-MiVideo.
  • Restricted or private Mediaspace channels work best with this integration.

Considerations

  • A user’s site role in Mediaspace is configured in the SAML module. In this example, the site has a default role of viewerRole and one AD admin role configured. If the authenticated user is not in the AD group, they will get the viewerRole.

Example showing defaultRole and roleAttribute fields

  • viewerRole users cannot contribute to Mediaspace at all. Giving them a channel entitlement (permission) of anything other than member does not override their Mediaspace site role, so they will still not be able to contribute.
  • (Optional) If needed, you can also use the AD group in the SAML module to set the user’s site role to something other than the site’s default.

KMS Groups

KMS groups are internal to your Mediaspace and managed by Kaltura. Once AD groups are mapped to KMS groups, KMS groups can be used as a channel entitlement role for individual channels. All members of the group are given that entitlement role. For example, if a KMS group is added as a channel manager, all members of the group will have the ability to edit the channel and create channel playlists.

Users should be added/removed from AD groups only. There is no need to manually update users in KMS groups. The next time a new or former member of the AD groups logs into the site, Kaltura will automatically add/remove the user from the mapped KMS group.

Enabling the SamlGroupSync Module

  1. In the KMS admin, enable the SamlGroupSync module.
  2. Click the + Add "attributes" button.
  3. Copy/paste this line into the attribute box, taking care not to add any spaces, and replacing "MediaspaceVAttr" with your site's virtual attribute. You can also copy the attribute value from the roleAttributes section in the SAML module.

/VirtualAttribute[@ldap:targetAttribute="MediaspaceVAttr"]

  4. Set the valueMappingType to Map attribute’s value to a group.
  5. Save the changes (you will come back to this in a minute). Verify you got the Cache Cleared message.

Setting up a Channel Group

  6. If your group already exists in Active Directory, contact HITS to add it as a member of the site's virtual group attribute (see the Associate AD Group to Virtual Group section, step 4 above).
  7. If your group doesn’t exist yet, create one for the channel members and add the group as a member of the site's virtual group attribute (see the Create a Group section, steps 1-3, and the Associate AD Group to Virtual Group section, step 4 above). It is recommended to give the group a meaningful name that includes the following prefix text to make it easy to find in Active Directory: mivideo-{Mediaspace identifier}
  8. Make sure you add a test user or yourself to the group as a member so the configuration will process when you next log in to the Mediaspace. If you cannot add a user to the group, someone who is a member of the group will need to log in after configuration to trigger the creation. Using your own login may not give the best results for testing, as your channel owner role will supersede your AD group membership entitlement, but it should still work for triggering the group creation by the Mediaspace.

Example group name: mivideo-test-channel-members

  9. Go to the SamlGroupSync module and click the + Add "valueMapping" button.
  10. Add the AD group name in the value box.
  11. Create a new KMS group name in the group box, being certain not to use any spaces or special characters.
  12. Repeat steps 9-11 for each AD group you want to associate with a KMS group.
  13. Save.

  14. Trigger group creation in Mediaspace:
    • If you are logged in to the front end of Mediaspace, either log out or open an incognito window.
    • Log in, or have another group member log in. You/they should see a message about the database refreshing. This creates the KMS group and adds the user to the group.
    • If it’s not practical or convenient to have a group member log in to trigger automatic group creation, you can manually create the KMS group in the Mediaspace admin.
  15. Now that the KMS group exists in the Mediaspace, edit the channel and add the new KMS group with the desired membership role.

KMS Group Creation

KMS groups can be created automatically when the first user with the configured attribute in their Shibboleth profile logs in, or you can create the group manually in the Mediaspace admin. 

Automatic KMS Group Creation

Automatic group creation occurs in the Mediaspace when the first user with the configured Shibboleth attribute in their profile logs into the site. 

  1. If necessary, use an incognito window to login to the Mediaspace as the user who is a group member.
  2. You should get the “reaching out to database” message. 
  3. After a successful login, validate by visiting Manage Groups in the Mediaspace admin and adding the new group to a channel with the desired membership role.

Manual Group Creation

If it’s not practical or convenient to have a group member log in to trigger automatic group creation, you can manually create the KMS group in Mediaspace admin.

Note: When setting up the valueMappings in the SamlGroupSync module, take care to use exactly the Group ID value in the group box, NOT the group name.

  1. In the admin, go to Manage Groups > Add New Group button.
  2. Enter a friendly Group Name. Kaltura will generate a suggested Group ID. To accept this value, just tab through the field; otherwise you can create your own. Remember: no special characters or spaces.
  3. There’s no need to add members. The SamlGroupSync module will take care of that for you when users log in. 
  4. Click Add to save your changes.
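The valueMapping steps in the Setting up a Channel Group section and the Group ID note above both come down to two things an admin can check before saving: that each mapping pairs a clean AD group name with a valid Group ID, and what membership changes a login will trigger. The following Python model is an added example written for this article, not Kaltura's code. It assumes each valueMapping pairs one AD group name with one KMS Group ID, that a login adds the user to mapped groups whose AD group appears in their attribute and removes them from mapped groups whose AD group does not (leaving unmapped, manually managed groups alone), and it reads "no spaces or special characters" as letters, digits, hyphen and underscore; "MediaspaceVAttr" is again a placeholder for the site's real attribute.

```python
"""Model of SamlGroupSync valueMapping behaviour at login.

Added example for this article, not Kaltura's code. Assumptions:
  * each valueMapping pairs one AD group name (value) with one KMS Group ID;
  * on login the user is added to the KMS groups whose mapped AD group appears
    in their attribute and removed from mapped KMS groups whose AD group does
    not; groups without a mapping (e.g. manually managed ones) are left alone;
  * "no spaces or special characters" is read as letters, digits, '-' and '_'.
"""
import re
from typing import Dict, List, Set, Tuple

VIRTUAL_ATTR = '/VirtualAttribute[@ldap:targetAttribute="MediaspaceVAttr"]'
GROUP_ID_RE = re.compile(r"[A-Za-z0-9_-]+")  # assumed allowed Group ID alphabet

# Constructed mapping: AD group name -> KMS Group ID (same string is simplest).
VALUE_MAPPINGS: List[Tuple[str, str]] = [
    ("mivideo-test-channel-members", "mivideo-test-channel-members"),
]


def validate_group_id(group_id: str) -> bool:
    """True when the KMS Group ID has no spaces or special characters."""
    return GROUP_ID_RE.fullmatch(group_id) is not None


def validate_value_mappings(value_mappings: List[Tuple[str, str]]) -> List[str]:
    """Problems to fix before saving the SamlGroupSync module."""
    problems: List[str] = []
    seen: Dict[str, str] = {}
    for value, group_id in value_mappings:
        if not value or value != value.strip():
            problems.append(f"AD group value {value!r} is empty or has surrounding spaces")
        if not validate_group_id(group_id):
            problems.append(f"KMS Group ID {group_id!r} has spaces or special characters")
        if value in seen and seen[value] != group_id:
            problems.append(f"AD group {value!r} is mapped to two different KMS groups")
        seen[value] = group_id
    return problems


def sync_on_login(
    user_attrs: Dict[str, List[str]],
    value_mappings: List[Tuple[str, str]],
    current_kms_groups: Set[str],
) -> Tuple[Set[str], Set[str]]:
    """Return (add, remove): KMS Group IDs to add the user to / remove them from."""
    released = set(user_attrs.get(VIRTUAL_ATTR, []))
    managed = {gid for _, gid in value_mappings}
    wanted = {gid for value, gid in value_mappings if value in released}
    add = wanted - current_kms_groups
    remove = (current_kms_groups & managed) - wanted  # never touch unmapped groups
    return add, remove


if __name__ == "__main__":
    print("config problems:", validate_value_mappings(VALUE_MAPPINGS))
    # New member logs in: gets added to the channel group.
    print(sync_on_login({VIRTUAL_ATTR: ["mivideo-test-channel-members"]}, VALUE_MAPPINGS, set()))
    # Former member logs in: removed from the synced group, manual group untouched.
    print(sync_on_login({VIRTUAL_ATTR: []}, VALUE_MAPPINGS,
                        {"mivideo-test-channel-members", "manually-created-group"}))
```

The second sync call shows why the article says to manage membership in AD only: a user removed from the AD group loses the mapped KMS group on their next login without anyone editing KMS groups by hand, while a group that has no valueMapping is never modified by the sync.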

Additional Information

For additional questions, please contact the ITS Service Center.

Details

Article ID: 10252
Created: Mon 6/5/23 3:24 PM
Modified: Fri 9/22/23 1:05 PM