Configuring MCommunity Groups to Work With MiVideo Mediaspace

Environment

MiVideo Mediaspace (KMS)

Issue

How can Mediaspace admins create and configure additional MCommunity groups as needed to make it easier to manage users?

Resolution

Background

You will need the following to begin:

  • Shibboleth and MCommunity configuration has been set up in your Mediaspace site and tested by the ITS-MiVideo support team
  • You have been added as an owner of the “MiVideo SupportGroupsMaster” account for your Mediaspace by ITS MiVideo (in MCommunity click My Groups and look for your MiVideo group in the list)
  • You are familiar with MCommunity
  • You are a KMC admin and are familiar with the KMS admin for your Mediaspace at yoursite/admin

MiVideo Support Groups Master

This is a special MCommunity group that acts as the connection between Shibboleth (U-M Level 1 authentication) and your Mediaspace site. Your site’s MCommunity accounts must be added as members of this account (steps below). NEVER DELETE THIS ACCOUNT.

Creating MCommunity Group(s) for User Management 

Understanding Mediaspace Roles

A Mediaspace site role is assigned to a user at login. When using Shibboleth authentication with MCommunity groups, the site role assignment is automated. A user must only be a member in ONE associated MCommunity group.

  • The typical configuration assigns the viewerOnly role to logged in users who are not members of a designated MCommunity group
  • In most cases the only roles mapped to MCommunity groups are unmoderatedAdminRole and privateOnlyRole, but in some cases may have multiple groups assigned to the same role. 
  • When the defaultRole is disabled (No) in the SAML module, only members of the configured MCommunity groups will have access to the site.
  • The ITS-MiVideo support team has likely already added you to an MCommunity group mapped to the unmoderatedAdminRole.

In most cases you will add users to an MCommunity group mapped to either the unmoderatedAdminRole or privateOnlyRole, but here are all the Mediaspace roles and their capabilities:

  • anonymousRole

    • The non-logged in user; they can view public content but cannot interact with the site (upload, comment, create playlists, etc.)

  • viewerRole

    • Can browse public galleries
    • Is not authorized to upload/create/publish content
    • Does not have a My Media page
    • Can be a channel member, but cannot contribute content to channels

  • privateOnlyRole

    • Can upload content (My Media)
    • Cannot publish to galleries
    • Can add/publish media to channels if given appropriate channel permissions (contributor or manager)

  • adminRole

    • Can upload content (My Media)
    • Can publish their own content to gallery categories
    • Can add/publish media to channels if given appropriate channel permissions (contributor or manager)

  • unmoderatedAdminRole

    • Same as adminRole plus bypass content moderation settings (when moderation is enabled)

Naming Convention

  • You should follow the established naming convention for your Mediaspace’s MCommunity Master Group when creating groups specifically for your MiVideo site. However it’s also ok to use other established MCommunity groups.
  • The group name is usually MiVideo {Mediaspace identifier} {Mediaspace Role}
    • For example the Staging Mediaspace (https://staging.mivideo.it.umich.edu) groups are:
      • MiVideo Staging SupportGroupsMaster
      • MiVideo Staging unmoderatedAdminRole
      • MiVideo Staging privateOnlyRole

Tip: You can create multiple MCommunity groups all mapped to the same Mediaspace role, but users should only be a member of one group. Some admin may find this is a useful way to manage large numbers of MCommunity users.

Create a Group

  1. Log in to https://mcommunity.umich.edu 
  2. Click My Groups
  3. Scroll the list and find your MiVideo SupportGroupsMaster account and make note of the Mediaspace identifier between “MiVideo” and “SupportGroupsMaster”
  4. Back at the top of the page, click Create Group
  5. Enter the group name following the naming convention (e.g. MiVideo Staging privateOnlyRole)
    1. Tip: Check your spelling. You cannot rename your groups. If you make a mistake you have to delete the group and start over
  6. Create an email address for your group following your naming convention (e.g. mivideo-staging-privateonlyrole@umich.edu)
  7. Enter a description to help you remember what function this group serves (e.g. “staging.mivideo.it.umich.edu mcommunity integration”). You can be as detailed as desired to remind you of the group’s purpose in your Mediaspace
  8. Click Continue
  9. Complete the form with these settings:
    1. Only owners can add members (default)
    2. Membership view - members only
    3. Messages can be sent to the group by - anyone (default)
  10. Click Continue to add owner(s) and member(s)
    1. Your uniqname is automatically added as a group owner. If there are others who will manage the users in this group, add their uniqname(s) below yours
    2. Add members to the members text box (you must add at least one uniqname)

Important: Do NOT add yourself as a member UNLESS this is the role you should have when logging in to Mediaspace. Members should only belong to one MCommunity group. If you need to be a member in other groups, make sure the unModeratedAdmin group is the last one in the SAML roleAttributes list.

  1. Click Finish and wait for confirmation (it can take a few minutes)
  2. At the top of the group page, copy the group email address (NOT the request email address) so you can easily add it to the SupportGroupsMaster group
  3. Click My Groups at the top of the page and click your MiVideo SupportGroupsMaster group (e.g. MiVideo Staging SupportGroupsMaster)
  4. Click the Members tab
  5. Click Add Members
  6. Paste the copied email address into the Add Members box, then click Save Changes
  7. You should now see your new group listed as a sub-account. Highlight this sub-account group name and copy it (not its URL) so you can easily add it to your Mediaspace SAML module

Adding MCommunity Group(s) to Mediaspace Saml Module

  1. Log in your KMS admin and click the Saml module
  2. Scroll down to the roleAttributes section. You may see the unmoderatedAdminRole config that was created by the ITS MiVideo team
  3. Click + Add “roleAttributes” at the bottom right of this section
  4. Paste the copied group name into the value field
  5. Copy/paste the attribute text from the unModeratedAdmin role or copy/paste from here:

urn:oid:2.16.840.1.113719.1.1.4.1.25
Tip: This value is the same for all groups you add. It is the Shibboleth field that holds each user’s MCommunity group information

  1. Choose the appropriate role from the drop-down list (probably privateOnlyRole)
  2. Repeat steps 20-24 for each MCommunity group you want to associate to a Mediaspace role
  3. Click Save at the bottom of the page
  4. Make sure the unModeratedAdmin group is at the end. This means you will probably need to add one more group, then copy/paste the unModeratedAdmin group settings from further up in the list. Once you’ve done that, you can delete the configuration that is higher up in the list.
  5. Test the configuration:
    1. Have a group member login to the front end 
    2. In the KMS admin, click the Manage Users button and look for the group member in the list and verify they received the proper site role

Using MCommunity Groups for Channel Membership

MCommunity Channel Integration Requirements

  • The Mediaspace site must be configured with U-M Weblogin (Level 1) with MCommunity service entitlement (this is the default setup for most non-UMHS Mediaspaces).
  • Channels in the Mediaspace, typically restricted or private work best with this. 

Considerations

  • A user’s role in Mediaspace is configured in the Saml module. In this example, this site has a default role of viewRole and one MCommunity admin role configured. If the authenticated user is not in the MCommunity group, they will get the viewRole.

  • viewRole users cannot contribute to Mediaspace at all, so giving them a channel entitlement (permission) of anything other than member will not override their Mediaspace role, so they will not be able to contribute. 
  • (Optional) You can also use the MCommunity group with the Saml module if needed to set the user’s role to something other than the site’s default setting.

KMS Groups

KMS groups are internal to your Mediaspace and managed by Kaltura. Once MCommunity groups are mapped to KMS groups, KMS groups can be used as a channel entitlement role for individual channels.  All members of the group are given that entitlement role. For example if a KMS group is added as a channel manager, all members of the group will have the ability to edit the channel and create channel playlists.

Users should be added/removed from MCommunity groups only. There is no need to manually update users in KMS groups. The next time a new or former member of the AD groups logs into the site, Kaltura will automatically add/remove the user from the mapped KMS group.

Enabling the SamlGroupSync Module

  1. In the KMS admin, enable the SamlGroupSync module.
  2. Click the + Add "attributes" button
  3. Copy/paste this line in the attribute box, taking care not to add any spaces.

urn:oid:2.16.840.1.113719.1.1.4.1.25

  1. Set the valueMappingType to Map attribute’s value to a group.
  2. Save the changes (you will come back to this in a minute). Verify you got the Cache Cleared message.

Setting up a Channel Group

  1. If your group already exists in MCommunity, simply add it as a member to the sites’ SupportGroupsMaster group in MCommunity (see the Create A Group section steps 13-17 above), 
  2. If your group doesn’t exist yet, create one for the channel members and add the group as member to the site's SupportGroupsMaster group (see the Create A Group section steps 1-17 above). It’s recommended to give the group a meaningful name that includes the same prefix text to make it easy to find in MCommunity. You can use the description area to add context, which may be helpful for members when they are viewing the group info in Community.
  3. Make sure you add a test user or yourself to the group as a member so the configuration will process when you next login to Mediaspace. If you cannot add a user to the group, someone who is a member of the group will need to login after configuration to trigger the creation. Using your own login may not give the best results for testing as your channel owner role will supercede your MCommunity group membership entitlement, but it should still work for triggering the group creation by the KMS.

Example MComm Group:
Title: MiVideo LSA-DSS XYZ Channel Members.
Description: lsa-dss.mivideo.it.umich.edu XYZ Channel members
 

  1. Go to the  SamlGroupSync module and click the + Add "valueMapping" button. 
  2. Add the MCommunity group name in the value box.
  3. Create a new group name being certain not to use any spaces or special characters.
  4. Repeat steps 9-11 for each MCommunity group you want to associate to a KMS group. 
  5. Save

Example from MiVideo site:

  1. Trigger group creation in Mediaspace
    • If you are logged in to the front end of Mediaspace, either log out or open an incognito window.
    • Login or have another group member login. You/they should see a message about the database refreshing. This creates the Group and puts it in the user list.
    • If it’s not practical or convenient to have a group member login to trigger automatic group creation, you can manually create the KMS group in the Mediaspace admin.
  2. Now that the group exists in Mediaspace, edit the channel and add the new group with the desired membership role.

Mapping Groups to Shibboleth Attributes

You can create groups from Pre-Approved Shibboleth Attributes. For example, if you want to create a group of students only, you could use the eduPersonAffiliation attribute. To create a group limited to a particular campus use the eduPersonScopedAffliation attribute.

Edit the SamllGroupSync Module

  1. If not already present, add the new Shibboleth Attribute to the module. The Attribute’s value is the SAML2 value listed on the page linked above.

Example: eduPersonScopedAffilaation’s SAML2 attribute is urn:oid:1.3.6.1.4.1.5923.1.1.1.9

  1. Make sure it’s set to Map attribute’s value to Group ID
  2. Add the valueMapping and group names.

For eduPersonScopedAffiliation, the value mappings are like this (this is not an exhaustive list):
staff@annarbor.umich.edu (only AA staff, not faculty)
member@dearborn.umich.edu (any DBN affiliated user)
student@flint.umich.edu (only students affiliated with Flint)
affilaite@annarbor.edu (sponsored affiliate role at Ann Arbor)

  1. Note that while a user can have multiple affiliations, each affiliation you want to use in your config must be individually mapped to the the desired group. For example, if you want to limit access to just Ann Arbor and Flint students, you’d create two group valueMappings, one student@annarbor.umich.edu and one for student@flint.umich.edu, each configured for the same group (e.g. “Ann Arbor and Flint Students”). 

Example config for Ann Arbor Staff. Note NO special characters or spaces in the Group name:

  1. Save changes (be sure you get the Cache Cleared Message).

KMS Group Creation

KMS Groups can be created automatically when the first user with the configured attribute in their Shibboleth profile logs in, or you can create the group manually in the KMS admin. 

Automatic KMS Group Creation

Automatic group creation occurs in the KMS when the first user with the configured Shibboleth attribute in their profile logs in to KMS. 

  1. If necessary, use an incognito window to login to the KMS as the user who is a group member.
  2. You should get the “reaching out to database” message. 
  3. After a successful login, validate by visiting Manage Groups in the KMS admin and adding the new group to a channel with the desired membership role.

Manual Group Creation

If it’s not practical or convenient to have a group member log in to trigger automatic group creation, you can manually add the KMS group in KMS Admin.

Note: When setting up the valueMappings in the SAMLGroupSync module, take care to exactly use the Group ID value in the group box, NOT the group name.

  1. In the admin, go to Manage Groups > Add New Group button.
  2. Enter a friendly Group Name. Kaltura will generate a suggested Group ID. To accept this value, just tab through the field, otherwise you can create your own. Remember no special characters or spaces.
  3. There’s no need to add members. The SAMLGroupSync module will take care of that for you when users log in. 
  4. Click Add to save your changes.

Additional Information

For additional questions, please contact the ITS Service Center

Details

Article ID: 4735
Created
Tue 3/30/21 7:47 AM
Modified
Fri 9/22/23 1:05 PM