Integrating with Google G Suite is a great way to provide the Single Sign-On experience to your Mediasite Users. Within this integration, Google G Suite is the Identity Provider (IdP) and Mediasite is the Service Provider (SP).
Setting up SSO with Google in Mediasite
1. Determine User and Group Attributes
When configuring the Google G Suite integration, it is necessary to know which user attributes (e.g. First Name, Last Name, E-Mail, Roles) are being used in your organization and available to be sent to Mediasite (the Service Provider). This is configured in the Google G Suite Admin Panel under Apps – SAML Apps. Choose Add an App, then “Setup my own custom App”, and download the IdP metadata.
Field | Sample Value | Notes |
---|---|---|
ACS URL | https://mediasite_server_name/mediasite/Login/SAML/POST | e.g. http://mediasite.company.com/mediasite/login/SAML/POST. Typically, this is the URL of your server or some other unique name. |
Entity ID | https://mediasite_server_name/mediasite | e.g. http://mediasite.company.com/mediasite. Typically, this is the URL of your server or some other unique name. |
Start URL | https://mediasite_server_name/mediasite | e.g. http://mediasite.company.com/mediasite. Typically, this is the URL of your server or some other unique name. |
Signed Response | Unchecked | |
Name ID | Account Info – Username or other field you would like to use as the Username in Mediasite | |
Name ID Format | Unspecified | |
Attribute Mapping
It is recommended to release “mail”, which will usually return “Basic Information – Primary Email”, and DisplayName, which will release “Account Info – DisplayName”, although this is configurable to suit your user contacts. “Roles” can also be released if you have a relevant field that describes the type of user. The role can be used to define permissions.
2. Configuring Google G Suite Attributes
Google G Suite is able to take user attributes and send them to Mediasite as “Attributes”. The User Attributes that are required for the integration are:
- User ID (e.g. robert.smith)
- Email address (e.g. robert.smith@company.com)
- Display Name (e.g. Robert Smith)
- Role (e.g. Student, Faculty, Instructor, HR, IT, Marketing)
3. Configure Mediasite to Connect to Google G Suite
- Browse to the Management Portal
- Click: Security > SAML 2.0 Configuration
- Complete the form using suggested values listed in the table below.
- Click: Save
Service Provider Settings (AKA Mediasite)
Field | Sample Value | Notes |
---|---|---|
Entity ID | https://mediasite_server_name/mediasite/ | e.g. http://mediasite.company.com/mediasite. Typically, this is the URL of your server or some other unique name. |
Use the NameID in the Assertion Subject as the UserID | Checked | Use the NameID in the Assertion Subject as the UserID – If you do not want to release a separate attribute to uniquely identify a user, you can enable this option. This tells Mediasite to check the IdP assertion subject for the Name Identifier (NameID) and use that as the UserID instead. In most cases with Google G Suite integration, you will use this option. Use an attribute in the Assertion as the UserID – This allows you to manually specify both the UserID attribute name and name format if selected. |
UserID Attribute Name Format | If you have selected: Use an attribute in the Assertion as UserID, then leave this field blank. | |
Role Attribute Name | Roles | Attribute used for retrieving security Roles from Google G Suite. This is configured on the G Suite side. In our example we will use the field name Roles |
Role Attribute Name Format | This field should be left blank. | |
Automatically create User Profiles on Login to My Mediasite or Management Portal | Enabled | This will automatically create new user Profiles for Management Portal and My Mediasite. |
Display Name Attribute Name | DisplayName | |
Display Name Attribute Name Format | This field should be left blank. | |
Email Address Attribute Name | | |
Email Address Attribute Name Format | This field should be left blank. | |
Metadata URL | N/A | Once valid SAML 2.0 Configuration settings have been saved, this URL should reflect the generated metadata. You will send this URL to your Google G Suite administrator to use in step 1 above. |
Cache Duration (Minutes) | 1440 | The length of time the SP will keep metadata and roles cached. The default is 1440 minutes (24 hours). |
Certificate Source | Mediasite Self-Signed Certificates | Use the self-signed certificate unless you have a requirement that a signed cert is used. |
Signing/Encryption Key Length | 4096 | Standard for G Suite |
Signing Hash | SHA-256 | Standard for G Suite |
Expiration Duration
Field | Sample Value | Notes |
---|---|---|
Current Expiration Date | This displays the date when the current metadata is no longer valid and must be refreshed. This is automatically generated from the Expiration Duration setting. | |
Expiration Duration | 1 Years, 0 Days | The time in years and days that the SP metadata will be valid. Save the Configuration Page so that the Current Expiration Date is populated. |
Identity Provider Settings (Google G Suite)
Field | Sample Value | Notes |
---|---|---|
Entity ID | https://accounts.google.com/o/saml2?idpid=GSUITEACCOUNT | Get this value from the Google G Suite Administrator, or from the entityID field within the IdP’s metadata (see the next row for details). Replace GSUITEACCOUNT in the sample value with the actual information from G Suite. This is the identifier of the IdP and must be globally unique. |
Metadata URL | Google G Suite does not currently allow direct URL access to this metadata. You must download the metadata from G Suite then manually copy it to a location that the SP can reach and enter the URL for that location here. | |
Display Name | Google G Suite | Pick a friendly name that will display on the login page (e.g. Google G Suite) |
Automatically Redirect to provider during login | Checked | When checked, the user will be redirected to your Google G Suite login page. When unchecked, all users will be directed to the standard Mediasite login form. This is useful for troubleshooting purposes. |
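
Because the IdP metadata has to be downloaded and re-hosted by hand, it is worth checking the file before pointing Mediasite at it. The following is an added example (not Mediasite or Google code) that reads the entityID, sign-on endpoint and signing certificate from a metadata file; the sample XML is constructed, and its idpid and certificate body are placeholders.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}

# Constructed sample of a downloaded IdP metadata file; idpid and certificate are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}"
    entityID="https://accounts.google.com/o/saml2?idpid=GSUITEACCOUNT">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://accounts.google.com/o/saml2/idp?idpid=GSUITEACCOUNT"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def summarize_idp_metadata(xml_text):
    """Return the values the Identity Provider Settings form needs, plus problems."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{MD}}}EntityDescriptor":
        problems.append("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID", "")
    if not entity_id:
        problems.append("entityID attribute is missing")
    elif "GSUITEACCOUNT" in entity_id:
        problems.append("entityID still contains the GSUITEACCOUNT placeholder")
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = [] if idp is None else [
        (s.get("Binding", "").rsplit(":", 1)[-1], s.get("Location", ""))
        for s in idp.findall("md:SingleSignOnService", NS)]
    if not sso:
        problems.append("no SingleSignOnService endpoint found")
    problems += [f"SSO endpoint is not HTTPS: {loc}"
                 for _, loc in sso if not loc.startswith("https://")]
    certs = [] if idp is None else idp.findall(
        "md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("no signing certificate in metadata")
    return {"entity_id": entity_id, "sso": sso, "problems": problems}


if __name__ == "__main__":
    print(summarize_idp_metadata(SAMPLE_METADATA))
```

The entity_id value returned is what goes in the Entity ID field above; an empty problems list means the file is structurally usable, not that the certificate has been validated.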
4. Update the Mediasite Login Form
After you have completed the SAML 2.0 Configuration form, you must update the Mediasite Video Platform to use the SAML based login form.
Self-Hosted Mediasite Video Platform
From within the Configuration Editor on the primary Web/Application server (e.g. http://localhost/mediasite/configure), update the login form to: https://<<MEDIASITE_SERVER>>/mediasite/login/SAML
Mediasite Cloud
Open a support case asking for the updates to be made.
5. Test
After Mediasite and Google G Suite have been configured, you can begin testing the integration. To test the integration, perform the following steps:
- Open a new web browser
- Browse to the Mediasite Management Portal (e.g. http://mediasite.company.com/mediasite/manage).
- You will be redirected to your Google G Suite login page. Enter your user credentials.
- The Mediasite Management Portal or My Mediasite portal should display.
- If you receive an error, the integration is not configured properly.
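
When the test login fails, a first check is whether the assertion carried the NameID and the attribute names entered on the SAML 2.0 Configuration form. The following is an added example (not part of the Mediasite product) that inspects a base64 SAMLResponse as posted to the ACS URL; the responses are constructed, and "mail" as the email attribute name is an assumption taken from the Attribute Mapping section. It inspects attribute release only and does not verify signatures.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names from the Service Provider Settings table; "mail" is an
# assumption based on the Attribute Mapping paragraph.
EXPECTED = ("DisplayName", "mail", "Roles")


def sample_response(attrs, name_id="robert.smith"):
    """Build a constructed, unsigned SAMLResponse (base64) for offline testing."""
    items = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
        "</saml:AttributeValue></saml:Attribute>" for n, v in attrs.items())
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           f'xmlns:saml="{NS["saml"]}"><saml:Assertion><saml:Subject>'
           f"<saml:NameID>{name_id}</saml:NameID></saml:Subject>"
           f"<saml:AttributeStatement>{items}</saml:AttributeStatement>"
           "</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


def check_release(b64_response, expected=EXPECTED):
    """Compare what the IdP released with what the SP is configured to read."""
    root = ET.fromstring(base64.b64decode(b64_response))
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    released = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        released.setdefault(attr.get("Name", ""), []).extend(values)
    by_lower = {name.lower(): name for name in released}
    problems = []
    if not name_id.strip():
        problems.append("NameID is empty, so there is no UserID")
    for want in expected:
        if any(released.get(want, [])):
            continue  # released under the exact name with a non-empty value
        near = by_lower.get(want.lower())
        if near and near != want:
            problems.append(f"{want}: released as '{near}' (name differs by case)")
        elif want in released:
            problems.append(f"{want}: released with no value")
        else:
            problems.append(f"{want}: not released")
    return {"user_id": name_id.strip(), "released": released, "problems": problems}
```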