Integrating with Shibboleth is a great way to provide the Single Sign-On experience to your Mediasite Users. Within this integration Shibboleth is the Identity Provider (IdP) and Mediasite is Service Provider (SP).
Setting up SSO with Shibboleth in Mediasite
1. Determine User and Group Attributes
When configuring the Shibboleth integration, it will be necessary to know which user attributes (e.g. First Name, Last Name, E-Mail, Roles) are being used in your organization and available to be sent to Mediasite (the Service Provider).
2. Configuring Shibboleth Attributes
Shibboleth is able to take user attributes and send them to Mediasite as “Attributes”. The User Attributes that are required for the integration are:
- User ID (e.g. robert.smith)
- Email address (e.g. [email protected])
- Display Name (e.g. Robert Smith)
- Role (e.g. Student, Faculty, Instructor, HR, IT, Marketing)
3. Configure Mediasite to Connect to Shibboleth
Instructions:
- Browse to the Management Portal
- Click: Security > SAML 2.0 Configuration
- Complete the form using suggested values listed in the table below.
- Click: Save
Service Provider Settings
Field | Sample Value | Notes |
---|---|---|
Entity ID | https:// | e.g. http://mediasite.company.com/mediasite. Typically, this is the URL of your server or some other unique name. |
Use the NameID in the Assertion Subject as the UserID | Checked If you are not using the NameID, enter the SAML Attribute name. Below are a few of the most common names. • eduPersonPrincipalName (AKA ePPN): urn:oid:1.3.6.1.4.1.5923.1.1.1.6 • UID: urn:oid:0.9.2342.19200300.100.1.1 • Email/Mail: urn:oid:0.9.2342.19200300.100.1.3 • DisplayName: urn:oid:2.16.840.1.113730.3.1.241 • eduPersonScopedAffilation: urn:oid:1.3.6.1.4.1.5923.1.1.1.9 • sAMAccountName: urn:oid:1.2.840.113556.1.4.221 | Use the NameID in the Assertion Subject as the UserID – If you do not want to release a separate attribute to uniquely identify a user, you can enable this option. This tells Mediasite to check the IdP assertion subject for the Name Identifier (NameID), and use that as the UserID instead. If you are using ADFS 2.0, select this option. Use an attribute in the Assertion as the UserID – This allows you to manually specify both the UserID attribute name and name format if selected. Use an attribute in the Assertion as the UserID – This allows you to manually specify both the UserID attribute name and name format if selected. |
UserID Attribute Name Format | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | If you have selected: Use an attribute in the Assertion as UserID, specify the format of the user ID. |
Role Attribute Name | MemberOf urn:oid:1.2.840.113556.1.2.102 eduPersonAffiliation (e.g. student) urn:oid:1.3.6.1.4.1.5923.1.1.1.1 eduPersonScopedAffiliation (e.g. [email protected]): urn:oid:1.3.6.1.4.1.5923.1.1.1.9 EmployeeType: urn:oid:2.16.840.1.113730.3.1.4 OrganizationalStatus: urn:oid:0.9.2342.19200300.100.1.45 | Attribute used for retrieving security Roles from Shibboleth. |
Role Attribute Name Format | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | This field should be left blank. |
Automatically create User Profiles on Login to My Mediasite or Management Portal | Enabled | This will automatically create new user Profiles for Management Portal and My Mediasite users. |
Display Name Attribute Name | urn:oid:2.16.840.1.113730.3.1.241 | |
Display Name Attribute Name Format | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | |
Email Address Attribute Name | urn:oid:0.9.2342.19200300.100.1.3 | |
Display Name Attribute Name Format | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | |
Metadata URL | N/A | Once valid SAML 2.0 Configuration settings have been saved, this URL should reflect the generated metadata. You will send this URL to your Shibboleth administrator. |
Cache Duration (Minutes) | 1440 | The length of time the SP will keep metadata and roles cached. The default is 1440 minutes (24 hours). |
Certificate Source | Mediasite Self-Signed Certificate | Use the self-signed certificate unless the you have a requirement that a signed cert is used. |
Signing/Encryption Key Length | 1024, 1536, 2048, 3072 or 4096 | Get this value you’re your Shibboleth Administrator. This must match the length of the SSL certificate on the IdP. |
Signing Hash | SHA-1 or SHA-256 | Most likely SHA-256 |
Expiration Duration
Field | Sample Value | Notes |
---|---|---|
Current Expiration Date | This displays the date when the current metadata is no longer valid, and must be refreshed. This is automatically generated from the Expiration Duration setting. | |
Expiration Duration | 1 Years, 0 Days | The time in years and days the SP metadata will be valid. Save the Configuration Page so that the Current Expiration Date is populated. |
Identity Provider Settings (AKA Shibboleth)
Field | Sample Value | Notes |
---|---|---|
Entity ID | Get this value from the Shibboleth Administrator, or you can get it from the entityID field within the IdP’s metadata URL (See next row for details) This is the identifier of the IdP, and must be globally unique. |
|
Metadata URL | Get this value from the Shibboleth Administrator. This is the location of the IdP’s metadata. It may have a URL similar to: https://shibboleth.company.com/ metadata/idp-metadata.xml If your metadata has to be located somewhere that is not accessible by the Mediasite SP, then you must manually copy it to a location that the SP can reach. |
|
Display Name | Shibboleth | Pick a friendly name that will display on your corporate Shibboleth login page. |
Automatically Redirect to provider during login | Checked | When checked, the user will be redirected to your corporate Shibboleth login page. When unchecked, all users will be directed to the standard Mediasite login form. This is useful for troubleshooting purposes. When unchecked, all users will be directed to the standard Mediasite login form. This is useful for troubleshooting purposes. |
5. Update the Mediasite Login Form
After you have completed the SAML 2.0 Configuration form, you must update the Mediasite Video Platform to use the SAML based login form.
Self-Hosted Mediasite Video Platform
From within the Configuration Editor on the primary Web/Application server (e.g. http://localhost/mediasite/configure), update the login form to: https://<<MEDIASITE_SERVER>>/mediasite/login/SAML
Mediasite Cloud
Open a support case asking for the updates to be made.
6. Test
After Mediasite and Shibboleth have been configured, you can begin testing the integration. To test the integration, perform the following steps:
- Open a new web browser
- Browse to the Mediasite Management Portal (e.g. http://mediasite.company.com/mediasite/manage).
- You will be redirected to your enterprise Shibboleth login page. Enter your user credentials.
- The Mediasite Management Portal of My Mediasite portal should display.
- If you receive an error, the integration is not configured properly.
If you are prompted to complete your User Profile by entering your Name, Email and Time Zone, the User Profile Provisioning is incorrectly configured.