SAML integration

These are some notes gathered through email responses.

This should be rewritten to a guide/article form at some point FIXME

You can see a list of the roles and what they can do here: Kaltura Knowledge Center

For most installations the solution is to create role mappings for the URN:OID1) attribute called “urn:oid:1.3.6.1.4.1.5923.1.1.1.9” (also known as eduPersonScopedAffiliation).

The usual values for eduPersonScopedAffiliation look like these three:

  • student@institution.tld
  • employee@institution.tld
  • member@institution.tld

These eduPersonScopedAffiliation values seem to be fairly standard, but they may vary depending on your IdP2), so please check that you have the right values.

Depending on how you want your access control to work, you might want to allow a default role in the MediaSpace.

FIXME This last part is an extract from a mail, and should be integrated into the article in article form!

is to create an additional mapping in the SAML settings: https://MEDIASPACEURL/admin/config/tab/saml and change the one that is already there for “employee@domain.tld”. The attribute called “urn:oid:1.3.6.1.4.1.5923.1.1.1.9” (also called eduPersonScopedAffiliation) has these two possible values on your installation: “employee@domain.tld” and “student@bth.se”. It can also have a lot of other values, for instance if I log in through SWAMID to your mediaspace, it will have the value “employee@nordu.net”.

If you change the role for employee@domain.tld to “privateOnlyRole” then your staff will get the “My Media” and be able to upload and see their media. In addition you should add a roleAttribute for your students; the values can be these:
  • attribute: “urn:oid:1.3.6.1.4.1.5923.1.1.1.9”
  • value: “student@domain.tld”
  • role: “privateOnlyRole”
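To make the mapping above concrete, here is an added example (not Kaltura code) that reads eduPersonScopedAffiliation out of a SAML assertion and resolves it to a MediaSpace role the way the admin mappings do: exact match on the full scoped value, so a user asserted as “employee@nordu.net” through SWAMID falls back to the default role instead of getting “privateOnlyRole”. The role name “viewerRole” and the sample assertions are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPSA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation

# Mappings as they would be entered under /admin/config/tab/saml:
# (attribute, value, role). Matching is exact on the full scoped value, so a
# stray space in the configured value, or an affiliation scoped to another
# institution, will not match.
ROLE_MAPPINGS = [
    (EPSA, "employee@domain.tld", "privateOnlyRole"),
    (EPSA, "student@domain.tld", "privateOnlyRole"),
]
DEFAULT_ROLE = "viewerRole"  # assumed name for the default role (not from the page)


def attribute_values(assertion_xml: str) -> dict:
    """Collect every AttributeValue per Attribute Name; attributes may be multi-valued."""
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        for val in attr.findall("saml:AttributeValue", SAML_NS):
            values.setdefault(attr.get("Name"), []).append((val.text or "").strip())
    return values


def resolve_role(values: dict, mappings=ROLE_MAPPINGS, default=DEFAULT_ROLE) -> str:
    """Role of the first mapping whose (attribute, value) pair the user carries, else default."""
    for attribute, wanted, role in mappings:
        if wanted in values.get(attribute, []):
            return role
    return default


def assertion(*affiliations: str) -> str:
    """Constructed sample assertion carrying only eduPersonScopedAffiliation."""
    vals = "".join(f"<saml:AttributeValue>{a}</saml:AttributeValue>" for a in affiliations)
    return (f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}"><saml:AttributeStatement>'
            f'<saml:Attribute Name="{EPSA}">{vals}</saml:Attribute>'
            "</saml:AttributeStatement></saml:Assertion>")


# A local student (multi-valued, as IdPs commonly assert member + student together)
LOCAL_STUDENT = assertion("member@domain.tld", "student@domain.tld")
# A user from another federation member, e.g. someone logging in through SWAMID
EXTERNAL_USER = assertion("employee@nordu.net", "member@nordu.net")

if __name__ == "__main__":
    print(resolve_role(attribute_values(LOCAL_STUDENT)))  # privateOnlyRole
    print(resolve_role(attribute_values(EXTERNAL_USER)))  # viewerRole
```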
1)
Uniform Resource Names (URN) namespace that contains an Object Identifier (OID)
2)
Identity provider, e.g. SWAMID, WAYF, Haka-käyttäjätunnistusjärjestelmä, Feide, a local Shibboleth IdP, ADFS or any other SAML identity provider