Kaltura MediaSpace 4.0 Setup Guide
Contents
1. Save amp Close Previous Category Next Category gt The category is displayed in MediaSpace navigation When a user who is not in the category s Users List tries to access the category an Access Denied message is displayed NOTE This method is different from the Restricting Categories configuration for Using Ne MediaSpace without Entitlement Features Setting up MediaSpace Channels Setting up MediaSpace channels in the KMC is similar to setting up galleries creating categories assigning content To learn about what s unique for channels see Assigning User Permissions to MediaSpace Channels in the KMC Defining MediaSpace Channel Types in the KMC Channel managers can define a channel type Open Restricted Private in MediaSpace The KMC admin can also define a channel type under Content gt Categories gt Edit Category window gt Entitlements tab See Understanding Channel Types Displaying Channels in MediaSpace To add a link to the Channels page and My Channels in the top MediaSpace navigation 1 On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Navigation tab Kaltura MediaSpace Setup Guide 23 Setting up MediaSpace 2 Under pre a Inthe tyoe menu select Channels Page or My Channels b Inthe name field enter the label to display Global Application Client Roles Auth Gallery Player Widgets Metadata Header Navigation2. Do one of the following e Use HTTPS for login only a Onthe Configuration Management panel of the Kaltura MediaSpace Administration Area open the Auth tab b Under httosLogin select Yes and click Save httpsLogin Enable a secure login page via https Your server must be configured accordingly Thal mn Tes Kaltura MediaSpace Setup Guide 28 Setting up MediaSpace C open the Client tab d Under serviceUrl enter an HTTP URL and click Save Client On the Configuration Management panel of the Kaltura MediaSpace Administration Area servicellrl KE www kaltura com The URL from which API calls will be serviced Change this if your are running Kaltura On prem Use HTTPS for your MediaSpace site NOTE To run MediaSpace on HTTPS contact your Kaltura Project Manager or Account Manager for assistance Do not attempt to run MediaSpace on HTTPS before consulting 5 your Kaltura representative Implement the following procedure when your Kaltura representative instructs you to do so a On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Auth tab b Under httosLogin select No and click Save httpsLogin Enable a secure login page via https Your server must be configured accordingly C On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Client tab d Under serviceUrl enter an HTTPS URL and click Save Cl
3. About this Guide This document details the setup required for Kaltura MediaSpace KMS Version 4 0 following installation or upgrade The document describes how to set up your site structure prepopulate Kaltura MediaSpace content assign user permissions and implement authentication and authorization NOTE You perform some setup steps in the Kaltura MediaSpace Administration Area and in the Kaltura Management Console KMO SS NOTE Please refer to the official and latest product release notes for last minute updates Ne Technical support may be obtained directly from Kaltura Support Contact Us Please send your documentation related comments and feedback or report mistakes to knowledge kaltura com We are committed to improving our documentation and your feedback is important to us Audience This document is intended for Kaltura MediaSpace site administrators Document Conventions Kaltura uses the following admonitions e Note e Workflow NOTE Identifies important information that contains helpful suggestions hS Kaltura MediaSpace Setup Guide 5 Preface __0 Workflow Provides workflow information Z 4 Step 1 2 Step 2 Related Documentation In addition to this guide the following product documentation is available e Kaltura MediaSpace e Kaltura Management Console KMC User Manual Kaltura MediaSpace Setup Guide Understanding the MediaSpace Setup SECTION 1 Understanding the MediaSpace
4. What is the name for the Unmoderated Admin role A user with unmoderatedAdminRole can upload content and bypass moderation when moderation is enabled for an account 10 Understanding the MediaSpace Setup Assigning Application Roles to Multiple Users in Bulk You can assign application roles to multiple users with a bulk action You use an End Users CSV that includes an option to assign roles To upload an End Users CSV Do one of the following o Inthe KMC upload the End Users CSV Refer to the Kaltura Management Console KMC User Manual o Onthe User Management panel of the Kaltura MediaSpace Administration Area Click Submit CSV Click Choose File to select the CSV file and click OK User Management By Name By Email ADD NEW USER DELETE CHECKED SUBMIT CSV i Fi UserID FirstName Submit Users CSV studentmember student Once you submit the CSV you can track the progress of your import from Kaltura Management Console KMC In KMC go to Content and click Upload Control Once import is processed refresh this page to view users and edit their properties No file chosen E E facultymember faculty Admin admin KMS version 4 0 4 build 83184 To learn more about the End Users CSV refer to the Kaltura Management Console KMC User Manual Understanding Permissions While an application role applies to your entire MediaSp
5. Categories Channels Debug pre Add items to the beginning of the main menu before the categories MediaSpace displays the items in the order you define here The first pre item must be a playlist type EEB type name Select one of the options Entry Id or Channels Pag My Media Enter the label for the me navigation bar en My Playlists Channels n laylists Link Category played in the main Add pre 3 Click Save to display the link in the top MediaSpace navigation bar To add a link to My Channels in the header menu 1 On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Headermenu tab 2 Under enabled select Yes to enable the Headermenu module 3 Under menu a Inthe type menu select My Channels b Inthe abel field enter the label to display Modules Addcontent Addtoplaylists Channelmembers Channelmoderation Channelsettings Channelsettingsadvanced Channeltopics Embed Embedplaylist Headermenu 4 Click Save to display the link in the MediaSpace header menu Setting Permissions for Creating a MediaSpace Channel See Who can create a channel To define a user role that can create a channel For URL enter the URL label For a Menu enter the label 3 type Type can be My Media Myrteytista 1 or My Channels For a URL enter the URL label For a Menu
6. Authenticating and Authorizing Users and Kaltura MediaSpace SSO Integration Guide To configure user authentication using the MediaSpace SSO gateway 1 On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Auth tab After you complete and verify the following steps click Save 2 Under authNAdapter select SSO Gateway AuthN authNAdapter Add custom value 3 Select your preferences for the common login options 4 Under refreshDetailsOnLogin select your preference This option affects the updating of the user s first name last name and email address when provided from your authentication system upon every login refreshDetailsOnLogin Should user details on Kaltura be updated through an external authentication provider Yes ten 1 sf an 1 eo 1 i i an a ot 5 Under sso select your preferences for integrating the MediaSpace SSO Gateway with your login implementation o secret Enter the secret string shared with the login page The default value uses your Kaltura Admin Secret accessible from KMC gt Settings gt Integration Settings o loginUrl Enter the absolute URL where you host the login page o logoutUrl Enter the URL to which MediaSpace redirects a user after invalidating the local MediaSpace session for example when a user clicks logout On your site you may use this page to invalidate other authenticated sessions if needed
7. Desktop Use this option to upload a small number of files o Under Submit Bulk select Entries CSV XML Use this option to upload a large number of files Using this option you also import metadata such as categories and tags Administration Upload Media Upload from Desktop 4 Record from Webcam Creat Import from Web Prepare Entry Video Entry Audio Entry Submit Bulk Select CSV AML 4 Entries CSV XML Categories CSV End Users CSV End User Entitlements CSV To learn more about uploading and ingestion refer to the Kaltura Management Console KMC User Manual Setting Up MediaSpace Galleries in the KMC Creating MediaSpace Gallery Categories in the KMC After you set up a MediaSpace category tree you can add categories to create galleries or channels To learn more about Creating and Managing Content Categories refer to the Kaltura Management Console KMC User Manual Kaltura MediaSpace Setup Guide 16 Setting up MediaSpace To add MediaSpace galleries manually in the KMC 1 Inthe KMC select the Content tab and then select the Categories tab 2 Click Add Category 3 Adda category for a gallery under MediaSpaceroot gt Site gt Galleries and save your new category You can create up to seven levels of sub categories To create MediaSpace galleries in bulk in the KMC In the KMC select the Upload tab and under Submit Bulk select Categories CSV Specify the path for
8. Entries tab 2 Inthe Entries table select one or more entries and click Bulk Actions Kaltura MediaSpace Setup Guide 25 Setting up MediaSpace 3 Select Edit Categories and click Add Categories CQ Refresh Entries Search Entries Categories Thumbnail ID Name Type Plays CreatedOn y Duration Status Actions iv All Categories No Filter gt gores hol Marco Tempest TH E 0 06 25 12 12 44 06 05 Converting Select Action v MediaSpace4 Peter Norvia The E 0 06 25 12 12 43 06 11 Converting Select Action Y Wolfgang Kessling H 0 06 25 12 12 42 11 35 Ready Select Action v kA 0_d11n1yi1 Excellent web quaj H 0 06 24 12 11 36 00 30 Ready Select Action v 0 ktm3bk5c Normal web quality i 0 06 24 12 11 36 00 30 Ready Select Action hal Set Scheduling Set Access Control Sample Big BuckB f 0 06 24 12 11 36 00 33 Ready Select Action v Edit Tags gt LETTES Edit Categories gt Remove Categories Add to New Category Playlist Sample Katura An fl 0 06 24 12 11 36 00 05 Ready Select Action v Change Owner Download Search Categories Delete pm 110 4 a anmann snn annn naa Additi I Filters Bulk Actions 1 14 27 of 27 Show rows 50 v 4 On the Select Categories window under the channels category select one or more categories and click Apply In the Entries table the entries are displayed when you filter for a category to which you assigned the entries Also see Assigning MediaSpace Content to Galleries Assig
9. Search before bind LDAP Server Configuration bindMethod selection bindMethod Direct Bind m directBind EE EG _cn USERNAME de exar Whatis the address of your LDAP Server What is the port of your LDAP Server What protocol does your LDAP server use Idap or Idaps What is the protocol version of your LDAP server V2 or V3 Whatis the base DN of your LDAP server Which mode of operation is used for authenticating with LDAP Search before bind means that the users DN is discovered by searching the LDAP ad server Direct bind means that the users DN is constructed automatically according to the format that you specify under userDnFormat displayed below when you select Direct Bind and no search is performed Which mode of operation is used for authenticating with LDAP Search before bind means that the users DN is discovered by searching the LDAP ad server Direct bind means that the users DN is constructed automatically according to the format that you specify under userDnFormat displayed below when you select Direct Bind and no search is performed Enter the DN format of the username Place the USERNAME token where the username should be in the string For example cn USERNAME ou somegroup dc example dc com LDAP Server Configuration Direct Bind options Kaltura MediaSpace Setup Guide 35 Authenticating and Authorizing Users searchUser Which mode of
10. Setup Kaltura MediaSpace features fine grained governance rules that grant specific permissions to content on the MediaSpace site To explain your options this document describes the different site sections roles and permissions that you can configure for MediaSpace This document focuses on setups that include user permissions referred to as entitlement enabled To start learning about MediaSpace refer to the Kaltura MediaSpace User Manual which describes channels and user permissions in terms of site features Enabling User Permissions Prerequisites Contact your Kaltura Project Account Manager to confirm that the following prerequisites are implemented e Entitlement services are enabled and enforce entitlement is set to true in your account settings e Optional The Like feature is enabled in your account settings e A root category is set up for MediaSpace in the KMC see To set up a MediaSpace category tree in the KMC Assigning user permissions usually is handled in bulk using a comma separated value CSV file To learn more about the End User Entitlements CSV refer to the Kaltura Management Console KMC User Manual This guide describes how to manually assign permissions for galleries and channels Understanding Content Collections Content collections in MediaSpace are defined as either galleries or channels Your MediaSpace instance can include one or both Understanding Galleries Galleries represent stru
11. administrative content owner of the media entry To change the owner of one or more entries 1 Inthe KMC select the Content tab and then select the Entries tab 2 Inthe Entries table select one or more entries click Bulk Actions and then select Change Owner 3 On the Change Owner window start typing a new owner name A list of suggestions is displayed after you type the third character Change Owner Set a new owner to this entry Adm Admin Admin 4 Onthe Change Owner window select a user from the suggestion list and click Save NOTE The content owner is the user to whom the media is assigned in MediaSpace S si Adding Contributors to MediaSpace Galleries By default only an end user with the Admin application role can publish media to a gallery To enable a user to add media to a particular gallery you add the user as a Contributor to a particular category under galleries Kaltura MediaSpace Setup Guide 20 Setting up MediaSpace S NOTE Manager and Moderator permissions are not relevant for MediaSpace galleries Users with these permissions will have only contribution rights and will not be able to administer the gallery in the MediaSpace site To add a user as a contributor to a MediaSpace gallery in the KMC K So YS NOTE You can add a contributor to a MediaSpace gallery only in the KMC In the KMC select the Content tab and then select the Categories tab In the Categories table click th
12. and enter the custom class name Kms Auth Authz Kalt Kms Auth AuthZ Kaltura LDAP AuthZ SSO Gateway AuthZ Add custom value LDAP Authorization The user s application role in MediaSpace is determined based on organizational groups in which the user is a member which are managed in the organization s LDAP server This authorization method usually is used together with the LDAP authentication method The method also can be selected when using other authentication methods SSO Gateway authentication Kaltura authentication and Header authentication SSO Gateway Authorization The user s application role in MediaSpace is set and passed to MediaSpace as part of the customer specific login and authentication implementation which is set through the Kaltura SSO gateway interface Always use this option with SSO Gateway authentication This option cannot be used with any authentication method besides SSO Gateway authentication Kaltura Authorization Manage user authorization to access MediaSpace and user MediaSpace application roles in Kaltura This authorization option can be used with any other authentication method SSO Gateway authentication Kaltura authentication and Header authentication Custom Authentication Methods For any other type of access and role authorization method custom adapters can be developed and added to the MediaSpace installation Setting Up Authentication and Authorization Config
13. authorization provider when e You have a large scale MediaSpace deployment You want all users to log into MediaSpace with their organizational credentials and to be authenticated by your centralized authentication system e You can provide access from the MediaSpace application to your authentication and group management systems e Authorization to access MediaSpace with a specific Application Role derive in most cases from user membership in organizational units or groups Who can access MediaSpace Only users who are authenticated and authorized by your systems can access MediaSpace Users who are not authenticated by your systems are denied access to MediaSpace and are not able to log In What user details are stored in Kaltura The user s identifier Application Role and first and last names optional but recommended must be stored in Kaltura After the user logs into MediaSpace for the first time administrators can view and manage the user record on the User Management panel of the Kaltura MediaSpace Administration Area The user s organizational password is not saved in Kaltura Kaltura MediaSpace Setup Guide 30 Authenticating and Authorizing Users Can you manually set different user details in Kaltura Yes you can manually set different user details in Kaltura After the user logs into MediaSpace for the first time administrators can manage the user record on the User Management panel of the Kaltura MediaSpace Admi
14. log in the user with the adminRole LDAP Authorization Options Get Groups from User S Kaltura MediaSpace Setup Guide 37 Authenticating and Authorizing Users Configure the LDAP options for group searches groupSearch Get user from groups Get user from groups Get groups from user byGroup groupSearchQueryPattern amp objectclass group GROU Enter the pattern for querying all groups in one query The GROUPS_REPLACEMENTS token will be replaced with the pattern that you specify under groupSearchEachGroupPattern displayed below The query results list all groups defined in the mapping settings groupSearchEachGroupPatte n GROUPNAME Enter the pattern for each group in the groupSearchQueryPattern displayed above This pattern is used multiple times one time for each group defined in the mapping settings The relation between the groups is OR groupSearchQuery Enter the LDAP query that finds all groups This query runs only one time so it returns all groups defined in the matching settings If you enter a value for this LDAP query the two settings displayed above groupSearchQueryPattern and groupSearchEachGroupPattern are not used groupMembershipAttribute member Enter the attribute on a group record that lists the users who are members in the group groupsMatchingOrder unmoderatedAdminRole adminRolt LDAP Authorization Options Get User from Groups
15. o Cannot publish to galleries o Can add media Admin o Can upload content to all galleries o Can upload content UnmoderatedAdmin Can upload content and bypass moderation when moderation is enabled for an account MediaSpace application roles are backward compatible Modifying Application Role Names You can modify MediaSpace application role names to match your institutional terminology To modify MediaSpace application role names 1 On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Roles tab 2 Modify the label for one or more roles and click Save Roles anonymousRole anonymousRole viewerRole viewerRole adminRole adminRole unmoderatedAdminRole unmoderatedAdminRole Kaltura MediaSpace Setup Guide What is the name for the Anonymous User role user with anonymousRole can browse your site anonymously until trying to access pages actions that require login My Media My Playlists and Add New What is the name for the Viewer role A user with viewerRole can browse public galleries is not authorized to upload new content and does not have a My Media page What is the name for the Private uploads role A user with privateOnlyRole can upload content to My Media cannot publish to galleries and can add media What is the name for the Admin role A user with adminRole can upload content to all galleries and can upload content
16. user s role upon every login refreshRoleOnLogin y Should the user role on Kaltura be updated through an external authorization provider es Select No to allow overriding a role through Kaltura user management Yes Configuring Header Authentication To configure header authentication through the MediaSpace SSO gateway 1 On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Auth tab After you complete and verify the following steps click Save 2 Under authNAdapter select Header AuthN authNAdapter Header Auth Add custom value 3 Select your preferences for the common login options 4 Under refreshDetailsOnLogin select your preference This option affects the updating of the user s first name last name and email address when provided from your authentication system upon every login refreshDetailsOnLogin Should user details on Kaltura be updated through an external authentication provider Yes Kaltura MediaSpace Setup Guide 40 Authenticating and Authorizing Users 5 Under headerAuth enter values for o headerName the ID of the authenticated user o logoutUrl headerAuth headerName sie is the name of the HTTP header that contains the user ID of the authenticated user logoutUrl When the allowAnonymous value is No you can specify a URL instead of an unauthorized page to which the user is redirected when logged o
17. with Kaltura do not enter an emailAttribute firstNameAttribute See What is the name ofthe attribute on the user record that contains the users first name If you do not want to sync the first name with Kaltura do not enter firstNameAttribute lastNameAttribute What is the name of the attribute on the user record that contains the user s last name If you do not want to sync the last name with Kaltura do not enter lastWameaAttribute LDAP Server Configuration Email options If you are using your LDAP server to authorize user access to MediaSpace with a specific application role continue with the next procedure If not select a different authorization method To configure user authorization through your LDAP server On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Auth tab After you complete and verify the following steps click Save 2 Under authZAdapter select LDAP AuthZ authZ Adapter LDAP Auth Kms Auth Auth Kaltura LDAP Authz Add custom value Kaltura MediaSpace Setup Guide 36 Authenticating and Authorizing Users 3 Under refreshRoleOnLogin select your preference This option affects the updating of the user s role from your LDAP system upon every login Should the user role on Kaltura be updated through an external authorization provider refreshRoleOnLogin she Select No to allow overriding a role through Kaltura user management 4 U
18. 0 33 Ready Select Action v Edit Tags gt Add Categories Add to New Category Playlist Sample Katura An E 0 06 24 12 11 36 00 05 Ready Select Action v Change Owner Download Search Categories Delete PE Poe K20020000000000 Additional Filters Bulk Actions v 1 14 27 of 27 Show rows 50 v 4 On the Select Categories window under the galleries category select one or more categories and click Apply select Categories gallery MediaSpaced site galleries Higher Education vf gallery2 gallery 1 gallery3 channels private archive Kaltura MediaSpace Setup Guide 19 Setting up MediaSpace In the Entries table the entries are displayed when you filter for a category to which you assigned the entries gallery CQ Refresh Entries Search Entries Categories Thumbnail ID Name Type Plays Created On EG Duration Status Actions All Categories No Filter eg att Marco Tempest Th H 0 06 25 12 12 44 06 05 Converting Select Action v MediaSpace4 Vv site Peter Norvia The1 0 06 25 12 12 43 06 11 Converting Select Action v galleries Higher Education v gallery2 Wolfgang Kessling qi 0 06 25 12 12 42 11 35 Ready Select Action gallery 1 gallery3 channels I private archive Additional Filters Bulk Actions v 1 1 30f3 Show rows 50 wv Also see Assigning MediaSpace Content to Channels To change an entry s MediaSpace content owner in the KMC Usually the user who uploads content in the KMC is not the
19. Enter the order in which to match MediaSpace roles to LDAP groups For example if a user belongs to a group that is mapped to the admin role enter adminRole before other roles adminRole viewerRole to find the admin role first and log in the user with the adminRole 5 Under dapGroups select your preferences to define the mappings between the groups defined in your LDAP server and the MediaSpace Application Roles Enter LDAP group names that match the MediaSpace adminRole Add adminRole Enter LDAP group names that match the MediaSpace viewerRole Add viewerRole Enter LDAP group names that match the MediaSpace privateOnlyRole Enter LDAP group names that match the MediaSpace unmoderatedAdminRole Add unmoderatedAdminRole IdapGroups Map your LDAP server groups to MediaSpace groups adminRole mediaSpaceFaculty X mediaSpaceAdmin X viswerRole mediaSpaceStudent X mediaSpaceUser X privateOnlyRole mediaSpacePrivateOnly x unmoderatedAdminRole mediaSpaceSuperAdmin X matchByPrimaryGroupid Match by primary group Id Add matchByPrimaryGroupld Configuring SSO Gateway Authentication and Authorization To learn more about integrating MediaSpace with your authentication systems using the MediaSpace SSO Gateway refer to Kaltura MediaSpace Introduction to Authentication and Authorization Solutions Kaltura MediaSpace Setup Guide 38
20. Kaltura MediaSpace Setup Guide Version 4 0 MZ OS Kaltura open source video Kaltura Business Headquarters 200 Park Avenue South New York NY 10003 USA Tel 1 800 871 5224 Copyright 2012 Kaltura Inc All Rights Reserved Designated trademarks and brands are the property of their respective owners Use of this document constitutes acceptance of the Kaltura Terms of Use and Privacy Policy Contents PY CTACS A E tedious 5 About ihis GUJE JE 5 MENE EN P A E oes A AE A E A EAEE A E E E E AA A E ees 5 Document CONV eg EE EN 5 Related IDC SI UI EE NE EE 6 Section 1 Understanding the MediaSpace Setup cccceeccccccceeceseeseeeeeeeeeeeeeeeeseceeeeeseeaaseeeeeeeeessaaeeeees Fi Enabling User Permissions PrereqQuiSit s ccccccssesceccseeeeeeseeeeeeseeeceesaeeeeessaeeeesaaeeeessaseeesnaeeees 7 Understanding Content Collections u ssssmmmrssemeerstieemsdrbtmndnkbnieensebnenaenmkhndndde bend nek enige skrent hetse ee F Understanding Galleries mnnenensrmearrdsemelnseeueedsndepeinistoi 7 Understanding 1 1 EE EE EEE 8 Understanding Application RIP Lageret 10 Modifying Application Role NAMES sisicrisivaicensstandeessdsdencnsieaiernavadenrtabaadueasissuesnaidandessavavenstd ucdeensias 10 Assigning Application Roles to Multiple Users in Bulk rrrrrrnnnrnrrnrrnnnnnrrrrnnnnnrrrnrrnnnnnrnnnnnnnnnr 11 Understanding Permissions cccccssssccccccseeseceecceesecceecaaeseceeseaauseeeeessaaeceessea
21. MediaSpace Channel rrrnnnnnnnnnnnnnnnnnvvennrnnnnnnrrrrrennnnnnnn 24 Assigning MediaSpace Content to Channels rrrnnrnnnrrnnnnnnnnnrnvnrrnnnnnnnnrrnnnnrnnnnnnnnssnnnrnnnnnsnnnee 25 Assigning User Permissions to MediaSpace Channels ccccccecccsseeeeeeeeeeeeeeueseeeeeeeeessaeaaenes 26 Assigning User Permissions to MediaSpace Channels in the KMC c ccscceeeseeeeeeeeeeeeees 26 Assigning Managers and Moderators to a MediaSpace Channel ccccccecessseeeeeeeaeeeeeees 26 Listing MediaSpace Channels 2c lt cccc c0scssscenniteccsossveaderscessccesssenderestadeesssseesersctindeesdesearersenes 27 Assigning User Permissions to a Channel in MediaSpace rrrrrrrrrnnnnnnnvrnnrrrnnnnnnnnvrnnnrrnnnnnnnnee 28 Setting Up MediaSpace to RUN ON HTTPS rrrrrnnrrnnnrrnnnnnnnnrrnnnrrnnnnnnnnsnnnnrnnnnnnnsssnnnnnnnnnsnnnssnnnnrnnnnn 28 Section 3 Authenticating and Authorizing USOPS 2 0 lt c cccccnces tsececcceessceenseenceecescecssecesneceescneessacneneesssnes 30 Understanding MediaSpace Authentication and Authorization Scenarios rrrrrrrrrnnnnnrrnnrnnnnnrenn 30 Scenario 1 Authentication and Authorization Are Managed in Organizational Systems 30 Scenario 2 Authentication and Authorization Are Managed in Kaltura cccccssseeeeeeeees 31 Scenario 3 Authentication Is Managed in an Organizational System Authorization Is Managed in 10 EEE 32 Configuring Authe
22. ace site and publishing rights apply to all galleries some permissions are gallery or channel specific You set user permissions to a specific content collection by applying the following permission levels e Member Can access a channel or gallery but cannot add new content e Contributor Can add content to a channel or gallery e Moderator Applies to channels only In addition to the Contributor permission can moderate content e Manager Applies to channels only In addition to the Contributor permission can moderate channel content and access channel settings including change metadata edit members change appearance and delete channel See Understanding Roles and Permissions Kaltura MediaSpace Setup Guide 11 Understanding the MediaSpace Setup NOTE In channels All permission levels are relevant for channels Xe In galleries Only the Contributor and Member permission levels are relevant to galleries NS Assigning a list of users as Members enables the users only to access a gallery Assigning a list of users as Contributors enables the users to access a gallery and add media A user with the Admin application role also can add media Understanding Roles and Permissions Who can upload content to MediaSpace A user with an application role of PrivateUpload and higher admin unmoderatedAdmin can upload content to MediaSpace Who can view galleries By default galleries can be accessed by all authorized users When A
23. aeeeeessueeeeeessaaeeeeessaaas 11 Understanding Roles and PENISSIONS ccsccscensncececwacdierensenedeenacsdanswsonaceengeensenndnina lentanbeananoereceemennenate 12 Section 2 Setting Up PW GC EE inaenda 14 Setting Up MediaSpace Content in the KMGC rrnrrrnrrrnnnnnnnnvvnnrrrnnnnnrnrrnnnrrnnnnnnnnsrennnrnnnnnnnnssnnnnnnnnnn 14 Uploading MediaSpace Content sates iesstecdedsdctinnnsisiineduesstadaersishecaapaniseiienssicloentenssidadennsicGeidersueaveredabaedenssdes 16 Setting Up MediaSpace Galleries in the KMC rrrernnrrrnnnnnrnnrvnnrrrnnnnnnnnrrnnvrnnnnnnnnsrnnnnnnnnnsnnnsrnnnnnnnnne 16 Creating MediaSpace Gallery Categories in the KMC rrrrrnnnnnrnnnrnrrrrnnnnnrnnrvrnnrrnnnnnnnnernnnnnnnnnn 16 Assigning MediaSpace Content to Galleries oiicncsccseccasdrnventwcreunecscsnudagescoarecadeeseudvccweneaacteitndnde 18 Adding Contributors to MediaSpace Galleries rrrrrrrrrrnnnnnnnvvrvrrrnnnnnnnnvrnnnrrnnnnnnnnrennnnnnnnnsnnnee 20 Restricting Access to MediaSpace Galleries in the KMC ccccccecceseeeceeeeeeeeeeessaeeeeeeeeas 22 Setting up MediaSpace Channels cccccccceeeecccccccceeeeseeceeeeeeceeeeeeeeeeeeeesaaeseeceeeeessuaaseeeeeeeessaaageees 23 Defining MediaSpace Channel Types in the KMC rrrsnrrrnrrrnnrrnnnnnnnnornnnrrnnnnnnnnsrnnnnnnnnnnnnnnnnnnn 23 Displaying Channels in MediaSpace rrrnnnnnrnnnnnnnnnvrnrnnnnnnennnnnnnnnennnnnnnnsrnnnnnnnnsennnnnnsneennnnnnnnsenn 23 Setting Permissions for Creating a
24. ctured centrally curated media galleries that are available from the MediaSpace top menu MediaSpace galleries can be organized around specific topics in either a hierarchal or a flat navigation layout When MediaSpace is used as a company institution wide media portal galleries usually are shared with the entire organization and also may be available to the public on the web Understanding Roles and Permissions for Galleries You usually enable permission to add content to galleries using application roles For example you enable a user to publish to a gallery by assigning the Admin role to the user The role applies to all galleries In addition to using roles to enable permissions for galleries you can use entitlement permissions See Understanding Permissions Kaltura MediaSpace Setup Guide 7 Understanding the MediaSpace Setup Understanding Channels Channels are media collections that can be accessed by a subset of users or all authenticated users Channels can be created and managed by authorized end users or can be provisioned centrally by a KMC admin Understanding Roles and Permissions for Channels Entitlement permissions are used to assign permissions to channels for example enabling a user to add content to a channel Application Roles apply globally while channel permissions are contextual An example of contextual channel permissions is a user with Manager permissions for one channel and lower level Contributor pe
25. dia player the Related playlist includes restricted content VE Kaltura MediaSpace Setup Guide 44
26. diaSpace channels are displayed on the Channels page when there is no restriction to channel listing in the KMC under Content gt Categories gt Edit Category window gt Entitlements tab See Understanding Channels To learn more about creating and moderating a channel refer to the Kaltura MediaSpace User Manual Kaltura MediaSpace Setup Guide 27 Setting up MediaSpace Assigning User Permissions to a Channel in MediaSpace Channel managers and owners can add members and change user permissions in MediaSpace To edit channel members and permissions in MediaSpace 1 In MediaSpace on the Channels page or your My Channels page click a channel to open the channel page and then click Settings First Settings Basic Members Advanced Pending 2 members Add Member Member UserID Permission faculty member facultymemwbaager You Owner student member studentm mb ibutor Change X Remove 2 Onthe Members tab o To modify the member s permission level next to the member s Permission column click Change select a new permission and click Done o To remove the member from channel membership click Remove o To add a member and assign a permission level to the new member click Add Member enter a user name and select a permission and click Add To learn more about editing channel users refer to the Kaltura MediaSpace User Manual Setting Up MediaSpace to Run on HTTPS You can configure MediaSpace to run on HTTPS To run MediaSpace on HTTPS
27. does a user become a manager A user can become a manager in the following ways e Bulk assignment of users to galleries and channels in the KMC The End User Entitlements CSV includes fields for assigning a manager contributors and member permissions for each user and channel e An authorized user who creates a channel is assigned as the channel owner with managerial rights An owner can add additional managers contributors and members to a channel How does a user join a channel Kaltura MediaSpace Setup Guide 12 Understanding the MediaSpace Setup An end user cannot join a channel The sys admin or channel manager must authorize the user An authenticated user can access channels that are Open or Restricted Who can create a channel A user with a role that is defined as a channel creator can create a channel You define the user roles that can create a channel See Setting Permissions for Creating a MediaSpace Channel Who can delete a channel The following are authorized to delete a channel e From MediaSpace The channel owner manager e From the KMC A KMC admin Kaltura MediaSpace Setup Guide 13 Setting up MediaSpace SECTION 2 Setting up MediaSpace Setting Up MediaSpace Content in the KMC To set up a MediaSpace category tree in the KMC 1 2 In the KMC create a MediaSpace root category a Select the Content tab and then select the Categories tab b Click Add Category c On the New Category win
28. dow select the position of the root category and save your new category New Category Select the parent caiegery usder which the new cacegory wi appear No Pani New Category gt Select place in tree d Inthe New Category window enter metadata for the new category and click Save New Category New Category gt Enter Details In MediaSpace define the root category a On the Configuration Management panel of the Kaltura MediaSpace Administration Area Kaltura MediaSpace Setup Guide 14 Setting up MediaSpace open the Categories tab b Under rootCategory select the category that you created and click Save Configuration Management Backup Actions Important Notice click to open Exportto a file Categories Import from a file Developer Tools a MediaSpaced Create uiConfs for Widgets Which root category does MediaSpace use for all categories and content A root Create Custom Metadata category must be defined in the KMC profiles Global restricted Application ss Restrict categories to specific roles Only users with the specified role can view media in the restricted Client unmoderatedAdminRole can add media to the restricted category Roles Auth Gallery Save Player Widgets 3 Inthe KMC verify your root category and sub categories a Select the Content tab and then select the Categories tab b Verify that the root category is displayed w
29. e category name On the Edit Category window select the Entitlements tab Under Specific End User Permissions click Manage Edit Category gallery2 Metadata Here you can manage entitlement settings and specific end user permissions to content in your application Entitlements 2 Privacy Context Label MediaSpace 2 0 Content Privacy T No Restriction Content in this category is visible to everyone with access to the application page F Requires Authentication Content in this category is visible in the application only to authenticated end users Private Visible only to users with specific permissions to access this category s content ra Category Listing i Ho Restriction Category is visible to everyone with access to the application page Private Category is visible only to users with specific permission to access this category s content 2 Who Can Add Content to No Restriction Any authorized end user this Category C3 Private Only end users with specific permission to add content to this category 2 Inherit Specific End User No Set specific end user permissions for this sub category Permissions from Parent Category Yes Specific end user permissions of parent category will automatically apply to this sub category Specific End User Permissions Owner Not Specified Change Users 0 end users have permissions to this category Save Save amp Close Previous Category Next Category gt Kaltura MediaSpace Se
30. ediaSpace Administration Area you can create and manage MediaSpace user accounts Use the list to manually manage all users in the partner account that have a MediaSpace role for the specific MediaSpace instance MANAGE CONFIGURATION MANAGE USERS KNOWLEDGE BASE CLEAR THE CACHE ENABLE DEBUG MODE LOG VIEWER GOTO SITE LOGOUT es User Management 19 Show All Roles v By Name By Email ADD NEW USER DELETE CHECKED SUBMITCSV_ E User ID First Name Last Name ds Password Role Email Extra data Actions No data found e Submit a Kaltura end users CSV to create MediaSpace user accounts in bulk Use the following format oan A B D E F G H 1 action userld firstName lastName screenName metadata KMS USERSCHEMAT y role partnerData 2 6 Johns123 John Smith John Smith ViewOnly pw ecc94cd2e13ec3ae3ea30bdal 1e4fe 7 15f9f9d20 3 6 Dans123 Dan Smith Dan Smith ViewOnly pw ecc94cd2e13ec3ae3ea30bdal 1e4fe7 15f9f9d21 4 6 Danas123 Dana Smith Dana Smith AdminRole pw ecc94cd2e13ec3ae3ea30bdal 1e4fe 7 15f9f9d22 5 6 4 7 4 To learn more about the end user CSV schema refer to End Users CSV Usage and Schema Description O o The userld field must include a minimum of three characters o The MediaSpace Application Role is managed within the MediaSpace user metadata schema Adjust the schema name in the example to include your MediaSpace instanceld You can copy the M
31. ediaSpace instanceld from the Configuration Management panel Application tab of the Kaltura MediaSpace Administration Area o Set the role names in the CSV according to the role labels you set in the Configuration Management panel Roles tab of the Kaltura MediaSpace Administration Area o When using Kaltura to authenticate users you may populate a shal hashed password in the CSV as part of the partnerData field as in the example MediaSpace administrators are responsible for managing password hashing and distribution to users The un hashed password must include a minimum of six characters o When using Kaltura only for authorizing user access to MediaSpace with a specific application role do not populate the password in the CSV You can remove the partnerData column in the example from the CSV since it is not required Kaltura MediaSpace Setup Guide 42 Authenticating and Authorizing Users o You can submit the end users CSV in the following ways On the User Management panel of the Kaltura MediaSpace Administration Area click Submit CSV Inthe KMC select the Upload tab and then under Submit Bulk select End Users CSV Administration n123 account Upload Media Upload from Desktop Record from Webcam Import from Web Prepare Entry eg Video Entry ap navigation Learn More Audio Entry Submit Bulk Select CSV XML Entries CSV XML Categories CSV End Users CSV Embed Player End User Ent
32. enter the label 1 Onthe Configuration Management panel of the Kaltura MediaSpace Administration Area open the Channels tab 2 Under channelCreator select one of the following roles and click Save o Sys Admin Channels can be created only from the KMC by the KMC admin user o Viewer All authenticated users o privateOnly All users with upload permissions Kaltura MediaSpace Setup Guide 24 Setting up MediaSpace o admin All users with permission to upload and publish to galleries o unmoderatedAdmin All users with permission to upload and publish to galleries and to bypass moderation if moderation is enabled Channels Debug tti i s S channelCreator Ge Moderation Select the minimal role thi No Role Sys Admin only Modules orivateOnlyRole ME ES panien E Addtoplaylists Channelmembers Channelmoderation Channelsettings Channelsettingsadvanced NOTE We do not recommend allowing the Viewer role to create channels since users Xe with a Viewer role cannot add content to channels they create When a user has a role that can create a channel a Create Channel button is displayed on Channel Listing pages Create Channel My Channels Q View 2asManager 0 as Member by Date Alphabetical Members Assigning MediaSpace Content to Channels To manually assign content to a MediaSpace channel in the KMC 1 Inthe KMC select the Content tab and then select the
33. es You can assign entry content to categories in the KMC on the Upload tab s Submit Bulk menu using the Entries CSV XML option Categories that do not exist are created when you submit the file To display these categories as MediaSpace galleries specify the MediaspaceRoot gt site gt galleries path To learn more about Assigning Content to Categories refer to the Kaltura Management Console KMC User Manual This section describes how to manually assign content to galleries To manually assign content to a MediaSpace gallery in the KMC 1 Inthe KMC select the Content tab and then select the Entries tab 2 Inthe Entries table select one or more entries and click Bulk Actions Kaltura MediaSpace Setup Guide 18 Setting up MediaSpace 3 Select Edit Categories and click Add Categories Refresh Entri es Search Entries Ea Categories Thumbnail ID Name Type Plays CreatedOn y Duration Status Actions All Categories No Filter x pa 0_4t361su0 Marco Tempest TH E 0 06 25 12 12 44 06 05 Converting Select Action v gt MediaSpace4 i v 0 8ne53my4 Peter Norvig The i 0 06 25 12 12 43 06 11 Converting Select Action v l 0 4ne38180 Wolfgang Kessiing E 0 06 25 12 12 42 11 35 Ready Select Action v kA 0_d1intyi1 Excellent web qual H 0 06 24 12 11 36 00 30 Ready Select Action v 0_ktm3bkSc Normal web quality i 0 06 24 12 11 36 00 30 Ready Select Action ut Set Scheduling Sat Accesa Conio Sample Bia Bucka 0 06 24 12 11 36 0
34. for example CAS login A sessionKey URL parameter is automatically appended to the logout URL This parameter securely encapsulates the user information enabling you to know which user logged out The sessionKey parameter is constructed using the secret shared with the login page sso Configure the built in Single Sign On Gateway authentication class SSOAuth secret Enter a custom secret or enter default to use the Kaltura Admin Secret associated default with your Kaltura account loginUri What is the URL for the SSO gateway login page Note The ref parameter is added automatically logoutUrl What is the URL to which a user is redirected after logging out of MediaSpace Usually you enter your organization s login page 6 If you are using the MediaSpace SSO Gateway to authorize user access to MediaSpace with a specific application role continue with the next procedure To configure user authorization using the MediaSpace SSO gateway 1 On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Auth tab Kaltura MediaSpace Setup Guide 39 Authenticating and Authorizing Users After you complete and verify the following steps click Save 2 Under authZAdapter select SSO Gateway AuthZ auth7Adapter 550 Gateway AuthZ Add custom value 3 Under refreshRoleOnLogin select your preference This option affects the updating of the
35. h specific permission to add content to this category Inherit Specific End User f No Set specific end user permissions for this sub category Permissions from Parent Category 0 Wes Specific end user permissions of parent category will automatically apply to this sub categony Specific End User Permissions Owner Not Specified Change Users 1 end users have permissions to this category Manage Save Save amp Close Previous Category Next Category gt NOTE If modifications are made in the KMC that do not correspond to one of the channel types MediaSpace behavior will follow the KMC definition not the designated type Understanding Channel Listings A company institution wide shared channel listing is available in MediaSpace for channel searching and content discovery Kaltura MediaSpace Setup Guide Understanding the MediaSpace Setup In addition each user has direct access to the list of all channels they belong to with permission of member and above To learn more refer to the Kaltura MediaSpace User Manual Understanding Application Roles MediaSpace application roles apply globally and include Anonymous Can browse your site anonymously until trying to access pages actions that require login My Media My Playlists and Add New Viewer o Can browse public galleries o Is not authorized to upload new content o Does not have a My Media page PrivateUpload o Can upload content to My Media
36. he Entitlements tab ag Kaltura MediaSpace Setup Guide 22 Setting up MediaSpace 5 Under Content Privacy select Private and click Save You can further restrict actions by applying rules for who can contribute to the gallery Edit Category gallery2 Here you can manage entitlement settings and specific end user permissions to content in your application Privacy Context Label MediaSpace 2 Content Privacy No Restriction Content in this category is visible to everyone with access to the application page D Requires Authentication Content in this category is visible in the application only to authenticated end users a Private Wisible only to users with specific permissions to access this category s content 2 Category Listing No Restriction Category is visible to everyone with access to the application page Private Category is visible only to users with specific permission to access this category s content 2 Who Can Add Content to No Restriction Any authorized end user this Category g Private Only end users with specific permission to add content to this category 2 Inherit Specific End User fm No Set specific end user permissions for this sub category Permissions from Parent Category F Yes Specific end user permissions of parent category will automatically apphy to this sub category Specific End User Permissions Owner Not Specified Change Users 0 end users have permissions to this category Manage Save
37. idation through direct access to the organizational LDAP or Active Directory server e SSO Gateway Authentication A Kaltura generic gateway for integrating with a customer specific login and authentication implementation while providing the user with a Single Sign On experience e Header Authentication User is authenticated through a request in the organizational authentication system The response includes the authenticated user ID in a specific HTTP header e Kaltura Authentication Manage MediaSpace users and their authentication in Kaltura e Custom Authentication Methods For any other type of authentication method custom adapters can be developed and added to the MediaSpace installation Enabling Authorization Methods On the Configuration Management panel Auth tab of the Kaltura MediaSpace Administration Area the Kaltura MediaSpace Setup Guide Ja Authenticating and Authorizing Users following authorization methods are supported as part of the MediaSpace standard installation When you select an authorization method a set of relevant configuration fields is displayed to fill in authZAdapter What is the name ofthe PHP class for handling authorization Authorization determines the users role KalturaAuth enables the built in User Management system located at admin users LdapAuth lets you use your organizational LDAP AD server to determine roles To use your own custom class click Add custom value
38. ient servicellrl HE www kaltura com The URL from which API calls will be serviced Change this if your are running Kaltura On prem Kaltura MediaSpace Setup Guide 29 Authenticating and Authorizing Users SECTION 3 Authenticating and Authorizing Users On the Configuration Management panel Auth tab of the Kaltura MediaSpace Administration Area you can configure the settings for the required user authentication method and the required method for authorizing a user s access to MediaSpace with a specific Application Role The following scenarios are supported e Scenario 1 Authentication and Authorization Are Managed in Organizational Systems e Scenario 2 Authentication and Authorization Are Managed in Kaltura e Scenario 3 Authentication Is Managed in an Organizational System Authorization Is Managed in Kaltura Usually both authentication and role authorization are set through integration with the organizational identity and group management systems scenario 1 Kaltura s authentication and or authorization options may be useful in the cases described in scenarios 2 and 3 NOTE User authorization to channel and content entitlements is handled separately NE Understanding MediaSpace Authentication and Authorization Scenarios Scenario 1 Authentication and Authorization Are Managed in Organizational Systems When does this scenario apply You can use your organizational system as your MediaSpace identity and role
39. ing the User Management panel of the Kaltura MediaSpace Administration Area to delete the user Kaltura MediaSpace Setup Guide 43 Using MediaSpace without Entitlement Features SECTION 4 Using MediaSpace without Entitlement Features You can use MediaSpace without using entitlement features In the KMC verify that your MediaSpace category tree does not have Privacy Context To verify that entitlement is not enabled confirm that in the KMC under Content gt Categories the Entitlements tab of your root category s Edit Category window is not displayed Restricting Categories If you do not want to create channels and restrict users using entitlement features you can restrict categories to specific roles in the MediaSpace Configuration Panel s Categories tab Only users with the specified role can view media in the restricted category Only users with adminRole or unmoderatedAdminRole can add media to the restricted category For example Category1 PrivateUploads PublicUploads Category2 PublicUploads NOTE Use the category name that is displayed in MediaSpace omitting the number Ls prefix used for setting the category order in the KMC For example use Sneak Peek not S 4 Sneak Peak To display only unrestricted categories to MediaSpace users who do not log in use restricted categories together with the Allow anonymous true option NOTE Known issue If your site contains a Related playlist that is displayed next to the me
40. ith new sub categories C at e g Or Q Search Categories Categories ID Name f All Categories No Filter yi 150071 archive 7 MediaSpace4 15004 galleries F site 150051 channels galleries channels 150061 private private i 150031 site archive 150021 MediaSpace4 I NOTE The Archive category is reserved for future versions The Private category contains all content uploaded to the MediaSpace site that has not been published to galleries and channels Do not change the Private category settings 4 Inthe KMC verify that the root category is assigned a Privacy Context A Privacy Context is defined during MediaSpace installation or using the KMC a Inthe KMC select the Content tab and then select the Categories tab b Inthe Categories table click the root category name c Onthe Edit Category window select the Entitlements tab Kaltura MediaSpace Setup Guide Setting up MediaSpace d Under Privacy Context Label confirm that a value is displayed Metadata ecific end user permissions to content in your application 2 Privacy Context Label MediaSpace Uploading MediaSpace Content To upload initial content for MediaSpace in the KMC In the KMG select the Upload tab and then do one of the following o Click Upload from
41. itlements CSV Embed Playlist To automate the update of the authorized MediaSpace users list When you manage MediaSpace authorization in Kaltura you can develop automated processes for updating the list of MediaSpace users based on changes in your organizational information system e You can develop a scheduled update process to periodically add or delete multiple users to the MediaSpace users list using the Kaltura end users CSV In your script you can call the user addfrombulkupload Kaltura API action to submit the CSV e Using Kaltura API actions you can develop a trigger based process to update the MediaSpace users list in real time when changes occur in your organizational information system You can call the user add user delete and user update Kaltura API actions to add delete and update specific user records You can call the metadata add metadata delete and metadata update Kaltura API actions to add delete and update the user s MediaSpace role NOTE Deleted users are also removed from all channels in which they are members hS Content ownership and analytics information of the deleted user are not deleted NOTE Since user records are shared by all Kaltura applications running on the same NN account we recommend that you delete records only of users who left the organization In sh other cases we recommend revoking the user s access to MediaSpace by using the Kaltura API to remove only the user s MediaSpace role or by us
42. ization for users to access MediaSpace and MediaSpace Application Roles is independent of their membership in organizational units or groups For example users who will be granted MediaSpace access do not belong to a specific organizational unit or group e You are not able to provide access to your group management system from the MediaSpace application for setting group based role authorization You want to set users application roles before their first login to MediaSpace Who can access MediaSpace Only users who are authenticated by your systems and have MediaSpace user accounts pre provisioned in Kaltura the user account includes MediaSpace Application Roles can access MediaSpace Users who are not authenticated by your systems are denied access to MediaSpace even if they are have a user account and a MediaSpace Application Role in Kaltura These unauthenticated users will not be able to log in Kaltura MediaSpace Setup Guide 32 Authenticating and Authorizing Users Configuring Authentication and Authorization for MediaSpace Enabling Common Login Configurations On the Configuration Management panel Auth tab of the Kaltura MediaSpace Administration Area the following MediaSpace login options are available for all authentication and authorization methods demoMode No Enable the demo login mode After entering any user or password combination the user has an admin role Can users access MediaSpace without logging in If you
43. llowing the completion of your pilot or when the IT integration with your user authentication and group management systems is completed on the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Auth tab and change the selected authentication authorization method In the Kaltura MediaSpace Administration Area you may override the Kaltura managed Application Roles from your system on the Configuration Management panel or by manually deleting existing MediaSpace user accounts on the User Management panel To override Kaltura managed Application Roles on the Configuration Management panel 1 On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Auth tab 2 Set the following values and click Save a Under refreshDetailsOnLogin select Yes This option is displayed only when using an external authentication provider b Under refreshRoleOnLogin select Yes This option is displayed only when using an external role authorization provider Scenario 3 Authentication Is Managed in an Organizational System Authorization Is Managed in Kaltura When does this scenario apply You can use Kaltura as your MediaSpace access and role authorization provider when e You have a small to large scale MediaSpace deployment You want all users to log into MediaSpace with their organizational credentials and to be authenticated by your centralized authentication system e Author
44. nder dapOptions select your preferences for getting the list of groups in which the user is a member This option is used to determine the user s MediaSpace Application Role Under groupsMatchingOrder enter the order for matching MediaSpace roles to LDAP groups The order determines whether the strongest or weakest role is mapped first Your groupSearch selection will affect the information you need to provide IdapOptions Configure the LDAP options for group searches Get groups from user x Get groups from user byUser Enter the memberOf attribute to use the memberof search filter to map groups to users Note The memberof search filter is not enabled by default on all LDAP servers userSearchQueryPattern amp objectClass person uid U Enter the pattern for querying the LDAP server to find a user The USERNAME token will be replaced with the actual user name provided in the login window primaryGroupldAttribute Optional Enter the attribute name for the primary group ID usually primaryGroupld Use this field only to authorize by primary group ID when you are using AD groupsMatchingOrder Enter the order in which to match MediaSpace roles to LDAP groups For example if unmoderatedAdminRole adminRole a user belongs to a group that is mapped to the admin role enter adminRole before other roles adminRole viewerRole to find the admin role first and
45. ning User Permissions to MediaSpace Channels To assign user permissions in bulk use the End User Entitlements CSV To learn more about assigning end user permissions refer to the Kaltura Management Console KMC User Manual To learn more about entitlement services and how they apply to MediaSpace permissions refer to Introduction to the Kaltura Entitlement Infrastructure Assigning User Permissions to MediaSpace Channels in the KMC By default a channel that you create in the KMC is restricted to authorized users Handling permission restrictions for channels is similar to the way you handle permissions for galleries See Adding Contributors to MediaSpace Galleries In addition you perform the following important flows related to channels in the KMC e Assigning Managers and Moderators to a MediaSpace Channel e Listing MediaSpace Channels Assigning Managers and Moderators to a MediaSpace Channel To access channel settings in MediaSpace a user must have Manager or Moderator permissions for the channel To learn more about channel settings refer to the Kaltura MediaSpace User Manual To assign a manager to a MediaSpace channel in the KMC 1 In the KMC select the Content tab and then select the Categories tab Kaltura MediaSpace Setup Guide 26 Setting up MediaSpace oa e aoe Ss PS S h Sa In the Categories table click the channel category name On the Edit Category window select the Entitlements tab Under S
46. nistration Area An administrator can override the user details first and last name and the user MediaSpace Application Role This option is useful mainly for granting a higher or lower level Application Role to certain users For example you can set a Viewer Application Role to a large group of people within your organization and then manually assign the higher level MediaSpace Admin role to a few of them To enable manually overriding settings 1 On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Auth tab 2 Set the following values and click Save a Under refreshDetailsOnLogin select No This option is displayed only when using an external authentication provider b Under refreshRoleOnLogin select No This option is displayed only when using an external role authorization provider refreshDetailsOnLogin No B Should user details on Kaltura be updated through an external authentication provider refreshRoleOnLogin N iS Should the user role on Kaltura be updated through an external authorization provider o Select No to allow overriding a role through Kaltura user management Scenario 2 Authentication and Authorization Are Managed in Kaltura When does this scenario apply You can use Kaltura as your MediaSpace identity and role authorization provider when e You want to launch a MediaSpace pilot in your organization without IT integration e You want to quickly go live wi
47. nnel type definitions are displayed in MediaSpace under Channel Settings gt Basic First Settings Basic Members Advanced Pending Title Open First Memdershap is open and non members Gan Wew Content and p rbdG p le Decniptian 7 H strictad Mon mambers can vea coeleri but Users must be invited to particpate rags 3 Private Membershes ia By Irrdlalion ond and ony members can view con ent and paricipaio E Moziorato contend Medes vill nol appear in Channel until Approved by channel manager Save KMC entitlement definitions are displayed in the KMC under Content gt Categories gt Edit Category window gt Entitlements tab Edit Category gallery2 Here you can manage entitlement settings and specific end user permissions to content in your application J Privacy Context Label MediaSpace 7 Content Privacy No Restriction Content in this category is visible to everyone with access to the application page i Requires Authentication Content in this category is visible in the application only to authenticated end users Private Visible only to users with specific permissions to access this category s content gt No Restriction Category is visible to everyone with access to the application page ry Private Category is visible onby to users with specific permission to access this category s content gt Who Can Add Content to No Restriction Any authorized end user this Category oe Private Onhy end users wit
48. nonymous mode is enabled galleries also can be viewed by anonymous users To enable Anonymous mode 1 On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Auth tab 2 Under allowAnonymous select Yes and click Save Can users access MediaSpace without logging in Anonymous users will be able to browse the galleries and view videos Unlike viewerRole anonymousRole users WILL see links buttons to actions that require more qualified roles but upon clicking them will be presented with a login screen allowAnonymous How do restricted galleries behave If a gallery is restricted by entitlement in the KMC so that it is listed and restricts access to Private members only the gallery is displayed in navigation but unauthorized users cannot access the gallery If a gallery is restricted by entitlement in the KMC so that it is unlisted and restricts access to Private members only the gallery is displayed in navigation but unauthorized users have restricted access Who can add media to a gallery The following users can add media to a gallery e A user with an application role of Admin or UnmoderatedAdmin e A user who is assigned Contributor permission and above to a specific gallery Who can view a channel The following users can view a channel e A user who is authorized by entitlement permissions in the KMC e Auser who is added as a member by the channel manager in MediaSpace How
49. ntication and Authorization for MediaSpace cccccsseeeceeeceeeeeeeeeesaeeeeeeeeaaeees 33 Enabling Common Login Configurations rss toccadeicierenttineeoatstindustentticels ioe panenanhtasdibtentlindtnestanlsoeeiied tines 33 Kaltura MediaSpace Setup Guide 3 Preface Enabling Authentication Methods cccccccccsseeeceeeceeeeeceeeeeeeseceeeeseeseeeeesseaeeeeessaaeeeeeseaegeeeeeenas 33 Enabling Authorization MethodS ci tivassuiesinceneninnndtionsindielxinidionehnestisine bncicnneltooanlsdelnsniireshnniictlsestiaedivansl onnesect 39 Setting Up Authentication and Authorization rreorrrrrnnnnnnrorrnrrrrnnnnnnnrvrrnrrrnnnnnnrrnnnnnnnnnsnnsssnnnnnnnnnn 34 Configuring LDAP Authentication and Authorization rrronnrrrrrrrnnnrnrrrnrnnnnnvrnrrnnnnnernnrnnnnrennnnnnn 34 Configuring SSO Gateway Authentication and Authorization rrrrnrrnnnnrrrnrrnnnnnrrnnrnnnnnennnnnnn 38 Configuring Header Authentication cccccccccccccssseeeeeceeeeeceeeceeeeeeeeecseaeeeeeesseaaeeeessseeseeeeesaaaees 40 Configuring Kaltura Authentication and Authorization cccccseecceceeeeeeceeeeeceseeesaeeeeeesaeees 41 Section 4 Using MediaSpace without Entitlement Features rrrrrrrrrnnrrorrrrnnnnnvrnrrnnnnnrnnrrnnensennnnnnnnee 44 FS UIE 06 500 EE EEE 44 Kaltura MediaSpace Setup Guide 4 Preface This preface contains the following topics e About this Guide e Audience e Document Conventions e Related Documentation
50. operation is used for authenticating with LDAP Search before bind bindMethod l Search before bind x means thatthe user s DN is discovered by searching the LDAP ad server Direct bind means thatthe users DN is constructed automatically according to the format that you specify under userDnFormat displayed below when you select Direct Bind and no search is performed usemame If anonymous search is not allowed what is the DN ofthe account that should be used to bind for searching users For anonymous do not enter a username password If anonymous search is not allowed what is the password ofthe account that should be used to bind for searching users For anonymous do not enter a password userSearchQueryPattern amp objectClass person uid U_ Enter the pattern for querying the LDAP server to find a user The USERNAME token will be replaced with the actual username provided in the login screen LDAP Server Configuration Search before Bind options b Select the LDAP attributes for first name last name and email address Populating the user s first and last name is used for several MediaSpace options that require the user name The email address is optional This field is useful for user management and for future features Such as email notifications emailAttribute What is the name ofthe attribute on the user record that contains the user ID If you do not want to sync email
51. pecific End User Permissions click Manage On the Specific End User Permissions window do one or more of the following o Inthe user list select one or more users and change the user permission to Manager o Click Add Users On the Add Users window under Permission Level select Manager On the Add Users window under Select End Users start typing a user name A list of suggestions Is displayed after you type the third character On the Add Users window select a user from the suggestion list and click Save To assign a moderator to a MediaSpace channel in the KMC In the KMC select the Content tab and then select the Categories tab In the Categories table click the channel category name On the Edit Category window select the Entitlements tab Under Specific End User Permissions click Manage On the Specific End User Permissions window do one or more of the following o Inthe user list select one or more users and change the user permission to Moderator o Click Add Users Qn the Add Users window under Permission Level select Moderator On the Add Users window under Select End Users start typing a user name A list of suggestions Is displayed after you type the third character On the Add Users window select a user from the suggestion list and click Save NOTE A MediaSpace end user who creates a channel can assign permissions including adding managers and moderators Listing MediaSpace Channels In Me
52. rmissions for another channel For a user to perform an action that a permission allows the action must be allowed by the user s application role Therefore you must ensure that a user with a permission of Contributor or higher see Understanding Permissions is assigned a role of PrivateUpload or higher see Application Roles Otherwise the user is not able to upload content to MediaSpace despite the permission that entitles the user to contribute content A Channel Manager can assign permissions in MediaSpace The channel manager selects the kind of access that users have for the channel If the channel type is restricted or private the channel manager adds members and assigns member permissions To learn more refer to the Kaltura MediaSpace User Manual Understanding Channel Types MediaSpace supports the following types of channels e Open All authenticated users are entitled to access the channel and contribute content e Restricted All users are entitled to access the channel but only specific users are entitled to contribute content e Private Only specific users are entitled to access the channel and to contribute content MediaSpace Terminology KMC Properties Privacy Listing Who can add content Open Authenticated users No Restriction No Restriction Restricted Authenticated users No Restriction Private Private Authenticated users Private Private Kaltura MediaSpace Setup Guide 8 Understanding the MediaSpace Setup Cha
53. select yes anonymousRole users can browse the galleries and view videos For anonymousRole users links buttons for actions that require more advanced roles are displayed When an anonymousRole user clicks a link button that requires a more advanced role a login screen is displayed allowAnonymous anonymousGreeting What text should be used in the header instead of an actual user name sessionLifetime How long can MediaSpace user session last httpsLogin Enable a secure login page via https If you select yes your server must be configured to enable a secure login page Enabling Authentication Methods On the Configuration Management panel Auth tab of the Kaltura MediaSpace Administration Area the following authentication methods are supported as part of the MediaSpace standard installation When you select an authentication adapter a set of relevant configuration fields is displayed to fill in Whatis the name ofthe PHP class for handling authentication KalturaAuth enables the built in User Management system located at admin users LdapAuth lets you use your organizational LDAP AD server to authenticate users To use your own custom class click Add custom value and enter the custom class name authNAdapter Header AuthN lz Header AuthN Kms_Auth_AuthN_Kaltura LDAP AuthN SSO Gateway AuthN Add custom value e LDAP Authentication User authentication and credentials val
54. th your organizational video portal before performing IT integration with your organizational authentication and group management systems e Only a few users in your organization need to work with MediaSpace and there is no requirement or need for managing user authentication and credential validation in your organizational systems e You do not have a centralized authentication system or you are not able to provide access to your authentication system from the MediaSpace application Who can access MediaSpace Only users with a MediaSpace user account pre provisioned in Kaltura can access MediaSpace The user account must include a MediaSpace Role and a MediaSpace password If you want to revoke MediaSpace access from a specific user it is your responsibility to delete the user account in one of the following ways e Onthe User Management panel of the Kaltura MediaSpace Administration area select one or more users and click Delete or Delete Checked e Submit a Kaltura end users CSV to delete MediaSpace user accounts in bulk To learn more see the submit a Kaltura end users CSV procedure step e Use the Kaltura API to o Delete the user record o Remove the user s MediaSpace Role stored in a custom data profile Kaltura MediaSpace Setup Guide 31 Authenticating and Authorizing Users How do you switch from Kaltura managed authentication and authorization to managing MediaSpace authentication and authorization in your system Fo
55. the gallery categories under MediaSpaceroot gt Site gt Galleries To specify the order of MediaSpace gallery categories in the KMC By default categories in MediaSpace are displayed by creation date the most recent appears last To modify the gallery display order in MediaSpace you specify the order of your gallery categories in the KMC 1 Inthe KMC select the Content tab and then select the Categories tab 2 Click galleries in the Categories table to open the Edit Category window site C ot fa g O ri as Search Categories ge Categories ID Name ik a a All Categories No Filter 28 150041 galleries y MediaSpace4 150051 channels v iv ste gt galleries channels private archive Kaltura MediaSpace Setup Guide 17 Setting up MediaSpace 3 On the Edit Category window select the Sub Categories tab displayed only when there is more than one sub category Edit Category galleries Metadata Reorder this category s sub categories Entitiements arid Sub Category Position 7 I Sub Categories En gallery gallery3 Save Save amp Close Previous Category Next Category gt 4 Specify the order of the sub categories using the Up and Down arrows and click Save Repeat for additional sub category levels under galleries Assigning MediaSpace Content to Galleries After your gallery structure is set up you can assign content to your galleri
56. tup Guide 21 Setting up MediaSpace 5 On the Specific End User Permissions window click Add User gallery2 Specific End User Permissions Search End Users Additional Filters User Name lD Permission L Status Update M Updated Actions v AllPermission Levels Member Add Users From Parent Category Contributor Moderator Manager Y All Statuses Active Deactivated iY All Update Methods Manual Automatic Bulk Actions 6 On the Add Users window under Permission Level select Contributor 7 Onthe Add Users window under Select End Users start typing a user name A list of suggestions Is displayed after you type the third character gallery2 Add Users Here you can set end user permissions for this category Permission Level Contributor Update Method Manual Select End Users facu facultymember facultymember Save Save and Close 8 On the Add Users window select a user from the suggestion list and click Save In MediaSpace the selected user will have the Add Media option for the specified gallery Restricting Access to MediaSpace Galleries in the KMC To enable only a specified group of users to access a MediaSpace gallery 1 Add specific users as members to a gallery category See Adding Contributors to MediaSpace Galleries 2 Inthe KMC select the Content tab and then select the Categories tab In the Categories table click the category name 4 Onthe Edit Category window select t
57. uring LDAP Authentication and Authorization To learn more about integrating your LDAP server for authenticating users and authorizing user access to MediaSpace with a specific application role refer to Kaltura MediaSpace Introduction to Authentication and Authorization Solutions and Kaltura MediaSpace LDAP Integration Guide 1 To configure user authentication through your LDAP server On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Auth tab After you complete and verify the following steps click Save Under authNAdapter select LDAP AuthN authNAdapter Select your preferences for the common login options Kaltura MediaSpace Setup Guide 34 Authenticating and Authorizing Users 4 Under refreshDetailsOnLogin select your preference This option affects the updating of the user s first name last name and email address when provided from your LDAP system upon every login refreshDetailsOnLogin 5 Under dapServer Should user details on Kaltura be updated through an external authentication provider a Select the LDAP Server access and bind settings Your bindMethod selection will affect the information you need to provide for authenticating the user IdapServer Configure your LDAP Active Directory Server host Idap example com port 389 protocol ldap 3 protocolVersion baseDn de example dc com Search before bind
58. ut Configuring Kaltura Authentication and Authorization Authenticating or authorizing MediaSpace users in Kaltura requires creating MediaSpace user accounts that include a MediaSpace Application Role Only users with a MediaSpace user account and MediaSpace Application Role are able to log into MediaSpace Authenticating MediaSpace users in Kaltura also requires setting a password for each MediaSpace user Follow the procedure to create MediaSpace user accounts that include a MediaSpace Application Role To configure Kaltura authentication 1 On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Auth tab After you complete and verify the following steps click Save 2 Under authNAdapter select Kms Auth AuthN EG Kms Auth AuthN Kalt Kms Auth AuthN Kaltura AP AuthN Add custom value 3 Select your preferences for the common login options To configure Kaltura authorization 1 On the Configuration Management panel of the Kaltura MediaSpace Administration Area open the Auth tab 2 Under authZAdapter select Kms_Auth AuthZ and click Save Kms Auth Authz Kalt Kms Auth Auth Kaltura LDAP Authz Add custom value Kaltura MediaSpace Setup Guide 41 Authenticating and Authorizing Users To create MediaSpace user accounts that include a MediaSpace Application Role Do one of the following e Onthe User Management panel of the Kaltura M
Download Pdf Manuals
Related Search