7.3.3. Entra ID Configuration

7.3.3.1. Prerequisites

Microsoft Entra ID Permissions

You will need the appropriate Microsoft Entra ID permissions to create the enterprise application and groups for mapping recorder permissions.

TLS Certificate

A valid TLS certificate must be installed and enabled on the recorder.

Entity ID

Each party in the SAML exchange, the service provider (SP) and the identity provider (IdP), has an entity ID, which is its unique identifier. The entity ID for the SP must be provided; the entity ID for the IdP is read programmatically from its metadata file.

Metadata File

The metadata file is an XML document that contains information about the IdP. It includes the IdP’s entity ID, public key, and other relevant information. The metadata file is used to configure the SP to trust the IdP. This can be obtained from Microsoft Entra ID after configuring the enterprise application.

User Groups

User groups must be correctly set up on both the recorder and Microsoft Entra ID. The groups in the recorder must align with those in Microsoft Entra ID to ensure proper group mapping for SAML authentication. Ensure that the groups in Microsoft Entra ID have been created and that users have been assigned to them.

Configuration Manager

Access to Configuration Manager is required to configure the SAML authentication provider on the recorder. The Configuration Manager login icon will not be available in the lower right-hand corner when accessing Configuration Manager. You will need to log in by going to <host>/admin.

MediaWorks Replay

After Microsoft Entra ID has been configured, open MediaWorks Replay by navigating to the recorder in a browser and logging in.

7.3.3.1.1. Configuration Steps

Within Microsoft Entra ID, navigate to Enterprise Applications and select New Application:

Fig. 7.25 Add Enterprise Application

On the next page, select the option at the top titled Create your own application, enter a name and click Create:

Fig. 7.26 Create your own application

Once on the Overview page for the new application, click Manage → Single sign-on and then select SAML:

Fig. 7.27 Enable SAML

Next, select the Edit button in box 1 (Basic SAML Configuration), enter the required values and click Save.

Identifier (Entity ID) - This can be any value as long as it is unique within your Entra ID tenant. Standard practice is to make this a URL, though the URL does not have to point to anything, nor does it need to resolve; it is simply used as a unique identifier. For this document, we will use the value https://sp.nexlog.host/relyingidentifier. Make note of this value, as it will be used later to configure the recorder side of SAML.

Reply URL (Assertion Consumer Service URL (ACS)) - This will be https://<RECORDER_FQDN>/auth.sso/SAML2/POST, which for this example is https://sp.nexlog.host/auth.sso/SAML2/POST.

If you elected to limit configuration access to port 8443 (on the recorder, under Users and Security → Encryption and TLS → Connection Settings), you can add an additional ACS URL. This will be the same value as the ACS URL above but specifying port 8443 (e.g. https://sp.nexlog.host:8443/auth.sso/SAML2/POST).

Fig. 7.28 Configure SAML

The default SAML attribute mapping used by recorders uses the UPN for the username, stripping everything after the @ symbol. If you plan to add no other claims, you can edit the SAML attribute mapping on the recorder by logging into Configuration Manager, navigating to System → Configuration Files → SAML attribute map and clicking View / Edit at the bottom of the page. You should then adjust the remote_user mapping as shown below:

<Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="remote_user"/>

Hint

The above mapping can also be used for the attr_email mapping if you chose to configure it on the recorder.

Alternatively, you could add the default UPN claim or use any other claim you’d like, but the SAML attribute mapping on the recorder would need to be updated to reflect this.

UPN Claim Creation

Back on the SAML-based Sign-on configuration page, select Edit for box 2 (Attributes & Claims). On this page, select Add new claim.

Fig. 7.29 Add a new claim

Configure the claim as shown below and click Save.

Fig. 7.30 Configure new claim

Next, we will need to create a group claim so that the groups the user belongs to are part of the assertion and can be used with the group-to-permission mapping on the recorder.

Back on the Attributes & Claims page, select Add a group claim and configure it as shown below. If you have a Microsoft Entra ID tenant that is synchronized with on-premises Active Directory, you may want to choose a different option than the one shown, such as sAMAccountName. It is also possible to leave the default of Group ID, although the group mapping configuration on the recorder would be less clear than when using names.

Fig. 7.31 Add a group claim

You will also need to edit the SAML attribute map (System → Configuration Files → SAML attribute map) for the group claim using the example below:

<Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" id="attr_group"/>
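The following added example (not the recorder's own code) models how the two attribute-map entries in this section, the remote_user entry above and the attr_group entry just shown, turn the contents of a SAML assertion into values the recorder can act on, and how the attr_group values then feed a group-to-permission lookup. The model follows the usual attribute-map convention: an entry whose name is a NameID format URI is satisfied from the assertion's Subject/NameID when its Format matches, and any other name is matched against Attribute/@Name in the AttributeStatement. The assertion, the <Attributes> wrapper around the map entries, the group names and the permission table are all constructed for the example, and the step that drops everything after the @ mirrors the behaviour this section describes for the default UPN mapping; whether the recorder applies the same step to an email NameID is an assumption here.

```python
"""Added example: apply a SAML attribute map to an assertion and resolve
groups to permissions. A model of the mapping, not the recorder's parser."""
import xml.etree.ElementTree as ET

SAML2 = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Map entries with one of these prefixes are read from Subject/NameID.
NAMEID_FORMAT_PREFIXES = (
    "urn:oasis:names:tc:SAML:1.1:nameid-format:",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:",
)

# The two mappings from this section, inside a constructed <Attributes> wrapper.
ATTRIBUTE_MAP = """<Attributes>
  <Attribute name="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" id="remote_user"/>
  <Attribute name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups" id="attr_group"/>
</Attributes>
"""

# Constructed assertion body. Signature and Conditions are omitted; a real
# SP validates both before any attribute mapping runs.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml2:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml2:AttributeValue>Recorder Admins</saml2:AttributeValue>
      <saml2:AttributeValue>Dispatch Supervisors</saml2:AttributeValue>
      <saml2:AttributeValue>Finance</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml2:AttributeValue>jdoe@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
"""

# Constructed group-to-permission table standing in for the recorder's own.
GROUP_PERMISSIONS = {
    "Recorder Admins": {"configuration", "playback", "export"},
    "Dispatch Supervisors": {"playback", "export"},
    "Dispatchers": {"playback"},
}


def load_attribute_map(xml_text: str) -> list:
    """Return the (name, id) pairs of every <Attribute> entry in the map."""
    root = ET.fromstring(xml_text)
    return [(a.get("name"), a.get("id")) for a in root.iter("Attribute")]


def apply_attribute_map(assertion_xml: str, attr_map: list) -> dict:
    """Resolve each map entry against the assertion; returns id -> [values].
    Claims the map does not mention are ignored."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml2:Subject/saml2:NameID", SAML2)
    attrs = {}
    for a in root.findall("saml2:AttributeStatement/saml2:Attribute", SAML2):
        values = [(v.text or "").strip() for v in a.findall("saml2:AttributeValue", SAML2)]
        attrs.setdefault(a.get("Name"), []).extend(values)

    mapped = {}
    for name, ident in attr_map:
        if name.startswith(NAMEID_FORMAT_PREFIXES):
            if name_id is not None and name_id.get("Format") == name and name_id.text:
                mapped.setdefault(ident, []).append(name_id.text.strip())
        elif name in attrs:
            mapped.setdefault(ident, []).extend(attrs[name])
    return mapped


def local_part(value: str) -> str:
    """Drop everything after the @ symbol, as the default mapping does."""
    return value.split("@", 1)[0]


def resolve_session(assertion_xml: str, attr_map_xml: str, group_permissions: dict) -> dict:
    """Derive the username and effective permissions for one assertion.
    Exactly one remote_user value is required; groups with no mapping are
    reported rather than silently dropped so an operator can spot them."""
    mapped = apply_attribute_map(assertion_xml, load_attribute_map(attr_map_xml))
    users = mapped.get("remote_user", [])
    if len(users) != 1:
        raise ValueError(f"assertion yielded {len(users)} remote_user values, need exactly 1")
    permissions, unmapped = set(), []
    for group in mapped.get("attr_group", []):
        if group in group_permissions:
            permissions |= group_permissions[group]
        else:
            unmapped.append(group)
    return {"username": local_part(users[0]), "permissions": permissions,
            "unmapped_groups": unmapped}


if __name__ == "__main__":
    print(resolve_session(SAMPLE_ASSERTION, ATTRIBUTE_MAP, GROUP_PERMISSIONS))
```

Running the sample resolves the username to jdoe with the union of the permissions of the two mapped groups, and lists Finance as unmapped; an assertion whose NameID uses a different Format than the map entry names produces no remote_user value and is rejected, which is the symptom to look for when a login fails right after changing the Unique User Identifier in Entra ID.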

The last thing you will want from the SAML configuration page is to download the Federation Metadata XML; this is in box 3 (SAML Certificates):

Fig. 7.32 Download metadata from Entra ID

If you do not have groups created, you should now create groups that can be mapped to one or more permissions on the recorder. These groups should then be added to the enterprise application.

Fig. 7.33 Example group configuration

This completes the Microsoft Entra ID side of the configuration, and you can now move on to Recorder SAML Configuration.