7.4.1. Recorder SAML Configuration

7.4.1.1. Before You Begin

SAML Attribute Mapping

The default claim used for the username differs from one IdP to another. To confirm the mapping matches your setup, the SAML attribute map can be viewed and edited on the recorder by navigating to System → Configuration Files → SAML attribute map and clicking View / Edit at the bottom of the page.

You should also confirm that the mappings for other values, such as name and email, are correct.

Verify User Groups in Configuration Manager

Begin by ensuring that your recorder has User Groups correctly set up. Log in to Configuration Manager and go to ‘Users and Security’, and select the ‘User Groups’ page. Here, you will find different groups with varying access levels. Some groups may have access only to the MWP (Media Workflow Platform), others solely to Configuration Manager, and some may have access to both.

Configure IdP User Groups

Next, make sure that your IdP has groups configured appropriately, aligning with those defined in the Configuration Manager. Refer to our IdP specific implementation guides for additional details.

7.4.1.2. Adding an Authentication Provider

Once the SAML IdP is configured, we can turn our attention to configuring SAML on the recorder itself.

Note

When accessing Configuration Manager, the login icon will not be available in the lower right-hand corner. You’ll need to log in by going to <host>/admin.

Once logged in as an administrator, you can select:

Users and Security → Authentication Providers

Fig. 7.42 Auth Providers

Then click the Add Auth Provider button to add details about your IdP.

You will not be able to click on the Enabled button until certain fields are filled in. We’ll start from top to bottom.

  • Type: Will default to SAML, but if it isn’t, click the Type drop-down and choose SAML.

  • Display Name: This can be any value and is simply a name to give to the configuration, for example “DISA”.

  • User Provisioning: Click this checkbox.

  • Active Directory Federation Services (ADFS): Click the checkbox if you followed the ADFS Configuration guide.

  • Display Order: Select a value. This sets the order in which the configured authentication providers are listed.

  • Relying Provider Identifier: Recall from your IdP configuration that the service provider is identified by an entityID. This field must match exactly what was configured in your IdP. We’ll use the same value outlined in all of our example configurations: https://sp.nexlog.host/relyingidentifier

  • Recorders Fully Qualified Domain Name (FQDN): This is the FQDN configured on the recorder and matching the TLS certificate installed on the recorder.

  • Generate New x.509 Certification: You can leave this unchecked; checking the box will trigger new certificates to be generated. These certificates are used in the SAML process itself (signing and encryption). If you are editing a previously configured authentication provider, generating new certificates may require you to delete the old signing and encryption certificates for your IdP so that the IdP trusts the new ones.

  • Identity Provider Metadata Configuration: To populate this box, use the file downloaded during the IdP configuration steps.

Click on the Enabled button on the top of the page.

Fig. 7.43 Auth Provider Setting Full

7.4.1.3. SAML Group Mapping

Mapping Recorder Groups to Directory Groups

On the ‘Groups’ page, you will see a list of ‘Recorder Group Name’ entries. These are the User Groups previously identified on the ‘User Groups’ page. Your task here is to map each ‘Recorder Group Name’ to the corresponding group configured in your IdP.

Fig. 7.44 Groups Mapping

Accurate Group Name Entry

It’s critical to enter the group name from your IdP exactly as it appears there. For instance, a group named ‘Instant Recall’ in the recorder should be mapped to its counterpart in your IdP, such as ‘ADJJM123-NLInstant Recall’. Pay attention to punctuation, capitalization, and spaces in the names.

Finalizing the Process

This mapping ensures that when a SAML AD user is created and made a member of a group like ‘ADJJM123-NLInstant Recall’, the system correctly identifies the mapping. This allows the user to log in to the MWP with the appropriate ‘Instant Recall’ permissions.

Important

If the mapping is incorrect, the user may be authenticated but will not gain access to MWP functionalities.

Click the Save button, then OK to acknowledge the webserver restart. You will then be returned to the Authentication Providers list, where you will see your newly configured provider.
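The following script is an added example for checking a SAML assertion offline against a recorder-style attribute map and group mapping; it is not NexLog code and does not run on the recorder. It assumes an ADFS-style claim layout (the claim URIs in ATTRIBUTE_MAP), a constructed group mapping, and a constructed sample assertion; the only value taken from this page is the relying provider identifier https://sp.nexlog.host/relyingidentifier. It shows the three things that go wrong most often in this procedure: the assertion's Audience not matching the Relying Provider Identifier, a username/name/email claim missing from the assertion, and an IdP group name that is almost, but not exactly, the one entered on the Groups page.

```python
"""Offline consistency check of a SAML assertion against a recorder's
attribute map and group mapping (added example, not NexLog code).
Everything below except SP_ENTITY_ID is constructed for illustration."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Relying Provider Identifier from the page; the assertion's Audience must match it.
SP_ENTITY_ID = "https://sp.nexlog.host/relyingidentifier"

# Hypothetical attribute map (recorder field -> SAML attribute Name), in the
# spirit of System -> Configuration Files -> SAML attribute map. These are the
# standard ADFS claim URIs; your IdP may emit different ones.
ATTRIBUTE_MAP = {
    "username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "groups": "http://schemas.xmlsoap.org/claims/Group",
}

# Constructed Groups-page mapping: recorder group name -> IdP group name.
GROUP_MAPPING = {
    "Instant Recall": "ADJJM123-NLInstant Recall",
    "Administrators": "ADJJM123-NLAdministrators",
}

# Constructed assertion (signature omitted). Note the trailing space in the
# second group value: a typical copy/paste near miss that breaks the mapping.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://sp.nexlog.host/relyingidentifier</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>ADJJM123-NLInstant Recall</saml:AttributeValue>
      <saml:AttributeValue>ADJJM123-NLAdministrators </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(assertion_xml):
    """Return ({attribute Name: [values]}, [audiences]) from the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            (v.text or "") for v in attr.iterfind("saml:AttributeValue", NS)
        ]
    audiences = [(a.text or "") for a in root.iterfind(".//saml:Audience", NS)]
    return attrs, audiences


def _loose(name):
    """Whitespace- and case-insensitive form, used only to spot near misses."""
    return " ".join(name.casefold().split())


def check_assertion(assertion_xml, attribute_map=ATTRIBUTE_MAP,
                    group_mapping=GROUP_MAPPING, sp_entity_id=SP_ENTITY_ID):
    """Report audience match, mapped user fields, resolved recorder groups,
    near-miss group names (mapping would fail exactly as the page warns),
    and user fields whose claim is absent from the assertion."""
    attrs, audiences = parse_assertion(assertion_xml)
    report = {"audience_ok": sp_entity_id in audiences, "fields": {},
              "groups": [], "near_misses": {}, "missing": []}
    for field, claim in attribute_map.items():
        if field == "groups":
            continue
        values = attrs.get(claim)
        if values:
            report["fields"][field] = values[0]
        else:
            report["missing"].append(field)
    idp_groups = attrs.get(attribute_map["groups"], [])
    for recorder_group, idp_name in group_mapping.items():
        if idp_name in idp_groups:           # exact match, as the recorder requires
            report["groups"].append(recorder_group)
            continue
        for g in idp_groups:                 # same name modulo case/whitespace
            if _loose(g) == _loose(idp_name):
                report["near_misses"][recorder_group] = g
    return report


if __name__ == "__main__":
    for key, value in check_assertion(SAMPLE_ASSERTION).items():
        print(f"{key}: {value}")
```

Run against a real assertion captured from your own browser's SAML response (base64-decoded), after replacing ATTRIBUTE_MAP and GROUP_MAPPING with the values actually configured on the recorder, the report tells you before the webserver restart whether the user would land in the expected groups. A user listed under near_misses is exactly the case described above: authenticated by the IdP, but without MWP access.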

Fig. 7.45 Webserver Restart

Fig. 7.46 SAML Complete

7.4.1.4. Verify MediaWorks Replay Configuration

After successfully configuring your authentication provider, log in to MediaWorks by navigating to the recorder and logging in using the Login with <Authentication Provider Name> option.

If there are any issues, you can still log in using the Use Local Login option.

Fig. 7.47 MediaWorks Login