Understanding Mediasite security. Technical planner: TP-03

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Understanding Mediasite security. Technical planner: TP-03"

Transcription

1 Understanding Mediasite security Technical planner: TP-03

2 2010 Sonic Foundry, Inc. All rights reserved. No part of this document may be copied and/or redistributed without the consent of Sonic Foundry, Inc. Additional copies may be obtained by contacting Sonic Foundry. Sonic Foundry, the Sonic Foundry logo, Mediasite, and the Mediasite logo are registered trademarks of Sonic Foundry, Inc. All other trademarks are the property of their respective owners. Sonic Foundry, Inc. 222 W. Washington Avenue Madison WI toll free from the US and Canada Sonic Foundry. Since For more information, please contact Version: 5.4, April 2010 Sonic Foundry, Inc. Page 2 of 32

3 Table of Contents Overview... 4 Document organization... 4 Audience... 4 Fundamentals of Mediasite access control... 5 Directories... 6 Benefits of Directory Integration... 7 Roles... 7 Resources... 8 Authentication Authorization access control playback management recording moderation Media streams Folder and catalog access control System policies Owner Planning directory integration Integrating with an Active Directory Integrating with an LDAP-based directory Using directory search in Mediasite Adding Mediasite roles from a directory Single sign-on (SSO) using SAML Implementing SAML 2.0 integration Single sign-on (SSO) using custom development Sample permission templates Mediasite Administrators role Course Administrators role Media Specialists role Faculty role Sonic Foundry, Inc. Page 3 of 32

4 Overview Mediasite Access Control is the means by which a Mediasite user is granted or denied the right to see or edit presentations and use applications. A user first signs in using their username and password and is authenticated on the Mediasite system and then, based on permissions, is authorized to access certain resources in the system. In short, we re talking about securing resources on the Mediasite Server, which include presentations, recorders, encoding profiles, and pages in Mediasite web applications. This document provides an overview of access control in Mediasite and the manner in which an external directory can be set up to work with Mediasite in an enterprise. Document organization In Fundamentals of Mediasite access control, we discuss directories and roles and list the Mediasite resources, which can be secured. We then describe how authentication and authorization are implemented in Mediasite access control. In Planning directory integration we describe the concepts behind connecting Mediasite to an external directory. In Single signon (SSO) using SAML 2.0 and Single sign-on (SSO) using custom development we provide an overview of single sign on ability in Mediasite using Security Assertion Markup Language (SAML) 2.0 and an overview of implementing SSO solutions using custom development, respectively. Finally, we provide sample permission templates for typical roles found in an educational organization with an on-premise Mediasite solution. Audience Readers of this document should include Mediasite Administrators responsible for managing access control for a Mediasite installation, and enterprise Directory Administrators. The Mediasite Administrator is responsible for a number of operations that relate to Mediasite security and will require the administrator to work with other people in the organization including: Network/Firewall Administrators to configure firewalls and network switches for Mediasite to operate across organization boundaries. IT Administrator to set up the Database Server, Media Server, Web Server, File Server and FTP Server and set it up in a topology that works for the organization in terms of scale and management. Directory Administrator to configure external directories. Mediasite Users Sonic Foundry provides additional documentation like Network and Firewall Considerations and Mediasite for the Enterprise that assist a Mediasite Administrator in working with the Network and IT Administrators. Mediasite is offered as an on-premise solution as well as a hosted solution. Overall, the functionality offered by both solutions is similar. However, there are some differences with administration and security for the two solutions: Some administrative functions managed by IT and Mediasite Administrators in an onpremise solution are managed by Sonic Foundry Hosting Administrators for the hosted solution. Sonic Foundry, Inc. Page 4 of 32

5 The security functions available to on-premise customers in the Portal are slightly different than those available to hosted customers. The section on resources explains these differences. The diagram below lists the security functions of a Mediasite Administrator as well the roles of other people involved in the successful deployment of Mediasite. Medias ite Administrator Works with directory administrator to add external directories Adds relevant roles to Mediasite from external directories Manages users and groups in Mediasite directory Adds roles for users in Mediasite directory Sets up system policies Sets up access control for root folder Sets up access control for operations Sets up access control for Portal access Manages access to system resources, streaming profiles, server groups, viewers, and recorders Manages access to presentations, folders, pres entation templates, schedules, and presenters Works with IT Administrators to set up content servers for media streaming and slides, and to set up Mediasite data location for viewer, and catalog graphics S pecifies content servers for media streaming and slides using System Manager Power Users Manage access to presentations, folders, presentation templates, schedules, and presenters they own Manage access to presentations, folders, presentation templates, schedules, and presenters that they have write access to IT Administrator Works with Mediasite Administrator to set up streaming servers Works with Mediasite Administrator to set up permissions on network shares where slides, media and Mediasite data is stored Sets up Server topology for Mediasite (e.g. High Availability) Sets up the database for Mediasite Sets up File Servers, FTP Server and Web Server for Mediasite Directory Administrator Works with Mediasite Administrator to configure external directories Network Administrator Works with Mediasite Administrator to configure firewall and network switches Works with Mediasite Administrator to set up Mediasite on the DMZ (Demilitarized Zone) Fundamentals of Mediasite access control To understand access control in Mediasite, you must understand the use of directories, roles, resources, authentication, and authorization. Mediasite uses a directory for authentication and role-based access control for authorization. Role-based access control is an industry standard for restricting system access to authorized users using roles. The diagrams below explain the relationship between directories, users and groups in directories, and roles and resources in the Mediasite Database: Sonic Foundry, Inc. Page 5 of 32

6 External Directories Active Directory Users Groups Medias ite Directory Users Groups Medias ite LDAP Directory Users Groups Medias ite Database Roles Resources Fig 2: Mediasite directory, Mediasite database, and external directories Users, Groups and Roles Mediasite Database Roles assigned to roles Normally, Roles map to groups Roles may also map to users Role1 Group1 Directory Users Groups collection of users Group2 Has Role2 1 User1 Presenter1 Role3 User2 Fig 3: Relationship between users, groups, and roles Directories A directory is used to store users and groups based on well-defined standards. Mediasite Server does not store users and groups within the Mediasite database but relies on the Mediasite Directory or an external directory for this information. The Mediasite Directory, based on Sonic Foundry, Inc. Page 6 of 32

7 Roles Microsoft s Active Directory Application Mode (ADAM) on Windows 2003 platform and Active Directory Lightweight Directory Services (AD LDS) on Windows 2008 platform, contains predefined users and groups that are configured during installation. The user typically used to connect to the Mediasite Directory is MediasiteAdmin. This user is generated when installing or adding a new site and is maintained in the Mediasite Directory. The Mediasite Configuration Editor is used to manage connections to directories. This includes an external directory like a corporate Active Directory or an organization-wide LDAP directory implementation. Users and groups are created in the Mediasite Directory using System Manager or the Portal. However, Mediasite applications cannot be used to create users and groups in external directories. Directory Administrators create users and groups in external directories using standard directory management tools. Once Mediasite is connected to an external directory, Mediasite applications can authenticate users in these directories when they log onto them. Benefits of Directory Integration Connecting to an external directory allows Directory Administrators to take advantage of groups and users on their network to grant access to the Mediasite system. Groups in the external directory are already defined and users can log into the Mediasite system using the same credentials they use to log into computers and other servers on their network. Mediasite stores access control information in the Mediasite database. Access control information is stored in the form of permissions on Mediasite resources, which are assigned to roles. A role is either granted or denied access to resources using permission assignments. Each role in the database maps to a group (a collection of users) or at times to a single user in the directory. As a result, access control is still applied to groups and users. Roles are automatically created when a group is created in the Mediasite Directory using either System Manager or the Portal. Roles are not created when a user is created in the Mediasite Directory. The System Manager and Portal can search for users and groups in the directory. Both applications have the ability to use the search results to add roles in the Mediasite database. Roles can be added in this manner for users in the Mediasite Directory as well as groups and users in an external directory. In a directory, groups may be organized in a hierarchy. Roles do not have a corresponding hierarchy, and are therefore flat. The default Mediasite installation has the following predefined roles: Role Authenticated Users Anonymous Everyone MediasiteAdministrators MediasitePresenters MEDIASITESYSTEM Description Any user that has successfully authenticated with Mediasite. A user that has not authenticated with Mediasite. A user that is either an Authenticated User or an Anonymous user Users that have administrative rights in a default Mediasite installation Users that can manage presentations in a default Mediasite installation The context under which a Mediasite Server runs Sonic Foundry, Inc. Page 7 of 32

8 The user mapped to MEDIASITESYSTEM is created in the Mediasite Directory. This user is called <sitename>system and the password is auto-generated. This role has special privileges and cannot be used to log into Mediasite applications. This user is generated when installing or adding a new site and is maintained in the Mediasite Directory. Resources The following table shows the permissions that can be defined as part of access control for resources, operations, and Portal user interface elements. The permissions are: Read permission: allows a user to see the resource Write permission: allows a user to modify/change or delete the resource View permission: allows a user to playback a presentation or see a folder in a Catalog Execute permission: allows a user to click on a link to perform an action Moderate permission: allows a user to view and answer questions from the audience for a presentation The table below lists the permissions for various resources available to on-premise and/or hosted customers. For hosted customers, permissions on some resources are managed by the Hosting Administrators at Sonic Foundry s Data Center and are noted in the table as Unavailable to hosted customers. Secured Item Unavailable to hosted customers Resources Read Write View Execute Moderate Shortcut Folder Template Schedule Presenter Player Server Group Encoding Profile Recorders Caption Project Caption Provider Settings Podcasts Catalogs Operations Read Write View Execute Create s Create Folders Create Presenters Sonic Foundry, Inc. Page 8 of 32

9 Secured Item Unavailable to hosted customers Resources Read Write View Execute Moderate Create Players Create Encoding Profiles Create Server Groups Create Podcasts Manage Catalogs Manage Publish To Go Caption s Run System Manager Manage Auth Tickets Search Directories API Access Recorder Operator Read FTP Storage Settings Portal Read Write View Execute User Interface Catalog Presenter Player Encoding Profile Server Group Recorder Schedule Poll Template Template Captioning Sonic Foundry, Inc. Page 9 of 32

10 Secured Item Unavailable to hosted customers Resources Read Write View Execute Moderate Statistics User Statistics Presenter Statistics Server Statistics Authoring Statistics What s Being Watched User System Application Settings Site Properties Podcast FTP System Message Home Page A user can either be allowed or denied permission to a resource with a denied permission overriding an allowed one. For example, if a group is allowed read permissions to a resource and a user in the group is denied read permission to that same resource, everyone in the group except that user can see it. We recommend setting access control up for groups because managing permissions for each user can be tedious. Some of the operations listed above are explained below: Run System Manager: Allows a user to connect the System Manager to a Mediasite Server Manage Auth Tickets: Authorization tickets are used for single sign on when integrating Mediasite with another system like a Learning System. Permission to this operation allows a user to create and delete Authorization Tickets. Search Directories: Allows a user to search a directory when adding presenters or roles in Mediasite from the directory. API Access: Allows a user to connect to External Data Access Service (EDAS) to programmatically perform certain operations in Mediasite from a third party system. Recorder Operator: Allows users to connect to the Mediasite Server using the Recorder or Editor application. Sonic Foundry, Inc. Page 10 of 32

11 Read FTP Storage Settings: Allows users to query the FTP storage location and credentials for Mediasite presentations via the External Data Access Service. Caption s: Allows users to use the Captioning Manager to transfer media files for captioning to a third-party captioning provider like Automated Sync Technologies. Authentication When a user first signs in using their username and password, they are authenticated on the Mediasite system. The authentication process is initiated when a user logs into a Mediasite application using the login page. A default login page is bundled with Mediasite and is specified in the Configuration Editor that is packaged as part of the Mediasite E Server. The user is redirected to the login page to enter her credentials when: The user attempts to log in to a Mediasite web application The user attempts to access a secured page or resource and the user has not yet logged-in The user has logged out and tries to access a secured page or resource Authentication is based on cookies and a unique authentication cookie is created by the login page when a user logs into a particular Mediasite. The default login page has a Remember me check box that remembers both the username and password on a computer by persisting the authentication cookie. Once users check this box and log in, they do not have to log into any of the Mediasite applications until they explicitly sign out or the persisted authentication cookie expires. By default, the authentication cookie expires in 90 days. Sonic Foundry offers services to implement an alternate login page that authenticates users based on alternate schemes like: Single Sign-On (SSO) based on integrated authentication with Internet Information Services (IIS) Single Sign-On (SSO) from a content portal like a content management system In such cases, the new login page is specified as part of the ASP.NET forms authentication settings for the Mediasite E Server and Mediasite uses it instead of the default one. Customers with the on-premise solution can change this setting using the IIS Manager. Hosted customers need to contact the Hosting Administrators to make this change. Authorization Once a user is authenticated, the authorization process determines which resources can be accessed by the user. For example, if user Joe belongs to the Marketing, Product Marketing, and Field Marketing groups in an external directory, and roles have been added in the Mediasite directory for the Product Marketing and Field Marketing groups, then when Joe successfully logs in, only those two roles are returned for him. The authorization process uses these roles to determine permissions on the resource being accessed. If a user has permissions to read the resource then that resource will be displayed in the Mediasite interface. Similarly, with write permissions to a resource, the user can modify or delete it. The diagram below shows the authentication and authorization process for Mediasite. Sonic Foundry, Inc. Page 11 of 32

12 Authentication & Authorization using Mediasite 1 Tries to access a Mediasite resource User, not logged into Mediasite 5 Create a cookie LDAP/AD Server 2 Login request to directory server 3 Check if user exists 4 6 User logged in Get groups for the user Mediasite E Server 7 Groups the user belongs to 8 Check if role has permissions to a resource 0 Map groups in directory to Mediasite roles Mediasite Database Mediasite Administrator using Portal access control Fig 4: Authentication and Authorization in Mediasite access control is divided into five areas, playback, management, recording, moderation, and media streams. playback A Mediasite presentation is made up of: data (metadata) Video Slides Presenters Player Server Group Streaming or Encoding Profiles, when not recorded access control covers presentation data, video, and slides. The remaining items are secured resources and have their own access control set up. s can be managed, played back, and recorded. All other secured resources can only be managed. End users who have permissions to play back a presentation do not need permissions on a presenter or other secured resources. Granting users read access to resources like presenters or other secured Sonic Foundry, Inc. Page 12 of 32

13 resources would mean that all users who can playback a presentation could potentially gain access to secured resources in the Portal. This is highly undesirable so Sonic Foundry has defined two concepts: the MEDIASITESYSTEM role and View. MEDIASITESYSTEM is a built-in role that maps to the built-in <Sitename>SYSTEM user. The Player application uses the MEDIASITESYSTEM role to authorize access control on other secured resources that make up a presentation as well as the presentation data itself. View permissions can be configured for roles that need to watch the presentation By default, System Manager and the Portal both add this role to any entity created. management s are managed using the Portal. System Manager provides an alternate way to manage security for all resources in the Mediasite system. The Portal, on the other hand, uses access control information to show resources to the logged in user. The following table explains permissions required for most common presentation management operations. Operation Folder Other Inheritance, if any Notes Edit Read & Write Read Read on associated resources Associated resources include Player, Presenters, and Encoding Profile. Create Read & Write Create From Folder Create from Template Read & Write Create Read on Template From Folder or Template Associated resources include Player, Presenters, Encoding Profile, and Server Group. Read on associated resources in template Delete Read & Write Move Read & Write Read on Source Folder Read & Write on Destination Folder retains the original permissions and does not automatically inherit new permissions from the destination folder. Sonic Foundry, Inc. Page 13 of 32

14 Operation Folder Other Inheritance, if any Notes Create Shortcut Read & Write Read & Write on Destination Folder Add Like Read on Source Folder Read & Write on Destination Folder Read on associated resources in source presentation inherits permissions from the destination folder and not from the source presentation selected. Associated resources include Player, Presenters, and Encoding Profile. recording s are recorded using the Mediasite Recorder. There are a number of ways of recording a presentation. The table below explains permissions required for recording presentations: Operation Folder Other Resource Operation Notes Open an Existing on Server for Recording and Publish Read & Write Read Read on Encoding Profiles Recorder and Editor Access is created on server and selected for recording. Create a New on Server, Record and Publish Read & Write Create Read on Template Read on associated resources in template Recorder and Editor Access Associated resources include Player, Presenters, Encoding Profile, and Server Group. Sonic Foundry, Inc. Page 14 of 32

15 Operation Folder Other Resource Operation Notes Automated Recording and Publish Using a Schedule Read & Write Create Read on Schedule Read on associated resources in schedule Recorder and Editor Access Associated resources include Player, Presenters, Encoding Profile, and Server Group. Open a New on the Recorder for Recording and Publish to Server Read & Write Read Recorder and Editor Access A locally recorded presentation is published to a presentation created on the server. moderation s broadcast live normally need some level of moderation. There are times when a moderator only needs to interact with the audience for a presentation and does not need any other presentation permission. Moderate permission gives the user the ability to do this. Media streams Media streams for presentations are secured using the Mediasite Media Authorization Plug-in, which is applied to publishing points on the Microsoft Windows Media Server. Publishing points source media streams from Windows Media files or encoding devices for on-demand distribution and live broadcasts, respectively. When the Authorization plug-in is enabled and configured on the Media Server, it streams media only if the access control criteria have been satisfied. Mediasite implicitly applies a token-based access control mechanism for a presentation s media content. A token is generated for a presentation when an authorized user tries to playback a presentation in the Mediasite Viewer. The token is validated by the Authorization plug-in on the Media Server when it receives a request to stream the media from the Mediasite Viewer. Folder and catalog access control s are organized within folders. Hierarchical structure for folders is supported in Mediasite. Folders inherit permissions from their parent folder so the root folder must have appropriate permissions. Catalogs enable publishing a folder to the web. When a folder is included in a catalog, all presentations in the folder are listed in the catalog if the logged in user has view permissions to the presentation. The table below explains permissions required for common folder operations: Sonic Foundry, Inc. Page 15 of 32

16 Operation Folder Parent Folder Notes View Folders in the Portal Read Read Search for Folders Read Search results are displayed as a list and not a tree. As a result, parent folder permissions are not used. View Linked Folders in Catalog View for linked folders are managed on the folder in the Portal. View a Linked Catalog View for a linked catalog are managed on the folder in the Portal. Create s Read & Write By default, presentations inherit folder permissions. Create Folder Read & Write Folders inherit permissions from its parent folder. System policies All secured resources in Mediasite need an initial set of permissions when they are created, otherwise, no one will be able to access these resources. System policies define a secured resource s initial set of permissions. System policies exist for: Presenters Players Streaming/Encoding Profile Server Groups Recorders Podcasts Catalogs Templates Schedules Caption Projects Caption Provider Settings It is essential that Mediasite Administrators set up appropriate system policies for all the secured resources. You can change permissions on a secured resource. Sonic Foundry, Inc. Page 16 of 32

17 Owner By default, the owner of a secured resource is the user who created it. The owner of a secured resource can be changed using the System Manager or the Portal by picking another user from the directory using a directory search. Planning directory integration Mediasite Server includes a built-in Mediasite directory which can operate as a stand-alone directory, but that would fail to leverage your organization s existing external directory. Connecting Mediasite E Server to an external directory allows seamless integration into the enterprise. We recommend that the Mediasite Administrator work with the Directory Administrator to register and configure an external directory to work with Mediasite. The differences between using the integrated Mediasite directory and an external directory with Mediasite are highlighted in the table below: Feature Built-in Mediasite Directory External Directory Schema Role Creation Role Storage The schema is fixed as defined by Sonic Foundry. Roles are automatically added when groups are created. Roles are also created using the directory search operation. The role name is preset to use the user CN for users and the Group DN for groups. The schema varies. LDAP allows more variation than Active Directory. Roles are only created using the search directory operation. The role name is based on the User Display Name property or Group Display Name property as specified in a directory connection in the Mediasite system. Integrating with an Active Directory Mediasite E Server can connect to an Active Directory or a Global Catalog (an Active Directory forest). The following properties are needed to connect Mediasite Server to an Active Directory. Active Directory Properties Directory Server Path Base Distinguished Name (DN) Description This property identifies the location of the directory. Non-default ports are supported. SSL connection is also supported. Note: When connecting to a Global Catalog, use the GC: // scheme for the directory server path instead of the LDAP: // scheme. The Base DN is the starting point in the Active Directory hierarchy at which searches begin. Default Settings Sonic Foundry, Inc. Page 17 of 32

18 Active Directory Properties User credentials Users DN and Groups DN User Id Property and Group Id Property User Display Name Property and Group Display Name Property User Property Name Group Membership Property Name Group Member Property Name Group and User LDAP Search Filter Description This property contains a Username and password needed to connect to the directory and obtain user and group information from the directory. Anonymous connections to the Active Directory are not allowed. If the users and groups in the directory are in a specific sub-tree, these DNs must be provided. These locations are used when searching for groups and users to add Mediasite roles, or import Mediasite Presenters from the directory or change the owner of a resource. These properties are used to define the mapping for the role to the user or group in the directory. Mediasite uses the property specified in the User Id Property Name field in the cookie that is created after successful authentication by a user. These properties are used to name the role. The user name or group name is displayed in a Mediasite application using these properties. This property contains the primary address for the user. This property contains a list of groups that the user belongs to. This property contains a list of users that are members of the group. These properties are used to filter search results for groups and users in a directory. Default Settings User Id Property is set to userprincipalname Group Id Property is forced to distinguishedname User Display Name Property is forced to displayname Group Display Name Property is forced to cn Forced to mail Forced to memberof Forced to member User LDAP Search Filter is set to &(objectclass=user)(object Category=Person) Group LDAP Search Filter is set to (objectclass=group) Sonic Foundry, Inc. Page 18 of 32

19 Active Directory Properties Description Default Settings Group Membership Settings Search Result Size Group membership for Active Directories is determined by either using: User s Group Membership property: A user s group membership property contains a list of groups that the user belongs to. Nested groups are then found in a similar manner. This results in multiple lookups in the directory (one for each nesting level) Security Groups: Security Groups are stored in the tokengroups property set for each user in the Active Directory. This property includes nested groups and so all groups that a user belongs to are returned. Sonic Foundry recommends using this method because it requires fewer lookups in the directory. However, this method will not return distribution groups that the user is a member of. For unlimited search results to be returned, the directory must support paged searching. If paging is not supported, the option should be set to return Server limited search results. Active Directory supports paged searching Integrating with an LDAP-based directory The following information is needed to connect an E Server to an LDAP-based directory: LDAP Directory Properties Directory Server Path Base Distinguished Name (DN) User credentials Description This property identifies the location of the directory. Non-default ports are supported. SSL connection is also supported. The Base DN is the starting point in the Active Directory hierarchy at which searches begin. This property contains a Username and password needed to connect to the directory and obtain user and group information from the directory. An anonymous connection to the directory is also supported but not recommended in a secure environment. Default Settings Sonic Foundry, Inc. Page 19 of 32

20 LDAP Directory Properties Users DN and Groups DN User Id Property and Group Id Property User Display Name Property and Group Display Name Property User Property Name Group Membership Settings Group Membership Property Name Description If the users and groups in the directory are in a specific sub-tree, these DNs must be provided. These locations are used when searching for groups and users to add Mediasite roles, or import Mediasite Presenters from the directory or change the owner of a resource. These properties are used to define the mapping for the role to the user or group in the directory. Mediasite uses the property specified in the User Id Property Name field in the cookie that is created after successful authentication by a user. In most cases, the default values must be changed to match the LDAP directory configuration. These properties are used to name the role. The user name or group name is displayed in a Mediasite application using these properties. In most cases these values need to be changed to match the LDAP directory configuration. This property contains the primary address for the user. In most cases the default values must be changed to match the LDAP directory configuration. The method for accessing group membership in the directory schema. One of the two methods must be used: User s Group Membership Property: This property contains a list of groups that the user belongs to. Nested groups are then found in a similar manner. Group Membership Property: This property contains users and groups that are members of this group. Nested groups are then found in a similar manner. This property contains a list of groups that the user belongs to. In many directories, this property may not be defined. In such cases, the Group Membership Property method for accessing group membership should be enabled. In most cases the default value must be changed to match the LDAP directory configuration. Default Settings Both are set to cn Both are set to cn Set to mail Set to memberof Sonic Foundry, Inc. Page 20 of 32

21 LDAP Directory Properties Group Member Property Name Group and User LDAP Search Filter Search Result Size Description This property contains a list of users that are members of the group. By default, this is set to the member property. In most cases these value needs to be changed to match the LDAP directory configuration. These properties are used to filter search results for groups and users in a directory. In most cases the default values must be changed to match the LDAP directory configuration. For unlimited search results to be returned, the directory must support paged searching. Many LDAP directories support paged searching. If paging is not supported, the option should be set to return Server limited search results. Default Settings User LDAP Search Filter is set to (objectclass=user) Group LDAP Search Filter is set to (objectclass=group) Mediasite can perform a nested group search. However, nested group searches may affect performance depending on the depth of the sub-tree being searched. Using directory search in Mediasite Directory search is used in Mediasite to do the following: 1. Change the owner of a secured item. A search is done in the directory for a user that can be selected as the new owner. 2. Add presenters from a directory. A search is done in the directory for users that can be selected and imported into the Mediasite system as presenters. The address for a user is also imported as part of the presenter import. 3. Add roles from a directory. A search is done in the directory for users or groups that can be added as roles in the Mediasite system. Adding Mediasite roles from a directory Once Mediasite E Server is integrated with an external directory, roles are added to the Mediasite E Server by searching in the connected directory for users or groups. The following information can be specified for search operations: Role type (user or group) Name (exact name or beginning of name) The scope of the search. Scope can be: o o o Base level: a search of the location specified One-level: a search of the location specified and the immediate children of this location Sub-tree: a deep search that traverses the sub-tree starting at the location specified Sonic Foundry, Inc. Page 21 of 32

22 Global Catalog considerations When using a Global Catalog, the following best practices should be considered: A connection to the Global Catalog on the LDAP port of an Active Directory (e.g., 389) will not return groups from another domain in the forest. A Global Catalog is normally set up to run on port By default only universal groups are replicated to all Global Catalogs in a forest. Domain local and global groups will not be returned when Mediasite queries a Global Catalog if they are not in the same domain as the Global Catalog server. Single sign-on (SSO) using SAML 2.0 This section provides an overview of single sign on ability in Mediasite using Security Assertion Markup Language (SAML) 2.0. SAML 2.0 support was added in Mediasite 5.3. The use of federated identity solutions is becoming very popular in various organizations. Sonic Foundry decided to include support for generic standards based solution rather than independent federated identity solutions. SAML, developed by the Security Services Technical Committee of OASIS, is an ML-based framework for communicating user authentication, entitlement, and attribute information. SAML 2.0 comprises an Identity Provider and Service Providers. Systems like Shibboleth 2.0 that are SAML 2.0 compliant serve as an identity provider. Mediasite is designed to be a service provider. The diagram below provides an overview of Mediasite as a service provider. SSO using SAML 2.0 Configuration and Handshake SAML 2.0 Identity Provider e.g. Shibboleth 2.0 Service Provider Mediasite version 5.3 Configuration Specify Entity Id Specify metadata URL well known ML document that tells you how to communicate with identity provider Configuration Specify user Id & role name formats Generate metadata and a URL to get to the metadata how to communicate with service provider Get Identity Provider Metadata Get Service Provider Metadata Authentication Request (encrypted message) Authentication Response (encrypted Message) Message Handling Shibboleth 2.0 Service provider metadata contains a public key Encrypt HTTP messages to Mediasite using this key Message Handling Mediasite E Server Identity provider metadata contains a public key Encrypt HTTP messages to Shibboleth using this key Fig 5: Configuring Mediasite as a service provider when using SSO with SAML 2.0 SAML 2.0 support alleviates procedural issues with directory integration for hosted customers. Many organizations have a policy of not making their LDAP/Active directory accessible over the web. The diagram below explains how SSO using SAML 2.0 works with Mediasite. Sonic Foundry, Inc. Page 22 of 32

23 SSO using SAML 2.0 User, not logged into Shibboleth 3 Check if user exists in one of the stores Shibboleth Authentication request redirected to Shibboleth 2.0 Entitlements for the user 4 Map entitlements to Mediasite roles Mediasite Database 6 5 Parse entitlements for the user id and roles Update role cache in Mediasite Database 1 Tries to access a Mediasite resource Mediasite E Server 7 Check if entitlements for the user have permissions to a resource Implementing SAML 2.0 integration Mediasite Administrator using Portal Fig 6: SSO using SAML 2.0 Mediasite E Server can connect to an SAML 2.0 Identity provider. The following properties are needed to connect Mediasite Server to an Active Directory. Service Provider Settings User ID resolution User ID Name Format Description Defines how Mediasite will determine a username when reading a SAML assertion returned by an IdP. A username can be the NameID found in the subject or any other attribute in the assertion. Format of the attribute used to define a username. Default Settings Subject NameID User ID Name Role name Format Role Name The attribute in an assertion that defines a username. Format of the attribute that contains the roles for a user. The attribute in an assertion that contains the roles for a user. Sonic Foundry, Inc. Page 23 of 32

24 Service Provider Settings Metadata Expiration Duration Metadata cache duration Encryption Key length Description The duration for which the metadata for the service provider is valid. The duration in minutes for which the metadata for the service provider can be cached by the identity provider. The length of the encryption key. Supported lengths are 1024, 1536 and Default Settings 1 year Identity Provider Settings Entity ID Description The ID that identifies the Identity Provider. Default Settings Metadata URL A location where the SAML metadata and public keys can be retrieved for the Identity Provider. Friendly Name Auto Redirect to Provider The friendly name of the Identity Provider. This name will be displayed to users when logged in. Determines if users will be automatically redirected to the Identity Provider when the authentication process begins. If unchecked, users will be able to choose between authenticating directly with Mediasite or with the Identity Provider. Single sign-on (SSO) using custom development This section provides an overview of implementing SSO solutions using custom development, which is required when organizations require integration of Mediasite into their environment. Examples of such integration include developing Mediasite extensions for a learning management system or content management system or integrating Mediasite into a web portal. Mediasite includes the External Data Access Service (EDAS) that enables this form of integration. Custom development can be implemented by Sonic Foundry on an engagement basis or by a software developer with some Microsoft.NET platform experience. The diagram below explains SSO using custom development. Sonic Foundry, Inc. Page 24 of 32

25 SSO using custom development LDAP/AD Server LMS Server 4 Get groups for connecting user 5 Groups the user belongs to 1 3 Connect & login to Mediasite using EDAS Request Auth Ticket for user through EDAS 6 Do roles for user have permissions to resource 8 Auth Ticket 2 Tries to access a Mediasite resource 9 Pass Auth Ticket in requests 0 Map groups to Mediasite roles Mediasite E Server 7 Create ticket for user, that is valid for the resource. LMS User Mediasite Administrator using Portal Mediasite Database Fig 7: SSO using custom development The Mediasite Building Block for Blackboard and Mediasite extension for Moodle are developed using EDAS and support SSO in a similar manner. Sample permission templates This section provides sample permission templates for typical roles found in an educational organization with an on-premise Mediasite solution: Mediasite Administrators: Users in this role have access to all functions in a Mediasite system and are expected to have access to all Mediasite resources as well as every folder in the Mediasite presentation folder structure. Course Administrators: Users in this role have access to a subset of functions in a Mediasite system and a portion of the folder structure, typically a sub-folder and all folders under that sub-folder. Media Specialists: Users in this role have access to a set of functions that allow them to record presentations using the Mediasite Recorder as well as create presentations. As part of presentation creation, these users may need to create new players and presenters. Users in this role also have access to managing encoding profiles and recorders from the Portal. Faculty: Users in this role have access to a set of functions that allow them to manage catalogs, view, create, and run reports and manage as well as moderate presentations. These users cannot record presentations or manage other entities that make up a presentation. This user is also not given any access to system policies, because system policies are applied across the board. A faculty member would typically be given access to catalogs and presentations for their specific course. For example, for a catalog created Sonic Foundry, Inc. Page 25 of 32

26 for the course Physics101, only the faculty member teaching Physics101 should have permissions for it, not all faculty members. The sample permission templates are provided as an example only and should be modified as needed. Mediasite Administrators role Folder: root folder (e.g., //s) Folder : Read, Write, and View Secured Item Operations Read Write View Execute Create s Create Folders Create Presenters Create Players Create Encoding Profiles Create Server Groups Create Podcasts Manage Catalogs Publish To Go Caption s Run System Manager Manage Auth Tickets Search Directories Manage API Access Recorder Operator Read FTP Storage Settings Portal User Interface Catalog Presenter Player Encoding Profile Server Group Recorder Schedule Poll Template Template Captioning Read Write View Execute Sonic Foundry, Inc. Page 26 of 32

27 Secured Item Statistics User Statistics Presenter Statistics Server Statistics Content Creation What s Being Watched User System Application Settings Site Properties Podcast FTP System Message Home Page System Policies Read Write View Execute Catalog Encoding Profile Player Podcast Template Presenter Recorder Schedule Server Group Captioning Project Captioning Provider Settings Course Administrators role Folder: sub-folder (e.g., //s/physics101) Folder : Read, Write, and View Secured Item Operations Read Write View Execute Create s Create Folders Create Presenters Create Players Create Encoding Profiles Create Server Groups Sonic Foundry, Inc. Page 27 of 32

28 Secured Item Create Podcasts Manage Catalogs Manage Publish To Go Caption s Run System Manager Manage Auth Tickets Search Directories API Access Recorder Operator Read FTP Storage Settings Portal User Interface Catalog Presenter Player Encoding Profile Server Group Recorder Schedule Poll Template Template Captioning Statistics User Statistics Presenter Statistics Server Statistics Content Creation What s Being Watched User System Application Settings Site Properties Podcast FTP Read Write View Execute Sonic Foundry, Inc. Page 28 of 32

29 Secured Item System Message Home Page System Policies Read Write View Execute Catalog Encoding Profile Player Podcast Template Presenter Recorder Schedule Server Group Captioning Project Captioning Provider Settings Media Specialists role Folder: root folder (e.g., //s) Folder : Read, Write, and View Secured Item Operations Read Write View Execute Create s Create Folders Create Presenters Create Players Create Encoding Profiles Create Server Groups Create Podcasts Manage Catalogs Manage Publish To Go Caption s Run System Manager Manage Auth Tickets Search Directories API Access Recorder Operator Read FTP Storage Settings Portal Read Write View Execute User Interface Catalog Presenter Sonic Foundry, Inc. Page 29 of 32

30 Secured Item Player Encoding Profile Server Group Recorder Schedule Poll Template Template Captioning Statistics User Statistics Presenter Statistics Server Statistics Content Creation What s Being Watched User System Application Settings Site Properties Podcast FTP System Message Home Page System Policies Read Write View Execute Catalog Encoding Profile Player Podcast Template Presenter Recorder Schedule Server Group Captioning Project Captioning Provider Settings Sonic Foundry, Inc. Page 30 of 32

31 Faculty role Folder: sub-folder (e.g., //s/physics101) Folder : Read, Write, and View Secured Item Operations Read Write View Execute Create s Create Folders Create Presenters Create Players Create Encoding Profiles Create Server Groups Create Podcasts Manage Catalogs Manage Publish To Go Caption s Run System Manager Manage Auth Tickets Search Directories API Access Recorder Operator Read FTP Storage Settings Portal Read Write View Execute User Interface Catalog Presenter Player Encoding Profile Server Group Recorder Schedule Poll Template Template Captioning Statistics User Statistics Presenter Statistics Server Statistics Sonic Foundry, Inc. Page 31 of 32

32 Secured Item Content Creation What s Being Watched User System Application Settings Site Properties Podcast FTP System Message Home Page System Policies Read Write View Execute Catalog Encoding Profile Player Podcast Template Presenter Recorder Schedule Server Group Captioning Project Captioning Provider Settings Sonic Foundry, Inc. Page 32 of 32

Mediasite for the enterprise. Technical planner: TP-05

Mediasite for the enterprise. Technical planner: TP-05 Mediasite for the enterprise Technical planner: TP-05 2011 Sonic Foundry, Inc. All rights reserved. No part of this document may be copied and/or redistributed without the consent of Sonic Foundry, Inc.

More information

Mediasite EX server deployment guide

Mediasite EX server deployment guide Mediasite EX server deployment guide 2008 Sonic Foundry, Inc. All rights reserved. No part of this document may be copied and/or redistributed without the consent of Sonic Foundry, Inc. Additional copies

More information

Mediasite. captioning

Mediasite. captioning Mediasite captioning 2013 Sonic Foundry, Inc. All rights reserved. No part of this document may be copied and/or redistributed without the consent of Sonic Foundry, Inc. Additional copies may be obtained

More information

Mediasite A Video Content Management & Distribution Platform. Technical planner: TP-10

Mediasite A Video Content Management & Distribution Platform. Technical planner: TP-10 Mediasite A Video Content Management & Distribution Platform Technical planner: TP-10 2012 Sonic Foundry, Inc. All rights reserved. No part of this document may be copied and/or redistributed without the

More information

Flexible Identity Federation

Flexible Identity Federation Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services

More information

Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved.

Tenrox. Single Sign-On (SSO) Setup Guide. January, 2012. 2012 Tenrox. All rights reserved. Tenrox Single Sign-On (SSO) Setup Guide January, 2012 2012 Tenrox. All rights reserved. About this Guide This guide provides a high-level technical overview of the Tenrox Single Sign-On (SSO) architecture,

More information

CA Performance Center

CA Performance Center CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is

More information

Mediasite How-To Guide

Mediasite How-To Guide 2005 Sonic Foundry, Inc. All rights reserved. No part of this document may be copied and/or redistributed without the consent of Sonic Foundry, Inc. Additional copies may be obtained by contacting Sonic

More information

Authentication Integration

Authentication Integration Authentication Integration VoiceThread provides multiple authentication frameworks allowing your organization to choose the optimal method to implement. This document details the various available authentication

More information

Mediasite. captioning

Mediasite. captioning Mediasite captioning 2014 Sonic Foundry, Inc. All rights reserved. No part of this document may be copied and/or redistributed without the consent of Sonic Foundry, Inc. Additional copies may be obtained

More information

Mediasite. podcasting user guide

Mediasite. podcasting user guide Mediasite podcasting user guide Using Mediasite podcasting The Mediasite Podcast Generator converts on-demand Mediasite presentations to podcasts. In terms of Mediasite, a podcast is a collection of audio-only

More information

Introduction to Directory Services

Introduction to Directory Services Introduction to Directory Services Overview This document explains how AirWatch integrates with your organization's existing directory service such as Active Directory, Lotus Domino and Novell e-directory

More information

Single Sign-On in SonicOS Enhanced 4.0

Single Sign-On in SonicOS Enhanced 4.0 Single Sign-On in SonicOS Enhanced 4.0 Document Scope This document describes how to plan, design, implement, and maintain the Single Sign-On feature in the SonicWALL SonicOS Enhanced 4.0. This document

More information

Agenda. How to configure

Agenda. How to configure dlaw@esri.com Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services

More information

MOC 6424A - Fundamentals of Windows Server 2008 Active Directory

MOC 6424A - Fundamentals of Windows Server 2008 Active Directory MOC 6424A - Fundamentals of Windows Server 2008 Active Directory Course Number: 6424A Length: 3 Day(s) Certification Exam This course is associated with Exam 70-640 TS: Windows Server 2008 Active Directory,

More information

Appendix E. Captioning Manager system requirements. Installing the Captioning Manager

Appendix E. Captioning Manager system requirements. Installing the Captioning Manager Appendix E Installing and configuring the Captioning Manager The Mediasite Captioning Manager, a separately sold EX Server add-on, allows users to submit and monitor captioning requests through Automatic

More information

Planning LDAP Integration with EMC Documentum Content Server and Frequently Asked Questions

Planning LDAP Integration with EMC Documentum Content Server and Frequently Asked Questions EMC Documentum Content Server and Frequently Asked Questions Applied Technology Abstract This white paper details various aspects of planning LDAP synchronization with EMC Documentum Content Server. This

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.6 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft

Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft 5.6 Copyright 2014 Jaspersoft Corporation. All rights reserved. Printed in the U.S.A. Jaspersoft, the Jaspersoft logo, Jaspersoft ireport Designer, JasperReports Library, JasperReports Server, Jaspersoft

More information

Single Sign-On. Document Scope. Single Sign-On

Single Sign-On. Document Scope. Single Sign-On Single Sign-On Document Scope This document describes how to plan, design, implement, and maintain the Single Sign-On feature in the SonicWALL SonicOS 5.1 Enhanced. This document contains the following

More information

User-ID Best Practices

User-ID Best Practices User-ID Best Practices PAN-OS 5.0, 5.1, 6.0 Revision A 2011, Palo Alto Networks, Inc. www.paloaltonetworks.com Table of Contents PAN-OS User-ID Functions... 3 User / Group Enumeration... 3 Using LDAP Servers

More information

Security Provider Integration LDAP Server

Security Provider Integration LDAP Server Security Provider Integration LDAP Server 2015 Bomgar Corporation. All rights reserved worldwide. BOMGAR and the BOMGAR logo are trademarks of Bomgar Corporation; other trademarks shown are the property

More information

Content Filtering Client Policy & Reporting Administrator s Guide

Content Filtering Client Policy & Reporting Administrator s Guide Content Filtering Client Policy & Reporting Administrator s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION

More information

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access

More information

User-ID Best Practices PAN-OS 4.1

User-ID Best Practices PAN-OS 4.1 User-ID Best Practices PAN-OS 4.1 Revision A 2011, Palo Alto Networks, Inc. www.paloaltonetworks.com Table of Contents PAN-OS 4.1 User-ID Functions... 3 User / Group Enumeration... 3 Using LDAP Servers

More information

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication

More information

Authentication Methods

Authentication Methods Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks

More information

Protected Trust Directory Sync Guide

Protected Trust Directory Sync Guide Protected Trust Directory Sync Guide Protected Trust Directory Sync Guide 2 Overview Protected Trust Directory Sync enables your organization to synchronize the users and distribution lists in Active Directory

More information

Google Apps Deployment Guide

Google Apps Deployment Guide CENTRIFY DEPLOYMENT GUIDE Google Apps Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical component of your corporate

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-04-08 SWD-20160408113328879 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

Single Sign On for ShareFile with NetScaler. Deployment Guide

Single Sign On for ShareFile with NetScaler. Deployment Guide Single Sign On for ShareFile with NetScaler Deployment Guide This deployment guide focuses on defining the process for enabling Single Sign On into Citrix ShareFile with Citrix NetScaler. Table of Contents

More information

Configuring Sponsor Authentication

Configuring Sponsor Authentication CHAPTER 4 Sponsors are the people who use Cisco NAC Guest Server to create guest accounts. Sponsor authentication authenticates sponsor users to the Sponsor interface of the Guest Server. There are five

More information

Configuration Guide BES12. Version 12.3

Configuration Guide BES12. Version 12.3 Configuration Guide BES12 Version 12.3 Published: 2016-01-19 SWD-20160119132230232 Contents About this guide... 7 Getting started... 8 Configuring BES12 for the first time...8 Configuration tasks for managing

More information

CA Nimsoft Service Desk

CA Nimsoft Service Desk CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Configuring User Identification via Active Directory

Configuring User Identification via Active Directory Configuring User Identification via Active Directory Version 1.0 PAN-OS 5.0.1 Johan Loos johan@accessdenied.be User Identification Overview User Identification allows you to create security policies based

More information

Siteminder Integration Guide

Siteminder Integration Guide Integrating Siteminder with SA SA - Siteminder Integration Guide Abstract The Junos Pulse Secure Access (SA) platform supports the Netegrity Siteminder authentication and authorization server along with

More information

Securing access to Citrix applications using Citrix Secure Gateway and SafeWord. PremierAccess. App Note. December 2001

Securing access to Citrix applications using Citrix Secure Gateway and SafeWord. PremierAccess. App Note. December 2001 Securing access to Citrix applications using Citrix Secure Gateway and SafeWord PremierAccess App Note December 2001 DISCLAIMER: This White Paper contains Secure Computing Corporation product performance

More information

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE Identity Management in Liferay Overview and Best Practices Liferay Portal 6.0 EE Table of Contents Introduction... 1 IDENTITY MANAGEMENT HYGIENE... 1 Where Liferay Fits In... 2 How Liferay Authentication

More information

BlackShield ID Agent for Remote Web Workplace

BlackShield ID Agent for Remote Web Workplace Agent for Remote Web Workplace 2010 CRYPTOCard Corp. All rights reserved. http:// www.cryptocard.com Copyright Copyright 2010, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced,

More information

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN INTEGRATION GUIDE IDENTIKEY Federation Server for Juniper SSL-VPN Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is'; VASCO

More information

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support

SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support SonicOS Enhanced 3.2 LDAP Integration with Microsoft Active Directory and Novell edirectory Support Document Scope This document describes the integration of SonicOS Enhanced 3.2 with Lightweight Directory

More information

How To Integrate Cyberoam with LDAP Server

How To Integrate Cyberoam with LDAP Server Applicable to Version: 10.00 onwards Overview LDAP (Lightweight Directory Access Protocol) is an application layer protocol which is used over IP (Internet Protocol) to control directory services. Cyberoam

More information

Installation and Configuration Guide

Installation and Configuration Guide Installation and Configuration Guide BlackBerry Resource Kit for BlackBerry Enterprise Service 10 Version 10.2 Published: 2015-11-12 SWD-20151112124827386 Contents Overview: BlackBerry Enterprise Service

More information

The authentication process for validating a user using an external AD or LDAP provider is as follows.

The authentication process for validating a user using an external AD or LDAP provider is as follows. IntelligenceBank - External Authentication Active Directory Integration Overview The authentication process for validating a user using an external AD or LDAP provider is as follows. 1. The user accesses

More information

Copyright Pivotal Software Inc, 2013-2015 1 of 10

Copyright Pivotal Software Inc, 2013-2015 1 of 10 Table of Contents Table of Contents Getting Started with Pivotal Single Sign-On Adding Users to a Single Sign-On Service Plan Administering Pivotal Single Sign-On Choosing an Application Type 1 2 5 7 10

More information

Configuration Guide BES12. Version 12.2

Configuration Guide BES12. Version 12.2 Configuration Guide BES12 Version 12.2 Published: 2015-07-07 SWD-20150630131852557 Contents About this guide... 8 Getting started... 9 Administrator permissions you need to configure BES12... 9 Obtaining

More information

Single Sign-On Implementation Guide

Single Sign-On Implementation Guide Salesforce.com: Salesforce Winter '09 Single Sign-On Implementation Guide Copyright 2000-2008 salesforce.com, inc. All rights reserved. Salesforce.com and the no software logo are registered trademarks,

More information

T his feature is add-on service available to Enterprise accounts.

T his feature is add-on service available to Enterprise accounts. SAML Single Sign-On T his feature is add-on service available to Enterprise accounts. Are you already using an Identity Provider (IdP) to manage logins and access to the various systems your users need

More information

fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé

fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé Internet Server FileXpress Internet Server Administrator s Guide Version 7.2.1 Version 7.2.2 Created on 29 May, 2014 2014 Attachmate Corporation and its licensors.

More information

Fireware XTM Advanced Active Directory Authentication

Fireware XTM Advanced Active Directory Authentication WatchGuard Certified Training Fireware XTM Advanced Active Directory Authentication Courseware: Fireware XTM and WatchGuard System Manager v11.7 Revised: January 2013 Updated for: Fireware XTM v11.7 Disclaimer

More information

Integrating Webalo with LDAP or Active Directory

Integrating Webalo with LDAP or Active Directory Integrating Webalo with LDAP or Active Directory Webalo can be integrated with an external directory to identify valid Webalo users and then authenticate them to the Webalo appliance. Integration with

More information

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce SafeNet Authentication Service Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

WirelessOffice Administrator LDAP/Active Directory Support

WirelessOffice Administrator LDAP/Active Directory Support Emergin, Inc. WirelessOffice Administrator LDAP/Active Directory Support Document Version 6.0R02 Product Version 6.0 DATE: 08-09-2004 Table of Contents Objective:... 3 Overview:... 4 User Interface Changes...

More information

Active Directory Integration 855.426.7227. www.onelogin.com twitter.com/onelogin ONELOGIN WHITEPAPER

Active Directory Integration 855.426.7227. www.onelogin.com twitter.com/onelogin ONELOGIN WHITEPAPER Active Directory Integration Even as enterprises continue to adopt more cloud applications, Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) still play a critical role in how information

More information

Getting Started with Clearlogin A Guide for Administrators V1.01

Getting Started with Clearlogin A Guide for Administrators V1.01 Getting Started with Clearlogin A Guide for Administrators V1.01 Clearlogin makes secure access to the cloud easy for users, administrators, and developers. The following guide explains the functionality

More information

Skyward LDAP Launch Kit Table of Contents

Skyward LDAP Launch Kit Table of Contents 04.30.2015 Table of Contents What is LDAP and what is it used for?... 3 Can Cloud Hosted (ISCorp) Customers use LDAP?... 3 What is Advanced LDAP?... 3 Does LDAP support single sign-on?... 4 How do I know

More information

Web Applications Access Control Single Sign On

Web Applications Access Control Single Sign On Web Applications Access Control Single Sign On Anitha Chepuru, Assocaite Professor IT Dept, G.Narayanamma Institute of Technology and Science (for women), Shaikpet, Hyderabad - 500008, Andhra Pradesh,

More information

SAML SSO Configuration

SAML SSO Configuration SAML SSO Configuration Overview of Single Sign-, page 1 Benefits of Single Sign-, page 2 Overview of Setting Up SAML 2.0 Single Sign-, page 3 SAML 2.0 Single Sign- Differences Between Cloud-Based Meeting

More information

Managing Users and Identity Stores

Managing Users and Identity Stores CHAPTER 8 Overview ACS manages your network devices and other ACS clients by using the ACS network resource repositories and identity stores. When a host connects to the network through ACS requesting

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

WINDOWS 2000 Training Division, NIC

WINDOWS 2000 Training Division, NIC WINDOWS 2000 Active TE Directory Services WINDOWS 2000 Training Division, NIC Active Directory Stores information about objects on the network and makes this information easy for administrators and users

More information

Deploying RSA ClearTrust with the FirePass controller

Deploying RSA ClearTrust with the FirePass controller Deployment Guide Deploying RSA ClearTrust with the FirePass Controller Deploying RSA ClearTrust with the FirePass controller Welcome to the FirePass RSA ClearTrust Deployment Guide. This guide shows you

More information

Dell Compellent Storage Center

Dell Compellent Storage Center Dell Compellent Storage Center Active Directory Integration Best Practices Guide Dell Compellent Technical Solutions Group January, 2013 THIS BEST PRACTICES GUIDE IS FOR INFORMATIONAL PURPOSES ONLY, AND

More information

DocuShare User Guide

DocuShare User Guide DocuShare User Guide Publication date: April 2011 This document supports DocuShare Release 6.6.1 Prepared by: erox Corporation DocuShare Business Unit 3400 Hillview Avenue Palo Alto, California 94304 USA

More information

INTEGRATION GUIDE. DIGIPASS Authentication for VMware Horizon Workspace

INTEGRATION GUIDE. DIGIPASS Authentication for VMware Horizon Workspace INTEGRATION GUIDE DIGIPASS Authentication for VMware Horizon Workspace Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is';

More information

Denodo Data Virtualization Security Architecture & Protocols

Denodo Data Virtualization Security Architecture & Protocols Denodo Data Virtualization Security Architecture & Protocols XLS Security Architecture & Protocols We include hereinafter a description of the security support in the Denodo Platform. The following diagram

More information

New Single Sign-on Options for IBM Lotus Notes & Domino. 2012 IBM Corporation

New Single Sign-on Options for IBM Lotus Notes & Domino. 2012 IBM Corporation New Single Sign-on Options for IBM Lotus Notes & Domino 2012 IBM Corporation IBM s statements regarding its plans, directions, and intent are subject to change or withdrawal without notice at IBM s sole

More information

QualysGuard SAML 2.0 Single Sign-On. Technical Brief

QualysGuard SAML 2.0 Single Sign-On. Technical Brief QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,

More information

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Tableau Server

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Tableau Server SafeNet Authentication Service Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

User Management Guide

User Management Guide AlienVault Unified Security Management (USM) 4.x-5.x User Management Guide USM v4.x-5.x User Management Guide, rev 1 Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,

More information

800-782-3762 www.stbernard.com. Active Directory 2008 Implementation. Version 6.410

800-782-3762 www.stbernard.com. Active Directory 2008 Implementation. Version 6.410 800-782-3762 www.stbernard.com Active Directory 2008 Implementation Version 6.410 Contents 1 INTRODUCTION...2 1.1 Scope... 2 1.2 Definition of Terms... 2 2 SERVER CONFIGURATION...3 2.1 Supported Deployment

More information

Centrify Cloud Connector Deployment Guide

Centrify Cloud Connector Deployment Guide C E N T R I F Y D E P L O Y M E N T G U I D E Centrify Cloud Connector Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as

More information

SAML application scripting guide

SAML application scripting guide Chapter 151 SAML application scripting guide You can use the generic SAML application template (described in Creating a custom SAML application profile) to add a SAML-enabled web application to the app

More information

ArcGIS Server and Portal for ArcGIS An Introduction to Security

ArcGIS Server and Portal for ArcGIS An Introduction to Security FedGIS Conference February 24 25, 2016 Washington, DC ArcGIS Server and Portal for ArcGIS An Introduction to Security Michael Sarhan & Bill Major Using Portal with ArcGIS Server Portal Server Portal and

More information

Xerox DocuShare Private Cloud Service. Security White Paper

Xerox DocuShare Private Cloud Service. Security White Paper Xerox DocuShare Private Cloud Service Security White Paper Table of Contents Overview 3 Adherence to Proven Security Practices 3 Highly Secure Data Centers 4 Three-Tier Architecture 4 Security Layers Safeguard

More information

EPM Performance Suite Profitability Administration & Security Guide

EPM Performance Suite Profitability Administration & Security Guide BusinessObjects XI R2 11.20 EPM Performance Suite Profitability Administration & Security Guide BusinessObjects XI R2 11.20 Windows Patents Trademarks Copyright Third-party Contributors Business Objects

More information

Taking Advantage of Active Directory Support in GroupWise 2014

Taking Advantage of Active Directory Support in GroupWise 2014 White Paper Collaboration Taking Advantage of Active Directory Support in GroupWise 2014 Flexibility and interoperability have always been hallmarks for Novell. That s why it should be no surprise that

More information

Using LDAP Authentication in an Informatica Domain

Using LDAP Authentication in an Informatica Domain Using LDAP Authentication in an Informatica Domain Copyright Informatica LLC 2016. Informatica LLC. Informatica, the Informatica logo, Informatica Big Data Management, and Informatica PowerCenter are trademarks

More information

CIFS Permissions Best Practices Nasuni Corporation Natick, MA

CIFS Permissions Best Practices Nasuni Corporation Natick, MA Nasuni Corporation Natick, MA Overview You use permissions to control user access to data. There are two basic considerations when using permissions to control user access to data: Which users have access

More information

Configuring and Using the TMM with LDAP / Active Directory

Configuring and Using the TMM with LDAP / Active Directory Configuring and Using the TMM with LDAP / Active Lenovo ThinkServer April 27, 2012 Version 1.0 Contents Configuring and using the TMM with LDAP / Active... 3 Configuring the TMM to use LDAP... 3 Configuring

More information

Configuration Guide. BES12 Cloud

Configuration Guide. BES12 Cloud Configuration Guide BES12 Cloud Published: 2016-07-20 SWD-20160718120737425 Contents About this guide... 6 Getting started... 7 Configuring BES12 for the first time...7 Administrator permissions you need

More information

CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam

CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam CA Single Sign-On r12.x (CA SiteMinder) Implementation Proven Professional Exam (CAT-140) Version 1.4 - PROPRIETARY AND CONFIDENTIAL INFORMATION - These educational materials (hereinafter referred to as

More information

Version 1.0. 2012 Devolutions inc.

Version 1.0. 2012 Devolutions inc. Version 1.0 2 Remote Desktop Manager Server (Version 1.0) Table of Contents Foreword Part I Getting Started 0 4 1 What is... Remote Desktop Manager Server? 4 2 Features... 5 3 System... Requirements 6

More information

KZO Video Suite. LMS Integration

KZO Video Suite. LMS Integration KZO Video Suite KZO Innovations provides an Enterprise class video platform solution to Government, Commercial, Non-profit and Education markets. The KZO Video Suite is a web based application that can

More information

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server INTEGRATION GUIDE DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is

More information

ISSUE TRACK FOR WINDOWS INSTALLATION GUIDE VERSION 4.0.0.XX

ISSUE TRACK FOR WINDOWS INSTALLATION GUIDE VERSION 4.0.0.XX ISSUE TRACK FOR WINDOWS INSTALLATION GUIDE VERSION 4.0.0.XX Contents CONTENTS Chapter 1 Introduction 1-1 Welcome to Issue Track for Windows 1-1 About this Guide 1-1 Product Name 1-1 Documentation Roadmap

More information

Getting Started with AD/LDAP SSO

Getting Started with AD/LDAP SSO Getting Started with AD/LDAP SSO Active Directory and LDAP single sign- on (SSO) with Syncplicity Business Edition accounts allows companies of any size to leverage their existing corporate directories

More information

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365 Configuring Single Sign-On from the VMware Identity Manager Service to Office 365 VMware Identity Manager JULY 2015 V1 Table of Contents Overview... 2 Passive and Active Authentication Profiles... 2 Adding

More information

SafeNet Authentication Manager

SafeNet Authentication Manager SafeNet Authentication Manager TECHNICAL BRIEF Using SafeNet Authentication Manager as Identity Provider for AirWatch Contents Description... 2 Single Sign-On Dataflow... 2 Identity Provider Configuration...

More information

IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3 April 8, 2016. Integration Guide IBM

IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3 April 8, 2016. Integration Guide IBM IBM Campaign Version-independent Integration with IBM Engage Version 1 Release 3 April 8, 2016 Integration Guide IBM Note Before using this information and the product it supports, read the information

More information

Deploying ModusGate with Exchange Server. (Version 4.0+)

Deploying ModusGate with Exchange Server. (Version 4.0+) Deploying ModusGate with Exchange Server (Version 4.0+) Active Directory and LDAP: Overview... 3 ModusGate/Exchange Server Deployment Strategies... 4 Basic Requirements for ModusGate & Exchange Server

More information

Use Enterprise SSO as the Credential Server for Protected Sites

Use Enterprise SSO as the Credential Server for Protected Sites Webthority HOW TO Use Enterprise SSO as the Credential Server for Protected Sites This document describes how to integrate Webthority with Enterprise SSO version 8.0.2 or 8.0.3. Webthority can be configured

More information

NSi Mobile Installation Guide. Version 6.2

NSi Mobile Installation Guide. Version 6.2 NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...

More information

BlackBerry Enterprise Service 10 version 10.2 preinstallation and preupgrade checklist

BlackBerry Enterprise Service 10 version 10.2 preinstallation and preupgrade checklist BlackBerry Enterprise Service version.2 preinstallation and preupgrade checklist Verify that the following requirements are met before you install or upgrade to BlackBerry Enterprise Service version.2.

More information

Using LDAP Authentication in a PowerCenter Domain

Using LDAP Authentication in a PowerCenter Domain Using LDAP Authentication in a PowerCenter Domain 2008 Informatica Corporation Overview LDAP user accounts can access PowerCenter applications. To provide LDAP user accounts access to the PowerCenter applications,

More information

Single Sign-on (SSO) technologies for the Domino Web Server

Single Sign-on (SSO) technologies for the Domino Web Server Single Sign-on (SSO) technologies for the Domino Web Server Jane Marcus December 7, 2011 2011 IBM Corporation Welcome Participant Passcode: 4297643 2011 IBM Corporation 2 Agenda USA Toll Free (866) 803-2145

More information

CA Technologies SiteMinder

CA Technologies SiteMinder CA Technologies SiteMinder Agent for Microsoft SharePoint r12.0 Second Edition This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to

More information

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Drupal

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Drupal SafeNet Authentication Service Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information