Understanding Mediasite security. Technical planner: TP-03


© 2010 Sonic Foundry, Inc. All rights reserved. No part of this document may be copied and/or redistributed without the consent of Sonic Foundry, Inc. Additional copies may be obtained by contacting Sonic Foundry. Sonic Foundry, the Sonic Foundry logo, Mediasite, and the Mediasite logo are registered trademarks of Sonic Foundry, Inc. All other trademarks are the property of their respective owners.

Sonic Foundry, Inc., 222 W. Washington Avenue, Madison, WI (toll free from the US and Canada). For more information, please contact Sonic Foundry.

Version: 5.4, April 2010. Sonic Foundry, Inc. Page 2 of 32

Table of Contents

- Overview
  - Document organization
  - Audience
- Fundamentals of Mediasite access control
  - Directories
  - Benefits of Directory Integration
  - Roles
  - Resources
  - Authentication
  - Authorization
  - Presentation access control
    - Presentation playback
    - Presentation management
    - Presentation recording
    - Presentation moderation
    - Media streams
  - Folder and catalog access control
  - System policies
  - Owner
- Planning directory integration
  - Integrating with an Active Directory
  - Integrating with an LDAP-based directory
  - Using directory search in Mediasite
  - Adding Mediasite roles from a directory
- Single sign-on (SSO) using SAML
  - Implementing SAML 2.0 integration
- Single sign-on (SSO) using custom development
- Sample permission templates
  - Mediasite Administrators role
  - Course Administrators role
  - Media Specialists role
  - Faculty role

Overview

Mediasite Access Control is the means by which a Mediasite user is granted or denied the right to see or edit presentations and use applications. A user first signs in using their username and password and is authenticated on the Mediasite system; then, based on permissions, the user is authorized to access certain resources in the system. In short, we're talking about securing resources on the Mediasite Server, which include presentations, recorders, encoding profiles, and pages in Mediasite web applications. This document provides an overview of access control in Mediasite and the manner in which an external directory can be set up to work with Mediasite in an enterprise.

Document organization

In Fundamentals of Mediasite access control, we discuss directories and roles and list the Mediasite resources that can be secured. We then describe how authentication and authorization are implemented in Mediasite access control. In Planning directory integration we describe the concepts behind connecting Mediasite to an external directory. In Single sign-on (SSO) using SAML 2.0 and Single sign-on (SSO) using custom development we provide an overview of single sign-on in Mediasite using Security Assertion Markup Language (SAML) 2.0 and an overview of implementing SSO solutions using custom development, respectively. Finally, we provide sample permission templates for typical roles found in an educational organization with an on-premise Mediasite solution.

Audience

Readers of this document should include Mediasite Administrators responsible for managing access control for a Mediasite installation, and enterprise Directory Administrators. The Mediasite Administrator is responsible for a number of operations that relate to Mediasite security and will need to work with other people in the organization, including:
- Network/Firewall Administrators, to configure firewalls and network switches so that Mediasite can operate across organization boundaries.
- IT Administrators, to set up the Database Server, Media Server, Web Server, File Server and FTP Server in a topology that works for the organization in terms of scale and management.
- Directory Administrators, to configure external directories.
- Mediasite Users.

Sonic Foundry provides additional documentation, such as Network and Firewall Considerations and Mediasite for the Enterprise, that assists a Mediasite Administrator in working with the Network and IT Administrators.

Mediasite is offered as an on-premise solution as well as a hosted solution. Overall, the functionality offered by both solutions is similar. However, there are some differences in administration and security between the two solutions:
- Some administrative functions managed by IT and Mediasite Administrators in an on-premise solution are managed by Sonic Foundry Hosting Administrators for the hosted solution.

- The security functions available to on-premise customers in the Portal are slightly different from those available to hosted customers. The section on resources explains these differences.

The diagram below lists the security functions of a Mediasite Administrator as well as the roles of other people involved in the successful deployment of Mediasite.

[Figure: security functions of the Mediasite Administrator and the related roles]

Mediasite Administrator:
- Works with the directory administrator to add external directories
- Adds relevant roles to Mediasite from external directories
- Manages users and groups in the Mediasite directory
- Adds roles for users in the Mediasite directory
- Sets up system policies
- Sets up access control for the root folder
- Sets up access control for operations
- Sets up access control for Portal access
- Manages access to system resources, streaming profiles, server groups, viewers, and recorders
- Manages access to presentations, folders, presentation templates, schedules, and presenters
- Works with IT Administrators to set up content servers for media streaming and slides, and to set up the Mediasite data location for viewer and catalog graphics
- Specifies content servers for media streaming and slides using System Manager

Power Users:
- Manage access to presentations, folders, presentation templates, schedules, and presenters they own
- Manage access to presentations, folders, presentation templates, schedules, and presenters that they have write access to

IT Administrator:
- Works with the Mediasite Administrator to set up streaming servers
- Works with the Mediasite Administrator to set up permissions on network shares where slides, media and Mediasite data are stored
- Sets up the server topology for Mediasite (e.g. High Availability)
- Sets up the database for Mediasite
- Sets up File Servers, FTP Server and Web Server for Mediasite

Directory Administrator:
- Works with the Mediasite Administrator to configure external directories

Network Administrator:
- Works with the Mediasite Administrator to configure firewall and network switches
- Works with the Mediasite Administrator to set up Mediasite on the DMZ (Demilitarized Zone)

Fundamentals of Mediasite access control

To understand access control in Mediasite, you must understand the use of directories, roles, resources, authentication, and authorization. Mediasite uses a directory for authentication and role-based access control for authorization. Role-based access control is an industry standard for restricting system access to authorized users using roles. The diagrams below explain the relationship between directories, users and groups in directories, and roles and resources in the Mediasite Database:

[Fig 2: Mediasite directory, Mediasite database, and external directories. External directories (Active Directory, LDAP directory) and the Mediasite Directory each hold users and groups; the Mediasite Database holds roles and resources.]

[Fig 3: Relationship between users, groups, and roles. Permissions in the Mediasite Database are assigned to roles; a role normally maps to a directory group (a collection of users) and may also map to a single user.]

Directories

A directory is used to store users and groups based on well-defined standards. Mediasite Server does not store users and groups within the Mediasite database but relies on the Mediasite Directory or an external directory for this information. The Mediasite Directory, based on

Microsoft's Active Directory Application Mode (ADAM) on the Windows 2003 platform and Active Directory Lightweight Directory Services (AD LDS) on the Windows 2008 platform, contains predefined users and groups that are configured during installation. The user typically used to connect to the Mediasite Directory is MediasiteAdmin. This user is generated when installing or adding a new site and is maintained in the Mediasite Directory.

The Mediasite Configuration Editor is used to manage connections to directories. This includes an external directory like a corporate Active Directory or an organization-wide LDAP directory implementation. Users and groups are created in the Mediasite Directory using System Manager or the Portal. However, Mediasite applications cannot be used to create users and groups in external directories. Directory Administrators create users and groups in external directories using standard directory management tools. Once Mediasite is connected to an external directory, Mediasite applications can authenticate users in these directories when they log on.

Benefits of Directory Integration

Connecting to an external directory allows Directory Administrators to take advantage of groups and users on their network to grant access to the Mediasite system. Groups in the external directory are already defined, and users can log into the Mediasite system using the same credentials they use to log into computers and other servers on their network.

Roles

Mediasite stores access control information in the Mediasite database. Access control information is stored in the form of permissions on Mediasite resources, which are assigned to roles. A role is either granted or denied access to resources using permission assignments. Each role in the database maps to a group (a collection of users) or at times to a single user in the directory. As a result, access control is still applied to groups and users.

Roles are automatically created when a group is created in the Mediasite Directory using either System Manager or the Portal. Roles are not created when a user is created in the Mediasite Directory. The System Manager and Portal can search for users and groups in the directory, and both applications can use the search results to add roles in the Mediasite database. Roles can be added in this manner for users in the Mediasite Directory as well as for groups and users in an external directory. In a directory, groups may be organized in a hierarchy. Roles do not have a corresponding hierarchy and are therefore flat.

The default Mediasite installation has the following predefined roles:

| Role | Description |
|---|---|
| Authenticated Users | Any user that has successfully authenticated with Mediasite. |
| Anonymous | A user that has not authenticated with Mediasite. |
| Everyone | A user that is either an Authenticated User or an Anonymous user. |
| MediasiteAdministrators | Users that have administrative rights in a default Mediasite installation. |
| MediasitePresenters | Users that can manage presentations in a default Mediasite installation. |
| MEDIASITESYSTEM | The context under which a Mediasite Server runs. |

The user mapped to MEDIASITESYSTEM is created in the Mediasite Directory. This user is called <sitename>system and its password is auto-generated. This role has special privileges and cannot be used to log into Mediasite applications. This user is generated when installing or adding a new site and is maintained in the Mediasite Directory.

Resources

The following table shows the permissions that can be defined as part of access control for resources, operations, and Portal user interface elements. The permissions are:
- Read permission: allows a user to see the resource
- Write permission: allows a user to modify/change or delete the resource
- View permission: allows a user to play back a presentation or see a folder in a Catalog
- Execute permission: allows a user to click on a link to perform an action
- Moderate permission: allows a user to view and answer questions from the audience for a presentation

The table below lists the permissions for various resources available to on-premise and/or hosted customers. For hosted customers, permissions on some resources are managed by the Hosting Administrators at Sonic Foundry's Data Center and are noted in the table as Unavailable to hosted customers.

[Table: secured items by category, with columns Read, Write, View, Execute and Moderate and an "Unavailable to hosted customers" marker. Only the row labels are recoverable here:]

Resources: Presentation, Shortcut, Folder, Template, Schedule, Presenter, Player, Server Group, Encoding Profile, Recorders, Caption Project, Caption Provider Settings, Podcasts, Catalogs

Operations: Create Presentations, Create Folders, Create Presenters, Create Players, Create Encoding Profiles, Create Server Groups, Create Podcasts, Manage Catalogs, Manage Publish To Go, Caption Presentations, Run System Manager, Manage Auth Tickets, Search Directories, API Access, Recorder Operator, Read FTP Storage Settings

Portal User Interface: Catalog, Presenter, Player, Encoding Profile, Server Group, Recorder, Schedule, Poll Template, Template, Captioning

Statistics: User Statistics, Presenter Statistics, Server Statistics, Authoring Statistics, What's Being Watched, User

System: Application Settings, Site Properties, Podcast FTP, System Message, Home Page

A user can either be allowed or denied permission to a resource, with a denied permission overriding an allowed one. For example, if a group is allowed read permission on a resource and a user in the group is denied read permission on that same resource, everyone in the group except that user can see it. We recommend setting up access control for groups, because managing permissions for each user can be tedious.

Some of the operations listed above are explained below:
- Run System Manager: Allows a user to connect the System Manager to a Mediasite Server.
- Manage Auth Tickets: Authorization tickets are used for single sign-on when integrating Mediasite with another system like a Learning System. Permission to this operation allows a user to create and delete Authorization Tickets.
- Search Directories: Allows a user to search a directory when adding presenters or roles in Mediasite from the directory.
- API Access: Allows a user to connect to the External Data Access Service (EDAS) to programmatically perform certain operations in Mediasite from a third-party system.
- Recorder Operator: Allows users to connect to the Mediasite Server using the Recorder or Editor application.

- Read FTP Storage Settings: Allows users to query the FTP storage location and credentials for Mediasite presentations via the External Data Access Service.
- Caption Presentations: Allows users to use the Captioning Manager to transfer media files for captioning to a third-party captioning provider like Automated Sync Technologies.

Authentication

When a user first signs in using their username and password, they are authenticated on the Mediasite system. The authentication process is initiated when a user logs into a Mediasite application using the login page. A default login page is bundled with Mediasite and is specified in the Configuration Editor that is packaged as part of the Mediasite E Server. The user is redirected to the login page to enter their credentials when:
- The user attempts to log in to a Mediasite web application
- The user attempts to access a secured page or resource and has not yet logged in
- The user has logged out and tries to access a secured page or resource

Authentication is based on cookies: a unique authentication cookie is created by the login page when a user logs into a particular Mediasite. The default login page has a "Remember me" check box that remembers both the username and password on a computer by persisting the authentication cookie. Once users check this box and log in, they do not have to log into any of the Mediasite applications again until they explicitly sign out or the persisted authentication cookie expires. By default, the authentication cookie expires in 90 days.

Sonic Foundry offers services to implement an alternate login page that authenticates users based on alternate schemes like:
- Single Sign-On (SSO) based on integrated authentication with Internet Information Services (IIS)
- Single Sign-On (SSO) from a content portal like a content management system

In such cases, the new login page is specified as part of the ASP.NET forms authentication settings for the Mediasite E Server, and Mediasite uses it instead of the default one. Customers with the on-premise solution can change this setting using the IIS Manager. Hosted customers need to contact the Hosting Administrators to make this change.

Authorization

Once a user is authenticated, the authorization process determines which resources can be accessed by the user. For example, if user Joe belongs to the Marketing, Product Marketing, and Field Marketing groups in an external directory, and roles have been added in the Mediasite directory for the Product Marketing and Field Marketing groups, then when Joe successfully logs in, only those two roles are returned for him. The authorization process uses these roles to determine permissions on the resource being accessed. If a user has permission to read the resource, then that resource will be displayed in the Mediasite interface. Similarly, with write permission on a resource, the user can modify or delete it. The diagram below shows the authentication and authorization process for Mediasite.
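The two rules described above, login-time role resolution (only directory groups that have a Mediasite role count) and deny-overrides-allow evaluation of permission assignments, as an added Python illustration that is not Sonic Foundry or Mediasite code; the role names, group names and the sample ACL are constructed for this example.

```python
"""Added illustration (not Sonic Foundry's code) of the login-time role
resolution and the allow/deny evaluation described above. Role names,
group names and the sample ACL are constructed for this example."""

ALLOW, DENY = "allow", "deny"

# Roles in the Mediasite database and what each maps to in the directory:
# normally a group, occasionally a single user. Directory groups without a
# role (e.g. "Marketing" below) are simply ignored at login.
MEDIASITE_ROLES = {
    "Product Marketing": "group",
    "Field Marketing": "group",
    "ann": "user",
}

BUILTIN_AUTHENTICATED = {"Authenticated Users", "Everyone"}
BUILTIN_ANONYMOUS = {"Anonymous", "Everyone"}


def resolve_roles(user_id, directory_groups):
    """Return the roles that apply to a session.

    user_id is None for a visitor who has not authenticated. For an
    authenticated user, the built-in roles plus every role that maps to
    the user or to one of the user's directory groups are returned.
    """
    if user_id is None:
        return set(BUILTIN_ANONYMOUS)
    roles = set(BUILTIN_AUTHENTICATED)
    for role, kind in MEDIASITE_ROLES.items():
        if kind == "group" and role in directory_groups:
            roles.add(role)
        elif kind == "user" and role == user_id:
            roles.add(role)
    return roles


def effective_permissions(roles, acl):
    """Evaluate an ACL for a set of roles.

    acl is a list of (role, permission, ALLOW|DENY) assignments on one
    secured resource. A permission is effective only if some role of the
    user is allowed it and no role of the user is denied it: a deny on
    any role overrides an allow on any other.
    """
    allowed, denied = set(), set()
    for role, permission, effect in acl:
        if role not in roles:
            continue
        (allowed if effect == ALLOW else denied).add(permission)
    return allowed - denied


def is_permitted(user_id, directory_groups, acl, permission):
    """Convenience wrapper: roles from authentication, then authorization."""
    roles = resolve_roles(user_id, directory_groups)
    return permission in effective_permissions(roles, acl)


# Constructed ACL on one presentation: the Product Marketing group may
# read and view it, everyone may view it, but ann, a member of the
# Product Marketing group, is explicitly denied read.
PRESENTATION_ACL = [
    ("Product Marketing", "read", ALLOW),
    ("Product Marketing", "view", ALLOW),
    ("Everyone", "view", ALLOW),
    ("ann", "read", DENY),
]

MARKETING_GROUPS = {"Marketing", "Product Marketing", "Field Marketing"}

if __name__ == "__main__":
    print(sorted(resolve_roles("joe", MARKETING_GROUPS)))
    print(is_permitted("joe", MARKETING_GROUPS, PRESENTATION_ACL, "read"))  # True
    print(is_permitted("ann", MARKETING_GROUPS, PRESENTATION_ACL, "read"))  # False
    print(is_permitted(None, set(), PRESENTATION_ACL, "view"))              # True
```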

[Fig 4: Authentication and Authorization in Mediasite. The steps shown in the diagram:]
0. The Mediasite Administrator, using Portal access control, maps groups in the directory to Mediasite roles (stored in the Mediasite Database).
1. A user who is not logged into Mediasite tries to access a Mediasite resource.
2. The Mediasite E Server sends a login request to the directory server (LDAP/AD Server).
3. The directory server checks if the user exists.
4. The Mediasite E Server gets the groups for the user.
5. A cookie is created.
6. The user is logged in.
7. The directory returns the groups the user belongs to.
8. The Mediasite E Server checks, against the Mediasite Database, whether a role has permissions to the resource.

Presentation access control

Presentation access control is divided into five areas: playback, management, recording, moderation, and media streams.

Presentation playback

A Mediasite presentation is made up of:
- Presentation data (metadata)
- Video
- Slides
- Presenters
- Player
- Server Group
- Streaming or Encoding Profiles, when not recorded

Presentation access control covers presentation data, video, and slides. The remaining items are secured resources and have their own access control set up. Presentations can be managed, played back, and recorded. All other secured resources can only be managed. End users who have permissions to play back a presentation do not need permissions on a presenter or other secured resources. Granting users read access to resources like presenters or other secured

resources would mean that all users who can play back a presentation could potentially gain access to secured resources in the Portal. This is highly undesirable, so Sonic Foundry has defined two concepts: the MEDIASITESYSTEM role and the View permission. MEDIASITESYSTEM is a built-in role that maps to the built-in <Sitename>SYSTEM user. The Player application uses the MEDIASITESYSTEM role to authorize access control on the other secured resources that make up a presentation, as well as on the presentation data itself. View permissions can be configured for roles that need to watch the presentation. By default, System Manager and the Portal both add the MEDIASITESYSTEM role to any entity created.

Presentation management

Presentations are managed using the Portal. System Manager provides an alternate way to manage security for all resources in the Mediasite system. The Portal, on the other hand, uses access control information to show resources to the logged-in user. The following table explains the permissions required for the most common presentation management operations.

| Operation | Presentation | Folder | Other | Inheritance, if any | Notes |
|---|---|---|---|---|---|
| Edit | Read & Write | Read | Read on associated resources | | Associated resources include Player, Presenters, and Encoding Profile. |
| Create From Folder | | Read & Write | Create | From Folder | |
| Create from Template | | Read & Write | Create; Read on Template; Read on associated resources in template | From Folder or Template | Associated resources include Player, Presenters, Encoding Profile, and Server Group. |
| Delete | Read & Write | | | | |
| Move | Read & Write | | Read on Source Folder; Read & Write on Destination Folder | | The presentation retains its original permissions and does not automatically inherit new permissions from the destination folder. |
| Create Shortcut | Read & Write | | Read & Write on Destination Folder | | |
| Add Like | | | Read on Source Folder; Read & Write on Destination Folder; Read on associated resources in source presentation | | The new presentation inherits permissions from the destination folder and not from the source presentation selected. Associated resources include Player, Presenters, and Encoding Profile. |

Presentation recording

Presentations are recorded using the Mediasite Recorder. There are a number of ways of recording a presentation. The table below explains the permissions required for recording presentations:

| Operation | Presentation | Folder | Other Resource | Operation | Notes |
|---|---|---|---|---|---|
| Open an Existing Presentation on Server for Recording and Publish | Read & Write | Read | Read on Encoding Profiles | Recorder and Editor Access | The presentation is created on the server and selected for recording. |
| Create a New Presentation on Server, Record and Publish | | Read & Write | Read on Template; Read on associated resources in template | Create; Recorder and Editor Access | Associated resources include Player, Presenters, Encoding Profile, and Server Group. |
| Automated Recording and Publish Using a Schedule | | Read & Write | Read on Schedule; Read on associated resources in schedule | Create; Recorder and Editor Access | Associated resources include Player, Presenters, Encoding Profile, and Server Group. |
| Open a New Presentation on the Recorder for Recording and Publish to Server | Read & Write | Read | | Recorder and Editor Access | A locally recorded presentation is published to a presentation created on the server. |

Presentation moderation

Presentations broadcast live normally need some level of moderation. There are times when a moderator only needs to interact with the audience for a presentation and does not need any other presentation permission. The Moderate permission gives the user the ability to do this.

Media streams

Media streams for presentations are secured using the Mediasite Media Authorization Plug-in, which is applied to publishing points on the Microsoft Windows Media Server. Publishing points source media streams from Windows Media files or encoding devices for on-demand distribution and live broadcasts, respectively. When the Authorization plug-in is enabled and configured on the Media Server, it streams media only if the access control criteria have been satisfied. Mediasite implicitly applies a token-based access control mechanism for a presentation's media content. A token is generated for a presentation when an authorized user tries to play back a presentation in the Mediasite Viewer. The token is validated by the Authorization plug-in on the Media Server when it receives a request to stream the media from the Mediasite Viewer.

Folder and catalog access control

Presentations are organized within folders. Hierarchical structure for folders is supported in Mediasite. Folders inherit permissions from their parent folder, so the root folder must have appropriate permissions. Catalogs enable publishing a folder to the web. When a folder is included in a catalog, all presentations in the folder are listed in the catalog if the logged-in user has view permissions to the presentation. The table below explains the permissions required for common folder operations:

| Operation | Folder | Parent Folder | Notes |
|---|---|---|---|
| View Folders in the Portal | Read | Read | |
| Search for Folders | Read | | Search results are displayed as a list and not a tree. As a result, parent folder permissions are not used. |
| View Linked Folders in Catalog | View | | View permissions for linked folders are managed on the folder in the Portal. |
| View a Linked Catalog | View | | View permissions for a linked catalog are managed on the folder in the Portal. |
| Create Presentations | Read & Write | | By default, presentations inherit folder permissions. |
| Create Folder | Read & Write | | Folders inherit permissions from their parent folder. |

System policies

All secured resources in Mediasite need an initial set of permissions when they are created; otherwise, no one will be able to access these resources. System policies define a secured resource's initial set of permissions. System policies exist for:
- Presenters
- Players
- Streaming/Encoding Profiles
- Server Groups
- Recorders
- Podcasts
- Catalogs
- Templates
- Schedules
- Caption Projects
- Caption Provider Settings

It is essential that Mediasite Administrators set up appropriate system policies for all the secured resources. Permissions on a secured resource can be changed after it has been created.
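The inheritance rules from the presentation-management and folder tables above (new folders and presentations copy the parent folder's permissions, Move keeps a presentation's own permissions, Add Like takes the destination folder's), as an added Python model that is not Sonic Foundry or Mediasite code; folder names, titles and ACLs are constructed, and the ACLs hold allow entries only.

```python
"""Added model (not Sonic Foundry's code) of the inheritance rules in the
folder and presentation-management tables above. Folder names, titles and
ACLs are constructed; an ACL here is role -> set of allowed permissions."""
from copy import deepcopy


def has(acl, roles, permission):
    """True if any of the caller's roles is allowed the permission."""
    return any(permission in acl.get(role, ()) for role in roles)


def require(acl, roles, *permissions):
    for permission in permissions:
        if not has(acl, roles, permission):
            raise PermissionError(f"missing {permission}")


class Folder:
    def __init__(self, name, parent=None, acl=None):
        # The root folder must be given an ACL explicitly; every child
        # folder starts with a copy of its parent's ACL.
        self.name, self.parent = name, parent
        self.acl = deepcopy(acl) if parent is None else deepcopy(parent.acl)
        self.presentations = []


class Presentation:
    def __init__(self, title, folder):
        self.title, self.folder = title, folder
        self.acl = deepcopy(folder.acl)  # default: inherit folder permissions
        folder.presentations.append(self)


def create_folder(name, parent, roles):
    require(parent.acl, roles, "read", "write")
    return Folder(name, parent)


def create_presentation(title, folder, roles):
    require(folder.acl, roles, "read", "write")
    return Presentation(title, folder)


def move(pres, dest, roles):
    """Move: Read & Write on the presentation, Read on the source folder,
    Read & Write on the destination folder. The presentation keeps its
    original ACL; nothing is re-inherited from the destination."""
    require(pres.acl, roles, "read", "write")
    require(pres.folder.acl, roles, "read")
    require(dest.acl, roles, "read", "write")
    pres.folder.presentations.remove(pres)
    pres.folder = dest
    dest.presentations.append(pres)
    return pres


def add_like(source, dest, title, roles):
    """Add Like: Read on the source folder, Read & Write on the destination
    folder. The new presentation inherits the destination folder's ACL,
    not the ACL of the source presentation."""
    require(source.folder.acl, roles, "read")
    require(dest.acl, roles, "read", "write")
    return Presentation(title, dest)


def catalog_listing(folder, roles):
    """A catalog lists the presentations in a folder that the viewer's
    roles are allowed to View."""
    return [p.title for p in folder.presentations if has(p.acl, roles, "view")]


def demo():
    """Constructed scenario: a publicly viewable root, a private child."""
    editors = {"MediasitePresenters"}
    root = Folder("Root", acl={
        "MediasitePresenters": {"read", "write", "view"},
        "Everyone": {"view"},
    })
    private = create_folder("Private", root, editors)
    private.acl.pop("Everyone")  # tighten the child after it inherited

    lecture = create_presentation("Lecture 1", root, editors)
    move(lecture, private, editors)  # still carries Everyone: view
    clone = add_like(lecture, private, "Lecture 1 (copy)", editors)
    return {
        "moved_keeps_everyone": has(lecture.acl, {"Everyone"}, "view"),
        "add_like_follows_dest": has(clone.acl, {"Everyone"}, "view"),
        "public_catalog_of_private": catalog_listing(private, {"Everyone"}),
    }


if __name__ == "__main__":
    print(demo())
```

The moved presentation is the one a public catalog of the private folder still lists, which is exactly the case the Move row warns about.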

Owner

By default, the owner of a secured resource is the user who created it. The owner of a secured resource can be changed using the System Manager or the Portal by picking another user from the directory using a directory search.

Planning directory integration

Mediasite Server includes a built-in Mediasite directory which can operate as a stand-alone directory, but that would fail to leverage your organization's existing external directory. Connecting the Mediasite E Server to an external directory allows seamless integration into the enterprise. We recommend that the Mediasite Administrator work with the Directory Administrator to register and configure an external directory to work with Mediasite. The differences between using the integrated Mediasite directory and an external directory with Mediasite are highlighted in the table below:

| Feature | Built-in Mediasite Directory | External Directory |
|---|---|---|
| Schema | The schema is fixed as defined by Sonic Foundry. | The schema varies. LDAP allows more variation than Active Directory. |
| Role Creation | Roles are automatically added when groups are created. Roles are also created using the directory search operation. | Roles are only created using the search directory operation. |
| Role Storage | The role name is preset to use the user CN for users and the Group DN for groups. | The role name is based on the User Display Name property or Group Display Name property as specified in a directory connection in the Mediasite system. |

Integrating with an Active Directory

Mediasite E Server can connect to an Active Directory or a Global Catalog (an Active Directory forest). The following properties are needed to connect Mediasite Server to an Active Directory.

| Active Directory Properties | Description | Default Settings |
|---|---|---|
| Directory Server Path | This property identifies the location of the directory. Non-default ports are supported. SSL connection is also supported. Note: When connecting to a Global Catalog, use the GC:// scheme for the directory server path instead of the LDAP:// scheme. | |
| Base Distinguished Name (DN) | The Base DN is the starting point in the Active Directory hierarchy at which searches begin. | |

| Active Directory Properties (continued) | Description | Default Settings |
|---|---|---|
| User credentials | This property contains a username and password needed to connect to the directory and obtain user and group information from the directory. Anonymous connections to the Active Directory are not allowed. | |
| Users DN and Groups DN | If the users and groups in the directory are in a specific sub-tree, these DNs must be provided. These locations are used when searching for groups and users to add Mediasite roles, import Mediasite Presenters from the directory, or change the owner of a resource. | |
| User Id Property and Group Id Property | These properties are used to define the mapping for the role to the user or group in the directory. Mediasite uses the property specified in the User Id Property Name field in the cookie that is created after successful authentication by a user. | User Id Property is set to userprincipalname. Group Id Property is forced to distinguishedname. |
| User Display Name Property and Group Display Name Property | These properties are used to name the role. The user name or group name is displayed in a Mediasite application using these properties. | User Display Name Property is forced to displayname. Group Display Name Property is forced to cn. |
| User E-mail Property Name | This property contains the primary e-mail address for the user. | Forced to mail |
| Group Membership Property Name | This property contains a list of groups that the user belongs to. | Forced to memberof |
| Group Member Property Name | This property contains a list of users that are members of the group. | Forced to member |
| Group and User LDAP Search Filter | These properties are used to filter search results for groups and users in a directory. | User LDAP Search Filter is set to (&(objectclass=user)(objectCategory=Person)). Group LDAP Search Filter is set to (objectclass=group). |

| Active Directory Properties (continued) | Description | Default Settings |
|---|---|---|
| Group Membership Settings | Group membership for Active Directories is determined by one of two methods. (1) User's Group Membership property: the user's group membership property contains a list of groups that the user belongs to. Nested groups are then found in a similar manner, which results in multiple lookups in the directory (one for each nesting level). (2) Security Groups: security groups are stored in the tokengroups property set for each user in the Active Directory. This property includes nested groups, so all groups that a user belongs to are returned. Sonic Foundry recommends this method because it requires fewer lookups in the directory. However, it will not return distribution groups that the user is a member of. | |
| Search Result Size | For unlimited search results to be returned, the directory must support paged searching. If paging is not supported, the option should be set to return Server limited search results. | Active Directory supports paged searching. |

Integrating with an LDAP-based directory

The following information is needed to connect an E Server to an LDAP-based directory:

| LDAP Directory Properties | Description | Default Settings |
|---|---|---|
| Directory Server Path | This property identifies the location of the directory. Non-default ports are supported. SSL connection is also supported. | |
| Base Distinguished Name (DN) | The Base DN is the starting point in the directory hierarchy at which searches begin. | |
| User credentials | This property contains a username and password needed to connect to the directory and obtain user and group information from the directory. An anonymous connection to the directory is also supported but not recommended in a secure environment. | |

| LDAP Directory Properties (continued) | Description | Default Settings |
|---|---|---|
| Users DN and Groups DN | If the users and groups in the directory are in a specific sub-tree, these DNs must be provided. These locations are used when searching for groups and users to add Mediasite roles, import Mediasite Presenters from the directory, or change the owner of a resource. | |
| User Id Property and Group Id Property | These properties are used to define the mapping for the role to the user or group in the directory. Mediasite uses the property specified in the User Id Property Name field in the cookie that is created after successful authentication by a user. In most cases, the default values must be changed to match the LDAP directory configuration. | Both are set to cn |
| User Display Name Property and Group Display Name Property | These properties are used to name the role. The user name or group name is displayed in a Mediasite application using these properties. In most cases these values need to be changed to match the LDAP directory configuration. | Both are set to cn |
| User E-mail Property Name | This property contains the primary e-mail address for the user. In most cases the default value must be changed to match the LDAP directory configuration. | Set to mail |
| Group Membership Settings | The method for accessing group membership in the directory schema. One of the two methods must be used. User's Group Membership Property: this property contains a list of groups that the user belongs to; nested groups are then found in a similar manner. Group Membership Property: this property contains the users and groups that are members of a group; nested groups are then found in a similar manner. | |
| Group Membership Property Name | This property contains a list of groups that the user belongs to. In many directories, this property may not be defined. In such cases, the Group Membership Property method for accessing group membership should be enabled. In most cases the default value must be changed to match the LDAP directory configuration. | Set to memberof |

LDAP Directory Properties (continued)

Group Member Property Name
Description: This property contains a list of users that are members of the group. By default, this is set to the member property. In most cases this value needs to be changed to match the LDAP directory configuration.

Group and User LDAP Search Filter
Description: These properties are used to filter search results for groups and users in a directory. In most cases the default values must be changed to match the LDAP directory configuration.
Default: User LDAP Search Filter is set to (objectclass=user); Group LDAP Search Filter is set to (objectclass=group)

Search Result Size
Description: For unlimited search results to be returned, the directory must support paged searching. Many LDAP directories support paged searching. If paging is not supported, the option should be set to return Server limited search results.

Mediasite can perform a nested group search. However, nested group searches may affect performance depending on the depth of the sub-tree being searched.

Using directory search in Mediasite

Directory search is used in Mediasite to do the following:

1. Change the owner of a secured item. A search is done in the directory for a user that can be selected as the new owner.
2. Add presenters from a directory. A search is done in the directory for users that can be selected and imported into the Mediasite system as presenters. The email address for a user is also imported as part of the presenter import.
3. Add roles from a directory. A search is done in the directory for users or groups that can be added as roles in the Mediasite system.

Adding Mediasite roles from a directory

Once Mediasite EX Server is integrated with an external directory, roles are added to the Mediasite EX Server by searching the connected directory for users or groups. The following information can be specified for search operations:

- Role type (user or group)
- Name (exact name or beginning of name)
- The scope of the search. Scope can be:
    o Base level: a search of the location specified
    o One-level: a search of the location specified and the immediate children of this location
    o Sub-tree: a deep search that traverses the sub-tree starting at the location specified
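As an added example (not Sonic Foundry code), the following Python models a small constructed directory and shows the two nested-group methods described above: the lookup cost of walking the user's membership property, what happens when memberof is not populated, and base, one-level and sub-tree search scope. Attribute names follow the planner's defaults (memberof, member, cn, objectclass); the DNs and entries are made up.

```python
"""Added example: nested group resolution and search scope over an in-memory
directory. Attribute names follow the planner's defaults (memberof, member,
cn, objectclass); every DN and entry below is constructed sample data."""
from collections import deque

# Constructed directory: lowercase DN -> attributes (values are lists, as an
# LDAP server returns them). memberof is the back-link that some directories
# do not maintain; member is kept on the group entry itself.
DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=edu": {
        "objectclass": ["user"], "cn": ["alice"], "mail": ["alice@example.edu"],
        "memberof": ["cn=physics101-faculty,ou=groups,dc=example,dc=edu"],
    },
    "cn=physics101-faculty,ou=groups,dc=example,dc=edu": {
        "objectclass": ["group"], "cn": ["physics101-faculty"],
        "member": ["cn=alice,ou=users,dc=example,dc=edu"],
        "memberof": ["cn=faculty,ou=groups,dc=example,dc=edu"],
    },
    "cn=faculty,ou=groups,dc=example,dc=edu": {
        "objectclass": ["group"], "cn": ["faculty"],
        "member": ["cn=physics101-faculty,ou=groups,dc=example,dc=edu"],
        "memberof": ["cn=staff,ou=groups,dc=example,dc=edu"],
    },
    "cn=staff,ou=groups,dc=example,dc=edu": {
        "objectclass": ["group"], "cn": ["staff"],
        "member": ["cn=faculty,ou=groups,dc=example,dc=edu"],
        "memberof": [],
    },
}

ALICE = "cn=alice,ou=users,dc=example,dc=edu"


def without_memberof(directory):
    """Copy of a directory whose entries lack the memberof property, to show
    the planner's caveat that many directories do not define it."""
    return {dn: {k: v for k, v in attrs.items() if k != "memberof"}
            for dn, attrs in directory.items()}


def groups_via_user_property(directory, user_dn, attr="memberof"):
    """User's Group Membership Property method: read the user's memberof, then
    each group's memberof, one lookup per object (one per nesting level).
    Returns (set of group DNs, number of lookups)."""
    found, lookups = set(), 0
    queue = deque([user_dn.lower()])
    while queue:
        dn = queue.popleft()
        lookups += 1                      # one directory read per object
        for group in directory.get(dn, {}).get(attr, []):
            group = group.lower()
            if group not in found:        # also stops on circular nesting
                found.add(group)
                queue.append(group)
    return found, lookups


def groups_via_group_property(directory, user_dn, attr="member"):
    """Group Membership Property method: search the groups for any whose
    member property lists the object, then repeat for each group found.
    Works even when memberof is absent. Returns (set of DNs, searches)."""
    groups = [(dn, a) for dn, a in directory.items()
              if "group" in a.get("objectclass", [])]
    found, searches = set(), 0
    queue = deque([user_dn.lower()])
    while queue:
        target = queue.popleft()
        searches += 1                     # one (member=target) search
        for dn, attrs in groups:
            members = [m.lower() for m in attrs.get(attr, [])]
            if target in members and dn not in found:
                found.add(dn)
                queue.append(dn)
    return found, searches


def in_scope(dn, base_dn, scope):
    """Base level, One-level and Sub-tree scope as the planner defines them.
    DNs are compared case-insensitively; no escaped commas are expected."""
    dn, base_dn = dn.lower(), base_dn.lower()
    if scope == "base":
        return dn == base_dn
    parent = dn.split(",", 1)[1] if "," in dn else ""
    if scope == "one-level":
        return dn == base_dn or parent == base_dn
    if scope == "sub-tree":
        return dn == base_dn or dn.endswith("," + base_dn)
    raise ValueError("unknown scope: " + scope)


def search(directory, base_dn, scope, role_type, name="", exact=False):
    """Role search as in the planner: role type (user or group), an exact name
    or the beginning of a name, and a scope. Returns matching DNs, sorted."""
    hits = []
    for dn, attrs in directory.items():
        cn = attrs.get("cn", [""])[0].lower()
        name_ok = cn == name.lower() if exact else cn.startswith(name.lower())
        if role_type in attrs.get("objectclass", []) and name_ok \
                and in_scope(dn, base_dn, scope):
            hits.append(dn)
    return sorted(hits)
```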

Global Catalog considerations

When using a Global Catalog, the following best practices should be considered:

- A connection to the Global Catalog on the LDAP port of an Active Directory (e.g., 389) will not return groups from another domain in the forest. A Global Catalog is normally set up to run on port
- By default only universal groups are replicated to all Global Catalogs in a forest. Domain local and global groups will not be returned when Mediasite queries a Global Catalog if they are not in the same domain as the Global Catalog server.

Single sign-on (SSO) using SAML 2.0

This section provides an overview of single sign-on ability in Mediasite using Security Assertion Markup Language (SAML) 2.0. SAML 2.0 support was added in Mediasite 5.3.

The use of federated identity solutions is becoming very popular in various organizations. Sonic Foundry decided to include support for a generic standards-based solution rather than independent federated identity solutions. SAML, developed by the Security Services Technical Committee of OASIS, is an XML-based framework for communicating user authentication, entitlement, and attribute information.

SAML 2.0 comprises an Identity Provider and Service Providers. Systems like Shibboleth 2.0 that are SAML 2.0 compliant serve as an identity provider. Mediasite is designed to be a service provider. The diagram below provides an overview of Mediasite as a service provider.

[Fig 5: Configuring Mediasite as a service provider when using SSO with SAML 2.0. The diagram shows the configuration and handshake between a SAML 2.0 Identity Provider (e.g., Shibboleth 2.0) and the Service Provider (Mediasite version 5.3):
  Identity Provider configuration: specify the Entity Id; specify the metadata URL, a well-known XML document that tells you how to communicate with the identity provider.
  Service Provider configuration: specify the user Id and role name formats; generate metadata and a URL to get to the metadata, which tells the identity provider how to communicate with the service provider.
  Handshake: each side gets the other's metadata (Get Identity Provider Metadata, Get Service Provider Metadata), then an Authentication Request and an Authentication Response are exchanged as encrypted messages.
  Message handling: the service provider metadata contains a public key, and Shibboleth 2.0 encrypts HTTP messages to Mediasite using this key; the identity provider metadata contains a public key, and Mediasite EX Server encrypts HTTP messages to Shibboleth using this key.]

SAML 2.0 support alleviates procedural issues with directory integration for hosted customers. Many organizations have a policy of not making their LDAP/Active Directory accessible over the web. The diagram below explains how SSO using SAML 2.0 works with Mediasite.

[Fig 6: SSO using SAML 2.0. The diagram shows the flow between a user who is not logged into Shibboleth, Shibboleth 2.0, Mediasite EX Server, the Mediasite Database, and a Mediasite Administrator using the Portal:
  1. The user tries to access a Mediasite resource.
  2. The authentication request is redirected to Shibboleth 2.0.
  3. Shibboleth checks if the user exists in one of its stores and returns the entitlements for the user.
  4. Entitlements are mapped to Mediasite roles (the mapping is maintained by the Mediasite Administrator using the Portal).
  5. Mediasite parses the entitlements for the user id and roles.
  6. Mediasite updates the role cache in the Mediasite Database.
  7. Mediasite checks if the entitlements for the user have permissions to the resource.]

Implementing SAML 2.0 integration

Mediasite EX Server can connect to a SAML 2.0 Identity Provider. The following properties are needed to connect Mediasite EX Server to an identity provider.

Service Provider Settings

User ID resolution
Description: Defines how Mediasite will determine a username when reading a SAML assertion returned by an IdP. A username can be the NameID found in the subject or any other attribute in the assertion.
Default: Subject NameID

User ID Name Format
Description: Format of the attribute used to define a username.

User ID Name
Description: The attribute in an assertion that defines a username.

Role Name Format
Description: Format of the attribute that contains the roles for a user.

Role Name
Description: The attribute in an assertion that contains the roles for a user.
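As an added example (not Sonic Foundry code), the following Python applies the User ID resolution, User ID Name and Role Name settings above to a constructed, unencrypted assertion, checks the assertion's Conditions, and maps entitlements to Mediasite roles as in Fig 6. The assertion, entity IDs, settings dictionary and role mapping are assumptions; the Name Format settings are left out and attribute Name values are used directly.

```python
"""Added example: resolving a Mediasite user ID and roles from a SAML 2.0
assertion the way the Service Provider Settings above describe (Subject
NameID or a named attribute for the user ID, a named attribute for roles),
plus the Conditions checks a service provider applies. The assertion, entity
IDs, settings and role mapping below are constructed sample data."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unencrypted and unsigned assertion for illustration. A real
# service provider decrypts and verifies the IdP signature (keys come from
# the metadata exchange in Fig 5) before reading anything out of it.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" Version="2.0" IssueInstant="2010-04-01T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-04-01T11:55:00Z" NotOnOrAfter="2010-04-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://mediasite.example.edu/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement">
      <saml:AttributeValue>urn:mace:example.edu:physics101:faculty</saml:AttributeValue>
      <saml:AttributeValue>urn:mace:example.edu:staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

SP_ENTITY_ID = "https://mediasite.example.edu/"          # constructed
SAMPLE_NOW = datetime(2010, 4, 1, 12, 0, 30, tzinfo=timezone.utc)

# Hypothetical settings mirroring the table above: user_id_resolution is
# "Subject NameID" or "Attribute"; user_id_name and role_name hold the
# attribute Name to read when an attribute is used.
DEFAULT_SETTINGS = {
    "user_id_resolution": "Subject NameID",
    "user_id_name": None,
    "role_name": "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
}

# Hypothetical entitlement -> Mediasite role mapping (step 4 in Fig 6).
ROLE_MAP = {
    "urn:mace:example.edu:physics101:faculty": "Physics101 Faculty",
    "urn:mace:example.edu:staff": "Staff",
}


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _attribute_values(assertion, name):
    """All AttributeValue texts of the Attribute whose Name equals name."""
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            return [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return []


def check_conditions(assertion, our_entity_id, now):
    """Reject an assertion outside its validity window or addressed to another
    service provider; that is what NotBefore, NotOnOrAfter and Audience are for."""
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if cond.get("NotBefore") and now < _parse_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and our_entity_id not in audiences:
        raise ValueError("assertion not addressed to this service provider")


def resolve_user(assertion_xml, settings, our_entity_id, now):
    """Return (user_id, [entitlements]) according to the settings."""
    assertion = ET.fromstring(assertion_xml)
    check_conditions(assertion, our_entity_id, now)
    if settings["user_id_resolution"] == "Subject NameID":
        node = assertion.find("saml:Subject/saml:NameID", NS)
        if node is None or not node.text:
            raise ValueError("assertion has no Subject NameID")
        user_id = node.text
    else:
        values = _attribute_values(assertion, settings["user_id_name"])
        if len(values) != 1:
            raise ValueError("user ID attribute missing or ambiguous")
        user_id = values[0]
    return user_id, _attribute_values(assertion, settings["role_name"])


def map_roles(entitlements, role_map=ROLE_MAP):
    """Map IdP entitlements to Mediasite roles; unmapped ones grant nothing."""
    return sorted({role_map[e] for e in entitlements if e in role_map})
```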

Service Provider Settings (continued)

Metadata Expiration Duration
Description: The duration for which the metadata for the service provider is valid.
Default: 1 year

Metadata cache duration
Description: The duration in minutes for which the metadata for the service provider can be cached by the identity provider.

Encryption Key length
Description: The length of the encryption key. Supported lengths are 1024, 1536 and

Identity Provider Settings

Entity ID
Description: The ID that identifies the Identity Provider.

Metadata URL
Description: A location where the SAML metadata and public keys can be retrieved for the Identity Provider.

Friendly Name
Description: The friendly name of the Identity Provider. This name will be displayed to users when logged in.

Auto Redirect to Provider
Description: Determines if users will be automatically redirected to the Identity Provider when the authentication process begins. If unchecked, users will be able to choose between authenticating directly with Mediasite or with the Identity Provider.

Single sign-on (SSO) using custom development

This section provides an overview of implementing SSO solutions using custom development, which is required when organizations need to integrate Mediasite into their environment. Examples of such integration include developing Mediasite extensions for a learning management system or content management system, or integrating Mediasite into a web portal. Mediasite includes the External Data Access Service (EDAS) that enables this form of integration. Custom development can be implemented by Sonic Foundry on an engagement basis or by a software developer with some Microsoft .NET platform experience. The diagram below explains SSO using custom development.

[Fig 7: SSO using custom development. The diagram shows an LMS user, an LMS server, an LDAP/AD server, Mediasite EX Server, the Mediasite Database, and a Mediasite Administrator using the Portal:
  0. The Mediasite Administrator maps groups to Mediasite roles in the Portal.
  1. The LMS server connects and logs in to Mediasite using EDAS.
  2. The LMS user tries to access a Mediasite resource.
  3. The LMS server requests an Auth Ticket for the user through EDAS.
  4. Mediasite gets the groups for the connecting user from the LDAP/AD server.
  5. The LDAP/AD server returns the groups the user belongs to.
  6. Mediasite checks whether the roles for the user have permissions to the resource.
  7. Mediasite creates a ticket for the user that is valid for the resource.
  8. The Auth Ticket is returned to the LMS server.
  9. The Auth Ticket is passed in requests to Mediasite.]

The Mediasite Building Block for Blackboard and the Mediasite extension for Moodle are developed using EDAS and support SSO in a similar manner.

Sample permission templates

This section provides sample permission templates for typical roles found in an educational organization with an on-premise Mediasite solution:

- Mediasite Administrators: Users in this role have access to all functions in a Mediasite system and are expected to have access to all Mediasite resources as well as every folder in the Mediasite presentation folder structure.
- Course Administrators: Users in this role have access to a subset of functions in a Mediasite system and a portion of the folder structure, typically a sub-folder and all folders under that sub-folder.
- Media Specialists: Users in this role have access to a set of functions that allow them to record presentations using the Mediasite Recorder as well as create presentations. As part of presentation creation, these users may need to create new players and presenters. Users in this role also have access to managing encoding profiles and recorders from the Portal.
- Faculty: Users in this role have access to a set of functions that allow them to manage catalogs, view, create, and run reports, and manage as well as moderate presentations. These users cannot record presentations or manage other entities that make up a presentation. This user is also not given any access to system policies, because system policies are applied across the board. A faculty member would typically be given access to catalogs and presentations for their specific course. For example, for a catalog created for the course Physics101, only the faculty member teaching Physics101 should have permissions for it, not all faculty members.

The sample permission templates are provided as an example only and should be modified as needed.

Each template lists the same secured items, with Read, Write, View, and Execute columns for each item; the marks showing which permissions each role is granted did not survive extraction of this document, so only the folder, the folder permissions, and the list of secured items are reproduced here.

Secured items in each template:
  Operations: Create Presentations, Create Folders, Create Presenters, Create Players, Create Encoding Profiles, Create Server Groups, Create Podcasts, Manage Catalogs, Publish To Go, Caption Presentations, Run System Manager, Manage Auth Tickets, Search Directories, Manage API Access, Recorder Operator, Read FTP Storage Settings
  Portal, User Interface: Catalog, Presenter, Player, Encoding Profile, Server Group, Recorder, Schedule, Poll Template, Presentation Template, Captioning
  Portal, Statistics: User Statistics, Presenter Statistics, Server Statistics, Content Creation, What's Being Watched, User, System
  Portal, Application Settings: Site Properties, Podcast, FTP, System Message, Home Page
  System Policies: Catalog, Encoding Profile, Player, Podcast Template, Presenter, Recorder, Schedule, Server Group, Captioning Project, Captioning Provider Settings

Mediasite Administrators role
Folder: root folder (e.g., //Presentations)
Folder permissions: Read, Write, and View

Course Administrators role
Folder: sub-folder (e.g., //Presentations/physics101)
Folder permissions: Read, Write, and View

Media Specialists role
Folder: root folder (e.g., //Presentations)
Folder permissions: Read, Write, and View

Faculty role
Folder: sub-folder (e.g., //Presentations/physics101)
Folder permissions: Read, Write, and View


More information

Denodo Data Virtualization Security Architecture & Protocols

Denodo Data Virtualization Security Architecture & Protocols Denodo Data Virtualization Security Architecture & Protocols XLS Security Architecture & Protocols We include hereinafter a description of the security support in the Denodo Platform. The following diagram

More information

Authentication Methods

Authentication Methods Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the

More information

WINDOWS 2000 Training Division, NIC

WINDOWS 2000 Training Division, NIC WINDOWS 2000 Active TE Directory Services WINDOWS 2000 Training Division, NIC Active Directory Stores information about objects on the network and makes this information easy for administrators and users

More information

Setting Up Resources in VMware Identity Manager

Setting Up Resources in VMware Identity Manager Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

How To Use Saml 2.0 Single Sign On With Qualysguard

How To Use Saml 2.0 Single Sign On With Qualysguard QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,

More information

SAML application scripting guide

SAML application scripting guide Chapter 151 SAML application scripting guide You can use the generic SAML application template (described in Creating a custom SAML application profile) to add a SAML-enabled web application to the app

More information

T his feature is add-on service available to Enterprise accounts.

T his feature is add-on service available to Enterprise accounts. SAML Single Sign-On T his feature is add-on service available to Enterprise accounts. Are you already using an Identity Provider (IdP) to manage logins and access to the various systems your users need

More information

Active Directory Integration 855.426.7227. www.onelogin.com twitter.com/onelogin ONELOGIN WHITEPAPER

Active Directory Integration 855.426.7227. www.onelogin.com twitter.com/onelogin ONELOGIN WHITEPAPER Active Directory Integration Even as enterprises continue to adopt more cloud applications, Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) still play a critical role in how information

More information

fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé

fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé fåíéêåéí=péêîéê=^çãáåáëíê~íçêûë=dìáçé Internet Server FileXpress Internet Server Administrator s Guide Version 7.2.1 Version 7.2.2 Created on 29 May, 2014 2014 Attachmate Corporation and its licensors.

More information

Bitrix Site Manager 4.1. User Guide

Bitrix Site Manager 4.1. User Guide Bitrix Site Manager 4.1 User Guide 2 Contents REGISTRATION AND AUTHORISATION...3 SITE SECTIONS...5 Creating a section...6 Changing the section properties...8 SITE PAGES...9 Creating a page...10 Editing

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

Using LDAP Authentication in a PowerCenter Domain

Using LDAP Authentication in a PowerCenter Domain Using LDAP Authentication in a PowerCenter Domain 2008 Informatica Corporation Overview LDAP user accounts can access PowerCenter applications. To provide LDAP user accounts access to the PowerCenter applications,

More information

NSi Mobile Installation Guide. Version 6.2

NSi Mobile Installation Guide. Version 6.2 NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...

More information

Installation and Configuration Guide

Installation and Configuration Guide Installation and Configuration Guide BlackBerry Resource Kit for BlackBerry Enterprise Service 10 Version 10.2 Published: 2015-11-12 SWD-20151112124827386 Contents Overview: BlackBerry Enterprise Service

More information

Web Applications Access Control Single Sign On

Web Applications Access Control Single Sign On Web Applications Access Control Single Sign On Anitha Chepuru, Assocaite Professor IT Dept, G.Narayanamma Institute of Technology and Science (for women), Shaikpet, Hyderabad - 500008, Andhra Pradesh,

More information

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web Agent for Terminal Services Web and Remote Desktop Web 2010 CRYPTOCard Corp. All rights reserved. http:// www.cryptocard.com Copyright Copyright 2010, CRYPTOCard All Rights Reserved. No part of this publication

More information

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE Identity Management in Liferay Overview and Best Practices Liferay Portal 6.0 EE Table of Contents Introduction... 1 IDENTITY MANAGEMENT HYGIENE... 1 Where Liferay Fits In... 2 How Liferay Authentication

More information

How To - Implement Clientless Single Sign On Authentication with Active Directory

How To - Implement Clientless Single Sign On Authentication with Active Directory How To Implement Clientless Single Sign On in Single Active Directory Domain Controller Environment How To - Implement Clientless Single Sign On Authentication with Active Directory Applicable Version:

More information

Single Sign-on (SSO) technologies for the Domino Web Server

Single Sign-on (SSO) technologies for the Domino Web Server Single Sign-on (SSO) technologies for the Domino Web Server Jane Marcus December 7, 2011 2011 IBM Corporation Welcome Participant Passcode: 4297643 2011 IBM Corporation 2 Agenda USA Toll Free (866) 803-2145

More information

How To Take Advantage Of Active Directory Support In Groupwise 2014

How To Take Advantage Of Active Directory Support In Groupwise 2014 White Paper Collaboration Taking Advantage of Active Directory Support in GroupWise 2014 Flexibility and interoperability have always been hallmarks for Novell. That s why it should be no surprise that

More information

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Administration Guide

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Administration Guide BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2 Administration Guide Published: 2010-06-16 SWDT487521-1041691-0616023638-001 Contents 1 Overview: BlackBerry Enterprise

More information

Oracle Enterprise Single Sign-On Provisioning Gateway. Administrator's Guide Release 11.1.2 E27317-02

Oracle Enterprise Single Sign-On Provisioning Gateway. Administrator's Guide Release 11.1.2 E27317-02 Oracle Enterprise Single Sign-On Provisioning Gateway Administrator's Guide Release 11.1.2 E27317-02 August 2012 Oracle Enterprise Single Sign-On Provisioning Gateway, Administrator's Guide, Release 11.1.2

More information

Authentication and Single Sign On

Authentication and Single Sign On Contents 1. Introduction 2. Fronter Authentication 2.1 Passwords in Fronter 2.2 Secure Sockets Layer 2.3 Fronter remote authentication 3. External authentication through remote LDAP 3.1 Regular LDAP authentication

More information

Okta/Dropbox Active Directory Integration Guide

Okta/Dropbox Active Directory Integration Guide Okta/Dropbox Active Directory Integration Guide Okta Inc. 301 Brannan Street, 3rd Floor San Francisco CA, 94107 info@okta.com 1-888- 722-7871 1 Table of Contents 1 Okta Directory Integration Edition for

More information

Smart Card Authentication. Administrator's Guide

Smart Card Authentication. Administrator's Guide Smart Card Authentication Administrator's Guide October 2012 www.lexmark.com Contents 2 Contents Overview...4 Configuring the applications...5 Configuring printer settings for use with the applications...5

More information

User Identification and Authentication

User Identification and Authentication User Identification and Authentication Vital Security 9.2 Copyright Copyright 1996-2008. Finjan Software Inc.and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included

More information

LDAP User Guide PowerSchool Premier 5.1 Student Information System

LDAP User Guide PowerSchool Premier 5.1 Student Information System PowerSchool Premier 5.1 Student Information System Document Properties Copyright Owner Copyright 2007 Pearson Education, Inc. or its affiliates. All rights reserved. This document is the property of Pearson

More information

Identity Implementation Guide

Identity Implementation Guide Identity Implementation Guide Version 37.0, Summer 16 @salesforcedocs Last updated: May 26, 2016 Copyright 2000 2016 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com,

More information

www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012

www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012 www.novell.com/documentation Jobs Guide Identity Manager 4.0.1 February 10, 2012 Legal Notices Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation,

More information

BlackBerry Enterprise Service 10 version 10.2 preinstallation and preupgrade checklist

BlackBerry Enterprise Service 10 version 10.2 preinstallation and preupgrade checklist BlackBerry Enterprise Service version.2 preinstallation and preupgrade checklist Verify that the following requirements are met before you install or upgrade to BlackBerry Enterprise Service version.2.

More information

Evaluation of different Open Source Identity management Systems

Evaluation of different Open Source Identity management Systems Evaluation of different Open Source Identity management Systems Ghasan Bhatti, Syed Yasir Imtiaz Linkoping s universitetet, Sweden [ghabh683, syeim642]@student.liu.se 1. Abstract Identity management systems

More information

Deploying RSA ClearTrust with the FirePass controller

Deploying RSA ClearTrust with the FirePass controller Deployment Guide Deploying RSA ClearTrust with the FirePass Controller Deploying RSA ClearTrust with the FirePass controller Welcome to the FirePass RSA ClearTrust Deployment Guide. This guide shows you

More information

IPedge Feature Desc. 5/25/12

IPedge Feature Desc. 5/25/12 OVERVIEW IPedge Enterprise Manager Active Directory Sync (ADSync) is a feature that automatically configures telephone users in the IPedge system based on data entry in the Active Directory service. Active

More information

LifeSize Video Center Administrator Guide March 2011

LifeSize Video Center Administrator Guide March 2011 LifeSize Video Center Administrator Guide March 2011 LifeSize Video Center 2200 LifeSize Video Center Adminstrator Guide 2 Administering LifeSize Video Center LifeSize Video Center is a network server

More information

INTEGRATION GUIDE. DIGIPASS Authentication for VMware Horizon Workspace

INTEGRATION GUIDE. DIGIPASS Authentication for VMware Horizon Workspace INTEGRATION GUIDE DIGIPASS Authentication for VMware Horizon Workspace Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided 'as is';

More information

Centrify Cloud Connector Deployment Guide

Centrify Cloud Connector Deployment Guide C E N T R I F Y D E P L O Y M E N T G U I D E Centrify Cloud Connector Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as

More information

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce SafeNet Authentication Service Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

Version 1.0. 2012 Devolutions inc.

Version 1.0. 2012 Devolutions inc. Version 1.0 2 Remote Desktop Manager Server (Version 1.0) Table of Contents Foreword Part I Getting Started 0 4 1 What is... Remote Desktop Manager Server? 4 2 Features... 5 3 System... Requirements 6

More information

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server INTEGRATION GUIDE DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is

More information

Configuration Worksheets for Oracle WebCenter Ensemble 10.3

Configuration Worksheets for Oracle WebCenter Ensemble 10.3 Configuration Worksheets for Oracle WebCenter Ensemble 10.3 This document contains worksheets for installing and configuring Oracle WebCenter Ensemble 10.3. Print this document and use it to gather the

More information

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365 Configuring Single Sign-On from the VMware Identity Manager Service to Office 365 VMware Identity Manager JULY 2015 V1 Table of Contents Overview... 2 Passive and Active Authentication Profiles... 2 Adding

More information

Configure Directory Integration

Configure Directory Integration Client Configuration for Directory Integration, page 1 Client Configuration for Directory Integration You can configure directory integration through service profiles using Cisco Unified Communications

More information