If your institution uses LDAP (or Active Directory), or has implemented Shibboleth single sign-on, you can enable either as an Identity Provider (IDP) for your Ensemble Video Institution. You can also create multiple IDPs for your institution, if you have more than one LDAP, or use both LDAP and Shibboleth. Once configured, an IDP can be used to authenticate your users as they access Ensemble Video. An IDP can also be used with auto-provisioning, to automatically create appropriate system permissions and access, for new users, within Ensemble Video.
- Creating an LDAP Identity Provider
- Creating a Shibboleth Identity Provider
- Configuring Automatic Account Creation
- LDAP Provisioning Rules
- Shibboleth Provisioning Rules
- Ordering Provisioning Rules
- Assigning Identity Providers to an Institution
- Configuring CAS Authentication
Creating an LDAP Identity Provider
In the IDP form, you will need to enter a Name for the Identity Provider. This should be something descriptive, like Rose Hill LDAP. You will also need to provide a Domain, which will be something like rosehill.org. This is the domain that will be associated with the Identity Provider, and that will enable external integrations (such as Canvas or Brightspace) to properly identify access and permissions for a user within Ensemble Video.
Form for configuring an LDAP Identity Provider
Creating a Shibboleth Identity Provider
To configure a Shibboleth IDP, go to the Identity Provider control, click +Add, and select Shibboleth from the menu.
In the IDP form, you will need to enter a Name for the Identity Provider. This should be something descriptive, like “Rose Hill Shibboleth”. You will also need to provide a Domain, which should match the scope that follows the @ in the user's EPPN (eduPersonPrincipalName); typically the EPPN matches the user's email address. This is also the domain that will be associated with the Identity Provider, and that will enable external integrations (such as Canvas or Brightspace) to properly identify access and permissions for a user within Ensemble Video.
Form for configuring a Shibboleth Identity Provider
To implement Shibboleth-based authentication for on-premises Ensemble Video installations, you will need to work with the Ensemble Video Technical Support Team to configure the Shibboleth Service Provider software on your Ensemble Video server. Contact firstname.lastname@example.org for more information.
Once you create an LDAP or Shibboleth authentication source, it will appear in the list of authentication sources, where you can Edit or Delete it as needed.
Configuring Automatic Account Creation
To configure Automatic Account Provisioning for any of your authentication sources, click the Action button for the Identity Provider you want to configure, and then select Provision from the menu. Then, click +Add to add a new Provisioning Rule.
In the top portion of the Provision Rules form, specify the default Organization and Library for automatically provisioned users (or you can choose to automatically generate a new library based on username). Select the proper role to be given as well - viewer, editor, contributor, or some kind of administrator.
Once the basic information is added for a rule, you can fill out the Additional Roles information if you would like to specify additional roles/permissions. Select the proper resource type and configure the role as needed. You can add as many additional roles as you would like. When you are done adding roles, click Save to save the provisioning rules; they will then be applied to any new user who logs in and satisfies the group criteria for that rule. See below for information about using LDAP and Shibboleth groups to control how automatic provisioning is applied to new users.
List of Provisioning Rules for an authentication source
LDAP Provisioning Rules
LDAP Group is used to determine how a new user is provisioned in Ensemble Video when he or she logs in for the first time. Enter an LDAP Group name, or click on the Search icon and then choose a group from the dropdown menu at the bottom of the form, to select a Group. You can also enter an asterisk (“*”) as a Group, which applies to all LDAP users (a “wildcard” specification that will match ANY user who can log in using your LDAP repository). For each group (or for any LDAP user with the wildcard “*”), you can specify what Organization the user’s account is created in, what Library they are associated with as their Home Library, and what permission level they’re assigned. Note that you can specify “-- Auto-Create --” for the Library, in which case a new Library is created for the user when they first log in.
Form for configuring an LDAP Provisioning Rule
Shibboleth Provisioning Rules
HTTP Affiliation (the affiliation attribute released by your Shibboleth setup, typically eduPersonAffiliation values such as faculty, staff, or student) is used to determine how a new user is provisioned when they access Ensemble Video for the first time. Just enter an appropriate HTTP Affiliation in the Group entry. You can also enter an asterisk (“*”) as a Group, which applies to all Shibboleth users (a “wildcard” specification that will match ANY user who can authenticate using your institution’s Shibboleth single sign-on setup).
For each Group (or for any Shibboleth user with the wildcard “*”) you can specify what Organization the user’s account is created in, what Library they are associated with as their Home Library, and what permission level they’re assigned. Note that you can specify “--Auto-Create--” for the Library, which tells the system to create a new Library for the user, when they first log in.
Ordering Provisioning Rules
For many institutions, there are some users who belong to more than one LDAP Group, or are associated with more than one Shibboleth HTTP Affiliation (e.g., staff who are also students). For that reason, Provisioning Rules are set up with a priority order, so such users are provisioned with the higher-priority group or affiliation. The priorities can be viewed and modified in the list of Provisioning Rules for a given authentication source.
List of Provisioning Rules for an authentication source
Click the up/down arrow buttons to move a rule to a higher or lower priority. In the above example, when a user gains access to Ensemble Video for the first time using Shibboleth single sign-on, and they have both faculty and student HTTP Affiliation, their account will be created using the “Faculty” Provisioning Rule, since it has the top priority. Because a wildcard (“*”) rule matches every user, it should sit at the lowest priority; any rule listed below a wildcard can never be selected. The same mechanism for ordering Provisioning Rules works for LDAP-based authentication sources and Provisioning Rules.
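The following is an added example, not Ensemble Video code, that models two pieces of this page in working form: matching a Shibboleth EPPN's scope against an Identity Provider's configured Domain (from the Shibboleth IDP section above), and resolving a first-time user against a priority-ordered list of Provisioning Rules, including the wildcard and "-- Auto-Create --" Library behaviours. The IDP names, domains, rule set, role names and user data are all constructed for illustration; the real product evaluates rules server-side and this code only reproduces the selection logic the page describes. It also adds a check the page implies but does not spell out: any rule placed below a wildcard rule is unreachable.

```python
"""Added example: priority-ordered provisioning rule resolution (hypothetical
data; not Ensemble Video's own code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

WILDCARD = "*"  # the "*" Group entry: matches any authenticated user


@dataclass(frozen=True)
class ProvisioningRule:
    group: str               # LDAP Group name, Shibboleth affiliation, or "*"
    organization: str        # Organization the new account is created in
    library: Optional[str]   # Home Library; None stands for "-- Auto-Create --"
    role: str                # e.g. Viewer, Editor, Contributor


@dataclass(frozen=True)
class ProvisionedAccount:
    username: str
    organization: str
    library: str
    role: str
    matched_group: str       # which rule's Group entry selected this outcome


def eppn_domain(eppn: str) -> str:
    """Scope after the '@' in an eduPersonPrincipalName, lower-cased ('' if unscoped)."""
    _, sep, scope = eppn.rpartition("@")
    return scope.lower() if sep else ""


def select_idp(eppn: str, idps: Dict[str, str]) -> Optional[str]:
    """Return the IDP whose configured Domain equals the EPPN scope, else None.
    An exact, case-insensitive comparison avoids accepting look-alike scopes."""
    scope = eppn_domain(eppn)
    for name, domain in idps.items():
        if scope and scope == domain.lower():
            return name
    return None


def provision(username: str, memberships: List[str],
              rules: List[ProvisioningRule]) -> Optional[ProvisionedAccount]:
    """Walk rules in priority order (index 0 = highest); the first match wins.
    A user who is both faculty and student gets whichever rule is listed first."""
    member_set = {m.lower() for m in memberships}
    for rule in rules:
        if rule.group == WILDCARD or rule.group.lower() in member_set:
            # "-- Auto-Create --": a new Library is generated from the username
            library = rule.library if rule.library is not None else f"{username}'s Library"
            return ProvisionedAccount(username, rule.organization, library, rule.role, rule.group)
    return None  # no rule matched and no wildcard: the user is not auto-provisioned


def shadowed_rules(rules: List[ProvisioningRule]) -> List[ProvisioningRule]:
    """Rules that can never fire because a wildcard rule sits above them."""
    for i, rule in enumerate(rules):
        if rule.group == WILDCARD:
            return rules[i + 1:]
    return []


# Constructed configuration, mirroring the page's Rose Hill example.
IDPS = {"Rose Hill Shibboleth": "rosehill.org"}

RULES = [  # already in priority order, as shown in the rule list UI
    ProvisioningRule("faculty", "Rose Hill", "Faculty Library", "Contributor"),
    ProvisioningRule("staff", "Rose Hill", "Staff Library", "Editor"),
    ProvisioningRule("student", "Rose Hill", None, "Viewer"),
    ProvisioningRule(WILDCARD, "Rose Hill", None, "Viewer"),
]


if __name__ == "__main__":
    print(select_idp("jdoe@rosehill.org", IDPS))                 # Rose Hill Shibboleth
    print(provision("jdoe", ["student", "faculty"], RULES))      # Faculty rule wins
    print(provision("guest1", ["alumni"], RULES))                # wildcard, auto-created library
    print(shadowed_rules([RULES[3], RULES[0]]))                  # faculty rule is unreachable
```

When reviewing a real rule list, run the equivalent of `shadowed_rules` mentally: a wildcard anywhere but the bottom quietly hands every new user the wildcard's role, and a wildcard at the bottom still grants a default account to every directory user who can log in, so give it the least-privileged role you are willing to hand out automatically.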
Assigning Identity Providers to an Institution
Once an identity provider is configured, you can control which institution(s) can log in using the identity provider. Visit the Branding settings for an institution for this setting.