How to map groups in MediaValet for AAD-SAML single-sign-on integration?

When integrating with Azure Active Directory using the SAML protocol, Azure sends MediaValet only the user group's ObjectId, not the group's name. Group mapping in MediaValet therefore has to be done by ObjectId.

Follow the steps below to set up, assign and map user groups in Azure Active Directory:

1) Navigate to the MediaValet SAML application set up in your Azure AD Tenant

2) Click on the "Users and groups" section to manage which users and groups will need access to MediaValet.

3) From here, ensure all relevant groups and users are assigned to the SAML application.

4) Next, these groups will need to be mapped in MediaValet on the "Authorization Rules" page. This page can be accessed as shown below:

  • As an Admin user for your MediaValet library, click on the gear icon and select "Users" from the drop-down menu:

  • From the User Management page, click on the "Authorization Rules" button found on the far-right side:

5) From the Authorization Rules page, a group claim will need to be added for each group assigned to the MediaValet SAML application in Azure:

  • In the "Claim Name" field, enter "groups", or the entire schema URL if you are using the default group claim settings in Azure:
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups

  • In the second column, select "Equals"

  • Under the "RULE" column, input the relevant Azure group's ObjectId (this is the Object ID value assigned to the group in your Azure AD tenant), as shown in the example below:
    [Screenshot: Azure AD group Object ID]

  • Under "Action", select "Authorize As"

  • Under "MediaValet Group", select the group set up in MediaValet that you wish to authorize the mapped Azure group as.

  • Click "Add" to add the group claim to the list of rules

An example of what a group claim should look like can be seen below:
[Screenshot: example group claim rule on the Authorization Rules page]

6) Once you have completed adding all group rules, select "Save" to submit the changes and you should be all set!

Notes:

  • During the set-up process, your Onboarding/Customer Success Manager will work with you to set up users and groups in MediaValet.

    • Either the same number of groups can be set up in Azure Active Directory, or one generalized MediaValet group can be set up, after which user permissions can be managed from MediaValet's User Management page.

    • This generalized group can then be referenced as a fallback rule on the role-mapping page.


  • Once claims have been set up on the role-mapping page, we advise waiting 5-10 minutes before having a user test logging in.

  • When setting up the group claim in Azure AD, ensure the group claim is set up exactly as below:

    • The Name should read as
      groups
    • The Namespace should read as
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims
      • NOTE: Do not add a "/" after "claims" in the Namespace value. Microsoft appends the "/" automatically, so adding one yourself malforms the group claim being sent to us.
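The rule evaluation in step 5 and the two notes above (the fallback rule and the malformed namespace) can be checked offline against a SAML assertion. The following is an added example, not MediaValet's or Microsoft's code: it parses the group attribute out of a constructed SAML assertion, applies a rule table shaped like the Authorization Rules page ("Claim Name", "Equals", ObjectId, "Authorize As", MediaValet group), falls back to a generalized group when nothing matches, and flags a group claim whose name carries the doubled slash that a trailing "/" in the Namespace produces. The Rule model, the assumption that a rule's claim name may be either "groups" or the full URL, and the ObjectIds are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Azure AD's default group claim: namespace + "/groups". A trailing "/" typed into
# the Namespace field yields ".../claims//groups", which no Equals rule will match.
CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
GROUPS_CLAIM = CLAIMS_NS + "/groups"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


@dataclass(frozen=True)
class Rule:
    """One row of the Authorization Rules page (hypothetical model, not MediaValet's)."""
    claim_name: str  # "groups" or the full schema URL
    operator: str    # only "Equals" is modelled here
    value: str       # Azure AD group ObjectId
    action: str      # "Authorize As"
    mv_group: str    # MediaValet group to authorize the user as


def extract_claims(assertion_xml: str) -> Dict[str, List[str]]:
    """Map each <saml:Attribute> Name to the list of its AttributeValue texts."""
    root = ET.fromstring(assertion_xml)
    claims: Dict[str, List[str]] = {}
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip()
                  for v in attr.findall("{%s}AttributeValue" % SAML_NS)]
        claims.setdefault(name, []).extend(values)
    return claims


def claim_name_matches(rule_name: str, attr_name: str) -> bool:
    """Assumption: a rule may name the claim by short name or by full URL."""
    return attr_name == rule_name or attr_name == CLAIMS_NS + "/" + rule_name


def authorize(claims: Dict[str, List[str]], rules: List[Rule],
              fallback_group: Optional[str] = None) -> List[str]:
    """Return the MediaValet groups granted by the rules, or the fallback group."""
    granted = set()
    for rule in rules:
        if rule.operator != "Equals" or rule.action != "Authorize As":
            continue
        for attr_name, values in claims.items():
            if claim_name_matches(rule.claim_name, attr_name) and rule.value in values:
                granted.add(rule.mv_group)
    if not granted and fallback_group is not None:
        granted.add(fallback_group)
    return sorted(granted)


def find_malformed_group_claims(claims: Dict[str, List[str]]) -> List[str]:
    """Claim names that look like the groups claim but are not exactly it."""
    return sorted(n for n in claims
                  if n.startswith(CLAIMS_NS) and n.endswith("groups") and n != GROUPS_CLAIM)


def _assertion(group_claim_name: str) -> str:
    # Constructed, minimal assertion fragment; the ObjectIds are placeholders.
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{group_claim_name}">
      <saml:AttributeValue>00000000-0000-0000-0000-00000000aaaa</saml:AttributeValue>
      <saml:AttributeValue>00000000-0000-0000-0000-00000000bbbb</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


GOOD_ASSERTION = _assertion(GROUPS_CLAIM)
MALFORMED_ASSERTION = _assertion(CLAIMS_NS + "//groups")  # trailing "/" in Namespace

# Constructed rule table: one rule by short name, one by full URL (group "cccc" is not
# in the assertion, so "Sales" should never be granted here).
RULES = [
    Rule("groups", "Equals", "00000000-0000-0000-0000-00000000aaaa", "Authorize As", "Marketing"),
    Rule(GROUPS_CLAIM, "Equals", "00000000-0000-0000-0000-00000000cccc", "Authorize As", "Sales"),
]

if __name__ == "__main__":
    for label, xml in (("good", GOOD_ASSERTION), ("malformed", MALFORMED_ASSERTION)):
        claims = extract_claims(xml)
        print(label, "->", authorize(claims, RULES, fallback_group="General Users"),
              "malformed claims:", find_malformed_group_claims(claims))
```

Running the script shows the well-formed assertion authorizing the user into "Marketing", while the assertion with the doubled slash matches no rule, lands in the fallback group, and is reported by find_malformed_group_claims; that report is the check to run first when a user logs in with fewer rights than expected.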

For more information on how to navigate our Authorization Rules page, check out the attached guide!
