When integrating with Azure Active Directory (Microsoft Entra ID) over the SAML protocol, Azure sends MediaValet only the user group's Object ID, not the group's display name, so group mappings in MediaValet must be keyed on the Object ID.
Follow the steps below to set up, assign and map user groups in Entra/Azure Active Directory:
1) Navigate to the MediaValet SAML application set up in your Entra/Azure AD tenant
2) Click on the "Users and groups" section to manage which users and groups will need access to MediaValet
3) From here, ensure all relevant groups and users are assigned to the SAML application.
4) Next, these groups will need to be mapped in MediaValet on the "Authorization Rules" page. This page can be accessed as shown below:
- As an Admin user for your MediaValet library, click on the gear icon and select "Users" from the drop-down menu:
- From the User Management page, click on the "Authorization Rules" button found on the far-right side:
5) From the Authorization Rules page, a group claim will need to be added for each group assigned to the MediaValet SAML application in Azure:
- In the "Claim Name" field, input the entire claim name (namespace plus name). With the group claim configured as described in the Notes at the end of this article, this is:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups
- In the second column, select "Equals"
- Under the "RULE" column, input the relevant Azure group's Object ID (this is the value assigned to the group in your Azure AD tenant, as shown in the example below):
- Under "Action", select "Authorize As"
- Under "MediaValet Group", select the group set up in MediaValet that the mapped Azure group should be authorized as.
- Click "Add" to add the group claim to the list of rules
An example of what a group claim should look like can be seen below:
6) Once you have completed adding all group rules, select "Save" to submit the changes and you should be all set!
Notes:
- During the set-up process, your Onboarding/Customer Success Manager will work with you to set up users and groups in MediaValet.
- The same number of groups can be set up in Azure Active Directory as in MediaValet, or one generalized MediaValet group can be set up, after which user permissions are managed from MediaValet's User Management page.
- That generalized group can then be referenced as a fallback/catch-all rule on the Authorization Rules page.
- Once rules have been saved on the Authorization Rules page, we advise waiting 5-10 minutes before having a user test logging in.
- When setting up the group claim in Azure AD, ensure the group claim is set up exactly as below:
- The Name should read as
groups
- The Namespace should read as
http://schemas.xmlsoap.org/ws/2005/05/identity/claims
NOTE: Do not add a trailing / after "claims" in the Namespace value. Microsoft inserts the / between the Namespace and the Name automatically, so a trailing / produces a malformed group claim name (containing "//") that will not match the rule configured in MediaValet.
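The following is an added example, not MediaValet's or Microsoft's code, that models what steps 5 and 6 and the Notes above describe: it joins the Azure claim Name and Namespace the way Microsoft does, reads the groups attribute out of a SAML assertion, and evaluates "Equals / Authorize As" rules keyed on group Object IDs, with a generalized MediaValet group as the catch-all. The SAML assertion, the group Object IDs and the MediaValet group names ("Marketing", "Legal", "All Users") are constructed for the example and are not real tenant values. It also shows the failure mode from the final note: a Namespace with a trailing slash yields a claim name containing "//" that matches no rule, so every user falls through to the catch-all.

```python
"""Model of MediaValet Authorization Rules for Azure AD SAML group claims.

Added example (not vendor code). Group Object IDs, the assertion and the
MediaValet group names below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Group claim as configured in the Azure portal (see the Notes): Name + Namespace.
CLAIM_NAMESPACE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
CLAIM_NAME = "groups"

# Constructed Azure AD group Object IDs (assumed values, not a real tenant's).
MARKETING_OID = "11111111-1111-4111-8111-111111111111"
LEGAL_OID = "22222222-2222-4222-8222-222222222222"


def build_claim_name(namespace, name):
    """Microsoft inserts the '/' between Namespace and Name itself, so this is
    the attribute Name that arrives in the assertion. A Namespace that already
    ends in '/' therefore yields '...claims//groups', which no rule matches."""
    return f"{namespace}/{name}"


def namespace_is_wellformed(namespace):
    """Pre-flight check for the trailing-slash mistake described in the Notes."""
    return not namespace.endswith("/")


# Rules exactly as they would be entered on the Authorization Rules page:
# (Claim Name, operator, Rule value = group Object ID, Action, MediaValet Group).
RULES = [
    (build_claim_name(CLAIM_NAMESPACE, CLAIM_NAME), "Equals", MARKETING_OID, "Authorize As", "Marketing"),
    (build_claim_name(CLAIM_NAMESPACE, CLAIM_NAME), "Equals", LEGAL_OID, "Authorize As", "Legal"),
]
CATCHALL_GROUP = "All Users"  # generalized MediaValet group used as the fallback rule


def constructed_assertion(claim_name, object_ids):
    """Build a minimal SAML 2.0 assertion carrying one groups attribute.
    Constructed sample input; a real assertion also carries Subject,
    Conditions and a signature, which are out of scope here."""
    values = "".join(f"<saml:AttributeValue>{oid}</saml:AttributeValue>" for oid in object_ids)
    return (
        f'<saml:Assertion xmlns:saml="{SAML}">'
        "<saml:AttributeStatement>"
        f'<saml:Attribute Name="{claim_name}">{values}</saml:Attribute>'
        "</saml:AttributeStatement>"
        "</saml:Assertion>"
    )


def extract_attributes(assertion_xml):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement.
    Azure sends the group Object IDs as the values, never the group names."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text.strip() for v in attr.findall(f"{{{SAML}}}AttributeValue") if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def authorize(attrs, rules=RULES, catchall=CATCHALL_GROUP):
    """Evaluate the rules against the extracted attributes and return the
    MediaValet groups the user is authorized as. 'Equals' is an exact,
    case-sensitive match on the Object ID; if no rule matches, the
    catch-all group (if any) applies."""
    granted = []
    for claim_name, operator, value, action, mv_group in rules:
        if operator != "Equals" or action != "Authorize As":
            continue  # only the operator/action used in this article are modelled
        if value in attrs.get(claim_name, []) and mv_group not in granted:
            granted.append(mv_group)
    if not granted and catchall:
        granted.append(catchall)
    return granted


if __name__ == "__main__":
    ok = extract_attributes(constructed_assertion(build_claim_name(CLAIM_NAMESPACE, CLAIM_NAME), [MARKETING_OID]))
    print("well-formed claim ->", authorize(ok))
    bad = extract_attributes(constructed_assertion(build_claim_name(CLAIM_NAMESPACE + "/", CLAIM_NAME), [MARKETING_OID]))
    print("trailing-slash namespace ->", authorize(bad))
```

Running the block shows the well-formed claim authorizing the user as "Marketing" while the trailing-slash variant, carrying the same Object ID, falls through to "All Users". When troubleshooting a user who lands in the catch-all group unexpectedly, compare the attribute Name in the captured assertion against the Claim Name in the rule character by character before looking at the Object IDs.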