Please follow the steps below to set up, assign and map user groups in Entra/Azure Active Directory:
1) Navigate to the MediaValet SAML application set up in your Entra/Azure AD Tenant
2) Click on the "Users and groups" section to manage which users and groups will need access to MediaValet
3) From here, ensure all relevant groups and users are assigned to the SAML application. Please see the notes at the end of this article regarding the creation of group claims.
4) Next, these groups will need to be mapped in MediaValet on the "Authorization Rules" page. This page can be accessed as shown below:
As an Administrator user for your MediaValet library, click on the settings gear and select "Users" from the drop-down menu.
From the User Management page, click on the "Authorization Rules" button found on the far-right side:
5) From the Authorization Rules page, add a group claim rule for each group assigned to the MediaValet SAML application in Azure. Note that when integrating with Azure Active Directory over SAML, Azure sends MediaValet the group's Object ID (a GUID), not its display name, so each rule must match on the Object ID. This is also the safer identifier: the Object ID does not change if the group is later renamed.
- In the "Claim Name" field, enter the full claim URI. With the group claim configured as described in the notes at the end of this article, this is:
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups
- In the second column, select "Equals".
- Under the "Rule" column, enter the Object ID of the Azure group (the GUID assigned to the group in your Azure AD tenant; it is shown on the group's overview page in the Azure portal, as in the example below).
- Under "Action", select "Authorize As".
- Under "MediaValet Group", select the MediaValet group that members of the mapped Azure group should be authorized as.
- Click "Add" to add the group rule to the list of rules.
An example of what a group claim should look like can be seen below:
Catch-all/Default rule:
If users in your SSO tenant have not yet been added to a MediaValet group, we recommend setting up a default or "catch-all" rule. When such a user logs in via SSO, instead of receiving an error stating they are not authorized, their account is created automatically and placed in the default group. Give this group minimal permissions (for example a Guest group, or any group you configure with a deliberately limited permission set), because every user who completes SSO and matches no other rule lands in it. For the same reason, keep access to the MediaValet application in Azure limited to the users and groups you assigned in step 3: with a catch-all in place, that assignment is the gate that decides who can sign in at all.
6) Once you have completed adding all group rules, select "Save" to submit the changes and you should be all set!
Notes:
Rules do not have to be based on group membership. For example, you can create rules on the email-address claim:
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress Equals "john.doe@company.com", Authorize As "Administrator" (John Doe receives Administrator permissions).
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress Contains "company.com", Authorize As "Guest" (users logging in with that email domain automatically receive Guest permissions).
Caveat: "Contains" is a substring match, so "company.com" also matches any address that merely contains that string, such as an address at another domain like company.com.example (a B2B guest in your tenant can carry an external address in this claim). Use "Contains" only for low-privilege mappings such as Guest, and use "Equals" with the full address for any rule that grants administrative rights.
Set-up notes:
- During the set-up process, your Onboarding/Customer Success Manager will work with you to set up users and groups in MediaValet.
- You can either create the same set of groups in MediaValet as you have in Azure Active Directory, or create one generalized MediaValet group and then manage user permissions from MediaValet's User Management page.
- That generalized group can then be referenced as the fallback/catch-all rule on the role-mapping (Authorization Rules) page.
- Once claims have been set up on the role-mapping page, we advise waiting 5-10 minutes before having a user test logging in.
When setting up the group claim in Azure AD, configure it exactly as follows:
- Name: groups
- Namespace: http://schemas.xmlsoap.org/ws/2005/05/identity/claims
NOTE: Do not add a trailing "/" after "claims" in the Namespace value. Microsoft joins the namespace and the name with a "/" automatically, so a trailing slash produces a doubled slash in the claim name sent to MediaValet, and the group rules you added above will not match it.
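The rule-evaluation logic described in step 5, the catch-all behaviour, the email-claim examples in the notes, and the malformed-namespace pitfall above can all be checked offline against a SAML trace. The following is an added example written for this article; it is not MediaValet's or Microsoft's code, and it does not know how MediaValet itself orders or prioritizes rules (the first-match-wins order here is an assumption). The assertion XML, the GUIDs, the group names ("Marketing", "Editors") and the addresses are constructed placeholders. To use it on real data, replace SAMPLE_ASSERTION with the decoded assertion from a browser SAML trace of a test login.

```python
"""Added example, not MediaValet or Microsoft code: read the claims out of an
Azure AD SAML assertion, check that the group claim arrived well-formed, and
evaluate MediaValet-style Authorization Rules (Equals / Contains, Authorize As)
against those claims, including a catch-all default group."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS_NAMESPACE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
GROUPS_CLAIM = CLAIMS_NAMESPACE + "/groups"
EMAIL_CLAIM = CLAIMS_NAMESPACE + "/emailaddress"

# Constructed assertion fragment: what a browser SAML trace shows after the group
# claim is configured as described in this article. GUIDs and addresses are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.doe@company.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/groups">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
      <saml:AttributeValue>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# The same assertion as it arrives when the Namespace was entered with a trailing "/":
# Microsoft adds its own "/", so the claim name becomes ".../claims//groups".
MALFORMED_ASSERTION = SAMPLE_ASSERTION.replace("claims/groups", "claims//groups")


def extract_claims(assertion_xml: str) -> dict[str, list[str]]:
    """Return {claim name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims: dict[str, list[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        claims.setdefault(attr.get("Name", ""), []).extend(values)
    return claims


def check_group_claim(claims: dict[str, list[str]]) -> list[str]:
    """Things to verify in a SAML trace before adding group rules."""
    problems = []
    for name in claims:
        # "//" after the scheme means a trailing slash was typed into the Namespace field
        if "//" in name.split("://", 1)[-1]:
            problems.append(f"malformed claim name (doubled slash): {name}")
    if GROUPS_CLAIM not in claims:
        problems.append(f"no {GROUPS_CLAIM} claim: check the group claim and the app assignment in Azure")
    return problems


@dataclass(frozen=True)
class Rule:
    claim: str     # "Claim Name" column
    operator: str  # "Equals" or "Contains"
    value: str     # "Rule" column: an Object ID for group rules, an address for email rules
    group: str     # "MediaValet Group" to Authorize As


def rule_matches(rule: Rule, claims: dict[str, list[str]]) -> bool:
    """Object IDs are GUIDs and email addresses are case-insensitive, so compare case-folded."""
    op, wanted = rule.operator.casefold(), rule.value.casefold()
    for value in claims.get(rule.claim, []):
        v = value.casefold()
        if (op == "equals" and v == wanted) or (op == "contains" and wanted in v):
            return True
    return False


def authorize(claims: dict[str, list[str]], rules: list[Rule],
              default_group: Optional[str] = None) -> Optional[str]:
    """Return the MediaValet group for this login. First matching rule wins (an assumption
    of this example); with no match the catch-all group applies; with no catch-all, None
    means the user is refused as not authorized."""
    for rule in rules:
        if rule_matches(rule, claims):
            return rule.group
    return default_group


# Placeholder rule set mirroring the article: one email rule, one rule per Azure group.
RULES = [
    Rule(EMAIL_CLAIM, "Equals", "john.doe@company.com", "Administrator"),
    Rule(GROUPS_CLAIM, "Equals", "11111111-2222-3333-4444-555555555555", "Marketing"),
    Rule(GROUPS_CLAIM, "Equals", "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "Editors"),
]

if __name__ == "__main__":
    for label, xml_text in (("good", SAMPLE_ASSERTION), ("malformed", MALFORMED_ASSERTION)):
        claims = extract_claims(xml_text)
        print(label, "->", authorize(claims, RULES, default_group="Guest"), check_group_claim(claims))
```

Two things the run makes visible that the instructions alone do not: the malformed assertion is not rejected by anything, it simply matches no group rule and silently falls into whichever catch-all you configured, which is why the page's advice to verify a test login after waiting matters; and a rule such as `Rule(EMAIL_CLAIM, "Contains", "company.com", "Guest")` will also match an address at company.com.example, so keep "Contains" rules pointed at low-privilege groups.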