
If your institution uses LDAP (or Active Directory), or has implemented Shibboleth single sign-on, you can enable either as an Identity Provider (IDP) for your Ensemble Video Institution. You can also create multiple IDPs for your institution if you have more than one LDAP or use both LDAP and Shibboleth. Once configured, an IDP can be used to authenticate your users as they access Ensemble Video. An IDP can also be used with auto-provisioning to automatically create appropriate system permissions and access for new users within Ensemble Video.

Creating an LDAP Identity Provider

Screenshot of the Identity Providers Menu

To configure an LDAP IDP, go to the Identity Provider control, click +Add, and select LDAP from the menu.

Screenshot of Adding the LDAP Identity Provider

In the IDP form, you will need to enter a Name for the Identity Provider. This should be something descriptive, like Rose Hill LDAP. You will also need to provide a Domain, which will be something like rosehill.org. This is the domain that will be associated with the Identity Provider, and it enables external integrations (such as Canvas or Brightspace) to properly identify access and permissions for a user within Ensemble Video.

Form for configuring an LDAP Identity Provider
Screenshot of the LDAP Configuration Form

Creating a Shibboleth Identity Provider

To configure a Shibboleth IDP, go to the Identity Provider control, click +Add, and select Shibboleth from the menu.

Screenshot of Adding Shibboleth IP

In the IDP form, you will need to enter a Name for the Identity Provider. This should be something descriptive, like “Rose Hill Shibboleth”. You will also need to provide a Domain, which should match whatever comes after the @ in the EPPN; typically the EPPN matches the email address. This is also the domain that will be associated with the Identity Provider, and it enables external integrations (such as Canvas or Brightspace) to properly identify access and permissions for a user within Ensemble Video.

Form for configuring a Shibboleth Identity Provider
Screenshot of the Shibboleth Form

To implement Shibboleth-based authentication for on-premise Ensemble Video installations, you will need to work with the Ensemble Video Technical Support Team to configure Shibboleth Service Provider software on your Ensemble Video server. Contact support@ensemblevideo.com for more information.

Once you create any LDAP or Shibboleth authentication source, it will appear in the list of authentication sources, and you can Delete or Edit as needed.

Configuring Automatic Account Creation

To configure Automatic Account Provisioning for any of your authentication sources, click the Action button for the Identity Provider you want to configure, and then select Provision from the menu. Then click +Add to add a new Provisioning Rule.

Screenshot of the Provisioning Button 

List of Provisioning Rules for an authentication source
Screenshot of Provisioning Rules Order

Auto-Provisioning Multiple Roles

Starting in version 4.5, users can be auto-provisioned into multiple libraries, and given additional roles like Use Live Streaming and Record Ensemble Anthem. This is especially useful when you want all new users to have access to these features.

Screenshot of the Auto Provision Controls in Ensemble 4.5

LDAP Provisioning Rules

LDAP Group is used to determine how a new user is provisioned in Ensemble Video when he or she logs in for the first time. Enter an LDAP Group name, or click on the Search icon and then choose a group from the dropdown menu at the bottom of the form, to select a Group. You can also enter an asterisk (“*”) as a Group, which applies to all LDAP users (a “wildcard” specification that will match ANY user who can log in using your LDAP repository).

For each group (or for any LDAP user with the wildcard “*”), you can specify what Organization the user’s account is created in, what Library they are associated with as their Home Library, and what permission level they’re assigned. Note that you can specify “– Auto-Create –” for the Library, in which case a new Library is created for the user when they first log in.

Form for configuring an LDAP Provisioning Rule
Screenshot of Provision Rule Settings

Shibboleth Provisioning Rules

HTTP Affiliation (e.g., faculty, staff, or student) is used to determine how a new user is provisioned when he or she accesses Ensemble Video for the first time. Just enter an appropriate HTTP Affiliation in the Group entry. You can also enter an asterisk (“*”) as a Group, which applies to all Shibboleth users (a “wildcard” specification that will match ANY user who can authenticate using your institution’s Shibboleth single sign-on setup).

Form for configuring a Shibboleth Provisioning Rule
Screenshot of Shibboleth Provision Rules

For each Group (or for any Shibboleth user with the wildcard “*”), you can specify what Organization the user’s account is created in, what Library they are associated with as their Home Library, and what permission level they’re assigned. Note that you can specify “–Auto-Create–” for the Library, which tells the system to create a new Library for the user when they first log in.

Ordering Provisioning Rules

At many institutions, some users belong to more than one LDAP Group, or are associated with more than one Shibboleth HTTP Affiliation (e.g., staff who are also students). For that reason, Provisioning Rules are set up with a priority order, so users are provisioned with the higher priority group or affiliation. The priorities can be viewed and modified in the list of Provisioning Rules for a given authentication source.

List of Provisioning Rules for an authentication source
Screenshot of Provisioning Rules Order

Just click the up/down arrow buttons to move a rule to a higher or lower priority. In the above example, when a user gains access to Ensemble Video for the first time using Shibboleth single sign-on, and they have both faculty and staff HTTP Affiliation, their account will be created using the “Faculty” Provisioning Rule, since it’s the top priority. The same mechanism for ordering Provisioning Rules works for LDAP-based authentication sources and Provisioning Rules.
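The following is an added example, not Ensemble Video's own code: a small Python model of the priority order described above, useful for reviewing a rule list before relying on it. It assumes the wildcard “*” is evaluated in the same priority order as named groups; the Rule type, the permission labels and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass

WILDCARD = "*"

@dataclass(frozen=True)
class Rule:
    group: str         # LDAP Group or Shibboleth HTTP Affiliation, or "*"
    organization: str
    library: str       # a Home Library name, or the auto-create option
    permission: str    # hypothetical permission-level label

def resolve(rules, memberships):
    """Return the first rule, in priority order, that matches the user."""
    member_of = set(memberships)
    for rule in rules:
        if rule.group == WILDCARD or rule.group in member_of:
            return rule
    return None  # no rule matched in this model

def shadowed(rules):
    """Rules that can never apply: below a wildcard, or a repeated group."""
    seen, dead, wildcard_hit = set(), [], False
    for rule in rules:
        if wildcard_hit or rule.group in seen:
            dead.append(rule)
        seen.add(rule.group)
        wildcard_hit = wildcard_hit or rule.group == WILDCARD
    return dead

# Constructed sample rule list, highest priority first.
RULES = [
    Rule("faculty", "Rose Hill", "– Auto-Create –", "Contributor"),
    Rule("staff", "Rose Hill", "Staff Library", "Contributor"),
    Rule("*", "Rose Hill", "General Library", "Viewer"),
    Rule("student", "Rose Hill", "Student Library", "Viewer"),
]

if __name__ == "__main__":
    for who in (["staff", "faculty"], ["student"], ["alum"]):
        rule = resolve(RULES, who)
        print(who, "->", rule.group if rule else None)
    # A wildcard above "student" means the student rule is never reached.
    print("never applied:", [r.group for r in shadowed(RULES)])
```

In this model a wildcard rule matches every user who can authenticate, so it belongs at the bottom of the list with the lowest permission level you are willing to grant by default.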

Assigning Identity Providers to an Institution

Once an identity provider is configured, you can control which institution(s) can log in using the identity provider. Visit the Branding settings for an institution for this setting.