LDAP offers a single sign on solution, usable on a wide range of websites. LDAP relies upon the client browser, the application, in this case, YuJa, and the LDAP server, with authentication information available.
The Video Platform's flexible SSO Module Provider framework is designed to support a wide variety of identity solutions, enabling full integration of LDAP into your infrastructure.
Setting up the LDAP SSO System
Setup involves providing the Video Platform with the configuration parameters from your LDAP server, then testing and creating a new SSO system for your organization's domain. Once successfully tested, activating the new LDAP system will make it available for all users of your organization.
- Login to the Video Platform as an Administrator.
- Choose Admin Panel from the Main Menu and select the Integrations tab.
- Click on Select an API to Configure and choose SSO-LDAP.
Section Parameter Description Example Access Credentials LDAP URL The LDAP URL; the Video Platform will use this URL to access LDAP. Ldaps://www.example.com:636/ Access Credentials Anonymous Login If allowed, the Video Platform will not need credentials to access the LDAP URL. N/A Access Credentials Manager DN The credentials of an LDAP user which YuJa can use to access the LDAP URL. cn=YuJaManager,ou=Users,dc=example,dc=com Access Credentials Manager PW The credentials of an LDAP user which YuJa can use to access the LDAP URL. The password of the LDAP user User Requirements Base User DN The container which the Video Platform should search for groups. ou=Users,dc=example,dc=com User Requirements Username Attribute The user property describing their username. sAMAccountName User Requirements Disable Username Filter If checked, the username filter (userNameAttr=loginUserName) will not be applied and only the Other Attributes Filter will be used. N/A User Requirements Other Attributes Filter Other properties that users must have. Leave empty for no additional filters (& (objectClass=user) (sn=*)) Group Requirements Filter by Groups If checked, LDAP access to users will be limited in certain groups. N/A Group Requirements Base Group DN The container which the Video Platform should search for groups. ou=Groups,dc=example,dc=com Group Requirements Allowed Groups Set of white-listed groups, comma separated. cn=Math, cn=Software Group Requirements Group Membership Attribute The user property describing group membership. memberOf User Provisioning Given Name Attribute The user property describing the user's given name. givenName User Provisioning Family Name Attribute The user property describing the user's family name. sn User Provisioning Email Address Attribute The user property describing the user's email. mail User Provisioning Instructor Filter If a user matches this filter, they will be provisioned as an Instructor. (& (objectClass=user) (sn=*)) User Provisioning IT Manager Filter If a user matches this filter, they will be provisioned as an IT Manager. (& (objectClass=user) (sn=*)) - Enter the user credentials of any LDAP enabled account within your institution.
- Click Test and Create. In the confirmation dialog, click OK. If successful, you will be able to see a
list of Validated User Attributes. If required, you can update the configuration settings if you made a mistake. Simply click Test and Save to keep the changes. - Once you have verified that the LDAP SSO works, you can choose to activate the new
authentication scheme for your institution. To do so, click Activate, then click OK.
IMPORTANT: Only activate the new authentication scheme after successfully performing
a test login and are ready to make it available for all users in your organization.
Using Cross Integration with LTI
If your organization has enabled both LMS Integration via LTI and also LDAP SSO access, then you
have the choice to link the two integrations. We generally recommend this because it means
that irrespective of whether your users login via their LMS or their SSO, they will be presented
with the same Video Platform account information. In contrast, if Cross Integration with LTI is not setup, a
user who uses both their LMS and SSO with the Video Platform will be provisioned with two separate
accounts. These steps for Cross Integration are completed on the SSO Integration screen described above.
- Configure your LMS to pass a custom LTI parameter to the Video Platform tool called
lis_person_sourcedid which contains the cross-matching SSO value. This can be an
email, employee ID, or other field. You may need to consult your LMS platform’s product
documentation on how to set custom LTI parameters. The Video Platform will make use of this feature to link the two login methods to the same account. - Scroll to the bottom of the SSO Integration pane, to the section labeled Cross Integration with LTI.
- Enter the LDAP user property that maps to the LTI external identifier (in Step 1 above).
into the Linkage Attribute field.
Note: This textbox will only appear if your institution has enabled LTI access. Click Test and Save to keep the changes. Now, when logging in for the first time via LDAP, the Video Platform will search for a link with an LTI account using the value of the linkage attribute. If found, the LDAP account will be linked to the existing account. Otherwise, a new account will be provisioned as normal. All logins past the first one will continue to link to the Video Platform account created or found on the first login.