You can integrate Media portal with your organization’s identity management system (your identity provider, or IDP) using the SAML2 protocol. We still maintain basic accounts for all of your users, but when SSO is enabled, your IDP controls access. This includes how to handle users that were set up before SSO was enabled, if and when to auto-create new users, and which permissions to grant them. Once you set up the SSO client, you can manage it, for example to disable or enable it.
If you do not see this menu option, contact us to request it.
To set up an SSO client:
Users should use the URL that is specific to your organization: https://mediaportal.lumen.com/sso/saml2/sp/init/{SSO client name}. If users go to https://mediaportal.lumen.com instead, they are redirected to an intermediary page that provides your organization’s URL, and they can click Sign In to proceed. To save clicks, we recommend bookmarking your organization-specific SSO URL.
SSO user profiles in the Media portal are greatly simplified and only show what is provided by the SAML2 assertions passed in the authentication exchange. The SSO user name is always present and, if provided, the first and last name are also shown. Additionally, there are no options to manage a user's password or status, because these are now controlled by your IDP.
The SSO client must provide the SAML2:NameID (user name expressed as an email address). Optionally, the following can be provided:
“firstName” and “lastName”—if not provided, dashes will appear in the Media portal user profile.
role, where the attribute name corresponds to the values provided in the role-mapping screen—if not provided, as described previously, the login request will either cause the default role to be assigned or be rejected (depending on how you configure the SSO client).
Example SAML2 assertion containing these attributes:
<saml2:Assertion ID="_1184305154138349862" IssueInstant="2021-08-31T15:16:06.093Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>https://localhost:10443/sso/idp</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">john.smith@mydomain.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData InResponseTo="_d8c523d1b65eef00c636a91ddfcf5935" NotOnOrAfter="2021-08-31T15:17:46.065Z" Recipient="https://localhost:8443/sso/saml2/sp/callback/cas-localhost"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2021-08-31T15:16:06.122Z" NotOnOrAfter="2021-08-31T15:17:46.122Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>cas-localhost</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="2021-08-31T15:16:06.065Z" SessionIndex="_4837487843227240903">
    <saml2:SubjectLocality Address="cas-localhost"/>
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="samlAuthenticationStatementAuthMethod" Name="samlAuthenticationStatementAuthMethod">
      <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">urn:oasis:names:tc:SAML:1.0:am:password</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="lastName" Name="lastName">
      <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Smith</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="firstName" Name="firstName">
      <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">John</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="role" Name="role">
      <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">Admin</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="isFromNewLogin" Name="isFromNewLogin">
      <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">true</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="authenticationDate" Name="authenticationDate">
      <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">2021-08-31T09:16:05.868-06:00[America/Denver]</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="authenticationMethod" Name="authenticationMethod">
      <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">AcceptUsersAuthenticationHandler</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="successfulAuthenticationHandlers" Name="successfulAuthenticationHandlers">
      <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">AcceptUsersAuthenticationHandler</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute FriendlyName="longTermAuthenticationRequestTokenUsed" Name="longTermAuthenticationRequestTokenUsed">
      <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">false</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
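The following is an added example, not Media portal code, showing how a service provider reads the NameID, firstName, lastName and role attributes from an assertion like the one above and applies the role rule described earlier (default role or rejected login). It assumes unmapped role values are treated like a missing role, and it leaves signature verification out of scope; a real SP verifies the signature before trusting any of these values.

```python
# Added example, not Media portal code: read the NameID, firstName, lastName and role
# from a SAML2 assertion and apply the role-mapping rule the page describes.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed assertion shaped like the page's sample (attribute namespaces trimmed).
SAMPLE = """<s:Assertion Version="2.0" ID="_example" xmlns:s="urn:oasis:names:tc:SAML:2.0:assertion">
  <s:Subject><s:NameID>john.smith@mydomain.com</s:NameID></s:Subject>
  <s:Conditions NotBefore="2021-08-31T15:16:06.122Z" NotOnOrAfter="2021-08-31T15:17:46.122Z">
    <s:AudienceRestriction><s:Audience>cas-localhost</s:Audience></s:AudienceRestriction>
  </s:Conditions>
  <s:AttributeStatement>
    <s:Attribute Name="firstName"><s:AttributeValue>John</s:AttributeValue></s:Attribute>
    <s:Attribute Name="lastName"><s:AttributeValue>Smith</s:AttributeValue></s:Attribute>
    <s:Attribute Name="role"><s:AttributeValue>Admin</s:AttributeValue></s:Attribute>
  </s:AttributeStatement>
</s:Assertion>"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text):
    """Extract NameID, validity window, audience and the optional user attributes."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): a.findtext("s:AttributeValue", namespaces=NS)
             for a in root.findall("s:AttributeStatement/s:Attribute", NS)}
    cond = root.find("s:Conditions", NS)
    return {
        "name_id": root.findtext("s:Subject/s:NameID", namespaces=NS),
        "window": (_ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))) if cond is not None else None,
        "audience": root.findtext("s:Conditions/s:AudienceRestriction/s:Audience", namespaces=NS),
        "first_name": attrs.get("firstName"), "last_name": attrs.get("lastName"),
        "role": attrs.get("role"),
    }

def build_profile(parsed, now, expected_audience, role_map, default_role=None):
    """Return (profile, None) or (None, reason). Role comes from role_map (the role-mapping
    screen); missing/unmapped roles fall back to default_role or are rejected. Dashes fill names."""
    if not parsed["name_id"]:
        return None, "missing NameID"
    if parsed["audience"] != expected_audience:
        return None, "audience mismatch"
    if parsed["window"] is None or not (parsed["window"][0] <= now < parsed["window"][1]):
        return None, "outside validity window"
    role = role_map.get(parsed["role"]) or default_role
    if role is None:
        return None, "no mapped role and no default role"
    return {"user": parsed["name_id"], "first": parsed["first_name"] or "-",
            "last": parsed["last_name"] or "-", "role": role}, None
```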