Authentication and SSO management

Multifactor authentication

Lumen can secure your Media portal domain/parent access group with multifactor authentication (MFA)—referred to as an MFA-enabled domain. Multifactor authentication is applied at the domain level and is inherited by all child access groups.

Once we configure your domain with multifactor authentication, all users with access must enter an authentication code (in addition to their password) when signing in to Media portal. This authentication code is emailed by default to the user’s email for portal notifications immediately after submitting their password, but users can enter a different email in their user profile. Users who prefer to receive authentication codes by SMS text message can alternately enter their mobile number and the SMS domain of their service provider.

To request Media portal multifactor authentication for one or more of your domains, contact your Lumen representative or CDN support.

SSO management

You can also integrate Media portal with your organization’s identity management system, known as IDP, using the SAML2 protocol. We still maintain basic accounts for all of your users, but when SSO is enabled, your IDP controls access. This includes how to handle any users that may have already been set up prior, if and when to auto-create new user, and which permissions to grant them. Once you set up the SSO client, you can manage it to disable/enable it, etc.

To set up an SSO client, sign into Media Portal, navigate to Portal Admin > SSO Management. (If you do not see this menu, email us to request it and select “Add Client”.)

In this menu, type a client name (used as entity ID). Make sure you follow the indicated type and number of characters. This client name will be used to determine the unique entry point for your organization's users and therefore must be globally unique in our system.

Select how you want to assign roles to your users by doing one of the following:

• To assign a default role to users trusted by you, select a Media portal role from the Default Role list. For all new users trusted by your IDP, Media portal will create an account for them and assign the default role you selected. (We recommend assigning the Reporting role because it has the lowest permission level.) If we encounter a user trusted by you but without a way to determine the intended role, we will automatically defer to the default role. If done without role mapping, setting a default role indicates that for every new user trusted by your IDP, we will automatically create an account for them with the role you have set as the default. This function can be used alone or in conjunction with role mapping.

   

• To map your internal SSO group roles to Media portal roles, select the Role Mapping checkbox, then do the following to map your role names to Media portal roles:

   

  • In the SP Attribute Name field, type your SAML attribute name, where the roles will be provided in the payload of the SAML2 authentication exchange. (This name is case sensitive.)

     

  • For each of your organization's native role names, map them to Media portal roles: select the Media portal role from the list and type your role name in the SSO Group Name field. (The role name is case sensitive. Click Add to add additional rows to hold each role.)

     

  • If you want Media portal to use a default role for roles you haven't mapped, select a Media portal role from the Default Role list. (If you don't have a default role in conjunction with mapped roles, Media portal will deny access to any user that does not have a known or mapped role. Use this option if you do not want everyone in your company to have access to the Media portal. If a user was already set up in Media portal, the IDP will still determine the role and the user's record will be updated accordingly directly following authentication.

From the SP Initiated Message Type field, choose the request method that the Media portal (SAML SP - service provider) should use. (Certain IDPs require POST; others require GET.) Finally, paste or upload your IDP metadata obtained from your IDP, and click “Create”. Media portal will then show the metadata you need to register with your IDP.

Your client will be in an Inactive status when you create it and you can enable it at your convenience. Once enabled, it will be functioning nearly immediately and the same timing applies should you decide to disable it. To manage your client, select the SSO client you wish to enable from the client name list, and in the “Client State” field, you can enable (or disable) your SSO client. On the same page, you can also edit your SSO client or if you wish to do so, you can delete your SSO client as well.

If you delete your SSO client, Media portal deletes the SSO client and begins authenticating users. Users with a Media portal account can sign in. If a user's password has expired, they may be prompted to reset it before signing in.

Signing in using the SSO client URL

Users should use the URL that is specific to your organization: https://mediaportal.lumen.com/sso/saml2/sp/init/{SSO client name}.

If users go to https:/mediaportal.lumen.com, they will be redirected to an intermediary page that provides your organization’s URL. The user can click Sign In to proceed. To save clicks, we recommend bookmarking your organization-specific SSO URL.

SSO user profiles

SSO user profiles in the Media portal are greatly simplified and only show what is provided by the SAML2 assertions passed in the authentication exchange. The SSO user name is always present and, if provided, the first and last name are also shown. Additionally, there will be no options to manage a user's password or status because this is now controlled by your IDP.

SAML assertions

The SSO client must provide the SAML2:NameID (user name expressed as an email address). Optionally, the following can be provided: 

• “firstName” and “lastName”—if not provided, dashes will appear in the Media Portal user profile. 

   

• role, where the attribute name corresponds to the values provided in the role-mapping screen—if not provided, as described previously, the login request will either cause the default role to be assigned or the login request rejected (depending on how you configure the SSO client).