Integrating Panopto with Shibboleth

Requirements

* Courses should be automatically pulled into Panopto from Duke's Student Information System and available to be entered into Panopto

Our SOAP API allows Panopto folders to be "provisioned" (created with ACLs) programmatically. If you can retrieve the data from Duke's system, it should be fairly straightforward to reflect it into Panopto.

* Once a course is entered into the Panopto system, Panopto accounts are automatically set up for all of the members of that course

See above. This assumes that you've configured Panopto to use an AD provider that can authenticate these accounts.

* Appropriate roles (i.e., "presenter" and "viewer") for those Panopto accounts are automatically assigned based on whether those users are listed as instructors/T.A.'s or students in the course in Duke's Student Information System

This would also happen during the "provision" step; if your system knows which rights a given user should have, those can be auto-configured within Panopto.

* We would need to flesh out questions related to the creation and use of "ad hoc" or non-course related access groups. Currently we use Grouper for this purpose, and so we're interested in exploring whether Active Directory and Grouper might be able to work together or if we'd need to explore alternative approaches.

If you're not doing programmatic account creation, the way our AD groups system works is by adding all users in the AD group to the viewer ACL for a given resource (folder or single recording). This seems to align well with ad hoc groups. [followup—is this only for viewer accounts? Not instructors/presenters?]

* One of the key concepts for Identity Management in DukeCapture will be the concept of "nodes" (schools/depts/other organizational units). We'll need a way functionally to group users and system assets (such as recorders) by node so that we can cordon off access based on functional units.

This is probably the most significant issue and may require some custom code, but the simplest way (no custom code) is to have a "fake" AD controller or AD connection string for each node.

* One of the things we do now with Lectopia is a simple authentication-only option that allows anyone with a Duke NetID to access recordings in Lectopia, essentially limiting access to recordings to members of the "Duke community." The simplicity of this from an administrative standpoint is appealing to a lot of our users, so it's an option I think we'd hope for in DukeCapture 2.0 as well. Hopefully we wouldn't have to set up accounts in Panopto for specific users, but could just authenticate directly via Webauth.

Questions

  1. What is the timeline for the Shibb/ AD integration?
  2. Given AD and Shibb will be integrated, would we set up groups in AD or in Grouper, or both/either?
  3. How will we handle the need to utilize large groups, such as “all Duke NetID holders” or “all School of Medicine students, faculty, and staff”?
  4. Along with the question of nodes, would we be able to support enabling power users in each node (school/dept.) to create and manage their own groups in Grouper or AD, and managing access in Panopto themselves?