Chapter 6 Authentication and Federated Identity

Concepts

directory service entity

Any single, named unit at any level within a nested hierarchy of named units, relative to a network. An entity’s essence depends upon its context. This context, in turn, depends upon interactions between at least two service providers — one apiece for the naming service and the directory service — in your network. Theoretically, an entity might represent any tangible thing or logical construct.

By “tangible thing,” we mean something that a person could touch, which occupies real space in the physical world. For example, this entity type might represent one distinct human being, device, or building.

By “logical construct,” we mean a useful abstraction whose existence is assumed or agreed upon but is not literally physical. For example, this entity type might represent one distinct language, subnet, protocol, time zone, or ACL.

 

An entity’s purpose is broad and flexible within the hierarchical context that defines it.

DN

distinguished name. A sequence of attributes that help a CA to distinguish a particular directory service entity uniquely for authentication. Distinct identity in this case arises from a text string of comma-delimited attribute-value pairs. Each attribute-value pair conveys one informational detail about the entity or its context. The comma-delimited string is the actual DN. It consists of the entity’s own CN, followed by at least one OU, and then concludes with at least one DC. For example:

CN=username,OU=California,OU=west,OU=sales,DC=Americas,DC=example,DC=com

 

Note

An LDAP expression must never include a space immediately to either side of a “=” sign. Similarly, it must never include a space immediately to either side of an “objectClass” attribute. Otherwise, validation fails.

 

Thus, each DN represents more than merely one isolated element. A DN also associates the element to its specific context within the Active Directory user base that your IdP depends upon.

 

Note

A DN can change over the lifespan of its corresponding entity. For example, when you move entries in a tree, you might introduce new OU attributes or deprecate old ones that are elements of a DN. However, you can assign to any entity a reliable and unambiguous identity that persists beyond such changes to its context. To accomplish this, merely include a universally unique identifier (UUID) among the entity’s set of operational attributes.
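The DN entry above describes a DN as a comma-delimited string of attribute-value pairs ordered CN, then OU, then DC, with no space on either side of “=”, and this note explains why a UUID operational attribute outlives a move in the tree. The following Python is an added example, not code from the Cisco guide or from DMS: it parses a DN into its pairs, reports which of the structural rules stated in the glossary a DN breaks, and shows, with a constructed in-memory directory, that an entry found by its UUID is the same entry before and after its DN changes. The attribute name entryUUID is an assumption borrowed from standard LDAP; the guide only says “a UUID among the entity’s operational attributes”.

```python
import re
import uuid

# The glossary's own example DN, used here as constructed sample input.
SAMPLE_DN = "CN=username,OU=California,OU=west,OU=sales,DC=Americas,DC=example,DC=com"


def split_rdns(dn):
    """Split a DN at commas; a comma preceded by a backslash is an escaped literal, not a delimiter."""
    return re.split(r'(?<!\\),', dn)


def parse_dn(dn):
    """Return the DN's attribute-value pairs as a list of (attribute, value) tuples, left to right."""
    pairs = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr, value))
    return pairs


def dn_problems(dn):
    """Return the list of glossary rules the DN violates; an empty list means it passes every check."""
    problems = []
    # Rule from the Note: no space immediately to either side of '='.
    if re.search(r' =|= ', dn):
        problems.append("space adjacent to '='")
    attrs = [attr.upper() for attr, _ in parse_dn(dn)]
    # Rules from the DN entry: CN first, at least one OU, and a DC last.
    if not attrs or attrs[0] != "CN":
        problems.append("first RDN is not CN")
    if "OU" not in attrs:
        problems.append("no OU component")
    if attrs[-1] != "DC":
        problems.append("last RDN is not DC")
    # CN, OU and DC components must not interleave (CN..., OU..., DC...).
    rank = {"CN": 0, "OU": 1, "DC": 2}
    known = [a for a in attrs if a in rank]
    if known != sorted(known, key=rank.get):
        problems.append("CN/OU/DC components out of order")
    return problems


class Directory:
    """Constructed toy directory: entries are indexed both by DN and by an operational UUID attribute."""

    def __init__(self):
        self._by_uuid = {}
        self._by_dn = {}

    def add(self, dn, **attributes):
        # The UUID is assigned once, when the entry is created, and never changes.
        entry_uuid = str(uuid.uuid4())
        entry = {"dn": dn, "entryUUID": entry_uuid, **attributes}  # entryUUID: assumed attribute name
        self._by_uuid[entry_uuid] = entry
        self._by_dn[dn] = entry
        return entry_uuid

    def move(self, old_dn, new_dn):
        """Relocate an entry in the tree: its DN changes, its UUID does not."""
        entry = self._by_dn.pop(old_dn)
        entry["dn"] = new_dn
        self._by_dn[new_dn] = entry
        return entry["entryUUID"]

    def lookup_by_uuid(self, entry_uuid):
        return self._by_uuid[entry_uuid]

    def lookup_by_dn(self, dn):
        return self._by_dn.get(dn)


if __name__ == "__main__":
    print(parse_dn(SAMPLE_DN))
    print("problems:", dn_problems(SAMPLE_DN))
    print("problems:", dn_problems("CN = username,OU=sales,DC=example,DC=com"))
    d = Directory()
    uid = d.add("CN=username,OU=west,OU=sales,DC=example,DC=com", cn="username")
    d.move("CN=username,OU=west,OU=sales,DC=example,DC=com",
           "CN=username,OU=east,OU=sales,DC=example,DC=com")
    print("same entry after move:", d.lookup_by_uuid(uid)["dn"])
```

The practical point is the last part: an SP or IdP that keys a user record on the DN string loses the user when an administrator moves the entry between OUs, while one that keys on the UUID keeps working and can simply refresh the stored DN.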

F

federation


NEW IN CISCO DMS 5.2.3 — The whole collection of authentication servers that synchronize their user bases to one IdP in common and thereby make SSO possible within a network. This mutualized pooling of user bases bestows each valid user with a “federated identity” that spans an array of your SPs.

User Guide for Cisco Digital Media Manager 5.2.x

OL-15762-03

6-5