User Guide for Cisco Digital Media Manager 5.2.x
OL-15762-03
Chapter 6 Authentication and Federated Identity
Concepts
I
IdP NEW IN CISCO DMS 5.2.3—identity provider. One SAML 2.0-compliant server (synchronized to at least one Active Directory user base) that authenticates user session requests on demand for the SPs in one network subdomain. An IdP also normalizes data from a variety of directory servers (user stores).
Users send their login credentials to an IdP over HTTPS, so that the IdP can authenticate them to whichever SPs they are authorized to use. As an example, consider how an organization could use three IdPs:
- An IdP in legal.example.com might authenticate user sessions for one SP, by comparing user session requests to the user base records from one Active Directory server.
- An IdP in sales.example.com might authenticate user sessions for 15 SPs, by comparing user session requests to the user base records from three Active Directory servers.
- An IdP in support.example.com might authenticate user sessions for four SPs, by comparing user session requests to the user base records from two Active Directory servers.
Note Only a well-known CA can issue the digital certificate for your IdP. Otherwise, you cannot use SSL, HTTPS, or LDAPS in Federation mode and, thus, all user credentials are passed in the clear.
Tip We have tested Cisco DMS federation features successfully against OpenAM and Shibboleth. We recommend that you use an IdP that we have tested with Cisco DMS. We explicitly DO NOT support Novell E-Directory or Kerberos-based custom directories.
If your IdP fails, you can switch your authentication mode to LDAP or Embedded.
L
LDAP Lightweight Directory Access Protocol. A highly complex data model and communications protocol for user authentication. LDAP provides management and browser applications with access to directories whose data models and access protocols conform to X.500 series (ISO/IEC 9594) standards.
LDAPS Secure LDAP. The same as ordinary LDAP, but protected under an added layer of SSL encryption.
Note Before you try to configure SSL encryption and before you let anyone log in with SSL, you MUST:
- Activate SSL on your Active Directory server and then export a copy of the server’s digital certificate.
- Import into DMM the SSL certificate that you exported from Active Directory.
- Restart Web Services (Tomcat) in AAI.
Caution Is your DMM appliance one half of a failover pair? If so, you will trigger immediate failover when you submit the command in AAI to restart Web Services. This occurs by design, so there is no workaround.
LDIF LDAP Data Interchange Format. A strict grammar that SPs and IdPs use to classify and designate named elements and levels in Active Directory.