User Guide for Cisco Digital Media Manager 5.2.x
OL-15762-03
Chapter 6 Authentication and Federated Identity
Concepts
Migration Between Authentication Methods
• Understand Migration (from Either LDAP or SSO) to Embedded
• Understand Migration (from Embedded) to Either LDAP or SSO

Understand Migration (from Either LDAP or SSO) to Embedded

When you migrate from LDAP or federation mode to embedded authentication mode, you must explicitly choose whether to keep local copies of the:
• User accounts that were associated with LDAP filters.
• Groups and policies that were associated with LDAP filters.

Note: Unless you explicitly choose to keep the local copy of a user, a group, or a policy, we discard the local copy.

Migration from one mode to another can take as long as 1 minute to finish.

3. The IdP reports that:
   • The browser is not yet connected to any SP in the CoT.
   • The browser is not yet authenticated to any valid user account.
   We cannot tell if the browser’s human operator is a valid and authorized user, a valid but confused user, or an intruder.
4. The SP redirects the browser automatically to an HTTPS login prompt on the IdP, where one of the following occurs.
   • The browser’s human operator successfully logs in to a valid user account. The IdP attaches a SAML “token” or “passport” to the browser session, authorizing at least some access. And:
     • The user account has permission to access the protected resource. So, the IdP acts on the SP’s behalf and redirects the browser immediately to the protected resource.
       OR
     • The user account DOES NOT have permission to access the protected resource. So, the IdP redirects the browser to the SP, where an HTTP 403 Forbidden message states that the user is not authorized to access the protected resource.
   • The browser’s human operator fails to log in. So, lacking any proof that this person is authorized, we block access to every protected resource until the human operator can log in successfully.