UserGuide for Cisco Digital Media Manager5.4.x
OL-15762-05
Chapter 8 Authentication and Federated Identity
Concepts
directory service
entity
Any single, named unit at any level within a nested hierarchy of named units, relative to a network. An
entity’s essence depends upon its context. This context, in turn, depends upon interactions between at
least two service providers—one apiece for the naming service and the directory service—in your
network. Theoretically, an entity might represent any tangible thing or logical construct.
• By “tangible thing,” we mean something that a person could touch, which occupies real space in
the physical world. For example, this entity type might represent one distinct human being, device,
or building.
• By “logical construct,” we mean a useful abstraction whose existence is assumed or agreed upon
but is not literally physical. For example, this entity type might represent one distinct language,
subnet, protocol, time zone, or ACL.
An entity’s purpose is broad and flexible within the hierarchical context that defines it.
DN
distinguished name. A sequence of attributes that help a CA to distinguish a particular directory service
entity uniquely for authentication. Distinct identity in this case arises from a text string of
comma-delimited attribute-value pairs. Each attribute-value pair conveys one informational detail
about the entity or its context. The comma-delimited string is the actual DN. It consists of the entity’s
own CN, followed by at least one OU, and then concludes with at least one DC. For example:
CN=username,OU=California,OU=west,OU=sales,DC=Americas,DC=example,DC=com
Note An LDAP expression must never include a space immediately to either side of a “=” sign. Similarly, it must
never include a space immediately to either side of an “objectClass” attribute. Otherwise, validation fails.
Thus, each DN represents more than merely one isolated element. A DN also associates the element to
its specific context within the Active Directory user base that your IdP depends upon.
Tip Any DN might change over the lifespan of its corresponding entity. For example, when you move entries in a tree,
you might introduce new OU attributes or deprecate old ones that are elements of a DN. However, you can assign to any
entity a reliable and unambiguous identity that persists beyond such changes to its context. To accomplish this, merely
include a universally unique identifier (UUID) among the entity’s set of operational attributes.
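The DN layout described above (CN, then OUs, then DCs) and the Note about whitespace around the “=” sign can be checked mechanically. The following Python is an added example written for this page; it is not part of the Cisco guide or of DMM, and the function names (split_rdns, parse_dn, has_guide_shape, parent_dn) and the sample DN are assumptions constructed here. It splits a DN into attribute-value pairs while honouring backslash-escaped commas, rejects a pair that has a space touching its “=”, confirms the CN/OU/DC ordering, and separates the entity’s own RDN from the context that changes when the entry is moved.

```python
from typing import List, Tuple

# Constructed sample DN with the layout the guide describes:
# the entity's CN first, then one or more OUs, then one or more DCs.
SAMPLE_DN = "CN=username,OU=California,OU=west,OU=sales,DC=Americas,DC=example,DC=com"


def split_rdns(dn: str) -> List[str]:
    """Split a DN into its comma-delimited RDNs, leaving backslash-escaped
    commas (RFC 4514 style, e.g. 'CN=Doe\\, Jane') inside their value."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return the DN as an ordered list of (attribute, value) pairs.

    Raises ValueError for the malformed input the guide's Note warns about:
    whitespace immediately on either side of the '=' sign. A space after the
    separating comma (e.g. 'CN=a, OU=b') is tolerated and dropped.
    """
    pairs = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)
        if attr != attr.rstrip() or value != value.lstrip():
            raise ValueError(f"whitespace adjacent to '=' in {rdn!r}")
        attr = attr.strip()
        if not attr or not value:
            raise ValueError(f"empty attribute or value in {rdn!r}")
        # Attribute types are case-insensitive in LDAP; normalise to upper case
        # so 'cn' and 'CN' compare equal. Values are kept exactly as written.
        pairs.append((attr.upper(), value))
    return pairs


def dn_is_valid(dn: str) -> bool:
    """True when the DN parses cleanly, False on the validation failures above."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def has_guide_shape(pairs: List[Tuple[str, str]]) -> bool:
    """Check the ordering the guide gives for a DN: exactly one leading CN,
    then at least one OU, then at least one DC, and nothing else."""
    attrs = [attr for attr, _ in pairs]
    if not attrs or attrs[0] != "CN":
        return False
    i = 1
    ou_count = 0
    while i < len(attrs) and attrs[i] == "OU":
        ou_count += 1
        i += 1
    dc_count = 0
    while i < len(attrs) and attrs[i] == "DC":
        dc_count += 1
        i += 1
    return i == len(attrs) and ou_count >= 1 and dc_count >= 1


def parent_dn(dn: str) -> str:
    """Return the context part of a DN (everything after the entity's own RDN).
    This is the part that changes when an entry is moved within the tree."""
    return ",".join(split_rdns(dn)[1:])


if __name__ == "__main__":
    for attr, value in parse_dn(SAMPLE_DN):
        print(f"{attr:>3} = {value}")
    print("guide shape:", has_guide_shape(parse_dn(SAMPLE_DN)))
    print("context:", parent_dn(SAMPLE_DN))
    print("spaces around '=' accepted:", dn_is_valid("CN = username,DC=example,DC=com"))
```

The shape check is deliberately strict to the ordering the guide states; a real directory may also contain entries under CN containers or without an OU, so treat has_guide_shape as a check against this guide’s convention rather than a general LDAP validator. parent_dn is what a UUID-based identity, as the Tip suggests, lets you stop depending on.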
F
federation
The whole collection of authentication servers that make SSO possible in a network by synchronizing
their user bases to one IdP in common. This mutualized pooling of user bases bestows upon each valid
user a “federated identity” that spans an array of your SPs.