8-20
User Guide for Cisco Digital Media Manager 5.4.x
OL-15762-05
Chapter 8 Authentication and Federated Identity
Concepts

SSO Scenario 3 — Nothing Known

1. A web browser requests access to a protected resource on an SP. Your federation will not approve or deny this request until it knows more.

2. The SP asks its IdP if the browser is currently authenticated to any valid user account in the CoT.

3. The IdP reports that:
   • The browser is not yet connected to any SP in the CoT.
   • The browser is not yet authenticated to any valid user account.
   We cannot tell if the browser's human operator is a valid and authorized user, a valid but confused user, or an intruder.

4. The SP redirects the browser automatically to an HTTPS login prompt on the IdP, where one of the following occurs.
   • The browser's human operator successfully logs in to a valid user account. The IdP attaches a SAML "token" or "passport" to the browser session, authorizing at least some access. And:
     – The user account has permission to access the protected resource. So, the IdP acts on the SP's behalf and redirects the browser immediately to the protected resource.
     OR
     – The user account DOES NOT have permission to access the protected resource. So, the IdP redirects the browser to the SP, where an HTTP 403 Forbidden message states that the user is not authorized to access the protected resource.
   • The browser's human operator fails to log in. So, lacking any proof that this person is authorized, we block access to every protected resource until the human operator can log in successfully.

Migration Between Authentication Methods

• Understand Migration (from Either LDAP or SSO) to Embedded, page 8-20
• Understand Migration (from Embedded) to Either LDAP or SSO, page 8-21

Understand Migration (from Either LDAP or SSO) to Embedded

When you migrate from LDAP (via Active Directory) or federation mode to embedded authentication mode, you must explicitly choose whether to keep local copies of the:
• User accounts that were associated with LDAP filters.
• Groups and policies that were associated with LDAP filters.
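The SSO Scenario 3 flow above, walked through as an added example that is not part of this guide or of Cisco DMM: a small simulation of the browser, SP and IdP exchange, with a constructed account table and access policy, that records each message and separates the three outcomes (redirect to the resource, HTTP 403, or blocked until login succeeds).

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample data (not from the guide): the IdP's accounts and the SP's policy.
IDP_ACCOUNTS = {"alice": "correct-horse", "bob": "battery-staple"}
SP_POLICY = {"/reports": {"alice"}}   # which accounts may reach each protected resource


@dataclass
class Browser:
    """What the circle of trust (CoT) knows about one browser session."""
    token: Optional[str] = None                     # SAML "passport" attached after login
    trace: List[str] = field(default_factory=list)  # messages exchanged, for inspection


def idp_login(browser: Browser, username: str, password: str) -> bool:
    """The IdP's HTTPS login prompt, checking the constructed account table."""
    browser.trace.append(f"browser -> IdP: login as {username}")
    if IDP_ACCOUNTS.get(username) != password:
        browser.trace.append("IdP -> browser: login failed")
        return False
    browser.token = f"token:{username}"             # constructed token format
    browser.trace.append("IdP -> browser: SAML token attached to session")
    return True


def request_protected(browser: Browser, resource: str,
                      credentials: Optional[Tuple[str, str]] = None) -> str:
    """Run SSO Scenario 3 for one request and return its outcome:
    'redirect:<resource>' (authenticated and authorized), '403' (authenticated
    but not authorized) or 'blocked' (login failed, nothing protected reachable)."""
    browser.trace.append(f"browser -> SP: GET {resource}")                   # step 1
    if browser.token is None:
        browser.trace.append("SP -> IdP: is this browser authenticated?")   # step 2
        browser.trace.append("IdP -> SP: nothing known about this browser")  # step 3
        browser.trace.append("SP -> browser: 302 to IdP HTTPS login prompt") # step 4
        if credentials is None or not idp_login(browser, *credentials):
            browser.trace.append("access blocked until a login succeeds")
            return "blocked"
    # Authentication is settled; authorization for this resource is a separate decision.
    user = browser.token.split(":", 1)[1]
    if user in SP_POLICY.get(resource, set()):
        browser.trace.append(f"IdP -> browser: 302 to {resource} on the SP's behalf")
        return f"redirect:{resource}"
    browser.trace.append("IdP -> browser: 302 to SP; SP -> browser: HTTP 403 Forbidden")
    return "403"
```

Once a session carries a token, a later request skips the login redirect, which is the point of the SAML "passport": authentication happens once at the IdP, while each SP still applies its own authorization.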