8-34
User Guide for Cisco Digital Media Manager 5.4.x
OL-15762-05
Chapter 8 Authentication and Federated Identity
Procedures
Example: Configure OpenAM to Interoperate with CiscoDMS
Before You Begin
Obtain a digital identity certificate from a well-known CA, install it on your IdP host system, and then enable SSL.
Procedure
Step 1 Configure OpenAM to use a datastore from Active Directory, unless it already does so.
Note In Federation mode, we use a synchronization process to learn which usernames are valid in your organization. Later and separately, we use an authentication process to verify user-login credentials. Even though we expect most IdPs to source both of these services from a Microsoft Active Directory server, your organization might use some other LDAP system to authenticate user sessions. When this is the case, you must install and configure an Active Directory server for synchronization use by Cisco DMS. Otherwise, we cannot learn which usernames are valid, and in turn ordinary users cannot log in to Cisco DMS. To prevent this outcome, you must replicate and synchronize a datastore between your new Active Directory server and your existing LDAP server. Afterward, Cisco DMS can synchronize with the Active Directory datastore.
a. In OpenAM Web, choose Access Control > Top Level Realm > Data Stores.
b. Enter values to define the attributes of your Active Directory DataStore.
You might enter values for some of the attributes (like these ones, for example)...
LDAP Server: <IP_ADDRESS>:389
LDAP Bind DN: CN=Administrator,CN=Users,DC=win2003esx,DC=example,DC=com
LDAP Bind Password: *********
LDAP Organization DN: OU=SystemTest,DC=win2003esx,DC=example,DC=com
LDAP Users Search Attribute: sAMAccountName
LDAP Users Search Filter: (objectclass=user)
Authentication Naming Attribute: sAMAccountName
... while leaving other attribute values undefined.
Attribute Name Mapping: <Empty>
LDAP Groups Search Attribute: <Empty>
LDAP Groups Search Filter: <Empty>
LDAP Groups container Naming Attribute: <Empty>
LDAP Groups Container Value: <Empty>
Attribute Name of Unique Member: <Empty>
LDAP People Container Naming Attribute: <Empty>
LDAP People Container Value: <Empty>
Persistent Search Base DN: <Empty>
Persistent Search Filter: <Empty>
Note These are merely examples.
c. Click Federation, and then click your IdP server instance—for example, dmsIdp.
d. Click Assertion Processing.
e. Change the IDP Attribute Map value from UID=uid to UID=sAMAccountName.
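The settings entered in steps 1b through 1e interact: the Users Search Attribute and Users Search Filter together decide how a login name is turned into a directory lookup, and the IDP Attribute Map decides which directory attribute is handed to Cisco DMS as the federated user id. The following script is an added example, not part of this guide or of OpenAM. It loads the sample attribute values from step 1b into a plain dictionary, builds the effective user-lookup filter under the assumption that the datastore ANDs the search-attribute match with the users search filter (the usual behaviour of an LDAP datastore, but an assumption here), escapes the username per RFC 4515 so a login name cannot alter the filter, and reports the settings a reviewer would want to reconsider before enabling Federation mode (clear-text port 389 when SSL is a prerequisite, binding as the built-in Administrator, and an attribute map that does not agree with the authentication naming attribute). The `review` function and its findings are illustrative checks, not OpenAM validation rules.

```python
"""Sanity-check an OpenAM-style Active Directory datastore configuration.

Added example, not code from the Cisco DMM guide or from OpenAM. Assumption:
the datastore finds a user with (&(<search-attr>=<user>)(<users-search-filter>)).
"""
import re

# Constructed sample matching the values listed in step 1b (placeholders kept).
DATASTORE = {
    "LDAP Server": "<IP_ADDRESS>:389",
    "LDAP Bind DN": "CN=Administrator,CN=Users,DC=win2003esx,DC=example,DC=com",
    "LDAP Bind Password": "*********",
    "LDAP Organization DN": "OU=SystemTest,DC=win2003esx,DC=example,DC=com",
    "LDAP Users Search Attribute": "sAMAccountName",
    "LDAP Users Search Filter": "(objectclass=user)",
    "Authentication Naming Attribute": "sAMAccountName",
}
IDP_ATTRIBUTE_MAP = "UID=sAMAccountName"  # value set in step 1e

# RFC 4515 escapes for the characters that are special inside a search filter.
_RFC4515_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe use inside an LDAP search filter (RFC 4515)."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def user_lookup_filter(config: dict, username: str) -> str:
    """Effective filter used to find one user (assumed AND of attribute match and base filter)."""
    attr = config["LDAP Users Search Attribute"]
    base_filter = config["LDAP Users Search Filter"]
    return f"(&({attr}={escape_filter_value(username)}){base_filter})"


def parse_dn(dn: str) -> list:
    """Split a DN such as CN=x,DC=y into (TYPE, value) pairs; reject malformed RDNs."""
    pairs = []
    for rdn in dn.split(","):
        m = re.fullmatch(r"\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*", rdn)
        if not m:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((m.group(1).upper(), m.group(2)))
    return pairs


def review(config: dict, idp_attribute_map: str) -> list:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    _host, _, port = config["LDAP Server"].rpartition(":")
    if port == "389":
        findings.append("LDAP Server uses port 389: the bind password and every lookup travel in "
                        "clear text unless StartTLS is enforced; prefer LDAPS (636), since SSL is "
                        "a prerequisite of this procedure.")
    bind = parse_dn(config["LDAP Bind DN"])
    if bind and bind[0][1].lower() == "administrator":
        findings.append("Bind DN is the built-in Administrator account; a dedicated read-only "
                        "service account limits the damage from a leaked bind password.")
    org = parse_dn(config["LDAP Organization DN"])
    if [p for p in bind if p[0] == "DC"] != [p for p in org if p[0] == "DC"]:
        findings.append("Bind DN and Organization DN point at different domains.")
    saml_attr, _, ldap_attr = idp_attribute_map.partition("=")
    if ldap_attr != config["Authentication Naming Attribute"]:
        findings.append(f"IDP Attribute Map sends {ldap_attr} as {saml_attr}, but users "
                        f"authenticate by {config['Authentication Naming Attribute']}; the two "
                        "should agree so DMS receives the login name that AD actually validated.")
    if not re.fullmatch(r"\(.*\)", config["LDAP Users Search Filter"]):
        findings.append("LDAP Users Search Filter must be a parenthesised LDAP filter.")
    return findings


if __name__ == "__main__":
    print(user_lookup_filter(DATASTORE, "jdoe"))
    for line in review(DATASTORE, IDP_ATTRIBUTE_MAP):
        print("-", line)
    # The pre-step-1e value UID=uid produces an extra finding about the mismatch.
    for line in review(DATASTORE, "UID=uid"):
        print("-", line)
```

Running the script with the sample values shows two findings (the clear-text port and the Administrator bind account); running `review` with the original `UID=uid` map adds a third, which is exactly the inconsistency step 1e removes.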