User Guide for Cisco Digital Media Manager 5.4.x (OL-15762-05), page 8-6
Chapter 8 Authentication and Federated Identity
Concepts
I
IdP
identity provider. One SAML 2.0-compliant server, synchronized to at least one Active Directory user base, that authenticates user session requests on demand for the SPs in one network subdomain. An IdP also normalizes data from a variety of directory servers (user stores), so that SPs see one consistent set of user attributes regardless of which directory holds the account.
Users send their login credentials to an IdP over HTTPS, so that the IdP can authenticate them to whichever SPs they are authorized to use. As an example, consider how an organization could use three IdPs.
An IdP in legal.example.com might authenticate user sessions for one SP, by comparing user session requests to the user base records from one Active Directory server.
An IdP in sales.example.com might authenticate user sessions for 15 SPs, by comparing user session requests to the user base records from three Active Directory servers.
An IdP in support.example.com might authenticate user sessions for four SPs, by comparing user session requests to the user base records from two Active Directory servers.
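The following Python model illustrates the topology just described: one IdP per subdomain, each willing to answer only for its own SPs and each consulting one or more user stores whose attribute names differ, with the IdP returning a normalized set of attributes rather than anything derived from the password. This is an added example written for this glossary, not code from Cisco DMS or from any SAML product; the user stores, hostnames, passwords and attribute values are constructed stand-ins for Active Directory data, and the PBKDF2 storage format is an assumption made so the example is self-contained.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


def _pw_hash(password: str, salt: bytes) -> bytes:
    # Constructed stand-in for whatever verifier the real directory uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_store(users: dict) -> dict:
    """Build a constructed user store: login -> (salt, password hash, raw attributes).
    `users` maps login -> (clear-text password, raw directory attributes)."""
    store = {}
    for login, (password, attrs) in users.items():
        salt = os.urandom(16)
        store[login] = (salt, _pw_hash(password, salt), attrs)
    return store


@dataclass
class IdP:
    subdomain: str
    sps: set        # SP hostnames this IdP is willing to authenticate for
    stores: list    # user stores (stand-ins for AD servers) it is synchronized to

    def authenticate(self, sp: str, login: str, password: str):
        """Return normalized user attributes, or None on any failure."""
        if sp not in self.sps:
            return None  # an SP outside this IdP's subdomain gets no answer
        for store in self.stores:
            rec = store.get(login)
            if rec is None:
                continue  # account may live in another synchronized store
            salt, expected, attrs = rec
            # constant-time comparison of the derived hash against the stored one
            if not hmac.compare_digest(_pw_hash(password, salt), expected):
                return None
            return self._normalize(login, attrs)
        return None

    @staticmethod
    def _normalize(login: str, attrs: dict) -> dict:
        """Map differently named directory attributes onto one schema for SPs."""
        return {
            "nameid": login,
            "mail": attrs.get("mail") or attrs.get("userPrincipalName"),
            "displayname": attrs.get("displayName") or attrs.get("cn"),
            "groups": sorted(attrs.get("memberOf", ())),
        }


def federated_login(federation: dict, sp: str, login: str, password: str):
    """Route an SP's session request to the IdP of the SP's subdomain."""
    labels = sp.split(".")
    # "contracts.legal.example.com" -> "legal"; shorter names have no subdomain
    subdomain = labels[-3] if len(labels) >= 3 else None
    idp = federation.get(subdomain)
    if idp is None:
        return None
    return idp.authenticate(sp, login, password)


def build_example_federation() -> dict:
    """Constructed federation: legal has one AD store, sales has two."""
    legal_ad = make_store({
        "alice": ("correct horse battery staple",
                  {"mail": "alice@example.com", "displayName": "Alice A.",
                   "memberOf": ["CN=Counsel,OU=Legal,DC=example,DC=com"]}),
    })
    sales_ad1 = make_store({
        # this store exposes UPN and cn instead of mail and displayName
        "bob": ("hunter2!", {"userPrincipalName": "bob@example.com", "cn": "Bob B."}),
    })
    sales_ad2 = make_store({
        "carol": ("s3cret-pw", {"mail": "carol@example.com", "displayName": "Carol C.",
                                "memberOf": ["CN=Sales,DC=example,DC=com"]}),
    })
    return {
        "legal": IdP("legal", {"contracts.legal.example.com"}, [legal_ad]),
        "sales": IdP("sales", {"crm.sales.example.com", "quotes.sales.example.com"},
                     [sales_ad1, sales_ad2]),
    }


if __name__ == "__main__":
    fed = build_example_federation()
    print(federated_login(fed, "contracts.legal.example.com", "alice",
                          "correct horse battery staple"))
```

The two points worth noticing are that an IdP answers only for SPs in its own subdomain, and that the SP receives normalized attributes (name, mail, display name, groups) and never the credential or the store it came from.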
Caution Only a well-known CA can issue the digital certificate for your IdP. Otherwise, you cannot use SSL, HTTPS, or LDAPS in Federation mode and, thus, all user credentials are passed in the clear.
Tip We have tested Cisco DMS federation features successfully against OpenAM, PingFederate, and Shibboleth. We recommend that you use an IdP that we have tested with Cisco DMS. We explicitly DO NOT support Novell E-Directory or Kerberos-based custom directories.
If your IdP fails, you can switch your authentication mode to LDAP or Embedded.
L
LDAP
Lightweight Directory Access Protocol. A highly complex data model and communications protocol for user authentication. LDAP provides management and browser applications with access to directories whose data models and access protocols conform to X.500 series (ISO/IEC 9594) standards.
Note Microsoft Active Directory is the only LDAP implementation that we support in this release.
LDAPS
Secure LDAP. The same as ordinary LDAP, but protected under an added layer of SSL encryption.
Note Before you try to configure SSL encryption and before you let anyone log in with SSL, you MUST:
1. Activate SSL on your Active Directory server and then export a copy of the server's digital certificate.
2. Import into DMM the SSL certificate that you exported from Active Directory.
3. Restart Web Services (Tomcat) in AAI.
Caution Is your DMM appliance one half of a failover pair? If so, you will trigger immediate failover when you submit the command in AAI to restart Web Services. This occurs by design, so there is no workaround.
LDIF
LDAP Data Interchange Format. A strict grammar that SPs and IdPs use to classify and designate named elements and levels in Active Directory.
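The LDIF grammar is small enough to parse in a few dozen lines, and doing so shows the two features that most often trip up hand-written tooling: a line beginning with a space continues the previous attribute value, and a double colon marks a base64-encoded value (required for non-ASCII data such as a description in another script). The parser below is an added example written for this glossary, not code from Cisco DMS; the LDIF text is constructed sample data, not an export from any real directory. The `enabled_accounts` helper reads the real Active Directory `userAccountControl` attribute and filters out entries carrying the ACCOUNTDISABLE bit (0x0002), which is the kind of check an SP or IdP consuming directory data should apply before granting a session.

```python
import base64

# Constructed LDIF export of two AD user entries (sample data, not from a real directory).
SAMPLE_LDIF = """\
# constructed sample; "::" marks a base64 value, a leading space folds a long line
dn: CN=Alice A.,OU=Legal,DC=example,DC=com
objectClass: user
cn: Alice A.
sAMAccountName: alice
memberOf: CN=Counsel,OU=Legal,DC=example,DC=com
memberOf: CN=All Staff,DC=example,DC=com
description:: TGVnYWwgdGVhbSAo5rOV5YuZKQ==
mail: alice@exam
 ple.com
userAccountControl: 512

dn: CN=Bob B.,OU=Sales,DC=example,DC=com
objectClass: user
cn: Bob B.
sAMAccountName: bob
userAccountControl: 514
"""

ACCOUNTDISABLE = 0x0002  # bit in Active Directory's userAccountControl attribute


def _unfold(text):
    """Join LDIF continuation lines (a line starting with one space) and drop comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF content records into [{"dn": str, "attrs": {name: [values]}}]."""
    entries, current = [], None
    for line in _unfold(text) + [""]:  # sentinel blank line flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if rest.startswith(":"):
            # "attr:: <base64>" carries binary or non-ASCII data
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):
            raise ValueError("URL-valued attributes are not supported here")
        else:
            value = rest[1:] if rest.startswith(" ") else rest
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is None:
            raise ValueError("attribute before dn: %r" % line)
        else:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def enabled_accounts(entries):
    """Return sAMAccountNames whose userAccountControl lacks the ACCOUNTDISABLE bit."""
    names = []
    for entry in entries:
        uac = int(entry["attrs"].get("userAccountControl", ["0"])[0])
        if not uac & ACCOUNTDISABLE:
            names.extend(entry["attrs"].get("sAMAccountName", []))
    return names


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for entry in parsed:
        print(entry["dn"], entry["attrs"].get("mail"))
    print("enabled:", enabled_accounts(parsed))
```

Attribute names are kept exactly as written; LDAP treats them case-insensitively, so a production parser would normalize them before lookup.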