User Guide for Cisco Digital Media Manager 5.4.x (OL-15762-05), page 8-20
Chapter 8 Authentication and Federated Identity
Concepts
Migration Between Authentication Methods
Understand Migration (from Either LDAP or SSO) to Embedded, page 8-20
Understand Migration (from Embedded) to Either LDAP or SSO, page 8-21

Understand Migration (from Either LDAP or SSO) to Embedded
When you migrate from LDAP (via Active Directory) or federation mode to embedded authentication mode, you must explicitly choose whether to keep local copies of the:
- User accounts that were associated to LDAP filters.
- Groups and policies that were associated to LDAP filters.

SSO Scenario 3: Nothing Known
1. A web browser requests access to a protected resource on an SP. Your federation will not approve or deny this request until it knows more.

2. The SP asks its IdP if the browser is currently authenticated to any valid user account in the CoT.

3. The IdP reports that:
   - The browser is not yet connected to any SP in the CoT.
   - The browser is not yet authenticated to any valid user account.
   We cannot tell if the browser's human operator is a valid and authorized user, a valid but confused user, or an intruder.

4. The SP redirects the browser automatically to an HTTPS login prompt on the IdP, where one of the following occurs.
   - The browser's human operator successfully logs in to a valid user account. The IdP attaches a SAML "token" or "passport" to the browser session, authorizing at least some access. And:
     - The user account has permission to access the protected resource. So, the IdP acts on the SP's behalf and redirects the browser immediately to the protected resource.
     OR
     - The user account DOES NOT have permission to access the protected resource. So, the IdP redirects the browser to the SP, where an HTTP 403 Forbidden message states that the user is not authorized to access the protected resource.
   - The browser's human operator fails to log in. So, lacking any proof that this person is authorized, we block access to every protected resource until the human operator can log in successfully.
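The SSO Scenario 3 flow (steps 1 through 4) as an added, constructed example; this is not Cisco's code and not a real SAML exchange. The IdP keeps login sessions and issues an HMAC-signed "passport" standing in for the SAML token, and the SP sends an unknown browser to the IdP login, then serves the resource or returns 403 Forbidden according to the account's permissions; it also shows a second SP in the same CoT accepting the IdP's existing session, which goes a step beyond this scenario. The user names, resources, shared key and HMAC scheme are all assumptions.

```python
import hashlib
import hmac

# Constructed example (not Cisco code): a minimal model of SSO Scenario 3.
# The IdP "passport" is an HMAC-signed string standing in for a SAML assertion;
# the shared key, users and resource names are hypothetical.
SHARED_KEY = b"constructed-idp-sp-key"

def sign(username):
    return hmac.new(SHARED_KEY, username.encode(), hashlib.sha256).hexdigest()

class IdP:
    def __init__(self, users):
        self.users = users       # username -> (password, set of permitted resources)
        self.sessions = {}       # browser id -> username logged in at the IdP
    def is_authenticated(self, browser):           # steps 2 and 3: is this browser known?
        return browser in self.sessions
    def login(self, browser, username, password):  # step 4: HTTPS login prompt
        stored = self.users.get(username)
        if stored is None or not hmac.compare_digest(stored[0], password):
            return None                            # login failed: no passport issued
        self.sessions[browser] = username
        return self.passport(browser)
    def passport(self, browser):                   # token attached to the browser session
        username = self.sessions[browser]
        return f"{username}.{sign(username)}"
    def may_access(self, username, resource):
        return resource in self.users[username][1]

class SP:
    def __init__(self, idp):
        self.idp = idp
        self.passports = {}      # browser id -> passport received from the IdP
    def request(self, browser, resource):          # step 1: browser asks for a resource
        if browser not in self.passports:
            if not self.idp.is_authenticated(browser):
                return "302 redirect to IdP login"   # nothing known: send to the IdP
            self.passports[browser] = self.idp.passport(browser)
        username, _, sig = self.passports[browser].rpartition(".")
        if not hmac.compare_digest(sig, sign(username)):
            return "403 Forbidden"                 # passport does not verify
        if self.idp.may_access(username, resource):
            return f"200 {resource}"               # browser sent on to the resource
        return "403 Forbidden"                     # valid account, no permission
    def login_then_retry(self, browser, resource, username, password):
        if self.idp.login(browser, username, password) is None:
            return "blocked: login failed"         # every protected resource stays blocked
        return self.request(browser, resource)
```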