User Guide for Cisco Digital Media Manager 5.2.x
OL-15762-03
Chapter 6 Authentication and Federated Identity
Concepts
directory service
entity
Any single, named unit at any level within a nested hierarchy of named units, relative to a network. An
entity’s essence depends upon its context. This context, in turn, depends upon interactions between at
least two service providers—one apiece for the naming service and the directory service—in your
network. Theoretically, an entity might represent any tangible thing or logical construct.
By “tangible thing,” we mean something that a person could touch, which occupies real space in
the physical world. For example, this entity type might represent one distinct human being, device,
or building.
By “logical construct,” we mean a useful abstraction whose existence is assumed or agreed upon
but is not literally physical. For example, this entity type might represent one distinct language,
subnet, protocol, time zone, or ACL.
An entity’s purpose is broad and flexible within the hierarchical context that defines it.
DN
distinguished name. A sequence of attribute-value pairs that lets a directory service (or, for X.509 certificates,
a CA) distinguish one directory service entity uniquely during authentication. The identity arises from a text string
of comma-delimited attribute-value pairs, each of which conveys one detail about the entity or its context; the whole
comma-delimited string is the DN. For a user in Active Directory it consists of the entity’s own CN, followed by at
least one OU, and concludes with at least one DC. For example:
CN=username,OU=California,OU=west,OU=sales,DC=Americas,DC=example,DC=com
Note An LDAP expression must never include a space immediately on either side of an “=” sign, and it must never
include a space immediately on either side of an “objectClass” attribute. Otherwise, validation fails.
Thus, each DN represents more than one isolated element: it also locates that element within the Active Directory
user base on which your IdP depends.
Note A DN can change over the lifespan of its entity. For example, when you move entries in a tree, you might introduce
new OU attributes or retire old ones that are elements of the DN. However, you can give any entity a reliable,
unambiguous identity that persists across such changes to its context: key on a universally unique identifier (UUID)
among the entity’s operational attributes (objectGUID in Active Directory, entryUUID on other LDAP servers) rather than
on the DN itself.
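Added example, not code from the Cisco guide: a small Python parser that splits a DN into its attribute-value pairs while honoring RFC 4514 backslash escapes, rejects the spaces around “=” that the Note above says fail validation, checks the CN / OU+ / DC+ shape described for a user DN, and then shows why the preceding Note keys identity on a UUID: a provisioning store keyed on the entity’s UUID still finds the user after an OU move, whereas one keyed on the DN does not. The UUID value, the role name and the moved DN are constructed sample data; the function names are this example’s own.

```python
"""Parse and validate Active Directory-style distinguished names (DNs)."""
from dataclasses import dataclass
import uuid

# Constructed sample UUID; a real directory assigns its own (objectGUID / entryUUID).
_SAMPLE_UUID = uuid.UUID("0f5a6c4e-2b1d-4c3a-9e8f-1234567890ab")


def _split_unescaped(text: str, sep: str) -> list[str]:
    """Split on `sep`, skipping occurrences escaped with a backslash (RFC 4514)."""
    parts: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep the escape pair verbatim
            buf.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Return the DN as (attribute type, raw value) pairs, most specific first.

    Raises ValueError for an RDN without '=', an empty type or value, or a
    space immediately on either side of '=' (the guide's validation rule).
    Values keep their backslash escapes; no unescaping is attempted here.
    """
    pairs: list[tuple[str, str]] = []
    for rdn in _split_unescaped(dn, ","):
        attr_type, eq, value = rdn.partition("=")
        if not eq:
            raise ValueError(f"RDN has no '=': {rdn!r}")
        if attr_type.endswith(" ") or value.startswith(" "):
            raise ValueError(f"space next to '=' in {rdn!r}")
        attr_type = attr_type.lstrip()   # tolerate "CN=a, OU=b" (space after the comma)
        if not attr_type or not value:
            raise ValueError(f"empty attribute type or value in {rdn!r}")
        pairs.append((attr_type, value))
    return pairs


def has_user_dn_shape(pairs: list[tuple[str, str]]) -> bool:
    """True when the DN is CN, then one or more OU, then one or more DC, in that
    order and nothing else: the shape the guide describes for a user DN."""
    types = [t.upper() for t, _ in pairs]
    if len(types) < 3 or types[0] != "CN":
        return False
    rest = types[1:]
    n_ou = 0
    while n_ou < len(rest) and rest[n_ou] == "OU":
        n_ou += 1
    dcs = rest[n_ou:]
    return n_ou >= 1 and len(dcs) >= 1 and all(t == "DC" for t in dcs)


@dataclass(frozen=True)
class DirectoryEntry:
    """A directory entity: its current DN plus a stable operational attribute
    (objectGUID in Active Directory, entryUUID per RFC 4530 elsewhere)."""
    object_uuid: uuid.UUID
    dn: str


def identity_key(entry: DirectoryEntry) -> str:
    """Key that survives a move in the tree; keying on the DN breaks every
    mapping as soon as an OU is renamed or the entry is moved."""
    return str(entry.object_uuid)


def demo_move_survives() -> dict[str, bool]:
    """Constructed sample: the guide's user is moved from OU=California to OU=Oregon."""
    before = DirectoryEntry(
        _SAMPLE_UUID,
        "CN=username,OU=California,OU=west,OU=sales,DC=Americas,DC=example,DC=com")
    after = DirectoryEntry(
        _SAMPLE_UUID,
        "CN=username,OU=Oregon,OU=west,OU=sales,DC=Americas,DC=example,DC=com")
    roles_by_uuid = {identity_key(before): "sales-editor"}   # store keyed on UUID
    roles_by_dn = {before.dn: "sales-editor"}                # same store keyed on DN (fragile)
    return {
        "dn_changed": before.dn != after.dn,
        "both_dns_valid": has_user_dn_shape(parse_dn(before.dn))
        and has_user_dn_shape(parse_dn(after.dn)),
        "found_by_uuid": identity_key(after) in roles_by_uuid,
        "found_by_dn": after.dn in roles_by_dn,
    }


if __name__ == "__main__":
    print(demo_move_survives())
```

The shape check is deliberately strict about order, so a DN with an OU after the DC components, or with no OU at all, is reported as not matching the user layout the guide describes; relax it if your directory uses a different layout.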
F
federation
NEW IN CISCO DMS 5.2.3—
The whole collection of servers that share one IdP in common for authentication and thereby make SSO possible
within a network. This pooling of user bases gives each valid user a single “federated identity” that spans all of
your SPs.