Cisco Digital Media Manager 5.2.x User Manual

User Guide for Cisco Digital Media Manager 5.2.x
Part 1 – Cisco Digital Media Suite Administration
Part 2 – Control DMPs and Presentation Systems
Part 3 – Communicate Anything with Cisco Digital Signs
Part 4 – Deliver IPTV Programming with Cisco Cast
Revised: May 31, 2011
Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
Fax: 408 527-0883
Text Part Number: OL-15762-03
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2002-2011 Cisco Systems, Inc. All rights reserved.
Contents

Part 1 – Cisco Digital Media Suite Administration

Chapter 1  Welcome [to DMS-Admin]  1-1
  Concepts  1-1
    Glossary  1-2
  Procedures  1-2
    Learn Your DMM Appliance Serial Number  1-2
    Start DMS-Admin  1-3
    Set a User Session Timeout for Components of Cisco DMS  1-5
  Reference  1-6
    FAQs and Troubleshooting  1-6
      FAQs  1-6

Chapter 2  DMS-Admin Dashboard  2-1
  Concepts  2-1
    Dashboard Overview  2-1
      Understand the Alerts Gauge  2-2
      Understand the System Information Gauge  2-3
      Understand the Status Gauge  2-3
      Understand the Licensed Features Gauge  2-4
      Understand the Users Logged In Gauge  2-4
  Procedures  2-4
    View Dashboard Gauges  2-4

Chapter 3  Licenses  3-1
  Concepts  3-1
    Understand Licenses  3-2
  Procedures  3-2
    Obtain License Keys  3-2
    Install License Keys  3-3
    View Installed Licenses  3-4
    Check the Dashboard Gauge for Licenses  3-4
  Reference  3-4
    Base Licenses for Cisco DMS Appliances and Endpoints  3-5
    Optional Module Licenses  3-6

Chapter 4  Server Operations  4-1
  Procedures  4-1
    Check Processes Remotely  4-1
    Restart Appliances Remotely  4-2
  Reference  4-3
    Server Processes  4-3

Chapter 5  Cisco Hinter for RTSP  5-1
  Concepts  5-1
    Overview  5-1
    Workflow  5-2
    Restrictions  5-3
  Procedures  5-3
    Download Cisco Hinter  5-4
    Windows  5-4
      Install Cisco Hinter on Windows  5-4
      Run Cisco Hinter on Windows  5-5
    Linux  5-5
      Install Cisco Hinter on Linux  5-5
      Run Cisco Hinter on Linux  5-5
  Reference  5-6
    FAQs and Troubleshooting  5-6
      Troubleshoot RTP Over RTSP  5-6

Chapter 6  Authentication and Federated Identity  6-1
  Concepts  6-1
    Overview  6-2
    Glossary  6-2
    Understand the Requirement to Authenticate Users  6-9
    Decide Which Authentication Method to Use  6-10
    LDAP and Active Directory Concepts  6-10
      LDAP is Highly Complex  6-11
      Plan Ahead  6-11
      Restrictions  6-11
      Synchronization Concepts  6-11
      LDAP Concepts  6-14
      Password Concepts  6-16
      Understand Authentication Property Sheets for LDAP  6-16
    Federated Identity and Single Sign-on (SSO) Concepts  6-17
      IdP Requirements  6-17
      Configuration Workflow to Activate Federation (SSO) Mode  6-17
      Authentication Scenarios for User Sessions in Federation (SSO) Mode  6-18
    Migration Between Authentication Methods  6-20
      Understand Migration (from Either LDAP or SSO) to Embedded  6-20
      Understand Migration (from Embedded) to Either LDAP or SSO  6-21
  Procedures  6-21
    Export the Root CA X.509 Certificate from Your Active Directory Server  6-22
    Configure DMM to Trust the Active Directory Root CA  6-22
    Choose an Authentication Method  6-23
    Configure LDAP Settings  6-23
      Define LDAP Filters  6-23
      Define LDAP Bookmarks  6-24
      Define the LDAP Synchronization Schedule  6-25
      Manage LDAP Attributes  6-26
      Configure the Settings for Automatic LDAP Synchronization  6-27
      Derive LDAP Group Membership Dynamically from a Query  6-28
    Configure Federation Services for SSO  6-29
      Export an SP Configuration File from DMM  6-29
      Import an IdP Configuration File into DMM  6-29
      Bypass External Authentication During Superuser Login  6-30
  Reference  6-31
    Software UI and Field Reference Tables  6-31
      Elements to Choose and Enable the Authentication Mode  6-31
      Elements to Define, Validate, and Add LDAP Filters  6-34
      Elements to Use LDAP Bookmarks for Synchronization  6-35
      Elements to Schedule Synchronization  6-36
      Elements to Manage Attributes  6-37
    Sample SP Configuration File from DMM  6-38
    Sample IdP Configuration Files  6-39
      Exported IdP Configuration Sample from OpenAM  6-39
      Exported IdP Configuration Sample from Shibboleth  6-40
    FAQs and Troubleshooting  6-42
      FAQs  6-42

Chapter 7  Users and Groups  7-1
  Concepts  7-1
    Understand User Accounts  7-1
    Understand User Roles  7-2
  Procedures  7-2
    Create User Groups  7-3
    Delete User Groups  7-4
    Create User Accounts  7-4
    Assign Users to Groups  7-6
    Edit User Accounts  7-6
    Delete User Accounts  7-8
    Assign User Access Rights and Permissions  7-8
  Reference  7-9
    Software UI and Field Reference Tables  7-9
      Elements to Configure User Account Settings  7-9
    FAQs and Troubleshooting  7-10
      FAQs  7-10

Chapter 8  Events and Notifications  8-1
  Concepts  8-1
    Overview  8-2
    Restrictions  8-2
    Understand SNMP Concepts  8-3
    Understand MIB and NMS Concepts  8-3
    Understand IP Address Conflict Events  8-3
    Understand Supported Event Types  8-4
      Global Event Categories  8-4
      DMP Event Categories  8-4
      Show and Share Event Categories  8-4
      Failover Cluster Event Categories  8-5
      WAAS Event Categories  8-5
    Understand Notification Methods  8-5
    Workflow  8-5
  Procedures  8-5
    Enable or Disable Email  8-6
    Configure SNMP Server Settings for Your DMM Appliance  8-6
    Populate the MIB Browser in Your NMS  8-7
    Configure Alert Reports and Notification Settings  8-7
      Define Alert Report Parameters  8-7
      Define Notification Rules  8-8
  Reference  8-9
    FAQs and Troubleshooting  8-9
      FAQs  8-9

Part 2 – Control DMPs and Presentation Systems

Chapter 9  Welcome [to Centralized DMP Management]  9-1
  Concepts  9-1
    Overview  9-1
  Procedures  9-2
    Start Digital Signs  9-2

Chapter 10  DMP Dashboard  10-1
  Concepts  10-2
    Overview  10-2
    Understand the Media and Schedules Gauge  10-2
      Understand the Left Side of the Media and Schedules Gauge  10-3
    Understand the Digital Media Players Gauge  10-3
    Understand the Cast Gauge  10-4
    Understand the Settings Gauge  10-5
  Procedures  10-5
    View Dashboard Gauges for DMPs  10-5
    Use the Left Side of the Media and Schedules Gauge  10-6
    Use the Right Side of the Media and Schedules Gauge  10-7
    Use the Digital Media Players Gauge  10-8
    Use the Cast Gauge  10-8
    Use the Settings Gauge  10-8
  Reference  10-9
    Software UI and Field Reference Tables  10-9
      Elements on the Right Side of the Media and Schedules Gauge  10-9

Chapter 11  Register DMPs  11-1
  Concepts  11-2
    Overview  11-2
    Glossary  11-2
    Partial Support for Cisco Medianet 2.1 Features  11-6
      Understand Medianet Autoconfiguration for DMPs  11-7
      Information That Medianet and DMPs Exchange  11-7
      Medianet Activation Workflow for a DMP 4310G or 4400G  11-8
    Restrictions  11-9
    Guidelines  11-10
      Limit Your Use of Manual Registration  11-10
      General Best Practices for Non-Medianet Autoregistration  11-10
      Best Practices to Schedule Non-Medianet Autoregistration Events  11-10
    Understand the Sequence of Operations for Non-Medianet Autoregistration  11-11
  Procedures  11-12
    Use DMPDM to Prepare a DMP for Manual Registration  11-12
    Use a System Task to Normalize DMP Passwords  11-13
    Establish Trust Between Digital Signs and your Centrally Managed DMPs  11-14
    Add or Edit Address Ranges for Non-Medianet Autoregistration  11-15
    Delete Address Ranges for Non-Medianet Autoregistration  11-16
    Add or Edit One DMP Manually  11-17
    Delete DMPs Manually from Your Device Inventory  11-17
  Reference  11-18
    Software UI and Field Reference Tables  11-18
      Elements to Autoregister DMPs  11-19
      Elements to Add or Edit One DMP Manually  11-19
      Elements to Delete One DMP Manually  11-20
      Elements to Configure Non-Medianet Autoregistration  11-20
    Prevent DHCP Address Assignments to the Wrong VLAN  11-21
    FAQs and Troubleshooting  11-25
      FAQs  11-25

Chapter 12  Organize DMPs in Groups  12-1
  Concepts  12-1
    Overview  12-1
    Understand the Effect of Nesting One DMP Group Inside Another  12-2
  Procedures  12-3
    Add and Edit DMP Groups  12-3
    Delete DMP Groups  12-4
    Add DMPs Manually to DMP Groups  12-4
    Remove DMPs Manually from DMP Groups  12-5
    Filter the DMP List Table  12-5
  Reference  12-6
    Software UI and Field Reference Tables  12-6
      Top-Level Elements to Manage DMPs and DMP Groups  12-6
      Elements to Add or Edit DMP Groups  12-7
      Elements to Delete DMP Groups  12-8
      Elements to Add DMPs Manually to a DMP Group  12-8
      Elements to Remove a DMP from a DMP Group  12-8
    FAQs and Troubleshooting  12-9
      FAQs  12-9

Chapter 13  Configure DMP Wi-Fi Settings  13-1
  Concepts  13-1
    Glossary  13-1
    ASCII Passphrases and Hexadecimal Keys for WEP  13-4
    Workflow  13-4
    Restrictions  13-5
  Procedures  13-5
    Establish a Wired Network Connection  13-5
    Establish a Wireless Network Connection (802.11)  13-6
  Reference  13-8
    DMP Network Interfaces  13-8
    FAQs and Troubleshooting  13-8
      FAQs  13-8

Chapter 14  Touchscreens, Projectors, and Displays  14-1
  Concepts  14-1
    Overview  14-2
    Presentation System Concepts  14-3
      Understand Which Displays Work Best with DMPs  14-3
      Understand How to Choose Media Signal Cables  14-3
      Understand and Prevent Image Retention (Burn-in)  14-6
  Procedures  14-7
    Connect to a Digital Display or Projector  14-7
    Connect to a Touchscreen  14-8
    Connect to an Analog Display or Projector  14-10
    Prepare Equipment  14-11
      Activate RS-232 Syntax Support for a 32-Inch Cisco LCD on a DMP 4400G  14-11
      Activate RS-232 Syntax Support for a 40- or 52-inch Cisco LCD  14-11
      Activate RS-232 Syntax Support for a 42- or 47-inch Cisco LCD  14-12
      Activate RS-232 Syntax Support for DMTech Equipment  14-13
      Activate RS-232 Syntax Support for NEC Presentation Systems  14-13
      Prepare a 40- or 52-inch Cisco LCD to Support Centralized Management through DVI  14-13
      Activate or Deactivate HDMI Autodetection  14-14
      Activate or Deactivate Resolution Autodetection  14-15
    Configure and Manage Equipment  14-15
      Define DMP Output Settings for Video and Audio  14-15
      Edit DMP Output Settings for Video and Audio  14-16
      Delete DMP Output Settings for Video and Audio  14-17
      Use Simple Menus to Control Equipment That We Support Explicitly  14-18
      Use RS232 Syntax to Control Equipment  14-20
  Reference  14-22
    Video and Audio Signal Interfaces  14-23
    Supported Touchscreen Drivers  14-24
    Software UI and Field Reference Tables  14-24
      Elements to Choose Configuration Settings from Menus  14-24
      Elements to Configure DMP Audio/Video Settings  14-27
      Elements to Control HDMI Display Autodetection  14-27
      Elements to Control Screen Resolution Autodetection  14-28
      Elements to Activate RS-232 for Supported LCD Display Brands (except DMTech)  14-28
      Elements to Activate RS-232 for LCD Displays by DMTech  14-28
    RS-232 Command Reference for Cisco LCD Displays  14-29
    FAQs and Troubleshooting  14-31
      FAQs  14-31
      Troubleshoot Cisco Professional Series LCD Displays  14-32

Chapter 15  DMP Remote Control and Its Emulation  15-1
  Concepts  15-1
    Overview  15-1
    Workflow to Provision Emulator Service for IP Phones  15-2
  Procedures  15-3
    Activate Services  15-3
    Start Services  15-4
    Configure URL Parameters  15-4
    Enable IP Phone Autoregistration  15-5
    Define IP Phone Service Attributes  15-5
    Expose the Service to IP Phones  15-6
    Configure Emulator Settings in Cast  15-7
    Configure an IP Phone to Emulate the Remote Control  15-8
    Start the Emulator on an IP Phone  15-9
    Start the Emulator on a Mobile Phone  15-10
    Use the Emulator on an IP Phone or a Mobile Phone  15-10

Chapter 16  DMP User Permissions  16-1
  Concepts  16-1
    Overview  16-1
    Scenarios That Illustrate Specialized User Permissions  16-2
      Scenario 1: Permission to Manage Content but Not Schedules  16-2
      Scenario 2: Permission to Manage One DMP Group but No Content  16-3
      Scenario 3: Permission to Manage One DMP Group, Assets, and Schedules  16-5
      Scenario 4: Permission to Manage Only the Schedule for One DMP Group  16-7
  Procedures  16-8
    Configure User Rights and Permissions  16-8
  Reference  16-9
    Software UI and Field Reference Tables  16-9
      Elements to Configure User Rights and Permissions for DMPs  16-9

Chapter 17  Media Assets and Embedded Software  17-1
  Concepts  17-1
    Overview  17-1
    Restrictions  17-2
      User Permission Restrictions  17-2
      Media Restrictions  17-2
      File Size Restrictions  17-3
      Local Storage Restrictions  17-3
  Procedures  17-4
    Work with Assets and Categories in Your Media Library  17-4
    Add One Asset at a Time to Your Media Library  17-4
    Add Multiple Assets Simultaneously to Your Media Library  17-6
  Reference  17-7
    Software UI and Field Reference Tables  17-7
      Elements to Manage Assets and Categories  17-7
      Elements to Add Categories and Rename Them  17-9
      Elements to Add Assets and Edit Their Attributes  17-10
      Elements To Describe and Preview One Asset  17-11

Chapter 18  Schedule Media to Play and Commands to Run  18-1
  Concepts  18-1
    Overview  18-1
    Understand Future Deployments for Presentations  18-2
    Understand Time Zones in the Schedule  18-2
    Understand Tooltips in the Schedule Timeline  18-3
    Understand Inline Status Messages for Deployed Events in the Schedule  18-3
    Guidelines  18-3
      Best Practices to Prevent Unscheduled DMP Restarts  18-3
      Best Practices to Manage and Maintain the Schedule  18-3
      Best Practices to Stop Playback of a Scheduled Job  18-4
    Restrictions  18-4
      External Server Restrictions  18-4
      Content Delivery Network Restrictions  18-5
    Scenarios  18-5
      Methods to Pre-empt Only One Instance of a Recurring Event  18-5
  Procedures  18-7
    Use ‘Play Now’ to Transmit Assets or Commands Immediately  18-7
    Use the ‘Run Task’ Feature to Transmit Assets or Commands Immediately  18-8
    Schedule the Time Slot for a Future Event  18-8
  Reference  18-10
    Software UI and Field Reference Tables  18-10
      Elements of a Tooltip in the Schedule Timeline  18-10
      Elements to Describe the Status of Deployed Events  18-11
    FAQs and Troubleshooting  18-12
      FAQs  18-12

Chapter 19  Content Distribution and Delivery  19-1
  Concepts  19-1
    Overview  19-1
    Understand DMP Support for the CIFS Protocol  19-2
    Choose a Content Delivery System to Use with DMPs  19-2
    DMS-CD Concepts  19-3
      DMS-CD Overview  19-4
      Retry Timeout  19-4
      Concurrent Deployments  19-4
      DMS-CD Performance Factors  19-4
      Understand Shared Scheduling Features for Deployments  19-6
      Understand DMS-CD Alert Reports  19-6
    Guidelines  19-7
      DMS-CD Guidelines  19-7
    Restrictions  19-11
      DMS-CD Restrictions  19-11
      CIFS Restrictions  19-12
      ACNS Restrictions  19-12
      ECDS Restrictions  19-12
    Example Scenario  19-13
      Organizational Logic at Acme  19-13
      Deployment Scheduling Logic at Acme  19-14
  Procedures  19-15
    Configure ACNS or WAAS  19-15
    Configure DMS-CD  19-16
      Configure Deployment Threshold Preferences  19-17
      Check Disk Space Capacity for Deployments  19-17
      Create a Deployment Package  19-18
      Edit a Deployment Package  19-19
      Delete a Deployment Package  19-20
  Reference  19-21
    Software UI and Field Label Reference Tables  19-21
      Elements to Define Deployment Thresholds  19-21
      Elements to Define a DMS-CD Deployment Package  19-24
      Elements to Define WAAS, ACNS, or ECDS Settings  19-25
    FAQs and Troubleshooting  19-27
      Troubleshoot DMS-CD  19-27
      FAQs for ACNS  19-30
      FAQs for WAAS  19-30
      Troubleshoot ACNS  19-30

Part 3 – Communicate Anything with Cisco Digital Signs

Chapter 20  Playlists  20-1
  Concepts  20-1
    Guidelines  20-1
      Best Practices to Optimize DMP Settings for Playlists  20-1
    Restrictions  20-2
  Procedures  20-2
    Create and Organize Playlists  20-2
    Change the Sequence of Playback  20-3
  Reference  20-3
    Software UI and Field Reference Tables  20-3
      Elements to Define a Playlist  20-3

Chapter 21  Proof of Play  21-1
  Concepts  21-1
    Overview  21-1
    Restrictions  21-2
    Glossary  21-2
    Insertions  21-2
    Workflow  21-3
  Procedures  21-3
    Prepare DMPs to Support Proof of Play  21-3
      Enable Syslog and NTP  21-4
    Enable Proof of Play Features in DMM  21-5
    Create Requestors  21-6
    Create Insertions  21-6
    Run a Report  21-7
    Export a Report  21-8
    View Previous Reports  21-9
    Use the Proof of Play Dashboard  21-9
    Use Deployment Reports  21-10
  Reference  21-10
    FAQs and Troubleshooting  21-10
      FAQs  21-10
      Troubleshooting  21-11

Chapter 22  Plan for and Manage Emergencies  22-1
  Concepts  22-1
    Overview  22-1
  Procedures  22-2
    Create Deployment Packages for Emergencies  22-2
    Provision Emergency Assets Immediately to DMP Local Storage  22-3
      Use the ‘Run Task’ Feature to Provision Emergency Assets Immediately  22-3
      Use the ‘Play Now’ Feature to Provision Emergency Assets Immediately  22-5
    Schedule the Future Staging of Emergency Assets  22-6
    Start Playback of an Emergency Message  22-7
    Stop Playback of an Emergency Message  22-8

Part 4 – Deliver IPTV Programming with Cisco Cast

Chapter 23  Welcome [to Cisco Cast]  23-1
  Concepts  23-1
    Overview  23-1
    Restrictions  23-2
      Feature License Restrictions  23-2
      Centralized Administration  23-2
      On-Premises Operation  23-2
    Workflow  23-2
  Procedures  23-3
    Start Cisco Cast  23-3

Chapter 24  Redistribute Live TV  24-1
  Concepts  24-1
    Guidelines  24-2
      Site Assessment for Live Video Programming  24-2
    Restrictions  24-2
      Channel Count Restrictions  24-2
      Codec Restrictions  24-2
  Procedures  24-2
    Add Channels  24-3
    Edit Channels  24-3
    Reassign Channel Numbers  24-4
    Delete Channels  24-5
    List Only the Defined (Active) or Undefined (Inactive) TV Channels  24-5
  Reference  24-6
    Software UI and Field Reference Tables  24-6
      Elements to Manage TV Channels  24-6
      Elements to Define Channel Settings  24-8

Chapter 25  Video on Demand  25-1
  Concepts  25-1
    Overview  25-1
    Guidelines  25-2
      Site Assessment for VoD Programming  25-2
    Restrictions  25-2
      Channel Count Restrictions  25-2
    Workflow to Stage VoD Assets to DMP Local Storage  25-2
  Procedures  25-3
    Add a New VoD Category  25-3
    Add a New VoD Subcategory  25-3
    Edit a VoD Category  25-4
    Delete a VoD Category  25-4
    Map a Video to a VoD Category  25-5
    Organize Videos in VoD Categories  25-6
    Remove a Video from a Category  25-6
    Stage an EPG to DMP Local Storage  25-6
  Reference  25-7
    Software UI and Field Reference Tables  25-7
      Elements to Manage VoD Categories  25-7

Chapter 26  Electronic Program Guide  26-1
  Concepts  26-1
    Overview  26-1
    Guidelines  26-2
    Understand EPG Data Formats  26-2
      XMLTV  26-2
      Tribune Media Services  26-2
    Understand Methods to Describe EPG Channels  26-3
  Procedures  26-5
    Add or Edit Subscriptions to Data from an EPG Provider  26-5
    Delete Settings That Define a Subscription  26-6
    Synchronize EPG Channel Schedules and Program Descriptions  26-6
  Reference  26-7
    Software UI and Field Reference Tables  26-7
      Elements to Define EPG Provider Settings  26-7
    FAQs and Troubleshooting  26-8
      Troubleshoot EPG Highlighting  26-8

Chapter 27  Look and Feel  27-1
  Concepts  27-1
    Overview  27-1
  Procedures  27-2
    Choose the Color Scheme for Your Menu System  27-2
    Specify Which Features Your Menu System Should Include  27-2
    Show a Custom Logo in Your Menu System  27-3
    Show the Cisco Logo in Your Menu System  27-4
    Choose the Date and Time Formats for Your Menu System  27-4
    Deploy Menu System Customizations to Your DMPs  27-5
Part 1 – Cisco Digital Media Suite Administration

Chapter 1  Welcome [to DMS-Admin]

Revised: May 21, 2011  OL-15762-03

Concepts, page 1-1
Procedures, page 1-2
Reference, page 1-6

Audience
We prepared this material with specific expectations of you.
  • You will administer Cisco DMS.
Note This material pertains to multiple releases of Cisco DMS: 5.2.0, 5.2.1, 5.2.2, and 5.2.3.

Concepts

Glossary, page 1-2

Glossary

AAI
Appliance Administration Interface. Text-based, menu-driven user interface and command shell on all Cisco DMS appliances. Administrators use AAI to set up, connect, and maintain an appliance.

DMS-Admin
Digital Media Suite Administration. Web-based graphical user interface on a DMM appliance. Administrators use DMS-Admin to:
  • Activate and monitor features throughout the full range of Cisco DMS products.
  • Exchange information with network entities outside Cisco DMS.
  • Centrally manage user accounts for Cisco DMS products.

Procedures

Learn Your DMM Appliance Serial Number, page 1-2
Start DMS-Admin, page 1-3
Set a User Session Timeout for Components of Cisco DMS, page 1-5
Learn Your DMM Appliance Serial Number
Caution You cannot obtain any Cisco DMS software feature licenses until you know your DMM appliance serial number.
Procedure
Step 1 Use SSH (or a keyboard connected to your DMM appliance) to log in to the admin account in AAI.
Note You alone know the password for this account.
In the top-level menu for AAI, the SHOW_INFO option is highlighted by default.
Step 2 Press Enter to load the Show Info screen.
Step 3 Write down the appliance serial number that AAI shows to you.
Step 4 Stop. You have completed this procedure.
Start DMS-Admin
Procedure
Step 1 Point your browser at your DMM appliance. Either:
  • Use HTTPS and specify port 8443, or
  • Use HTTP and specify port 8080, which redirects immediately to the secured HTTPS connection.
Be sure to use the fully qualified appliance DNS name and not merely its IP address. For example, https://dmm.example.com:8443.
Step 2 When the login page loads, sign in to your account.
Note The appearance of the login screen can differ from this illustration. Its actual appearance depends on which Cisco DMS software release you use and which user authentication method (embedded, LDAP, or federation) Cisco DMS uses in your network.
Step 3 Click Log In.
Step 4 Choose Administration from the global navigation or click Administration on the landing page.
What happens next depends on what happened before.
  • Is your appliance factory-new or recently restored? No licenses are installed, so we take you first to the page where you can install a license key.
  • Have you activated even one licensed feature? At least one license is installed, so we take you first to the DMS-Admin Dashboard, whose gauges can inform you at a glance.
Step 5 Stop. You have completed this procedure.
Related Topics
Chapter 2, “DMS-Admin Dashboard”
Chapter 3, “Licenses”
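The following Python is an added illustration for Step 1 of this procedure; it is not part of this guide and not Cisco code. It builds the DMS-Admin URL from a fully qualified name and refuses a bare IP address, and it checks a response captured from the port 8080 listener to confirm that the redirect really lands on HTTPS port 8443 of the same host rather than on plain HTTP or on another host. The two sample responses are constructed inline; the host name dmm.example.com is the guide's own example.

```python
import ipaddress
from urllib.parse import urlsplit

HTTPS_PORT = 8443   # secured DMS-Admin listener, as stated in the guide
HTTP_PORT = 8080    # plain-HTTP listener that the guide says redirects to HTTPS


def is_ip_literal(host: str) -> bool:
    """True when host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def dms_admin_url(host: str) -> str:
    """Build the HTTPS URL for DMS-Admin, insisting on a fully qualified name.

    The guide tells you to use the appliance FQDN and not merely its IP
    address; an IP literal is rejected here so that a script cannot silently
    fall back to one.
    """
    host = host.strip().lower().rstrip(".")
    if is_ip_literal(host):
        raise ValueError(f"use the appliance FQDN, not the IP address: {host}")
    if "." not in host:
        raise ValueError(f"not a fully qualified name: {host}")
    return f"https://{host}:{HTTPS_PORT}/"


def parse_status_and_location(raw: bytes):
    """Extract the status code and Location header from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def redirect_lands_on_https(raw: bytes, host: str) -> bool:
    """True only when the port-8080 response redirects to https://host:8443.

    Anything else fails: no redirect at all, a redirect that stays on plain
    HTTP, or one that points at a different host. A login form served over
    HTTP would carry the administrator's credentials in clear text.
    """
    status, location = parse_status_and_location(raw)
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    target = urlsplit(location)
    return (
        target.scheme == "https"
        and (target.hostname or "").lower() == host.lower()
        and (target.port or 443) == HTTPS_PORT
    )


# Constructed sample responses from the port-8080 listener (not captured from a real appliance).
GOOD_8080_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://dmm.example.com:8443/\r\n"
    b"Content-Length: 0\r\n\r\n"
)
BAD_8080_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html>login form served over plain HTTP</html>"
)

if __name__ == "__main__":
    print(dms_admin_url("dmm.example.com"))
    print(redirect_lands_on_https(GOOD_8080_RESPONSE, "dmm.example.com"))
    print(redirect_lands_on_https(BAD_8080_RESPONSE, "dmm.example.com"))
```

To run the check against a live appliance, capture the raw response of a GET to http://dmm.example.com:8080/ and pass the bytes to redirect_lands_on_https together with the FQDN you typed.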
Set a User Session Timeout for Components of Cisco DMS
We log inactive users out of their sessions automatically after an interval, which you set, has elapsed. This interval applies to all users without exception.
Procedure
Step 1 Choose Administration > Security > Session.
Step 2 Use the Session Timeout (in minutes) field to enter or edit a session timeout value.
Step 3 Click Update.
Step 4 Stop. You have completed this procedure.
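This guide sets one idle interval that applies to every user. The following Python is an added model of that rule (not Cisco's implementation and not from this guide): each session records its last activity, a request that arrives after the interval has elapsed is rejected and the session is discarded so that the same token cannot be revived, and no account, the administrator's included, is exempt. The timeout value and the timestamps in the usage are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    last_activity: float  # seconds since the epoch, UTC


class SessionStore:
    """Idle-timeout enforcement modelled on the DMS-Admin session setting.

    timeout_minutes applies to every session without exception, which is the
    behaviour the guide describes; there is deliberately no per-user override.
    """

    def __init__(self, timeout_minutes: int):
        if timeout_minutes <= 0:
            raise ValueError("timeout must be a positive number of minutes")
        self.timeout_seconds = timeout_minutes * 60
        self._sessions = {}

    def login(self, token: str, user: str, now: float) -> None:
        """Register a freshly authenticated session under an opaque token."""
        self._sessions[token] = Session(user, now)

    def touch(self, token: str, now: float) -> bool:
        """Validate one request.

        Returns True and slides the idle clock when the session is live.
        Returns False, and forgets the session, when it has idled out or
        never existed; a later request with the same token fails as well.
        """
        s = self._sessions.get(token)
        if s is None:
            return False
        if now - s.last_activity > self.timeout_seconds:
            del self._sessions[token]
            return False
        s.last_activity = now
        return True

    def active_users(self) -> set:
        """Users who still hold a live session (not yet expired)."""
        return {s.user for s in self._sessions.values()}


if __name__ == "__main__":
    # Constructed usage: a 30-minute timeout, two users, timestamps in seconds.
    store = SessionStore(30)
    store.login("t1", "admin", now=0.0)
    store.login("t2", "viewer", now=0.0)
    print(store.touch("t1", now=1500.0))   # 25 min idle: still live
    print(store.touch("t2", now=1801.0))   # over 30 min idle: logged out
    print(store.active_users())
```

Note that the clock slides on every accepted request, so a user who keeps working never times out, while an unattended browser is logged out exactly one interval after its last request.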
Reference
FAQs and Troubleshooting, page 1-6
FAQs and Troubleshooting
FAQs, page 1-6
FAQs
Q.
What might prevent me from logging in?
A.
Check the following, and then try again to log in.
Is your username wrong or mistyped?
Is your password wrong, mistyped, or expired?
Is your user account suspended?
Is your user account locked after too many failed login attempts?
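As an added illustration of the four causes this FAQ lists (not code from this guide or from Cisco DMS, whose embedded authentication is not described here), the following Python shows a login check that evaluates each cause in an order that gives a locked or suspended account no further password attempts, records the precise cause in an audit log for the administrator, and returns the same message to the client for every failure so that a username cannot be confirmed by probing. The lockout threshold, the PBKDF2 round count and the three accounts are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5   # assumed threshold; the guide does not state DMM's value
PBKDF2_ROUNDS = 50_000    # kept modest so the example runs quickly
# One message for every failure, so the client cannot tell a bad username from
# a bad password, a suspended account, or a locked one.
GENERIC_FAILURE = "Login failed. Check your username and password and try again."


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    password_expired: bool = False
    suspended: bool = False
    failed_attempts: int = 0

    @property
    def locked(self) -> bool:
        return self.failed_attempts >= MAX_FAILED_ATTEMPTS


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(username: str, password: str, **flags) -> Account:
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), **flags)


def authenticate(accounts: dict, username: str, password: str, audit: list) -> tuple:
    """Return (ok, message) for one login attempt.

    The client only ever sees GENERIC_FAILURE; the specific cause goes to the
    audit list, which is where an administrator looks when a user reports
    that they cannot log in.
    """
    acct = accounts.get(username)
    if acct is None:
        audit.append(f"{username}: unknown username")
        return False, GENERIC_FAILURE
    if acct.suspended:
        audit.append(f"{username}: account suspended")
        return False, GENERIC_FAILURE
    if acct.locked:
        # Checked before the password so a locked account gives no oracle and
        # gains no extra guesses.
        audit.append(f"{username}: account locked after {acct.failed_attempts} failures")
        return False, GENERIC_FAILURE
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        audit.append(f"{username}: wrong password (failure {acct.failed_attempts})")
        return False, GENERIC_FAILURE
    if acct.password_expired:
        audit.append(f"{username}: password expired")
        return False, GENERIC_FAILURE
    acct.failed_attempts = 0
    audit.append(f"{username}: login ok")
    return True, "OK"


def build_directory() -> dict:
    """Constructed sample accounts (not from any real appliance)."""
    return {
        a.username: a
        for a in (
            make_account("alice", "correct horse battery staple"),
            make_account("bob", "s3cret", suspended=True),
            make_account("carol", "old-pass", password_expired=True),
        )
    }


if __name__ == "__main__":
    log = []
    users = build_directory()
    print(authenticate(users, "alice", "wrong", log))
    print(authenticate(users, "alice", "correct horse battery staple", log))
    print("\n".join(log))
```

The ordering matters: an expired password is reported only after the password itself verified, so a caller who does not know the password learns nothing about expiry, and a locked account is refused before any hashing is done.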

Chapter 2  DMS-Admin Dashboard

Revised: May 21, 2011  OL-15762-03

Concepts, page 2-1
Procedures, page 2-4

Audience
We prepared this material with specific expectations of you.
  • You will administer Cisco DMS.
  • You have already installed at least the license key to activate one Cisco DMS software feature module.
Note This material pertains to multiple releases of Cisco DMS: 5.2.0, 5.2.1, 5.2.2, and 5.2.3.

Concepts

Dashboard Overview, page 2-1

Dashboard Overview
The dashboard for DMS-Admin centralizes many features for system monitoring and log collection. When problems of any kind interfere with the data-collection processes that populate its gauges, they show question marks in addition to the best available data. In this case, check that your systems and network are configured and working correctly.
These are the dashboard gauges.
NEW IN CISCO DMS RELEASE 5.2.3—The Failover Cluster gauge monitors your use, if any, of failover.
Note Sometimes, a monitoring gauge might leave out a value that you expect it to show. When this occurs, we mark any missing values with a placeholder symbol to indicate which values we could not show.
Tip Until you install at least one license key, the DMS-Admin dashboard cannot retrieve data to populate its gauges.
Understand the Alerts Gauge
This gauge shows the total count of notification messages delivered in the past 1 hour.
Timesaver Click View Alerts to open the Alerts page.
Understand the System Information Gauge
The System Information gauge:
Tells you the installed release version of your DMM server software.
Tells you the serial number of your DMM appliance.
Measures free space and used space for:
The content partition on your DMM appliance hard drive.
The content partition on your Show and Share appliance hard drive.
Understand the Status Gauge
Tip Refresh your browser to update the data that this gauge shows.
Have you set up the hardware and activated the separately licensed software features for server failover, Show and Share, and your DMPs? If so, this gauge summarizes their current state in three summaries, side-by-side.

Digital Media Players
  • Counts the total number of registered DMPs.
  • Specifies how many DMPs were reachable or unreachable when this gauge loaded in your browser.

Show and Share Appliance
  • States whether your Show and Share appliance was unreachable at any time in the past 1 hour. (This release supports your use of only one Show and Share appliance.)
  • Counts the number of Show and Share publishing operations that were pending or completed when this gauge loaded in your browser.

Failover Cluster
  • NEW IN CISCO DMS 5.2.3—Indicates the status of Cisco DMS appliances in your failover cluster.

Timesaver Click...
• View All DMPs and DMP Groups to open the DMP Manager page.
• Go to Show and Share to open Show and Share.
• Manage Show and Share to open Show and Share Administration.
• View Failover Status to open the Failover Configuration page.
Understand the Licensed Features Gauge
This gauge lists software feature module licenses that are installed on your DMM appliance and describes constraints that your licenses impose.
Understand the Users Logged In Gauge
Counts the total number of users who logged in to your Cisco DMS appliances over the past 1 hour.
Timesaver Click View All Users to open the Users page in DMS-Admin.
Procedures
View Dashboard Gauges, page 2-4
View Dashboard Gauges
Procedure
Step 1 Click the Dashboard tab.
Step 2 Stop. You have completed this procedure.

Chapter 3  Licenses

Revised: May 21, 2011  OL-15762-03

Concepts, page 3-1
Procedures, page 3-2
Reference, page 3-4

Audience
We prepared this material with specific expectations of you.
  • You will administer Cisco DMS.
  • You have already purchased at least the license key to activate one Cisco DMS software feature module.
Note This material pertains to multiple releases of Cisco DMS: 5.2.0, 5.2.1, 5.2.2, and 5.2.3.

Concepts

Understand Licenses, page 3-2
Understand Licenses
Features of Cisco DMS are licensed and activated separately. Until you obtain and install license keys, their corresponding features are hidden from all users—including you, the administrator.
Note Even then, some features remain hidden from users whose privilege levels are low.
What to Do Next
OPTIONAL—Would you like to learn which feature licenses we sell?
See http://www.cisco.com/go/dms.
MANDATORY—Would you like to obtain license keys?
Proceed to the “Obtain License Keys” section on page 3-2.
MANDATORY—Would you like to install feature licenses?
Proceed to the “Install License Keys” section on page 3-3.
Procedures
Obtain License Keys, page 3-2
Install License Keys, page 3-3
View Installed Licenses, page 3-4
Check the Dashboard Gauge for Licenses, page 3-4
Obtain License Keys
Before You Begin
Obtain the serial number for your DMM appliance.
Procedure
Step 1 Compose an email message that includes or identifies all of the following.
• All Cisco sales order numbers that were associated with your Cisco DMS purchase (such as appliances, software modules for DMM, and DMPs), including even the sales order numbers for all purchased products and services that are not components of Cisco DMS.
• Your DMM appliance serial number.
• Your email address.
• The name of your organization.
• The department name within your organization.
• The DMM software feature module (or modules) that you purchased.
• Did you purchase DMM software feature modules for Cisco Digital Signs or Cisco Cast? If so, include the number of DMPs that you will manage centrally.
Step 2 Send the email message to dms-softwarekeys@cisco.com.
Step 3 After you receive a license key file from Cisco, save a local copy of it.
Step 4 Stop. You have completed this procedure.
What to Do Next
MANDATORY—Install License Keys, page 3-3
Related Topics
Learn Your DMM Appliance Serial Number, page 1-2
View Installed Licenses, page 3-4
Install License Keys
Procedure
Step 1 Start DMS-Admin.
Step 2 Choose Licensing > Install/Upgrade Licensing.
Step 3 Click Browse or Choose File, depending on your installed browser.
Step 4 Find and click the license file where you saved it.
Step 5 Click Open.
Step 6 Click Install License.
Step 7 Repeat these steps until all of your licenses are installed.
Features that you licensed are now activated.
Step 8 Stop. You have completed this procedure.
Related Topics
Start DMS-Admin, page 1-3
View Installed Licenses, page 3-4
View Installed Licenses
Before You Begin
Install license keys.
Procedure
Step 1 Start DMS-Admin.
Step 2 Choose Licensing > View Licensing.
Step 3 Stop. You have completed this procedure.
Tip The License Features gauge on the DMS-Admin dashboard summarizes this information.
Related Topics
Start DMS-Admin, page 1-3
Install License Keys, page 3-3
Check the Dashboard Gauge for Licenses
Before You Begin
Install license keys.
Procedure
Step 1 Start DMS-Admin.
Step 2 Choose Administration > Dashboard.
Step 3 Check the License Features gauge.
It tells you which of your:
• Licensed features are activated.
• Feature licenses impose restrictions.
Step 4 Stop. You have completed this procedure.
Reference
Base Licenses for Cisco DMS Appliances and Endpoints, page 3-5
Optional Module Licenses, page 3-6
Base Licenses for Cisco DMS Appliances and Endpoints
We include a base license at no additional cost with the purchase of any Cisco DMS appliance or endpoint. These licenses are unit-specific and perpetual. We do not impose any non-support fees and do not obligate you to purchase other licenses.
DMM appliance
With a DMM appliance base license, you can:
• Install feature licenses for components of Cisco DMS (1).
• Gain access to features after you license them.
• Create user accounts and user groups for components of Cisco DMS (1).
• Configure a user authentication framework for use throughout Cisco DMS (1).
• Configure event notifications and alarms for components of Cisco DMS (1).
• Check processes remotely.
• Monitor and restart servers remotely (1).
Show and Share appliance
With a Show and Share appliance base license (and a DMM appliance), you can set up a Show and Share site.
• Authors: 5
• Viewers: Unlimited
• Category managers: Unlimited
• Featured video managers: Unlimited
• Video reviewers/publishers: Unlimited
DMP endpoint
With a DMP endpoint base license, you can set up the DMP itself (2) from its embedded device manager, DMPDM.
1. Including Show and Share, if you have and use it.
2. Managed in isolation, without involving DMM or any other DMPs.
Optional Module Licenses
Note To obtain and activate any license for any component of Cisco DMS, you must have a DMM appliance.
Module or Pack | Part Number (1)

Show and Share Features
Show and Share Author License Packs
Description: Author licenses are cumulative. For example, the base license for Show and Share includes 5 authors—so, if you purchase and install a 10-author pack, your Show and Share will support as many as 15 authors.
• 10 authors | DV-AUTHOR-FL-10 | DV-AUTHOR-FL-10=
• 50 authors | DV-AUTHOR-FL-50 | DV-AUTHOR-FL-50=
• 500 authors | DV-AUTHOR-FL-500 | DV-AUTHOR-FL-500=
• 1,000 authors | DV-AUTHOR-FL-1000 | DV-AUTHOR-FL-1000=
• 10,000 authors | DV-AUTHOR-FL-10000 | DV-AUTHOR-FL-10000=
• 25,000 authors | DV-AUTHOR-FL-25000 | DV-AUTHOR-FL-25000=
Live Event Module | DMM-LEM52-K9 | DMM-LEM52-K9=
Description: Activates Show and Share abilities to host and produce managed, live webcasts—including audience polling, moderated Q&A, audio, video, and synchronized slides.

DMS-Admin Features
SNMP Notifications | DMM-SNMP52-K9 | DMM-SNMP52-K9=
Description: Activates support for SNMP interaction with network monitoring applications. Also activates support for event notifications and alerts.

DMM Features
Digital Signs Module | DMM-SIGNSM52-K9 | DMM-SIGNSM52-K9=
Description: Activates DMM baseline features to centrally manage and operate a digital signage network with Cisco DMPs.
Cast Module | DMM-CAST52-K9 | DMM-CAST52-K9=
Description: Activates DMM abilities to deliver on-demand video and live broadcast TV channels over IP networks to DMPs and their attached presentation systems.

Centralized DMP Management
Description: To centrally manage DMPs from DMM, you must combine a Digital Signs Module license with at least one DMP feature license. DMP feature licenses are cumulative. If you are already licensed to manage 500 DMPs before you install an additional 50-unit license, your DMM installation will support managing as many as 550 DMPs.
• 1 DMP | DMP-FL-1 | DMP-FL-1=
• 10 DMPs | DMP-FL-10 | DMP-FL-10=
• 50 DMPs | DMP-FL-50 | DMP-FL-50=
• 500 DMPs | DMP-FL-500 | DMP-FL-500=
• 1,000 DMPs | DMP-FL-1000 | DMP-FL-1000=

1. During your initial order, use part numbers that omit the = character. Only later, when you want to extend what you ordered initially, should you use part numbers that end with =.

CHAPTER 4
Server Operations
Revised: May 21, 2011
Procedures, page 4-1
Reference, page 4-3
Audience
We prepared this material with specific expectations of you.
You administer Cisco DMS.
Note This material pertains to multiple releases of Cisco DMS: 5.2.0, 5.2.1, 5.2.2, 5.2.3.

Procedures

Check Processes Remotely, page 4-1
Restart Appliances Remotely, page 4-2
Check Processes Remotely
Procedure
Step 1 Start DMS-Admin.
Step 2 Choose Administration > Services.
Step 3 Do one of the following.
• Would you like to check server processes on your DMM appliance? View the processes for DMM: click DMM Server in the far-left column. A list tells you which processes are running or stopped.
• Would you like to check server processes on a Show and Share appliance? View the processes for Show and Share: click Show and Share Server in the far-left column. A list tells you which processes are running or stopped.
Step 4 Stop. You have completed this procedure.
Restart Appliances Remotely
Procedure
Step 1 Start DMS-Admin.
Step 2 Choose Administration > Services.
Step 3 Click a server name in the far-left column.
Step 4 Choose Options > Restart Server.
Step 5 Stop. You have completed this procedure.

Reference

Server Processes, page 4-3
Server Processes
Each of these server processes runs on at least one type of Cisco DMS appliance.
• ActiveMQ
• Apache
• Cast Web Application
• Cast Admin Web Application
• Cast EPG Collector Web Application
• Cast Flash Web Application
• Cast Remote Control Web Application
• DMS-Admin Web Application
• DSM Web Application
• Event Management System
• IFMS Web Application
• OpenAM Web Application
• Postgresql
• Scheduled Backup Services
• Streaming Server
• Tomcat

CHAPTER 5
Cisco Hinter for RTSP
Revised: May 21, 2011
Concepts, page 5-1
Procedures, page 5-3
Reference, page 5-6
Audience
We prepared this material with specific expectations of you.
You administer Cisco DMS.
Note This material pertains to multiple releases of Cisco DMS: 5.2.0, 5.2.1, 5.2.2, 5.2.3.

Concepts

Overview, page 5-1
Workflow, page 5-2
Restrictions, page 5-3
Overview
A streaming media framework called RTP over RTSP makes it possible for DMPs to play streaming video on demand through RTSP connections. This framework prevents data loss inside streams and maintains proper synchronization of audio to video, even in high-definition.
You must maintain two data files for each VoD that you will stream in this way.
• An MPEG2-TS source file, which uses the filename extension MPG. Its program stream might be encoded as MPEG-1, MPEG-2, or MPEG-4 Part 10 (H.264).
• A “hinted” MOV file, which is derived from your MPG source file and imposes order upon it.
Note We do not develop, maintain, sell, or support Darwin Streaming Server. Nor do we warrant its suitability for any purpose.
Workflow
You must use our Cisco Hinter utility to output each hinted MOV file.
Cisco Hinter prepares MPEG2-TS files for interleaved RTP transmission through open source software called Darwin Streaming Server (DSS). Hinter adds delivery information to a media track, which tells DSS how to pack and stream (multiplex, or mux) data from the audio channel and the video channel. This method improves audiovisual synchronization because these channels traverse the network together. Your DSS can then deliver such hinted video to your DMPs upon demand, after you stage the MPG-MOV pair to its media serving directory.
Cisco Hinter versions for Windows and Linux users are downloadable from your DMM appliance.
1. Download and set up Cisco Hinter.
2. Download Darwin Streaming Server (DSS).
Note The official repository for DSS is http://dss.macforge.org. Alternatively, you can use http://developer.apple.com/opensource/server/streaming/index.html.
3. Install and configure DSS on equipment other than any Cisco DMS server appliance.
4. Process each of your MPG files with Cisco Hinter to output a small, hinted MOV file.
5. Stage your MPG and MOV files together in the DSS serving directory.
6. Request streams from rtsp://<DSS_IP_address>:<optional_port_number>/<filename>.mov.
In DMPDM
a. Enter your stream’s address in the URL field at Display Actions > Media URL.
b. Click Start.
In Digital Signs
a. Click the URL (recommended) radio button on the Simple property sheet in the Add Asset dialog box.
b. Enter your stream’s address in the URL field.
c. Choose RTSP from the File Type list.
d. Click Save.
Restrictions
RTSP Variants
• There are many variants of RTSP and we support only one of them. You must use RTP over RTSP, which is also called RTP over TCP or Interleaved TCP. In this variant, RTP, RTCP, and RTSP data stream together over one logical port—typically, port 554.
• Our RTSP does not support live streaming (multicast or unicast) in this release.
• Our RTSP does not support “trick mode.” This means that you cannot pause video during playback, fast-forward through it, or fast-rewind through it. You can merely start or stop playback.
Darwin Streaming Server
• DSS cannot read any file whose file size is greater than 2.1 GB. You must split such large files into smaller ones before you derive hinted MOV output from them.
• Although DSS is an open source streaming media platform and available for multiple operating systems, we have tested DSS on Linux exclusively.
Cisco Hinter
• Cisco Hinter software is available for Windows and Linux, exclusively.
• We do not support any other hinter.
• We do not support playback of hinted files that you output from any other hinter.
Protocols
• We do not support User Datagram Protocol (UDP).
• We do not support Session Announcement Protocol (SAP).
• We do not support Session Description Protocol (SDP) or its announcements.

Procedures

Download Cisco Hinter, page 5-4
Windows, page 5-4
Linux, page 5-5
Download Cisco Hinter
Procedure
Step 1 Start DMS-Admin.
Step 2 Choose Settings > Hinter.
Step 3 Click to download either the Windows or the Linux version.
• Cisco-Hinter-Windows.zip
• Cisco-Hinter-Linux.tar.gz
Step 4 Decompress the archive.
Step 5 Stop. You have completed this procedure.
Windows
Install Cisco Hinter on Windows, page 5-4
Run Cisco Hinter on Windows, page 5-5
Install Cisco Hinter on Windows
Procedure
Step 1 Open a command prompt where you decompressed the archive.
Step 2 Type the command cd CiscoHinter, and then press Enter.
Step 3 Type the command install.bat, and then press Enter.
Step 4 Stop. You have completed this procedure.
Run Cisco Hinter on Windows
Procedure
Step 1 Open a command prompt where you decompressed the archive.
Step 2 Type the command runHinter.bat, and then press Enter.
Step 3 Enter the MPEG2-TS filename in the Source MPEG field.
OR
Click Browse or Choose File (depending on which browser you use) to find your MPEG2-TS file.
We populate the Output Name field automatically. It is identical to the name in the Source MPEG field, except that the filename extension is MOV and not MPG.
Step 4 Click Generate, and then wait for the “Hinting finished successfully” message.
Step 5 Find your hinted MOV output file in the ..\hinted-files subdirectory.
Step 6 Move or copy both the MPG file and its MOV derivative to the DSS root directory.
Step 7 Stop. You have completed this procedure.
Linux
Install Cisco Hinter on Linux, page 5-5
Run Cisco Hinter on Linux, page 5-5
Install Cisco Hinter on Linux
Procedure
Step 1 Open a command prompt where you decompressed the archive.
Step 2 Type the command run Install.sh, and then press Enter.
Step 3 Stop. You have completed this procedure.
Run Cisco Hinter on Linux
Procedure
Step 1 Open a command prompt where you decompressed the archive.
Step 2 Type the command run runHinter.sh, and then press Enter.
Step 3 Enter the MPEG2-TS filename in the Source MPEG field.
OR
Click Browse or Choose File (depending on your browser) to find your MPEG2-TS file.
We populate the Output Name field automatically. It is identical to the name in the Source MPEG field except that the filename extension is MOV and not MPG.
Step 4 Click Generate, and then wait for the “Hinting finished successfully” message.
Step 5 Find your hinted MOV output file in the ..\hinted-files subdirectory.
Step 6 Move or copy both the MPG file and its MOV derivative to the DSS root directory.
Step 7 Stop. You have completed this procedure.

Reference

FAQs and Troubleshooting, page 5-6
FAQs and Troubleshooting
Troubleshoot RTP Over RTSP, page 5-6
Troubleshoot RTP Over RTSP
These general troubleshooting ideas might help you to diagnose and resolve problems with this feature.
• Verify that both the MPG source file and its hinted MOV derivative are present together in the media root directory on your DSS.
• Use a utility like openRTSP to test both the MPG source file and its hinted MOV derivative. The correct Linux command line syntax in this case is openRTSP -V -v -t rtsp://DSS_server_IP_address/filename.mov
• Use HexEdit, WinHex, or a similar utility to open your hinted MOV file and verify that it contains:
  - An explicit reference to the full and literal filename of your MPG source.
  - The signature for MOV output from Cisco Hinter: Hinted MPEG1 Muxed Track
  - The signature for interleaved RTP: m=OTHER 0 RTP/AVP 96
• Check the system logs on your DSS.
Note
• openRTSP http://www.live555.com/openRTSP/
• HexEdit http://hexedit.sourceforge.net/
• WinHex http://www.winhex.com/winhex/
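As an added example (not a Cisco tool and not code from this guide), the following Python performs the three hex-editor checks listed above against a MOV file and also confirms that the MPG source sits beside it in the DSS media root. The MPG and MOV bytes it stages in a temporary directory are constructed for the demo; it does not parse the MOV container, which is an assumption that keeps the check independent of the file layout since the guide describes only which strings must be present.

```python
from pathlib import Path
import tempfile

# Byte strings the guide says a Cisco Hinter MOV must contain.
HINTER_SIGNATURE = b"Hinted MPEG1 Muxed Track"
INTERLEAVED_RTP_SIGNATURE = b"m=OTHER 0 RTP/AVP 96"


def source_mpg_name(mov_name):
    """Derive the MPG filename that a hinted MOV should reference (same name, MPG extension)."""
    stem, sep, ext = mov_name.rpartition(".")
    if not sep:
        return mov_name + ".mpg"
    return stem + (".MPG" if ext.isupper() else ".mpg")


def check_hinted_mov(mov_bytes, mpg_name):
    """The three hex-editor checks from the guide, as a name -> bool dict."""
    return {
        "references_mpg_source": mpg_name.encode() in mov_bytes,
        "hinter_signature": HINTER_SIGNATURE in mov_bytes,
        "interleaved_rtp": INTERLEAVED_RTP_SIGNATURE in mov_bytes,
    }


def check_staged_pair(dss_root, mov_name):
    """Verify that the MOV and its MPG source are staged together in the DSS
    media root and that the MOV passes check_hinted_mov(). Returns (all_ok, details)."""
    root = Path(dss_root)
    mov_path = root / mov_name
    mpg_name = source_mpg_name(mov_name)
    details = {
        "mov_present": mov_path.is_file(),
        "mpg_present": (root / mpg_name).is_file(),
    }
    if details["mov_present"]:
        details.update(check_hinted_mov(mov_path.read_bytes(), mpg_name))
    return all(details.values()), details


def build_sample_mov(mpg_name, hinted=True):
    """Constructed stand-in for a hinted MOV: only the byte strings the checks look for."""
    parts = [b"\x00\x00\x00\x14ftypqt  ", mpg_name.encode()]
    if hinted:
        parts += [HINTER_SIGNATURE, INTERLEAVED_RTP_SIGNATURE]
    return b"\x00".join(parts)


def demo(stage_mpg=True, hinted=True):
    """Stage a constructed MPG/MOV pair in a fresh temporary directory and check it."""
    root = Path(tempfile.mkdtemp(prefix="dss-media-"))
    if stage_mpg:
        # Constructed stub: one 188-byte MPEG2-TS packet (sync byte 0x47 plus padding).
        (root / "promo.mpg").write_bytes(b"\x47" + b"\x00" * 187)
    (root / "promo.mov").write_bytes(build_sample_mov("promo.mpg", hinted=hinted))
    return check_staged_pair(root, "promo.mov")


if __name__ == "__main__":
    for args in ({}, {"stage_mpg": False}, {"hinted": False}):
        ok, details = demo(**args)
        print("OK " if ok else "BAD", args, details)
```

Run it against a real DSS media root with check_staged_pair("/path/to/dss/media", "yourfile.mov"); any False in the returned details points at the troubleshooting item to act on.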
CHAPTER 6
Authentication and Federated Identity
Revised: May 31, 2011
Concepts, page 6-1
Procedures, page 6-21
Reference, page 6-31
Audience
We prepared this material with specific expectations of you.
• Embedded Mode—You understand fundamental principles of user authentication.
• LDAP Mode—YOU ARE A MICROSOFT ACTIVE DIRECTORY EXPERT with real-world experience in its configuration and administration.
• Federation Mode—YOU ARE A SAML 2.0 EXPERT with real-world experience in its configuration and administration, including import and export of SAML 2.0-compliant IdP and SP configuration files.
Note This material pertains to multiple releases of Cisco DMS: 5.2.0, 5.2.1, 5.2.2, 5.2.3.

Concepts

Overview, page 6-2
Glossary, page 6-2
Understand the Requirement to Authenticate Users, page 6-9
Decide Which Authentication Method to Use, page 6-10
LDAP and Active Directory Concepts, page 6-10
Federated Identity and Single Sign-on (SSO) Concepts, page 6-17
Migration Between Authentication Methods, page 6-20
Overview
User authentication features of DMS-Admin help you to:
• NEW IN CISCO DMS 5.2.0—Authenticate all user sessions. We now prevent you from disabling mandatory authentication, even though we allowed this in Cisco DMS 5.1.x and prior releases.
• Choose and configure an authentication method.
• Import user account settings from an Active Directory server.
• NEW IN CISCO DMS 5.2.1—Synchronize user groups from an Active Directory server.
• NEW IN CISCO DMS 5.2.3—Use federation services with a SAML 2.0-compliant IdP to support SP-initiated “single sign-on” login authentication in your network (following an initial synchronization to a Microsoft Active Directory Server that populates the DMM user database).
Note We support your use of one—and only one—IdP server with Cisco DMS 5.2.3.
Glossary
Timesaver Go to terms that start with... [ A | C | D | F | I | L | O | R | S | U | X ].
A
Active Directory
Microsoft implementation of LDAP. A central authentication server and user store.
Active Directory forest
A domain-straddling combination of Active Directory trees within an organization that operates multiple Internet domains. Thus, the forest at “Amalgamated Example, LLC” might straddle all trees across example.com, example.net, and example.org.
Or, to use Cisco as a real-world case-study, one forest could straddle cisco.com and webex.com, among others.
Note This Cisco DMS release does not support Active Directory forests.
Active Directory tree
A subdomain-straddling combination of IdPs throughout one Internet domain. These IdPs operate collectively on behalf of the Internet domain’s constituent subdomains. Thus, the “tree” at example.com might encompass all of the IdPs to authenticate user sessions within subdomains such as these:
• legal.example.com
• sales.example.com
• support.example.com
administrator DN
The DN to authenticate your Active Directory server’s administrator.
Note NEW IN CISCO DMS 5.2.3—This release is more strict than any prior release in its enforcement of proper LDAP syntax. Now, when you specify the administrator DN, you must use proper syntax, which conforms exactly to LDIF grammar.
Proper syntax: CN=admin1,OU=Administrators,DC=example,DC=com
Poor syntax: EXAMPLE\admin1
OTHERWISE
When you use poor syntax here for the first time while your DMM appliance runs DMS 5.2.3, we show you, the administrator, this error message: “Invalid username or password.”
But if you used and validated poor syntax here before upgrading to Cisco DMS 5.2.3, we do not repeat the validation process. Therefore—even though we do not show an error message to anyone—LDAP users simply cannot log in.
Note An LDAP expression must never include a space immediately to either side of a “=” sign. Similarly, it must never include a space immediately to either side of an “objectClass” attribute. Otherwise, validation fails.
authentication
The process to verify if a directory service entity has correctly claimed its own identity.
C
CA
certification authority. Authority that issues and manages security credentials and public keys, which any directory service entity relies upon to encrypt and decrypt messages exchanged with any other directory service entity. As part of a public key infrastructure (PKI), a CA checks with a registration authority (RA) to verify information that certificate requestors provide. After the RA verifies requestor information, the CA can then issue a certificate.
CN
common name. An attribute-value pair that names one directory service entity but indicates nothing about its context or position in a hierarchy. For example, you might see cn=administrator. But cn=administrator is so commonplace in theory that it might possibly recur many times in an Active Directory forest, while referring to more than just one directory service entity. An absence of context means that you cannot know which device, site, realm, user group, or other entity type requires the implied “administration” or understand why such “administration” should occur.
Therefore, use of a standalone CN is limited in the LDIF grammar. Absent any context, a standalone CN is only ever useful as an RDN.
Note An LDAP expression must never include a space immediately to either side of a “=” sign. Similarly, it must never include a space immediately to either side of an “objectClass” attribute. Otherwise, validation fails.
CoT
NEW IN CISCO DMS 5.2.3—circle of trust. The various SPs that all authenticate against one IdP in common.
D
DC
domain component. An attribute to designate one constituent part of a fully-qualified domain name (FQDN). Suppose for example that you manage a server whose FQDN is americas.example.com. In this case, you would link together three DC attribute-value pairs: DC=Americas,DC=example,DC=com.
Note An LDAP expression must never include a space immediately to either side of a “=” sign. Similarly, it must never include a space immediately to either side of an “objectClass” attribute. Otherwise, validation fails.
digital certificate
Uniquely encrypted digital representation of one directory service entity, whether physical or logical. This trustworthy representation certifies that the entity is not an imposter when it sends or receives data through a secured channel. The CA normally issues the certificate upon request by the entity or its representative. The requestor is then held accountable as the “certificate holder.” To establish and retain credibility, a certificate must conform to requirements set forth in International Organization for Standardization (ISO) standard X.509. Most commonly, a digital certificate includes the following.
• One DN to authenticate the directory service entity.
• One DN to authenticate the CA.
• A serial number to identify the digital certificate itself.
• An expiration date, after which any entity that receives the certificate should reject it.
• A copy of the certificate holder’s public key.
• The CA’s digital signature, so recipients can verify that the certificate is not forged.
directory service entity
Any single, named unit at any level within a nested hierarchy of named units, relative to a network. An entity’s essence depends upon its context. This context, in turn, depends upon interactions between at least two service providers—one apiece for the naming service and the directory service—in your network. Theoretically, an entity might represent any tangible thing or logical construct.
• By “tangible thing,” we mean something that a person could touch, which occupies real space in the physical world. For example, this entity type might represent one distinct human being, device, or building.
• By “logical construct,” we mean a useful abstraction whose existence is assumed or agreed upon but is not literally physical. For example, this entity type might represent one distinct language, subnet, protocol, time zone, or ACL.
An entity’s purpose is broad and flexible within the hierarchical context that defines it.
DN
distinguished name. A sequence of attributes that help a CA to distinguish a particular directory service entity uniquely for authentication. Distinct identity in this case arises from a text string of comma-delimited attribute-value pairs. Each attribute-value pair conveys one informational detail about the entity or its context. The comma-delimited string is the actual DN. It consists of the entity’s own CN, followed by at least one OU, and then concludes with at least one DC. For example:
CN=username,OU=California,OU=west,OU=sales,DC=Americas,DC=example,DC=com
Note An LDAP expression must never include a space immediately to either side of a “=” sign. Similarly, it must never include a space immediately to either side of an “objectClass” attribute. Otherwise, validation fails.
Thus, each DN represents more than merely one isolated element. A DN also associates the element to its specific context within the Active Directory user base that your IdP depends upon.
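As an added example (not code from this guide and not part of DMM), the following Python checks a DN string against the rules this glossary gives for the administrator DN and for DNs generally: comma-delimited attribute=value pairs, no space next to “=”, and, for an entity DN, a CN followed by one or more OU and then one or more DC. It also shows that a user base DN such as DC=ad,DC=com has valid syntax without being an entity DN, extracts the RDN, and applies the same spacing rule to a user filter’s “objectClass” attribute. RFC 4514 value escaping is assumed out of scope, and the sample DNs are the ones the glossary uses.

```python
import re

# One attribute=value pair.  The pattern allows no whitespace around "=",
# so "CN = admin1" does not match.
_PAIR = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(\S.*?)$")

# Spacing faults in an LDAP search filter: a space next to "=" or next to
# the objectClass attribute (the rule the glossary Notes repeat).
_BAD_FILTER = re.compile(r"\s=|=\s|\sobjectClass|objectClass\s", re.IGNORECASE)


def parse_dn(dn):
    """Split a DN into [(TYPE, value), ...]; raise ValueError on bad syntax."""
    if "=" not in dn:
        # Covers the DOMAIN\user form the guide calls poor syntax, and bare names.
        raise ValueError(f"{dn!r} is not a DN: expected attribute=value pairs")
    pairs = []
    for part in dn.split(","):
        if part != part.strip() or " =" in part or "= " in part:
            raise ValueError(f"space next to '=' or ',' in {part!r}")
        m = _PAIR.match(part)
        if not m:
            raise ValueError(f"not an attribute=value pair: {part!r}")
        pairs.append((m.group(1).upper(), m.group(2)))
    return pairs


def check_entity_dn_structure(pairs):
    """None when the pairs read CN, OU+, DC+ (the glossary's entity DN shape);
    otherwise a short description of the problem.  A base DN such as
    DC=ad,DC=com has valid syntax but is not an entity DN."""
    types = [t for t, _ in pairs]
    if not types or types[0] != "CN":
        return "an entity DN must begin with the entity's own CN"
    i = 1
    while i < len(types) and types[i] == "OU":
        i += 1
    if i == 1:
        return "an entity DN needs at least one OU after the CN"
    if i == len(types) or any(t != "DC" for t in types[i:]):
        return "an entity DN must end with one or more DC components"
    return None


def validate_entity_dn(dn):
    """Syntax plus structure check for an entity DN. Returns (ok, detail)."""
    try:
        pairs = parse_dn(dn)
    except ValueError as exc:
        return False, str(exc)
    problem = check_entity_dn_structure(pairs)
    return (False, problem) if problem else (True, "ok")


def rdn(pairs):
    """Relative distinguished name: the leftmost pair, i.e. the entity's own CN."""
    attr_type, value = pairs[0]
    return f"{attr_type}={value}"


def check_user_filter(user_filter):
    """True when an LDAP filter has no space next to '=' or 'objectClass'."""
    return _BAD_FILTER.search(user_filter) is None


if __name__ == "__main__":
    samples = (
        "CN=admin1,OU=Administrators,DC=example,DC=com",    # proper syntax from the guide
        "EXAMPLE\\admin1",                                  # poor syntax from the guide
        "CN = admin1,OU=Administrators,DC=example,DC=com",  # space around "="
        "DC=ad,DC=com",                                     # user base DN: syntax ok, not an entity
    )
    for dn in samples:
        print(f"{dn!r:55} -> {validate_entity_dn(dn)}")
    print(check_user_filter("(objectClass=user)"), check_user_filter("( objectClass = user )"))
```

The structure check is deliberately separate from the syntax check: the guide's spacing rule applies to every LDAP expression (administrator DN, user base DN, user filter), while the CN/OU/DC shape is stated only for the DN of a directory service entity.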
Note A DN can change over the lifespan of its corresponding entity. For example, when you move entries in a tree, you might introduce new OU attributes or deprecate old ones that are elements of a DN. However, you can assign to any entity a reliable and unambiguous identity that persists beyond such changes to its context. To accomplish this, merely include a universally unique identifier (UUID) among the entity’s set of operational attributes.
F
federation
NEW IN CISCO DMS 5.2.3—The whole collection of authentication servers that synchronize their user bases to one IdP in common and thereby make SSO possible within a network. This mutualized pooling of user bases bestows each valid user with a “federated identity” that spans an array of your SPs.
I
IdP
NEW IN CISCO DMS 5.2.3—identity provider. One SAML 2.0-compliant server (synchronized to at least one Active Directory user base), that authenticates user session requests upon demand for SPs in one network subdomain. Furthermore, an IdP normalizes data from a variety of directory servers (user stores).
Users send their login credentials to an IdP over HTTPS, so the IdP can authenticate them to whichever SPs they are authorized to use. As an example, consider how an organization could use three IdPs.
• An IdP in legal.example.com might authenticate user sessions for one SP, by comparing user session requests to the user base records from one Active Directory server.
• An IdP in sales.example.com might authenticate user sessions for 15 SPs, by comparing user session requests to the user base records from three Active Directory servers.
• An IdP in support.example.com might authenticate user sessions for four SPs, by comparing user session requests to the user base records from two Active Directory servers.
Note Only a well-known CA can issue the digital certificate for your IdP. Otherwise, you cannot use SSL, HTTPS, or LDAPS in Federation mode and, thus, all user credentials are passed in the clear.
Tip We have tested Cisco DMS federation features successfully against OpenAM and Shibboleth.
• We recommend that you use an IdP that we have tested with Cisco DMS.
• We explicitly DO NOT support Novell E-Directory or Kerberos-based custom directories.
• If your IdP fails, you can switch your authentication mode to LDAP or Embedded.
L
LDAP
Lightweight Directory Access Protocol. A highly complex data model and communications protocol for user authentication. LDAP provides management and browser applications with access to directories whose data models and access protocols conform to X.500 series (ISO/IEC 9594) standards.
LDAPS
Secure LDAP. The same as ordinary LDAP, but protected under an added layer of SSL encryption.
Note Before you try to configure SSL encryption and before you let anyone log in with SSL, you MUST:
• Activate SSL on your Active Directory server and then export a copy of the server’s digital certificate.
• Import into DMM the SSL certificate that you exported from Active Directory.
• Restart Web Services (Tomcat) in AAI.
Caution Is your DMM appliance one half of a failover pair? If so, you will trigger immediate failover when you submit the command in AAI to restart Web Services. This occurs by design, so there is no workaround.
LDIF
LDAP Data Interchange Format. A strict grammar that SPs and IdPs use to classify and designate named elements and levels in Active Directory.
O
OpenAM
NEW IN CISCO DMS 5.2.3—SAML 2.0-compliant identity and access management server platform written in Java. OpenAM is open source software available under the Common Development and Distribution (CDDL) license. OpenAM is derived from and replaces OpenSSO Enterprise, which also used CDDL licensing. See http://www.forgerock.com/openam.html.
OU
organizational unit. An LDIF classification type for a logical container within a hierarchical system. In LDIF grammar, the main function of an OU value is to distinguish among superficially identical CNs that might otherwise be conflated. For example:
CN=John Doe,OU=sales,DC=example,DC=com
CN=John Doe,OU=marketing,DC=example,DC=com
Note An LDAP expression must never include a space immediately to either side of a “=” sign. Similarly, it must never include a space immediately to either side of an “objectClass” attribute. Otherwise, validation fails.
R
RDN
relative distinguished name. The CN for a directory service entity, as used exclusively (and still without any explicit context) by the one IdP that has synchronized this entity against an Active Directory user base. When an IdP encounters any RDN attribute in an LDIF reference, the IdP expects implicitly that its SAML 2.0-synchronized federation is the only possible context for the CN. It expects this because an IdP cannot authenticate—and logically should never encounter—a directory service entity whose RDN is meaningful to any other federation.
S
SAML
NEW IN CISCO DMS 5.2.3—Security Assertion Markup Language. XML-based open standard that security domains use to exchange authentication and authorization data, including assertions and security tokens.
We support SAML 2.0.
Shibboleth
NEW IN CISCO DMS 5.2.3—A SAML 2.0-compliant architecture for federated identity-based authentication and authorization.
SP
NEW IN CISCO DMS 5.2.3—service provider. Server that requests and receives information from an IdP. For example, SPs in Cisco DMS include your DMM server and your Show and Share server.
SSO
NEW IN CISCO DMS 5.2.3—single sign on. (And sometimes “single sign off.”) The main user-facing benefit of federation mode is that SPs begin—and end, in some implementations—user sessions on behalf of their entire federation. SSO is a convenience for users, who can log in only once per day as their work takes them between multiple servers that are related but independent. Furthermore, SSO is a convenience to IT staff, who spend less time on user support, password fatigue, compliance audits, and so on.
• We DO NOT support single sign off in Cisco DMS 5.2.3.
• We support only SP-initiated SSO in Cisco DMS 5.2.3.
U

user base
The location of the user subtree in the LDAP directory tree. For example, DC=ad,DC=com.

user base DN
The DN for an Active Directory user base.

user filter
A user filter limits the scope of an agreement to import filtered records from an Active Directory user base.

Note An LDAP expression must never include a space immediately to either side of a "=" sign. Similarly, it must never include a space immediately to either side of an "objectClass" attribute. Nor can a group name include any spaces. Otherwise, validation fails.

X

X.509
A standard for public key infrastructure. X.509 specifies, among other things, standard formats for public key certificates and a certification path validation algorithm.
Understand the Requirement to Authenticate Users
Although Cisco DMS always authenticates users, we support three authentication methods.

• Embedded authentication is completely native to Cisco DMS. It does not depend on any external servers.
• LDAP authentication causes Cisco DMS products to rely on one, and only one, Microsoft Active Directory server and a Microsoft Internet Information Server (IIS). Thus, setup and operation with this method are more complex than with embedded authentication.
• NEW IN CISCO DMS 5.2.3—Federation mode, also known as single sign-on (SSO), causes Cisco DMS products to rely on a SAML 2.0-compliant IdP in combination with a Microsoft Active Directory server and IIS. Thus, setup and operation with this method are more complex than with LDAP authentication.

Note You must choose one of these methods. The method that you use determines which login screen your users will see.

Tip • After a user session times out, we prompt the affected user to log in twice.
• An unresponsive Active Directory server can hang a login prompt for 20 minutes without any error message.

Decide Which Authentication Method to Use

Login screen by mode (a table of screen images in the original): Embedded mode; LDAP mode; Federation (SSO) mode, which presents an IdP-specific login screen(1) (NEW IN CISCO DMS 5.2.3).

1. When any of your federation servers uses a self-signed certificate, we show your users two SSL warnings during login.

Related Topics
LDAP and Active Directory Concepts, page 6-10
Federated Identity and Single Sign-on (SSO) Concepts, page 6-17
LDAP and Active Directory Concepts
LDAP is Highly Complex, page 6-11
Plan Ahead, page 6-11
Restrictions, page 6-11
Synchronization Concepts, page 6-11
LDAP Concepts, page 6-14
Password Concepts, page 6-16
Understand Authentication Property Sheets for LDAP, page 6-16
LDAP is Highly Complex
Caution LDAP-related features of Cisco DMS are meant for use by qualified and experienced administrators of
Microsoft Active Directory. Unless you are an Active Directory and LDAP expert, we recommend that you use
embedded authentication.
Plan Ahead
• Install and configure Active Directory and Internet Information Services (IIS) before you try to configure LDAP authentication mode or federation mode in DMS-Admin.
Tip We support IIS 6 on Windows Server 2003.
• Pair your DMM appliance and your Show and Share appliance in AAI before you configure Cisco DMS to use LDAP authentication. Otherwise, video tutorials for Show and Share are not loaded onto your Show and Share appliance.
• Make sure that you have generated or imported certificates as necessary and activated SSL on the Active Directory server before you try to configure SSL encryption.
Restrictions

Cisco DMS Release | Support for Active Directory Trees | Support for Active Directory Forests
5.2.0 | Yes | No
5.2.1 | Yes | No
5.2.2 | Yes | No
5.2.3 | Yes | No

Synchronization Concepts
Synchronization (Replication) Overview, page 6-12
Synchronization Types, page 6-12
Understand Manual Synchronization, page 6-13
Understand Automatic Synchronization, page 6-13
Guidelines for Synchronization, page 6-14
Synchronization (Replication) Overview
When you choose LDAP authentication or SSO authentication, user account data originates from your Active Directory server. However, Cisco DMS does not synchronize (replicate) this data automatically, in real time. Instead, we cache it. Therefore, you must resynchronize user account data when you think it is appropriate to do so. You can:
• Resynchronize manually.
• Schedule synchronizations to recur in the future at set intervals.

Note Features of Digital Signs and Show and Share Administration help you to manage user access privileges and permissions for Cisco DMS.

DMS-Admin synchronizes all user accounts in the Active Directory "user base" that your filter specifies, except users whose accounts are disabled on your Active Directory server.
Synchronization Types
We support four types of Active Directory synchronization in LDAP mode or federation mode.

Initial
Runs a one-time synchronization for a new filter that you never synchronized previously.

Update
Runs an incremental, fast update to find and make up for any differences between user accounts that match your Active Directory filter and your local copy of those user accounts.

Overwrite
Overwrites your local copy of user accounts that correspond to your Active Directory filter with new copies of those user accounts. In addition, deletes your local copy of each user account that has been deleted from Active Directory since the last time that you ran a synchronization.

Delete
Deletes your local copy of user accounts that correspond to a defined Active Directory filter and deletes the entry for that filter from DMS-Admin.
Understand Synchronization of a DMM Group to an LDAP Filter
NEW IN CISCO DMS 5.2.1

Is the Active Directory Filter Associated to a DMM User Group? | We Sync All Matching LDAP User Accounts to the 'All Users' Group in DMM | We Sync All Matching LDAP User Accounts to the Associated User Group in DMM
Yes | Yes | Yes
No | Yes | N.A.

In most cases, you can associate one LDAP filter apiece to one DMM user group. Likewise, in most cases, you can associate one DMM user group apiece to one LDAP filter. The Digital Signs user group is an exception to both of these principles. It is built-in to Cisco DMS.

After you associate a DMM user group to an LDAP filter, you cannot use features on the Users tab to delete the DMM user group until after you delete the LDAP filter. However, even when you delete an LDAP filter, there is no requirement to delete its associated DMM user group. Furthermore, there is no way for you to delete the Digital Signs user group. It is built-in to Cisco DMS.

Understand Manual Synchronization
Manual synchronization mode requires you to choose Administration > Settings > Authentication > Synchronize Users > LDAP Bookmarks during all future synchronizations. Afterward, you must click Update.

Note Manual synchronization mode deletes your schedule for automatic synchronizations.

Understand Automatic Synchronization
Automatic synchronization mode automates and schedules incremental updates to user accounts that match Active Directory filters that you defined in DMS-Admin. When you use automatic synchronization mode, new fields and elements become available to you. These help you to configure the settings for automatic synchronization.

Tip See the "Understand Synchronization of a DMM Group to an LDAP Filter" section on page 6-13.
Guidelines for Synchronization
We recommend that you synchronize your LDAP bookmarks periodically. Synchronization ensures that user and group membership associations are current and correct.

Sync Type | Best Practices

Initial
The Initial option is CPU-intensive for your DMM appliance and might lower performance temporarily. We recommend that you use it during off-peak hours only.

Update
We recommend that you use the Update option whenever:
• A new user account in Active Directory should have login access to DMM or Show and Share.
• User attributes(1) change in Active Directory for a user account in DMM or Show and Share.
• A user account is disabled in Active Directory and should be deleted from DMM and Show and Share.

Overwrite
Note The Overwrite option is CPU-intensive for your DMM appliance and might lower performance temporarily. We recommend that you use this option during off-peak hours only.
• After a user account is deleted from Active Directory, this option deletes the corresponding user account from DMM and Show and Share.
• After a user account is associated to a new first name, last name, or username, this option overwrites the outdated user account attributes.

Delete
Caution The Delete option is destructive by design. We advise that you use it sparingly and with great caution. Among other effects, your deletion of an LDAP bookmark can affect user access to videos in Show and Share.
Note Typically, the deletion process takes about 1 minute to finish. However, when there are more than 50,000 users in the Active Directory database, this process might run in the background and take about 30 minutes to finish. In this case, the user interface in DMS-Admin can show that a bookmark was deleted even though the actual process has not finished. If you observe this behavior, simply allow 30 minutes for the operation to finish.

1. Attributes that you entered on the Manage Attributes property sheet in DMS-Admin.

Related Topics
Manage LDAP Attributes, page 6-26
Understand LDAP Attributes, page 6-15
Guidelines for LDAP Filters, page 6-15
Understand LDAP Attributes
Ordinarily, DMS-Admin will not import any user account from your Active Directory server when the value in it is blank for any of these attributes:
• Login User Name—This required value always must be unique.
• First Name—This required value might be identical for multiple users.
• Last Name—This required value might also be identical for multiple users.
However, you can import and synchronize all of the Active Directory user accounts that match your filters. You can do this even when some of the user accounts are incomplete because one or more of their attributes have blank values.
To prevent these undefined attributes from blocking the import of the user accounts they are meant to describe, you can enter generic values for most attributes in the Values to Use by Default column. DMS-Admin takes the generic values that you enter, and then inserts them automatically where they are needed.

Tip Nonetheless, you cannot enter a default value for the Login User Name attribute. Usernames are unique.
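The following Python is an added example, not Cisco code, that models the four synchronization types from "Synchronization Types" and "Guidelines for Synchronization" together with the default-value rule just described: blank first and last names take the defaults you entered, a blank login user name blocks that one record, disabled accounts are never imported, Update removes accounts that are now disabled in Active Directory, and only Overwrite removes accounts that were deleted from Active Directory outright. The records, the cache, the defaults, and every function name are constructed for the example.

```python
# Added example (not Cisco code): a model of how the four synchronization
# types treat DMM's cached copy of the accounts that one filter returns, and
# how "Values to Use by Default" decide whether an incomplete record imports.
# The Active Directory records, the cache, and the defaults are constructed.

# Defaults as you would enter them on the Manage Attributes sheet; there is
# deliberately no default for the login user name.
DEFAULTS = {"first_name": "Unknown", "last_name": "User"}
REQUIRED = ("username", "first_name", "last_name")


def normalize(record):
    """Return the importable form of one AD record, or None to skip it.
    Disabled accounts are never synchronized; a blank first or last name
    takes the default; a blank username cannot be defaulted, so it blocks
    the import of that record only."""
    if record.get("disabled"):
        return None
    out = {key: record.get(key) or DEFAULTS.get(key) for key in REQUIRED}
    if not out["username"]:
        return None
    return out


def synchronize(sync_type, ad_records, cache):
    """Apply one synchronization type for a single filter.
    ad_records -- the records that the filter currently returns from AD
    cache      -- dict username -> record that DMM holds locally (mutated)
    Returns (cache, filter_kept); filter_kept is False only after Delete."""
    matched = {}
    for record in ad_records:
        importable = normalize(record)
        if importable:
            matched[importable["username"]] = importable

    if sync_type == "initial":
        if cache:
            raise ValueError("Initial is only for a filter never synchronized before")
        cache.update(matched)
    elif sync_type == "update":
        # Incremental: add new accounts, refresh changed attributes, and drop
        # accounts that AD now reports as disabled. Accounts deleted from AD
        # outright no longer appear in ad_records, so Update leaves them.
        now_disabled = {r.get("username") for r in ad_records if r.get("disabled")}
        for username in list(cache):
            if username in now_disabled:
                del cache[username]
        cache.update(matched)
    elif sync_type == "overwrite":
        # Replace every local copy; anything absent from AD (deleted or
        # disabled) disappears from the cache.
        cache.clear()
        cache.update(matched)
    elif sync_type == "delete":
        # Drop the local copies and the filter entry itself.
        cache.clear()
        return cache, False
    else:
        raise ValueError("unknown synchronization type: %s" % sync_type)
    return cache, True


if __name__ == "__main__":
    # Constructed AD snapshot; the third record has a blank username and is skipped.
    snapshot = [
        {"username": "jdoe", "first_name": "John", "last_name": "Doe"},
        {"username": "asmith", "first_name": "", "last_name": "Smith"},
        {"username": "", "first_name": "No", "last_name": "Name"},
    ]
    local, kept = synchronize("initial", snapshot, {})
    print(sorted(local), local["asmith"]["first_name"])
```

Run the same snapshot through "update" and "overwrite" after removing a record from it and you see the difference the guidelines describe: the removed account survives an Update and is gone after an Overwrite.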
Guidelines for LDAP Filters
Use "OU" values to impose rough limits on a filter, page 6-15
Use "memberOf" values to pinpoint a filter more precisely, page 6-16
Use "objectClass" values to match all user records, page 6-16

Use "OU" values to impose rough limits on a filter
Never use a filter that defines the user base at the domain level. For example, this filter is not acceptable:
DC=example,DC=com
Instead, use filters that define the user base at a lower level, as this one does:
OU=SanJose,DC=example,DC=com
LDAP returns matched records from all levels within the user base that your filter defines.

Would a filter for "OU=SanJose,DC=example,DC=com" ever include any users from...?
OU=RTP,DC=example,DC=com | No(1)
OU=Milpitas,OU=SanJose,DC=example,DC=com | Yes(2)
OU=Sunnyvale,OU=SanJose,DC=example,DC=com | Yes(2)

1. Research Triangle Park, NC, does not have any physical connection to San José, CA.
2. Milpitas, CA and Sunnyvale, CA, are suburbs of San José, CA, which affects them directly and in multiple ways.
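The scoping question in the table above, worked as an added example that is not part of the Cisco guide: a small Python parser that applies the Note's spacing rules to a filter expression, splits a DN into its RDNs, and decides whether an entry lies inside the user base that a filter names. The DNs are the ones from this section; the function names are my own.

```python
# Added example (not Cisco code): parse Active Directory DNs, apply the
# spacing rules from this chapter's Note, and decide whether an entry lies
# inside the user base that a filter names. The DNs are the ones used in
# this section; every function name here is my own.
import re

_RDN = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=(.+)$")


def validate_expression(expr):
    """Enforce the two rules that make DMS-Admin validation fail when broken:
    no space on either side of '=' and none on either side of 'objectClass'.
    Returns expr unchanged, or raises ValueError."""
    if re.search(r"[ \t]=|=[ \t]", expr):
        raise ValueError("space next to '=' in %r" % expr)
    if re.search(r"[ \t]objectClass|objectClass[ \t]", expr, re.IGNORECASE):
        raise ValueError("space next to 'objectClass' in %r" % expr)
    return expr


def is_valid_expression(expr):
    """True if validate_expression() accepts the expression."""
    try:
        validate_expression(expr)
        return True
    except ValueError:
        return False


def parse_dn(dn):
    """Split 'OU=SanJose,DC=example,DC=com' into
    [('OU', 'SanJose'), ('DC', 'example'), ('DC', 'com')].
    Attribute types are upper-cased; a comma inside a value must be escaped
    as '\\,' (RFC 4514) and is unescaped here."""
    validate_expression(dn)
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        match = _RDN.match(part)
        if not match:
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        rdns.append((match.group(1).upper(), match.group(2).replace("\\,", ",")))
    return rdns


def in_user_base(entry_dn, user_base_dn):
    """True when entry_dn is the user base itself or sits anywhere beneath it.
    LDAP returns matches from every level under the base, so an OU nested
    inside OU=SanJose is in scope while a sibling OU is not. Values compare
    case-insensitively, as Active Directory does."""
    entry, base = parse_dn(entry_dn), parse_dn(user_base_dn)
    if len(base) > len(entry):
        return False
    tail = entry[len(entry) - len(base):]
    return [(t, v.lower()) for t, v in tail] == [(t, v.lower()) for t, v in base]


def is_domain_level(user_base_dn):
    """True when every RDN is a DC component, i.e. the filter would take the
    whole domain as its user base, which this guide says never to do."""
    return all(attr_type == "DC" for attr_type, _ in parse_dn(user_base_dn))


if __name__ == "__main__":
    base = "OU=SanJose,DC=example,DC=com"
    for candidate in ("OU=RTP,DC=example,DC=com",
                      "OU=Milpitas,OU=SanJose,DC=example,DC=com",
                      "OU=Sunnyvale,OU=SanJose,DC=example,DC=com"):
        print(candidate, "->", "Yes" if in_user_base(candidate, base) else "No")
```

Running the script answers the table's three rows (No, Yes, Yes). The same helpers reject a domain-level user base before you submit it, which is cheaper than discovering the mistake after an Initial synchronization of the whole domain.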
Use "memberOf" values to pinpoint a filter more precisely
But what if you did not want to include any members of Milpitas or Sunnyvale? If your Active Directory server considered these cities (organizational units) to be subsets of San José, how could you exclude their members? To do so, you would use the memberOf attribute. It stops LDAP from matching records at any lower level than the one you name explicitly. In this scenario for example, you would use
memberOf=OU=SanJose,DC=example,DC=com
to match only the direct members of the "SanJose" OU.

Note In Active Directory, memberOf is populated with the DNs of the groups that a user belongs to, not with the OU that contains the user. Validate the filter and confirm that it returns the users you expect before you synchronize.

Use "objectClass" values to match all user records
You can define a comprehensive filter that matches all user records:
objectClass=user

Password Concepts
Note NEW IN CISCO DMS 5.2.3—User passwords in Cisco DMS are no longer case-sensitive.

Understand the Effects of a Changed Password in Active Directory, page 6-16
Understand the Effects of a Blank Password in Active Directory, page 6-16
Understand the Effects of a Changed Password in Active Directory
After you change a user password on your Active Directory server, there is no requirement to resynchronize the affected user account in DMS-Admin.
Understand the Effects of a Blank Password in Active Directory
Even though it is possible in Active Directory to use a blank value for a password, Cisco DMS does
not allow it.
When you choose LDAP authentication, any user whose Active Directory password is blank is
prevented from logging in to any component of Cisco DMS.
Access is enabled or restored after the password is populated on the Active Directory server.
Understand Authentication Property Sheets for LDAP
The Authentication page contains four tabbed property sheets.

Property Sheet | Modes | Description
Select Mode(1) | Embedded, LDAP, or (NEW IN CISCO DMS 5.2.3) SSO | Select Mode is by default the only active tab. Your choices on the Select Mode property sheet determine whether you have access to the other three property sheets.
Define Filter | LDAP or (NEW IN CISCO DMS 5.2.3) SSO | Your choices on the Define Filter property sheet help you to configure and add a new agreement.
Synchronize Users | LDAP or (NEW IN CISCO DMS 5.2.3) SSO | Your choices on the Synchronize Users property sheet help you to submit a new agreement.
Manage Attributes | LDAP or (NEW IN CISCO DMS 5.2.3) SSO |

1. In most production environments, you can expect to use the Select Mode property sheet only one time.
Federated Identity and Single Sign-on (SSO) Concepts
IdP Requirements, page 6-17
Configuration Workflow to Activate Federation (SSO) Mode, page 6-17
Authentication Scenarios for User Sessions in Federation (SSO) Mode, page 6-18

IdP Requirements
NEW IN CISCO DMS 5.2.3—To use federation (SSO) mode in Cisco DMS, you must have access to an IdP that meets our requirements. Your IdP must:
• Support SAML 2.0.
• Support these two SAML profiles:
  – Web Browser SSO Profile
  – Enhanced Client or Proxy (ECP) Profile
• Generate assertions in which the SAML "UID" attribute is mapped to the local portion of an authenticated user's username.
• Use a digital certificate from a well-known CA (but only if you will use HTTPS).

Configuration Workflow to Activate Federation (SSO) Mode
NEW IN CISCO DMS 5.2.3
1. Configure and set up an Active Directory server.
2. Configure and set up a SAML 2.0-compliant IdP.
Note When you use a "fresh install" of Cisco DMS 5.2.3 (as opposed to an upgrade), your DMM appliance is configured to use embedded authentication mode by default. But when you upgrade a DMM server that was already configured for an earlier Cisco DMS release, it might use either embedded mode or LDAP mode.
3. Obtain a digital certificate from a trusted CA and install it on your IdP.
4. Use DMS-Admin to configure Cisco DMS for federation mode.
5. Export SAML 2.0-compliant metadata from your DMM server and import it into your IdP.
6. Export SAML 2.0-compliant metadata from your IdP and import it into your DMM server.
7. Configure Active Directory exactly as you would in LDAP mode.
8. Click Update to save your work, and then advance to the Synchronize Users property sheet.
9. Synchronize DMM with your Active Directory server to populate the DMM user database.
Note You MUST configure at least one LDAP bookmark.
10. Synchronize users exactly as you would in LDAP mode.
Note Whenever you change any setting or value on your IdP or any of your SPs, you must reestablish their pairing to restore mutual trust among them.
11. Click Update to save your work.
Authentication Scenarios for User Sessions in Federation (SSO) Mode
SSO Scenario 1—Trusted + Valid + Authorized
SSO Scenario 2—Trusted + Valid + NOT Authorized
SSO Scenario 3—Nothing Known

SSO Scenario 1—Trusted + Valid + Authorized
NEW IN CISCO DMS 5.2.3
1. A web browser requests access to a protected resource on an SP. Your federation will not approve or deny this request until it knows more.
2. The SP asks its IdP if the browser is currently authenticated to any valid user account in the CoT.
3. The IdP verifies that:
• The browser is already connected to an SP elsewhere in the CoT, having authenticated successfully to a valid user account and having received a SAML "token" or "passport" that authorizes at least some access.
• The user account has sufficient permissions to access the protected resource.
4. The IdP acts on the SP's behalf and redirects the browser immediately to the protected resource.

SSO Scenario 2—Trusted + Valid + NOT Authorized
NEW IN CISCO DMS 5.2.3
1. A web browser requests access to a protected resource on an SP. Your federation will not approve or deny this request until it knows more.
2. The SP asks its IdP if the browser is currently authenticated to any valid user account in the CoT.
3. The IdP verifies that:
• The browser is already connected to an SP elsewhere in the CoT, having authenticated successfully to a valid user account and having received a SAML "token" or "passport" that authorizes at least some access.
• The user account DOES NOT have sufficient permissions.
4. The IdP redirects the browser to the SP, where an HTTP 403 Forbidden message states that the user is not authorized to access the protected resource.

SSO Scenario 3—Nothing Known
NEW IN CISCO DMS 5.2.3
1. A web browser requests access to a protected resource on an SP. Your federation will not approve or deny this request until it knows more.
2. The SP asks its IdP if the browser is currently authenticated to any valid user account in the CoT.
3. The IdP reports that:
• The browser is not yet connected to any SP in the CoT.
• The browser is not yet authenticated to any valid user account.
• We cannot tell if the browser's human operator is a valid and authorized user, a valid but confused user, or an intruder.
4. The SP redirects the browser automatically to an HTTPS login prompt on the IdP, where one of the following occurs.
• The browser's human operator successfully logs in to a valid user account. The IdP attaches a SAML "token" or "passport" to the browser session, authorizing at least some access. And:
  – The user account has permission to access the protected resource. So, the IdP acts on the SP's behalf and redirects the browser immediately to the protected resource.
  OR
  – The user account DOES NOT have permission to access the protected resource. So, the IdP redirects the browser to the SP, where an HTTP 403 Forbidden message states that the user is not authorized to access the protected resource.
• The browser's human operator fails to log in. So, lacking any proof that this person is authorized, we block access to every protected resource until the human operator can log in successfully.
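As an added example that is not part of the Cisco guide, the following Python models the three scenarios above for SP-initiated SSO: the SP checks whether the browser holds a token the IdP knows, the IdP issues an assertion only after a successful login at its HTTPS prompt, and the SP reduces the assertion's "uid" attribute to the local portion of the username (the IdP requirement stated earlier in this section) before it checks permissions. The assertion XML, the issuer URL https://idp.example.com/openam, the user names, passwords and permission table are all constructed; signature validation of the assertion, which a real SP must perform, is out of scope here.

```python
# Added example (not Cisco code): a working model of the three SP-initiated
# SSO scenarios. The assertion XML, user names, passwords and permission
# table are constructed; the element names are standard SAML 2.0 and "uid"
# is the attribute this guide says your IdP must emit.
import hmac
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Shape of the assertion the IdP issues once a login succeeds (constructed;
# a real assertion is also signed, which this model does not show).
ASSERTION_TEMPLATE = (
    '<saml:Assertion xmlns:saml="%s" ID="_a1" Version="2.0">'
    "<saml:Issuer>https://idp.example.com/openam</saml:Issuer>"
    "<saml:AttributeStatement>"
    '<saml:Attribute Name="uid"><saml:AttributeValue>%s</saml:AttributeValue>'
    "</saml:Attribute></saml:AttributeStatement></saml:Assertion>"
)
ASSERTION = ASSERTION_TEMPLATE % (SAML_NS, "EXAMPLE\\jdoe")


def uid_from_assertion(xml_text):
    """Return the local portion of the user name carried in the SAML 'uid'
    attribute: DOMAIN\\user and user@realm both reduce to user, which is the
    name DMM matches against its synchronized Active Directory accounts."""
    root = ET.fromstring(xml_text)
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("Name", "").lower() != "uid":
            continue
        value = attr.find("{%s}AttributeValue" % SAML_NS)
        raw = (value.text or "").strip() if value is not None else ""
        if not raw:
            break
        raw = raw.rsplit("\\", 1)[-1]   # EXAMPLE\jdoe -> jdoe
        return raw.split("@", 1)[0]     # jdoe@example.com -> jdoe
    raise ValueError("assertion carries no usable uid attribute")


def idp_login(username, password, directory, idp_sessions):
    """The IdP's HTTPS login prompt (Scenario 3). On success, store an
    assertion under a new token and return the token; otherwise return None.
    A blank password never authenticates, matching the Password Concepts
    section; the constant-time compare avoids leaking how close a guess was."""
    stored = directory.get(username)
    if not password or stored is None:
        return None
    if not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    token = "token-%d" % (len(idp_sessions) + 1)
    idp_sessions[token] = ASSERTION_TEMPLATE % (SAML_NS, username)
    return token


def sp_request(resource, browser_token, idp_sessions, permissions):
    """One request for a protected resource on an SP in federation mode.
    browser_token -- the SAML 'token' the browser holds, or None
    idp_sessions  -- token -> assertion, i.e. what the IdP knows about the CoT
    permissions   -- username -> set of resources that account may access
    Returns (status, detail): 302 to the IdP login (Scenario 3), 200 with the
    user name (Scenario 1), or 403 with the user name (Scenario 2)."""
    if browser_token is None or browser_token not in idp_sessions:
        return 302, "redirect to IdP HTTPS login"
    user = uid_from_assertion(idp_sessions[browser_token])
    if resource in permissions.get(user, set()):
        return 200, user
    return 403, user


if __name__ == "__main__":
    sessions = {"token-1": ASSERTION}
    perms = {"jdoe": {"/dmm/admin"}}
    print(sp_request("/dmm/admin", "token-1", sessions, perms))   # Scenario 1
    print(sp_request("/dmm/other", "token-1", sessions, perms))   # Scenario 2
    print(sp_request("/dmm/admin", None, sessions, perms))        # Scenario 3
```

The SP never sees the password: in every branch the only thing it learns from the IdP is an assertion, and the only identity it trusts is the uid inside it. That is why the uid mapping requirement matters; if the IdP emitted the full DOMAIN\user or user@realm form, the name would not match the synchronized account and every user would land in Scenario 2.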
Migration Between Authentication Methods
Understand Migration (from Either LDAP or SSO) to Embedded, page 6-20
Understand Migration (from Embedded) to Either LDAP or SSO, page 6-21
Understand Migration (from Either LDAP or SSO) to Embedded
When you migrate from LDAP or federation mode to embedded authentication mode, you must explicitly choose whether to keep local copies of the:
• User accounts that were associated to LDAP filters.
• Groups and policies that were associated to LDAP filters.

Note • Unless you choose explicitly to keep the local copy of a user, a group, or a policy, we discard the local copy.
• Migration from one mode to another takes as long as 1 minute to finish.

The result varies according to the combination of your choices.

Keep Users | Keep Groups | Keep Policies | The Result
Yes | Yes | Yes | We preserve all local information. We overwrite all LDAP-derived user account passwords with CiscoDMMvp99999.(1)
Yes | No | No | We preserve all local user accounts. However, we overwrite all LDAP-derived user account passwords with CiscoDMMvp99999.(1) We discard all LDAP-derived groups. We discard all LDAP-derived policies.
No | Yes | Yes | We discard all LDAP-derived user accounts. We preserve all LDAP-derived groups. However, they are empty. We preserve all LDAP-derived policies. Although they no longer apply to anyone, you can reuse them and apply them to any remaining user accounts and any future user accounts as you see fit.
No | No | No | We discard all LDAP-derived users, groups, and policies.

1. This security feature protects your network and user data. If anyone gains unauthorized access to the exported file and tries to use it, Active Directory rejects the invalid passwords. Because the placeholder value is published, treat every preserved LDAP-derived account as having a known password in embedded mode after the migration: reset those passwords or disable the accounts before you allow logins.

Understand Migration (from Embedded) to Either LDAP or SSO
Note • Before you migrate from embedded authentication mode to federation mode, you must install a digital certificate from a trusted CA on your IdP server. Otherwise, you cannot migrate to federation mode at all.
• After you migrate from embedded authentication mode to either LDAP mode or federation mode, the locked property sheets become unlocked. You must use them.
• Migration from one mode to another takes as long as 1 minute to finish.

Procedures
Export the Root CA X.509 Certificate from Your Active Directory Server, page 6-22
Configure DMM to Trust the Active Directory Root CA, page 6-22
Choose an Authentication Method, page 6-23
Configure LDAP Settings, page 6-23
Configure Federation Services for SSO, page 6-29
Export the Root CA X.509 Certificate from Your Active Directory Server
Procedure
Step 1 Open a web browser on your Active Directory server and connect to http://localhost/certsrv.
Step 2 Click Download a CA certificate.
Step 3 Choose the current CA certificate.
Step 4 Choose DER encoded.
The X.509 certificate that you export must be DER-encoded; the file can hold the DER bytes directly (binary) or Base64-encoded (printable). However, when you use Base64, the certificate file must include these lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Step 5 Click Download CA certificate.
Step 6 Save this certificate in a file.
For example, you might call the certificate ADcertificate.cer.
Step 7 Stop. You have completed this procedure.

Configure DMM to Trust the Active Directory Root CA
Procedure
Step 1 Choose Administration > Security > Authentication > Select Mode.
Step 2 Enter the details for your Active Directory server.
Tip Be sure to use the logical port where your Active Directory server listens for SSL connections. The port number, by default, is 636.
Step 3 Upload the root CA certificate file that you saved locally.
a. Click Upload, and then click Add.
b. Browse to the file on a local volume.
c. Click the filename and press Enter.
d. Click OK to save your work and dismiss the dialog box.
The installed certificate cannot take effect until after you restart Tomcat.
Step 4 As prompted, use DMS-Admin to restart Web Services (Tomcat).
Step 5 Stop. You have completed this procedure.
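Before you upload the certificate from the two procedures above, it is worth confirming that the file is in a form DMM accepts and that the Active Directory server's LDAPS listener actually chains to it. The following Python is an added example, not part of the Cisco guide: it distinguishes DER from Base64 with the BEGIN/END CERTIFICATE lines, converts DER to Base64 when you prefer a printable file, and, given a host name, verifies the server certificate on port 636 against only the exported root CA. The sample DER bytes are constructed, the script name check_ad_ca.py and the host name dc.example.com are assumptions, and the function names are my own.

```python
# Added example (not Cisco code): sanity-check the CA certificate exported
# from certsrv before uploading it to DMM, and optionally prove that the
# Active Directory LDAPS listener chains to it. The DER sample bytes are
# constructed; the host name dc.example.com is an assumption.
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def _is_text(data):
    """True if data is printable ASCII (plus line breaks and tabs)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def detect_format(data):
    """'der' for binary data that opens with the ASN.1 SEQUENCE tag (0x30),
    'pem' for Base64 text carrying both marker lines this guide requires,
    otherwise 'unknown' (for example, Base64 with the markers stripped)."""
    if not _is_text(data):
        return "der" if data[:1] == b"\x30" else "unknown"
    text = data.decode("ascii")
    return "pem" if PEM_BEGIN in text and PEM_END in text else "unknown"


def to_pem(data):
    """Return the certificate as Base64 text with the markers present. DER is
    wrapped with ssl.DER_cert_to_PEM_cert(); PEM passes through; anything
    else is rejected rather than guessed at."""
    fmt = detect_format(data)
    if fmt == "der":
        return ssl.DER_cert_to_PEM_cert(data)
    if fmt == "pem":
        return data.decode("ascii")
    raise ValueError("not a DER or marker-delimited Base64 certificate")


def check_ldaps(host, ca_pem_path, port=636, timeout=5.0):
    """Open TLS to the AD server's LDAPS port and validate its certificate
    against only the exported root CA, the same trust DMM will have after
    the upload. Returns the peer certificate's subject; raises
    ssl.SSLCertVerificationError when the chain or host name does not check."""
    context = ssl.create_default_context(cafile=ca_pem_path)
    context.check_hostname = True
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["subject"]


if __name__ == "__main__":
    # Usage: python check_ad_ca.py ADcertificate.cer [dc.example.com]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    if path is None:
        sample_der = b"\x30\x03\x02\x01\x01"   # constructed, not a real cert
        print(detect_format(sample_der))
        print(to_pem(sample_der))
    else:
        with open(path, "rb") as handle:
            blob = handle.read()
        print("format:", detect_format(blob))
        if len(sys.argv) > 2:
            pem_path = path + ".pem"
            with open(pem_path, "w") as out:
                out.write(to_pem(blob))
            print("subject:", check_ldaps(sys.argv[2], pem_path))
```

A verification failure here means DMM will fail the same way after you restart Tomcat, typically because you exported an intermediate rather than the root, the LDAPS certificate was issued by a different CA, or the host name you entered on the Select Mode sheet is not in the server certificate.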
Choose an Authentication Method
Procedure
Step 1 Choose Administration > Security > Authentication.
Step 2 Use elements on the Select Mode property sheet to choose an authentication mode.
Step 3 Click Update.
Note Migration from one mode to another takes as long as 1 minute to finish.
The authentication settings that you changed are now in effect.
Step 4 Stop. You have completed this procedure.
What to Do Next
OPTIONAL Did you choose LDAP or SSO? Proceed to the "Define LDAP Filters" section on page 6-23.

Related Topics
Elements to Choose and Enable the Authentication Mode, page 6-31
Configure LDAP Settings
Define LDAP Filters, page 6-23
Define LDAP Bookmarks, page 6-24
Define the LDAP Synchronization Schedule, page 6-25
Manage LDAP Attributes, page 6-26
Configure the Settings for Automatic LDAP Synchronization, page 6-27
Derive LDAP Group Membership Dynamically from a Query, page 6-28
Define LDAP Filters
Before You Begin
Choose LDAP or federation as your authentication method.
Procedure
Step 1 Choose Administration > Security > Authentication.
Step 2 Click Define Filter.
Step 3 Do the following.
a. Use elements on the Define Filter property sheet to define, validate, and add one LDAP fil­ter.
b. Click Update.
c. Repeat this step for each filter to be added.
The authentication settings that you changed are now in effect.
Step 4 Stop. You have completed this procedure.
Related Topics
Elements to Define, Validate, and Add LDAP Filters, page 6-33
Define LDAP Bookmarks
Before You Begin
Choose LDAP or SSO as your authentication method.
Define LDAP filters.
Procedure
Step 1 Choose Administration > Security > Synchronize Users > LDAP Bookmarks.
Tip Is the Synchronize Users tab disabled (dimmed), so that you cannot click it? If so, refresh your browser.
Step 2 Do any or all of the following.
• Would you like to import user accounts to Cisco DMS because they correspond to an Active Directory filter that you will define? If so:
  – Choose the synchronization type for these user accounts.
  – Specify which default access privileges you will assign to them.
• Should Cisco DMS synchronize user accounts that correspond to a defined Active Directory filter? If so, use the synchronization type that you chose.
• Would you like to sever your ties to a User Base or Active Directory server? If so:
  – Delete from Cisco DMS all user accounts that correspond to a defined Active Directory filter.
  – Delete the entry for that filter from DMS-Admin.
• Would you like to create a new group in DMM AND populate it automatically with user accounts that correspond to an Active Directory filter that you defined previously? If so, delete the entry for that filter from DMS-Admin, and then recreate it while associating it to the new group.
Step 3 Validate the filter.
Step 4 Validate the DMM group name.
Group names in DMM can include alphanumeric characters (0–9; a–z; A–Z), hyphens (-), underscores (_), and periods (.). Spaces are forbidden. Other forbidden characters include:
~‘!@#$%^&*()+={[}]|\:;”"’'<>?/
Step 5 Click Update.
Note Please wait. Your request might take as long as 1 minute to process.
The authentication settings that you changed are now in effect.
Step 6 Stop. You have completed this procedure.
What to Do Next
OPTIONAL Would you like to associate a set of imported users with a new group? Proceed to the "Derive LDAP Group Membership Dynamically from a Query" section on page 6-28.
OPTIONAL Would you like to configure the schedule for synchronization? Proceed to the "Define the LDAP Synchronization Schedule" section on page 6-25.
Related Topics
Define LDAP Filters, page 6-23
Derive LDAP Group Membership Dynamically from a Query, page 6-28
Elements to Use LDAP Bookmarks for Synchronization, page 6-34
Define the LDAP Synchronization Schedule
Before You Begin
Choose LDAP or SSO as your authentication method.
Define LDAP filters.
Define LDAP bookmarks.
Procedure
Step 1 Choose Administration > Security > Synchronize Users > Scheduling.
Note You will not see any of the elements that Table 6-3 on page 6-34 describes until after you define at least one filter on the Define Filter property sheet.
Step 2 Choose between manual synchronization and automatic synchronization.
Step 3 Click Update.
The authentication settings that you changed are now in effect.
Step 4 Stop. You have completed this procedure.
What to Do Next
OPTIONAL Would you like to associate attribute names in DMS-Admin and Active Directory? If so, proceed to the "Manage LDAP Attributes" section on page 6-26.
OPTIONAL Should Cisco DMS expect that your Active Directory server uses factory-preset attribute names? If so, proceed to the "Manage LDAP Attributes" section on page 6-26.
OPTIONAL Should Cisco DMS expect that your Active Directory server uses custom attribute names? If so, proceed to the "Manage LDAP Attributes" section on page 6-26.
Related Topics
Define LDAP Bookmarks, page 6-24
Elements to Schedule Synchronization, page 6-35
Manage LDAP Attributes
Before You Begin
Choose LDAP or SSO as your authentication method.
Define LDAP filters.
Define LDAP bookmarks.
Configure the LDAP synchronization schedule.
Procedure
Step 1 Click Administration > Security > Authentication > Manage Attributes.
Tip Is the Manage Attributes tab disabled (dimmed), so that you cannot click it? If so, refresh your browser.
Step 2 Use elements on the Manage Attributes property sheet to:
Set the associations between DMS-Admin attribute names and their corresponding Active Directory
attribute names.
Use the predefined and typical names for Active Directory attributes (shown in grey text) or edit
those attribute names so they match the names that your Active Directory server uses.
Enter the values to use by default in DMS-Admin when a user account attribute is not defined on
your Active Directory server.
You must enter a value for each mandatory attribute. You cannot enter a value to use by default for user names, because each user name is unique.
Step 3 Click Update.
The authentication settings that you changed are now in effect.
Step 4 Stop. You have completed this procedure.
Related Topics
Define the LDAP Synchronization Schedule, page 6-25
Elements to Manage Attributes, page 6-36
Configure the Settings for Automatic LDAP Synchronization
Procedure
Step 1 Click the calendar icon to choose the start date for synchronization.
Step 2 Choose the hour and minute when synchronization should begin, and then choose either AM or PM as
the period.
Step 3 From the Repeat Interval list, choose the interval of recurrence:
Interval Description
Never Synchronization occurs once and does not recur.
Every Day Synchronization recurs once every 24 hours. You must set the hour and minute when it should start.
Every Week Synchronization recurs once every 7 days. You must set the hour and minute when it should start.
Every Month Synchronization recurs once each month. You must set the hour and minute when it should start.
Custom Synchronization recurs at an interval of your choosing. You must set the hour and minute when it should start. Choose Days, Weeks, or Months as the interval type.
• Choose a day of the month from 1 to 30 when the interval type is Days.
• Choose a day of the week when the interval type is Weeks.
• Choose an interval of recurrence from 1 to 6 when the interval type is Months.
Step 4 (Optional)
Did you click the Automatic Synchronization radio button?
And should a one-time synchronization start immediately, in addition to the start date and time that
you specified?
If so, check the Synchronize users immediately check box.
Step 5 Click Update.
The authentication settings that you changed are now in effect.
Step 6 Stop. You have completed this procedure.
Derive LDAP Group Membership Dynamically from a Query
NEW IN CISCO DMS 5.2.1—You can populate a user group with the returned output from a User Base DN
query. However, a group of this kind differs in important ways from a group that you populate manually.
Note • Membership of such groups is dynamic, based on shared characteristics among the group of Active Directory users who match your query.
• We update and clean these groups automatically during synchronization. Their membership will change after synchronization runs, when the corresponding records in Active Directory show that a user's membership should start or stop.
• An imported Active Directory group is always read-only in DMS-Admin. By protecting it, we ensure that it is always correct, relative to the original and subject to any delay between synchronizations. For this reason, you cannot edit its membership roll manually.
• When you try to delete a user from a group of this type, DMS-Admin shows an error message.
Before You Begin
Choose LDAP as your authentication method.
Procedure
Step 1 Choose Administration > Security > Authentication.
Step 2 Click Define Filter.
Step 3 Use elements on the Define Filter property sheet to define, validate, and add one LDAP filter.
Step 4 Would you like to add users to a group that exists already? If so, choose that group name from the User
Group (in DMM) list.
OR
Would you like to create and populate an entirely new group? If so, choose Create a New User Group from the User Group (in DMM) list. Then, use the Group Name field to enter a name for the new group.
Step 5 Would you like to check your filter’s syntax? If so, click Validate.
Step 6 Click Update.
Step 7 Stop. You have completed this procedure.
Configure Federation Services for SSO
NEW IN CISCO DMS 5.2.3— Export an SP Configuration File from DMM, page 6-29
NEW IN CISCO DMS 5.2.3— Import an IdP Configuration File into DMM, page 6-29
NEW IN CISCO DMS 5.2.3— Bypass External Authentication During Superuser Login, page 6-30
Export an SP Configuration File from DMM
NEW IN CISCO DMS 5.2.3 —Before you can use Cisco DMS in federation mode, you must export data from
it in the form of an SP configuration file. Later, you will import this file into your IdP.
Procedure
Step 1 Make sure that your DMM appliance is running in embedded authentication mode or LDAP mode.
Step 2 Log in as superuser.
Step 3 Choose Administration > Security > Authentication.
Step 4 Check the Federation check box.
Step 5 Click Export.
Step 6 Save the exported file to your client PC or laptop computer as dms_sp_config.xml.
Note See the technical documentation or tutorials for your IdP to understand how it imports SP configuration
files like this one.
Step 7 Stop. You have completed this procedure.
Related Topics
Import an IdP Configuration File into DMM, page 6-29
Import an IdP Configuration File into DMM
NEW IN CISCO DMS 5.2.3 —Before you can use Cisco DMS in federation mode, you must export data from
your IdP in the form of an IdP configuration file. This topic explains how to use the exported file after you generate and save it.
Before You Begin
See the technical documentation or tutorials for your IdP to understand how it exports configuration
files for an SP (such as DMM) to import.
Rename the exported IdP configuration file dms_idp_config.xml.
Procedure
Step 1 Choose Administration > Security > Authentication.
Step 2 Click Federation to choose it as your authentication mode.
Step 3 Click Import.
Step 4 Choose and upload the IdP file that you saved previously.
Step 5 Enter the necessary LDAP information to use your Active Directory server.
Step 6 Stop. You have completed this procedure.
Related Topics
Define LDAP Filters
Export an SP Configuration File from DMM, page 6-29
Bypass External Authentication During Superuser Login
NEW IN CISCO DMS 5.2.3— Your DMM server features a special login form, which rejects every
username except superuser. You use this special form whenever Cisco DMS runs in federation mode or an error has prevented migration from one authentication mode to another.
Procedure
Step 1 Go to http://<FQDN>:8080/dmsadmin/admin/login.
a. Enter superuser in the Username field.
b. Enter the corresponding password in the Password field.
c. Click Log In.
Step 2 Stop. You have completed this procedure.
Related Topics
Federation Mode (SSO) FAQs, page 6-42

Reference

Software UI and Field Reference Tables, page 6-31
Sample SP Configuration File from DMM, page 6-37
Sample IdP Configuration Files, page 6-38
FAQs and Troubleshooting, page 6-41
Software UI and Field Reference Tables
Elements to Choose and Enable the Authentication Mode, page 6-31
Elements to Define, Validate, and Add LDAP Filters, page 6-33
Elements to Use LDAP Bookmarks for Synchronization, page 6-34
Elements to Schedule Synchronization, page 6-35
Elements to Manage Attributes, page 6-36
Elements to Choose and Enable the Authentication Mode
Navigation Path
Administration > Security > Authentication > Select Mode
Table 6-1 Elements for the Authentication Mode
Element Description
Authentication Mode Area
Embedded Requires users who log in to DMM or Show and Share to authenticate against a user account
database that is native to DMM. This database is independent of every other type of authentication that you might use in your network.
LDAP Automatically deletes all user accounts except superuser. Requires future users to authenticate
against the user account data from your Active Directory server when they log in to DMM or Show and Share.
Federation Automatically deletes all user accounts except superuser. Requires future users to authenticate
themselves to your IdP when they log in to DMM or Show and Share.
Federation Mode Elements Area
Last Successfully Configured IdP
This value becomes populated for the first time after you succeed at least once in importing configuration metadata into DMM from your IdP.
This element is visible only in federation mode.
IdP Configuration File
Provides the means to import configuration metadata that you previously exported from your IdP and saved to a file. Click Import to browse for the file, which you can then import.
This element is visible only in federation mode.
Last Configured IdP While it names an IdP explicitly, this value does not necessarily identify the IdP in current use.
Instead, this value describes only your most recent attempt to import configuration metadata from an IdP, without regard for whether the attempt failed or succeeded.
This element is visible only in federation mode. It becomes populated for the first time after you attempt at least once to import IdP metadata.
Tip Compare this value to the “Last Successfully Configured IdP” value. When they differ, you know that
your latest such attempt actually failed.
Export (SP Configuration File)
Provides the means to export configuration metadata from DMM. Click Export to begin browsing for a locally mounted drive and folder where you can save the exported config file.
Later, you will import this file into your IdP.
This element is visible only in federation mode.
Enable Authentication Test
Helps you to test whether your federation mode settings are correct and will allow SSO for your ordinary users.
Check this check box to expose UI elements that are otherwise hidden. Clear this check box to hide such elements.
Test Username
Enter a username that your IdP already knows. Do not use the superuser username. This element is visible only while the Enable Authentication Test check box is checked.
Test User Password
Enter the password that corresponds to the test username. This element is visible only while the Enable Authentication Test check box is checked.
LDAP Configuration Area
Anonymous Enables or disables an anonymous connection between your DMM appliance and your
Active Directory server.
An anonymous connection is suitable when you want to see or use public information on
the Active Directory server.
In contrast, if you want to see or use privileged information on your Active Directory
server, the server will require you to enter login credentials to prove that you have sufficient access rights.
In the latter case, your Active Directory server will reject any attempt to log in anonymously.
This check box is available to you only when you choose LDAP mode or federation mode.
Host Enter the routable IP address or DNS-resolvable hostname for the Active Directory server. This
field is available to you only when you choose LDAP mode or federation mode.
Port Enter the TCP port number that your Active Directory server uses for communications. This
field is available to you only after you choose LDAP mode or federation mode.
The Active Directory port number by default is:
389 for LDAP communications.
636 for LDAPS (Secure LDAP, or LDAP over SSL) and SSO communications.
Administrator DN Enter the distinguished name of the Active Directory server administrator.
This field is available to you only after you choose LDAP mode or federation mode and uncheck the Anonymous check box.
Tip See administrator DN, page 6-3.
Password Enter the password that is associated with the Administrator DN.
This field is available to you only after you choose LDAP mode or federation mode and uncheck the Anonymous check box.
Use SSL Encryption The check box to enable or disable encrypted sign-on. This check box is available to you only
when you use LDAP mode or federation mode.
Note Whenever you enable SSL, you must restart Web Services (Tomcat) from AAI. And if your DMM
server is one half of a failover pair, the Tomcat restart will trigger immediate failover.
Check the check box to enable encryption.
Uncheck it to disable encryption.
Enabling SSL causes the connections between your DMM appliance and your Active Directory server to use LDAPS. An LDAPS connection is suitable when you want to prevent untrusted third parties from reading credentials that the servers exchange.
Active Directory Certificate File
Helps you to upload the digital certificate that your Active Directory server uses for LDAPS communications. This field is available to you only while the Use SSL Encryption check box is checked.
Command Buttons
Update Saves and applies your work on the Authentication Mode property sheet.
Cancel Discards your work on the Authentication Mode property sheet and resets all values to their
previous configuration.
Related Topics
Choose an Authentication Method, page 6-23
Elements to Define, Validate, and Add LDAP Filters, page 6-33
Elements to Use LDAP Bookmarks for Synchronization, page 6-34
Elements to Manage Attributes, page 6-36
Elements to Define, Validate, and Add LDAP Filters
Navigation Path
Administration > Security > Authentication > Define Filter
Table 6-2 Elements for Filters
Element Description
Description Enter a human-readable description for the filter.
User Base DN Enter the distinguished name of the Active Directory user base that you will search.
User Filter Enter a user filter to limit the number of matching user accounts to import from the user base
that you specified.
User Group (in DMM) Choose or create a user group to associate with the filter. At the very least, the list includes
these options.
All Users Group
Create a New User Group
Digital Signage Users
Command Buttons
Add Adds the filter, exactly as entered, without first validating it.
Validate Validates the filter to confirm, before you add it, that it will return meaningful results.
Clear Clears all entries from the Define Filters property sheet.
Related Topics
Choose an Authentication Method, page 6-23
Elements to Choose and Enable the Authentication Mode, page 6-31
Elements to Use LDAP Bookmarks for Synchronization, page 6-34
Elements to Manage Attributes, page 6-36
Elements to Use LDAP Bookmarks for Synchronization
Navigation Path
Administration > Security > Authentication > Synchronize Users
Table 6-3 Elements for Bookmarks
Element Description
LDAP Bookmarks property sheet
Synchronization One of the following types.
Initial
Update
Overwrite
Delete
Note When you click Delete on the LDAP Bookmarks sub-tab, we ask you whether to delete groups and
policies. When you choose Yes, we delete all of the following from Cisco DMS.
• All user accounts that match the filter.
• NEW IN CISCO DMS 5.2.1—The particular user group that is associated to the filter.
• NEW IN CISCO DMS 5.2.1—All access policies associated to the particular user group.
The deletion process can take as long as 1 minute to finish.
Command Buttons
Update Submits your selections for the type of synchronization and the scope of access that you chose
and configured. Synchronization of the specified type starts immediately.
Cancel Resets all entries to their previous values on the LDAP Bookmarks property sheet.
Discards all changes to the configuration of behaviors for synchronizations.
Discards all changes to the scope of access.
Related Topics
Choose an Authentication Method, page 6-23
Elements to Choose and Enable the Authentication Mode, page 6-31
Elements to Define, Validate, and Add LDAP Filters, page 6-33
Elements to Manage Attributes, page 6-36
Elements to Schedule Synchronization
Navigation Path
Administration > Security > Authentication > Synchronize Users
Table 6-4 Elements for Scheduling
Element Description
Scheduling property sheet
Synchronization Mode Enables one synchronization mode to receive updated user account information from an
Active Directory server. We support two such modes but they are mutually exclusive.
Whenever you enable one, you disable the other. Click either Manual Synchronization or Automatic Synchronization.
Command Buttons
Update Submits your selections for the type of synchronization and the scope of access that you chose
and configured. Synchronization of the specified type starts immediately.
Cancel Resets all entries to their previous values on the Scheduling property sheet.
Discards all changes to the configuration of behaviors for synchronizations.
Discards all changes to the scope of access.
Related Topics
Configure the Settings for Automatic LDAP Synchronization, page 6-27
Choose an Authentication Method, page 6-23
Elements to Choose and Enable the Authentication Mode, page 6-31
Elements to Define, Validate, and Add LDAP Filters, page 6-33
Elements to Manage Attributes, page 6-36
Elements to Manage Attributes
Navigation Path
Administration > Security > Authentication > Manage Attributes
Table 6-5 Elements for Attributes Management
Element Description
DMM Attribute Name Values that DMS-Admin uses to describe and identify various attributes that it associates with
each user account. You cannot change the values in this column. They are for your reference only, to help you enter suitable values (and recognize suitable values when you see them) in the LDAP Attribute Name column and the Values to Use by Default column.
LDAP Attribute Name Values that your Active Directory server uses—which correspond one-to-one with values in the DMM Attribute Name column—to describe and identify attributes of each user account. In its factory-default configuration, DMS-Admin prepopulates all fields in this column with the most commonplace values that Active Directory servers use for this purpose. When the values for these attributes differ on your Active Directory server or when you prefer to import objects that use other Active Directory attributes, you can edit the values in this column.
Values to Use by Default
Enter text to insert automatically when the value is blank for the corresponding attribute in an
Active Directory user account that you import or synchronize. To ensure that DMS-Admin
imports each valid user account that matches a filter, we recommend that you enter values for these attributes:
First Name
Last Name
For your convenience, you can also enter values to insert automatically when the values are blank for other attributes— such as Company, Department, or Phone Number—but this is optional.
Note You cannot enter a value to use by default as the Login User Name value.
Ignore User Account Control Flags
NEW IN CISCO DMS 5.2.3—Tells DMM to ignore whether your Active Directory server makes use of the User Account Control Flags attribute. DMM expects to find this attribute on your Active Directory server and, when the attribute is not present, authentication fails.
Command Buttons
Reset to Factory Default Returns all values in the LDAP Attribute Name column to the most commonplace values that
Active Directory servers use. If you entered different values manually because the labels for
these attributes differ on your Active Directory server or because you prefer to import user accounts that use other Active Directory attributes, DMS-Admin deletes what you entered.
Update Saves and applies your work in the Manage Attributes property sheet.
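The following is an added example that models the import rules of Table 6-5; it is not DMM's own code. It assumes the factory-default Active Directory attribute names listed in the block (the guide does not spell them out) and assumes that the "User Account Control Flags" attribute is Active Directory's userAccountControl; the directory entries are constructed.

```python
"""Model of the Manage Attributes rules in Table 6-5 (added example, not DMM code).

Applies the DMM-to-Active-Directory attribute mapping and the "Values to Use
by Default" to constructed directory entries, so you can see which accounts a
synchronization would import and which it would skip, and why.
"""
from dataclasses import dataclass, field

# Assumed factory defaults: DMM attribute name -> Active Directory attribute name.
FACTORY_ATTRIBUTE_MAP = {
    "Login User Name": "sAMAccountName",
    "First Name": "givenName",
    "Last Name": "sn",
    "Email": "mail",
    "Company": "company",
    "Department": "department",
    "Phone Number": "telephoneNumber",
}
MANDATORY = ("Login User Name", "First Name", "Last Name")
# Assumed name of the "User Account Control Flags" attribute in Active Directory.
UAC_ATTRIBUTE = "userAccountControl"


@dataclass
class AttributeSettings:
    attribute_map: dict = field(default_factory=lambda: dict(FACTORY_ATTRIBUTE_MAP))
    defaults: dict = field(default_factory=dict)  # DMM attribute -> value used when AD is blank
    ignore_uac_flags: bool = False


def validate_settings(settings):
    """Reject settings that the Manage Attributes sheet would not accept."""
    # Each user name is unique, so a default value for it makes no sense.
    if "Login User Name" in settings.defaults:
        raise ValueError("no default value may be set for Login User Name")
    for name in MANDATORY:
        if not settings.attribute_map.get(name):
            raise ValueError(f"mandatory attribute {name!r} has no LDAP attribute name")


def import_entry(entry, settings):
    """Map one AD entry to a DMM account; return (account, None) or (None, reason)."""
    # DMM expects the flags attribute; without it authentication fails unless ignored.
    if not settings.ignore_uac_flags and UAC_ATTRIBUTE not in entry:
        return None, f"{UAC_ATTRIBUTE} attribute not present"
    account = {}
    for dmm_name, ad_name in settings.attribute_map.items():
        value = entry.get(ad_name) or settings.defaults.get(dmm_name) or ""
        if not value and dmm_name in MANDATORY:
            return None, f"{dmm_name} is blank in AD and has no default value"
        account[dmm_name] = value
    return account, None


def synchronize(entries, settings):
    """Return (imported accounts by login name, skipped entries by DN with reason)."""
    validate_settings(settings)
    imported, skipped = {}, {}
    for entry in entries:
        account, reason = import_entry(entry, settings)
        if account is None:
            skipped[entry.get("distinguishedName", "?")] = reason
        else:
            imported[account["Login User Name"]] = account
    return imported, skipped


# Constructed directory entries (not from any real server).
SAMPLE_ENTRIES = [
    {"distinguishedName": "CN=Ana Ruiz,OU=Staff,DC=example,DC=com",
     "sAMAccountName": "aruiz", "givenName": "Ana", "sn": "Ruiz",
     "mail": "aruiz@example.com", "userAccountControl": "512"},
    # Service account without a given name: imported only if First Name has a default.
    {"distinguishedName": "CN=signage-svc,OU=Service,DC=example,DC=com",
     "sAMAccountName": "signage-svc", "sn": "Signage", "userAccountControl": "66048"},
    # No userAccountControl: skipped unless Ignore User Account Control Flags is set.
    {"distinguishedName": "CN=Bo Li,OU=Contractors,DC=example,DC=com",
     "sAMAccountName": "bli", "givenName": "Bo", "sn": "Li"},
]


def demo(ignore_uac_flags=False, defaults=None):
    settings = AttributeSettings(defaults=dict(defaults or {}),
                                 ignore_uac_flags=ignore_uac_flags)
    return synchronize(SAMPLE_ENTRIES, settings)


if __name__ == "__main__":
    imported, skipped = demo()
    print("imported:", sorted(imported))
    for dn, reason in skipped.items():
        print("skipped:", dn, "->", reason)
```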
Related Topics
Choose an Authentication Method, page 6-23
Elements to Choose and Enable the Authentication Mode, page 6-31
Elements to Define, Validate, and Add LDAP Filters, page 6-33
Elements to Use LDAP Bookmarks for Synchronization, page 6-34
Sample SP Configuration File from DMM
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
 ! DMS SAML2 Service Provider Metadata
 !
 ! Actual Service Provider configuration for the IDP will be instantiated
 ! from this template and be deposited onto the IDP.
 ! (Auto-generated on/at: Wed May 11 16:58:14 PDT 2011)
 !
 ! Copyright (c) 2011 Cisco Systems, Inc.
 !-->
<EntityDescriptor entityID="http://DMMSP.example.com:8080/opensso"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:KeyName>tomcat</ds:KeyName>
        <ds:X509Data>
          <ds:X509SubjectName>/C=US/ST=CA/L=SJ/O=CISCO/OU=CISCO/CN=DMMSP.example.com</ds:X509SubjectName>
          <ds:X509IssuerSerial>
            <ds:X509IssuerName>DMMSP.example.com</ds:X509IssuerName>
            <ds:X509SerialNumber>1304558251</ds:X509SerialNumber>
          </ds:X509IssuerSerial>
<ds:X509Certificate>Mk6g1VAwAIGUk0QTNwaEzqUECAczVzAMCSDsUIgAQELICqwFQhOABhGJiQwgBBYCkAHAIB 9DGMQE COBEcGAAT0Qg4wBBMMVTzVzC1DEQAM8KlAQVKNDwDMBGF0TxWJACA0YNENgQxCSADEVNlQUwQxDV BDbAQ0M8pvGTNUFyMtzwTYxTAMVTMMAxx3EMLEcTDDFMvzNEmwcTMNco2LmhgTVw2MTaMAmvx1ALMOQADBkjVwACMB GNTh0F1BQVJJQAAUM1BSDQwTHAsxAVgMlNMjTCVEQEEgzCwEUCAAQxh8Y0GkMMBZZgTwSVNX0EUBglbgRvgwJrADA5 QYF32B9PNQEBVJANQIBb5K8YwNUQNYo0aQDjDJyMbhjswjcDgAM0IYJIoAGAGBr/qw1adeTiX6wNGwl+Pn2rhopPL7 cCzUI2aNCNyK+D99sLujKL/kjyCBZ9lqKPeCArxWfKycC3/QqgO/SNz33b8JSh6iG35kVwA3OMZplEtLX4CfBkdsXY TVaKIRPRLMSOH9u9vH6ELFgSzl8dH/tL1o3aJADhnG4gcFA8tGE8QIXZBdBQdNwlDYj1AAAARYsKS6wV2vCZEgTNEI MAQbvD A87sb03cvDpQUCJ5SQ0O/ 4xQA531HhBHSCDOFbUlq+ PeTKB4dkGsIst9BPaIr43bWO3zfkMbrU2A WNu+ dPcBZpO1raWmP2I8ZErlDYPJSEstzmaC30kkeXg4nfe10KCx1QH8BAQusegy38+ oh8NLYw3N dzQl5vs= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://DMMSP.example.com:8080/opensso/SPSloRedirect/metaAlias/sp"
        ResponseLocation="http://DMMSP.example.com:8080/opensso/SPSloRedirect/metaAlias/sp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://DMMSP.example.com:8080/opensso/SPSloPOST/metaAlias/sp"
        ResponseLocation="http://DMMSP.example.com:8080/opensso/SPSloPOST/metaAlias/sp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://DMMSP.example.com:8080/opensso/SPSloSoap/metaAlias/sp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://DMMSP.example.com:8080/opensso/SPMniRedirect/metaAlias/sp"
        ResponseLocation="http://DMMSP.example.com:8080/opensso/SPMniRedirect/metaAlias/sp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://DMMSP.example.com:8080/opensso/SPMniPOST/metaAlias/sp"
        ResponseLocation="http://DMMSP.example.com:8080/opensso/SPMniPOST/metaAlias/sp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://DMMSP.example.com:8080/opensso/SPMniSoap/metaAlias/sp"
        ResponseLocation="http://DMMSP.example.com:8080/opensso/SPMniSoap/metaAlias/sp"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://DMMSP.example.com:8080/opensso/Consumer/metaAlias/sp"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://DMMSP.example.com:8080/opensso/Consumer/metaAlias/sp"/>
    <AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="http://DMMSP.example.com:8080/opensso/Consumer/ECP/metaAlias/sp"/>
  </SPSSODescriptor>
</EntityDescriptor>
Sample IdP Configuration Files
Exported IdP Configuration Sample from OpenAM, page 6-38
Exported IdP Configuration Sample from Shibboleth, page 6-39
Exported IdP Configuration Sample from OpenAM
<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <EntityDescriptor entityID="dmsIdp" xmlns="urn:oasis:names:tc:SAML:2.0:metadata"> <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> <KeyDescriptor use="signing"> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate> MJEwVFggTTQ1MUwD9w0kQACIQNICQQWBGBYlAqqAMBGUzAwAEkVsiagAELKkCBkDCADdhAUIQIGE CYABEMTxwVzNBKQlNQZDMAlNCEQ1ADJzAKC0E4QgQSBExwGGVwzM0AAgQOVDUDT0A8cCNTxMFBVV BxxjNambbJAQRbThnMxjlMNFYMm8cpT2mDovLMTvENv4pAJIw2yNDRAYDMMTAG0wOyET3MLExgMw ZEMAAVk80JDVMVT1TSghThEMxBwjAU1zkwFMYEODCAQgH0MGQQGAJCNLEUNBQEBsCCBAwQVMlQAx DGgwkJ5EAY9vMADP2y0NbJIQo0jV5RaXw8YbsQsTVQDjx5ZNKNZaUgMBByUDjhcYjN2wJBSWQ0bNABmAo2eD4JQ1QA hEVyPDgAQEMZBUIAtNdgrxA0BcYIB9QuG4aWYHGX/ LcxHcYOES0MIYciud6KmI+/ kq/ YpRbA30QYctD0uax/ 0M7BUD/SMT+P1kQhA9dCLiOeu2WB2dKFWWOwcLIhgne7omCI+ozijrImy+4C3fz9zC/VrBA3bQZMcnsE6YbZJDC7Ih AjNAEAoQNZ5gGAKxBYEABzXjgAQwcDpvFYK1yNqr wArSlA7b3Vkhn42iQVjvj8I3No2ssay4LZyBsffkrm+ gATatC/ HvyyNGoapGS9K4fLZNzBaXDW99/ 728x7bGciRWFdx4VOdPABkis+ a1Had9Blj8uCupvRp/ wkRkP+ 6hldOYEWQyVmrwid02g3S5Gtb+ ErQO7KA5G1wKvrw= </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor> <ArtifactResolutionService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="http://OpenAM.example.com:8080/opensso/ArtifactResolver/metaAlias/idp"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://OpenAM.example.com:8080/opensso/IDPSloRedirect/metaAlias/idp" ResponseLocation="http://OpenAM.example.com:8080/opensso/IDPSloRedirect/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://OpenAM.example.com:8080/opensso/IDPSloPOST/metaAlias/idp"
        ResponseLocation="http://OpenAM.example.com:8080/opensso/IDPSloPOST/metaAlias/idp"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://OpenAM.example.com:8080/opensso/IDPSloSoap/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://OpenAM.example.com:8080/opensso/IDPMniRedirect/metaAlias/idp"
        ResponseLocation="http://OpenAM.example.com:8080/opensso/IDPMniRedirect/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://OpenAM.example.com:8080/opensso/IDPMniPOST/metaAlias/idp"
        ResponseLocation="http://OpenAM.example.com:8080/opensso/IDPMniPOST/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://OpenAM.example.com:8080/opensso/IDPMniSoap/metaAlias/idp"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://OpenAM.example.com:8080/opensso/SSORedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://OpenAM.example.com:8080/opensso/SSOPOST/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://OpenAM.example.com:8080/opensso/SSOSoap/metaAlias/idp"/>
    <NameIDMappingService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://OpenAM.example.com:8080/opensso/NIMSoap/metaAlias/idp"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://OpenAM.example.com:8080/opensso/AIDReqSoap/IDPRole/metaAlias/idp"/>
    <AssertionIDRequestService Binding="urn:oasis:names:tc:SAML:2.0:bindings:URI"
        Location="http://OpenAM.example.com:8080/opensso/AIDReqUri/IDPRole/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
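The following added example (not DMM's own code, nor code from OpenAM or Shibboleth) reads a SAML 2.0 EntityDescriptor of the kind shown in the SP sample above and in these IdP samples, using only Python's standard library, and reports what a reviewer checks before exchanging metadata with a peer: the role, the signing flags, the NameID formats offered, and every endpoint served over plain http rather than https. The embedded metadata is a constructed, shortened copy of the SP sample with a placeholder in place of the certificate.

```python
"""Review SAML 2.0 metadata of the kind DMM exports (SP) and imports (IdP).

Added example, not part of the DMM product.  Works on either an SPSSODescriptor
or an IDPSSODescriptor, so the same function can be run over the SP file that
DMM exports and over the IdP file before it is imported.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed, shortened copy of the SP sample in this guide; the certificate
# is a placeholder, not a real key.
SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="http://DMMSP.example.com:8080/opensso"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <KeyDescriptor><ds:KeyInfo><ds:KeyName>tomcat</ds:KeyName><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERTIFICATE-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://DMMSP.example.com:8080/opensso/SPSloRedirect/metaAlias/sp"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://DMMSP.example.com:8080/opensso/Consumer/metaAlias/sp"/>
    <AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://DMMSP.example.com:8080/opensso/Consumer/metaAlias/sp"/>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag such as '{ns}Name'."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _flag(element, name):
    """Read a boolean XML attribute; an absent attribute counts as false."""
    return (element.get(name) or "false").strip().lower() == "true"


def review_metadata(xml_text):
    """Return (summary, findings) for one SAML EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    role = sp if sp is not None else idp
    if role is None:
        raise ValueError("neither SPSSODescriptor nor IDPSSODescriptor present")

    summary = {"entity_id": root.get("entityID"),
               "role": "SP" if sp is not None else "IdP",
               "endpoints": [], "nameid_formats": [], "certificates": 0}
    findings = []

    if sp is not None:
        # An SP that does not insist on signed assertions would accept forged ones.
        summary["authn_requests_signed"] = _flag(sp, "AuthnRequestsSigned")
        summary["want_assertions_signed"] = _flag(sp, "WantAssertionsSigned")
        if not summary["want_assertions_signed"]:
            findings.append("WantAssertionsSigned is not true")
        if not summary["authn_requests_signed"]:
            findings.append("AuthnRequestsSigned is not true")
    else:
        summary["want_authn_requests_signed"] = _flag(idp, "WantAuthnRequestsSigned")

    for child in role:
        name = _local(child.tag)
        if name == "NameIDFormat":
            summary["nameid_formats"].append((child.text or "").strip())
        elif name == "KeyDescriptor":
            summary["certificates"] += len(child.findall(f".//{{{DS}}}X509Certificate"))
        elif child.get("Location"):
            location = child.get("Location")
            summary["endpoints"].append((name, child.get("Binding", ""), location))
            # Assertions and logout messages are delivered to these URLs; plain
            # http leaves them readable on the path between IdP and SP.
            if urlparse(location).scheme != "https":
                findings.append(f"{name} endpoint is not https: {location}")

    if summary["certificates"] == 0:
        findings.append("no X509Certificate: the peer cannot verify signatures")
    return summary, findings


if __name__ == "__main__":
    summary, findings = review_metadata(SAMPLE_SP_METADATA)
    print(summary["role"], summary["entity_id"])
    for finding in findings:
        print("finding:", finding)
```

Feed the same function the file saved as dms_sp_config.xml or dms_idp_config.xml to review the real metadata before the exchange.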
Exported IdP Configuration Sample from Shibboleth
<EntityDescriptor entityID="https://sso.example.com/idp/shibboleth"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0 urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIICRTCCAa6gAwIBAgIETOrk+jANBgkqhkiG9w0BAQUFADBmMQswCQYDVQQGEwJVUzELMAkGA1UE CBMCQ0ExCzAJBgNVBAcTAlNKMQ4wDAYDVQQKEwVDSVNDTzEOMAwGA1UECxMFQ0lTQ08xHTAbBgNV BAMTFGZydWl0bG9vcHMuY2lzY28uY29tMCAXDTEwMTEyMjIxNDczOFoYDzIxMTAxMDI5MjE0NzM4 WjBmMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNKMQ4wDAYDVQQKEwVDSVND TzEOMAwGA1UECxMFQ0lTQ08xHTAbBgNVBAMTFGZydWl0bG9vcHMuY2lzY28uY29tMIGfMA0GCSqG SIb3DQEBAQUAA4GNADCBiQKBgQCX0tTliXR7pGh9NNEKbIkChNB0t/H+2ysm4xr1Y60+hFssJGGx qnNv8UEqH7SIk7Z9eDBW6lJreiH3KtSWIJBvtV1hLGZAlwPTu/b6GzVHGX9uZaj3Jyw0N8rul8k8 BoTsdNag7ZhQ7vIfcQ1HjLw9RT3u+n5ZkD+hbwEKtKePEwIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
AA932Gf5lEY1c3w/ALuEXiDdtLnzRrNZxF7ZneDPfnjygNMOLgYTwCARdjdW40Xurd2RGSJC3MYJ bhqMIStSTbYPBB6KLuEWkk+AW+/uprX5T49SY6hS918tcErmWdW0CYFlIiRa2hMaJz6AbWAqKR80 +n5IWxwEOlkmOPdWd1B/ </ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
        Location="http://sso.example.com:8080/idp/profile/SAML1/SOAP/ArtifactResolution" index="1"/>
    <ArtifactResolutionService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://sso.example.com:8080/idp/profile/SAML2/SOAP/ArtifactResolution" index="2"/>
    <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="http://sso.example.com:8080/idp/profile/Shibboleth/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sso.example.com:8080/idp/profile/SAML2/POST/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="http://sso.example.com:8080/idp/profile/SAML2/POST-SimpleSign/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://sso.example.com:8080/idp/profile/SAML2/Redirect/SSO"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="http://sso.example.com:8080/idp/profile/SAML2/SOAP/SSO"/>
  </IDPSSODescriptor>
  <AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate> MIICRTCCAa6gAwIBAgIETOrk+jANBgkqhkiG9w0BAQUFADBmMQswCQYDVQQGEwJVUzELMAkGA1UE CBMCQ0ExCzAJBgNVBAcTAlNKMQ4wDAYDVQQKEwVDSVNDTzEOMAwGA1UECxMFQ0lTQ08xHTAbBgNV BAMTFGZydWl0bG9vcHMuY2lzY28uY29tMCAXDTEwMTEyMjIxNDczOFoYDzIxMTAxMDI5MjE0NzM4 WjBmMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNKMQ4wDAYDVQQKEwVDSVND TzEOMAwGA1UECxMFQ0lTQ08xHTAbBgNVBAMTFGZydWl0bG9vcHMuY2lzY28uY29tMIGfMA0GCSqG SIb3DQEBAQUAA4GNADCBiQKBgQCX0tTliXR7pGh9NNEKbIkChNB0t/H+2ysm4xr1Y60+hFssJGGx qnNv8UEqH7SIk7Z9eDBW6lJreiH3KtSWIJBvtV1hLGZAlwPTu/b6GzVHGX9uZaj3Jyw0N8rul8k8 BoTsdNag7ZhQ7vIfcQ1HjLw9RT3u+n5ZkD+hbwEKtKePEwIDAQABMA0GCSqGSIb3DQEBBQUAA4GB AA932Gf5lEY1c3w/ALuEXiDdtLnzRrNZxF7ZneDPfnjygNMOLgYTwCARdjdW40Xurd2RGSJC3MYJ bhqMIStSTbYPBB6KLuEWkk+AW+/uprX5T49SY6hS918tcErmWdW0CYFlIiRa2hMaJz6AbWAqKR80 +n5IWxwEOlkmOPdWd1B/
6-40
User Guide for Cisco Digital Media Manager 5.2.x
OL-15762-03
Chapter 6 Authentication and Federated Identity
</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </KeyDescriptor>
<AttributeService Binding=”urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding”
Location=”http://sso.example.com:8080/idp/profile/SAML1/SOAP/AttributeQuery” />
<AttributeService Binding=”urn:oasis:names:tc:SAML:2.0:bindings:SOAP”
Location=”http://sso.example.com:8080/idp/profile/SAML2/SOAP/AttributeQuery” />
<NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat> <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
</AttributeAuthorityDescriptor>
</EntityDescriptor>
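Before you point DMM at an IdP, the two things worth checking in metadata like the sample above are where the endpoints send the browser (every Location in the sample is a plain http:// URL on port 8080) and what key sits behind the KeyDescriptor. The following audit is an added example, not part of the Cisco guide or of any Cisco tool. It uses only the Python standard library; SAMPLE_METADATA is a trimmed copy of the sample above with its certificate copied verbatim, and the function names and the min_rsa_bits policy are this example's own assumptions.

```python
# Added example, not from the Cisco guide or any Cisco tool: audit a SAML 2.0 IdP
# EntityDescriptor offline with the Python standard library only. SAMPLE_METADATA is a
# trimmed copy of the guide's sample (same endpoints, same certificate, copied verbatim);
# the function names and the min_rsa_bits policy are this example's own assumptions.
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
OID_NAMES = {  # RFC 5280 / PKCS#1 identifiers this audit needs to recognise
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
SAMPLE_METADATA = """<EntityDescriptor entityID="https://sso.example.com/idp/shibboleth"
  xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
MIICRTCCAa6gAwIBAgIETOrk+jANBgkqhkiG9w0BAQUFADBmMQswCQYDVQQGEwJVUzELMAkGA1UE
CBMCQ0ExCzAJBgNVBAcTAlNKMQ4wDAYDVQQKEwVDSVNDTzEOMAwGA1UECxMFQ0lTQ08xHTAbBgNV
BAMTFGZydWl0bG9vcHMuY2lzY28uY29tMCAXDTEwMTEyMjIxNDczOFoYDzIxMTAxMDI5MjE0NzM4
WjBmMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAlNKMQ4wDAYDVQQKEwVDSVND
TzEOMAwGA1UECxMFQ0lTQ08xHTAbBgNVBAMTFGZydWl0bG9vcHMuY2lzY28uY29tMIGfMA0GCSqG
SIb3DQEBAQUAA4GNADCBiQKBgQCX0tTliXR7pGh9NNEKbIkChNB0t/H+2ysm4xr1Y60+hFssJGGx
qnNv8UEqH7SIk7Z9eDBW6lJreiH3KtSWIJBvtV1hLGZAlwPTu/b6GzVHGX9uZaj3Jyw0N8rul8k8
BoTsdNag7ZhQ7vIfcQ1HjLw9RT3u+n5ZkD+hbwEKtKePEwIDAQABMA0GCSqGSIb3DQEBBQUAA4GB
AA932Gf5lEY1c3w/ALuEXiDdtLnzRrNZxF7ZneDPfnjygNMOLgYTwCARdjdW40Xurd2RGSJC3MYJ
bhqMIStSTbYPBB6KLuEWkk+AW+/uprX5T49SY6hS918tcErmWdW0CYFlIiRa2hMaJz6AbWAqKR80
+n5IWxwEOlkmOPdWd1B/
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="http://sso.example.com:8080/idp/profile/SAML2/POST/SSO"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="http://sso.example.com:8080/idp/profile/SAML2/Redirect/SSO"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

def der_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos] -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the byte count of the length itself
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Members of a SEQUENCE/SET value as a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:  # base-128 arcs; a clear high bit marks the last byte of an arc
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [str(acc)], 0
    return ".".join(parts)

def decode_name(value):
    """X.501 Name -> 'C=US, ..., CN=host', attribute types named via OID_NAMES."""
    atvs = [der_children(atv) for _, rdn in der_children(value) for _, atv in der_children(rdn)]
    return ", ".join(f"{OID_NAMES.get(decode_oid(o), decode_oid(o))}={t.decode()}"
                     for (_, o), (_, t) in atvs)

def inspect_certificate(der):
    """The fields an IdP-metadata review cares about, from a DER-encoded X.509 certificate."""
    (_, tbs), (_, sig_alg), _ = der_children(der_tlv(der)[1])
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    _serial, _alg, issuer, validity, subject, spki = fields[:6]
    times = [datetime.strptime(v.decode(), "%y%m%d%H%M%SZ" if t == 0x17 else "%Y%m%d%H%M%SZ")
             .replace(tzinfo=timezone.utc) for t, v in der_children(validity[1])]
    key_alg, key_bits = der_children(spki[1])
    assert OID_NAMES.get(decode_oid(der_children(key_alg[1])[0][1])) == "rsaEncryption", "RSA only"
    modulus = der_children(der_tlv(key_bits[1][1:])[1])[0][1]  # [1:] skips the unused-bits byte
    return {"subject": decode_name(subject[1]), "issuer": decode_name(issuer[1]),
            "not_before": times[0], "not_after": times[1],
            "key_bits": int.from_bytes(modulus, "big").bit_length(),
            "signature_algorithm": OID_NAMES.get(decode_oid(der_children(sig_alg)[0][1]), "unknown")}

def parse_idp_metadata(xml_text):
    """entityID, each IdP endpoint as (element, binding, location), and each embedded DER cert."""
    root = ET.fromstring(xml_text)
    endpoints = [(ep.tag.split("}")[1], ep.get("Binding"), ep.get("Location"))
                 for role in root.findall("md:IDPSSODescriptor", NS) for ep in role if ep.get("Location")]
    certs = [base64.b64decode("".join(c.text.split())) for c in root.iterfind(".//ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "endpoints": endpoints, "certificates": certs}

def audit_idp_metadata(xml_text, min_rsa_bits=2048):
    """Findings to raise before trusting this IdP; min_rsa_bits is an assumed local policy."""
    meta, findings = parse_idp_metadata(xml_text), []
    for element, _binding, location in meta["endpoints"]:
        if not location.lower().startswith("https://"):
            findings.append(f"{element} {location}: plain HTTP, so the AuthnRequest, the IdP login "
                            "form and the IdP session cookie cross the network unencrypted")
    for info in map(inspect_certificate, meta["certificates"]):
        if info["key_bits"] < min_rsa_bits:
            findings.append(f"signing key of {info['subject']} is only {info['key_bits']}-bit RSA")
    return findings
```

Run against the sample, audit_idp_metadata reports both plain-HTTP SingleSignOnService locations and a 1024-bit RSA signing key; inspect_certificate also shows that the embedded certificate is self-signed (issuer equals subject) and SHA-1 signed, so nothing but the metadata file itself vouches for that key. Feed the function the metadata your own IdP publishes to get the same checks before you import it into DMM.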
FAQs and Troubleshooting
FAQs, page 6-41
FAQs
LDAP (Active Directory) FAQs, page 6-41
Federation Mode (SSO) FAQs, page 6-42
Error Message FAQs, page 6-42
Network Policy FAQs, page 6-42
User Exclusion FAQs, page 6-43
LDAP (Active Directory) FAQs

Q. Which Active Directory releases does Cisco DMS support?
A. Our completed tests succeeded as follows.

Active Directory release                  Cisco DMS releases tested
Windows Active Directory Server 2000      5.2.1, 5.2.2, 5.2.3
Windows Active Directory Server 2003      5.2.1, 5.2.2, 5.2.3
Windows Active Directory Server 2008R2    5.2.3

Federation Mode (SSO) FAQs

Q. NEW IN CISCO DMS 5.2.3— Are there any special APIs to use federation mode?
A. No. We support one set of API calls that work identically across all supported authentication modes. See http://developer.cisco.com.

Q. NEW IN CISCO DMS 5.2.3— Can I use one browser to connect simultaneously to more than one DMM appliance or more than one Show and Share appliance?
A. No. Each time that you connect to an additional instance, you are logged out of any prior instance in that browser. However, you can use multiple browsers together for this purpose.

Q. NEW IN CISCO DMS 5.2.3— Why would user sessions time out for Show and Share or DMM users after a different interval than I set in DMM?
A. This can happen when session timeout values differ between your DMM appliance and your IdP. Reconfigure these servers to share one identical session timeout value.

Error Message FAQs
Chapter 6 Authentication and Federated Identity
Network Policy FAQs
Q.
Why does an error message state that an Active Directory password is not valid?
Explanation
A “User must change password at next login” flag might be set on your Active Directory server. While this flag is set, the affected user cannot log in to any Cisco DMS component. DMS-Admin cannot change any password on your Active Directory server.
Recommended Action Use features that your Active Directory server provides for this purpose.
Q.
Why does an error message state that filter validation has failed?
Explanation
Filters fail when they point to empty containers. They also fail in response to filter expressions that includes any spaces.
Recommended Action Make sure on your Active Directory server that your filter did not refer to an
empty organizational unit (OU) container.
one space.
Q.
NEW IN CISCO DMS 5.2.3— Why would my API calls receive an HTTP 401 Unauthorized error?
Recommended Action
Q.
When I use LDAP authentication with Cisco DMS, which ports must remain open in my network?
A.
Your DMM appliance accepts user authentication requests securely through port 443. DMM then
When you use federation mode, enable ECP on your IdP server.
Confirm also that your filter expression does not contain even
passes these requests securely to your Active Directory server through port 389. Also, SSL uses port 636.
User Exclusion FAQs

Q. Can I block Cisco DMS access to one particular Active Directory user account, when it is among the matched results for an otherwise useful LDAP filter?
A. Yes. Extend your query with a logical NOT (!) operator on an attribute whose value is unique to this user. This example uses the “samAccountName” attribute name, which DMM uses by default to populate the corresponding DMM login name from LDAP. However, if your Active Directory server uses any other attribute name than “samAccountName” for this purpose, you must update the example syntax accordingly when you extend your query. In LDAP filter syntax (RFC 4515) the NOT operator wraps the comparison it negates; there is no “!=” operator.

(&(currentFilter)(!(samAccountName=username-to-be-excluded)))

Tip Information on the Manage Attributes property sheet in DMS-Admin confirms whether your Active Directory server uses the samAccountName attribute name.
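The exclusion filter described above is built from a username, so the value has to be escaped or it can change the shape of the filter. The following is an added example, not Cisco's code: it builds the filter in RFC 4515 syntax, checks it against the rules this guide gives for DMS-Admin filters (no spaces, well-formed; the "empty OU" rule needs the directory itself and is not checked), and evaluates it with a small, self-contained filter interpreter so the effect of escaping can be shown offline. The function names, the sample entries and the account names are this example's own.

```python
# Added example, not from the Cisco guide: build the exclusion filter described above in
# RFC 4515 syntax, check it against the rules the guide gives for DMS-Admin filters (no spaces,
# well-formed), and show why the excluded name must be escaped. The "empty OU" rule needs the
# directory itself and is not checked here. Entry data and account names are made up.
import re

def escape_filter_value(value):
    """RFC 4515 escaping, so a value cannot alter the filter structure (LDAP filter injection)."""
    return "".join(f"\\{ord(ch):02x}" if ch in "\\*()\x00" else ch for ch in value)

def exclude_user(current_filter, username, attribute="samAccountName"):
    """Narrow current_filter with a logical NOT on the attribute that carries the DMM login name."""
    return f"(&{current_filter}(!({attribute}={escape_filter_value(username)})))"

def validate_filter(expr):
    """Problems DMS-Admin filter validation would report, plus basic syntax checks."""
    problems, depth = [], 0
    for ch in expr:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            problems.append("a ')' closes nothing")
            break
    if depth > 0:
        problems.append("unclosed '('")
    if " " in expr:
        problems.append("contains a space (DMS-Admin rejects it)")
    if not (expr.startswith("(") and expr.endswith(")")):
        problems.append("must be enclosed in parentheses")
    return problems

def _parse(expr, i=0):
    """Recursive-descent parse of one parenthesised component; returns (node, next index)."""
    if expr[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if expr[i] in "&|!":
        op, items, i = expr[i], [], i + 1
        while expr[i] == "(":
            node, i = _parse(expr, i)
            items.append(node)
        return (op, items), i + 1  # step over the closing ')'
    end = expr.index(")", i)  # escaped values never contain a raw ')'
    attr, _, pattern = expr[i:end].partition("=")
    return ("=", attr.lower(), pattern), end + 1

def _unescape(piece):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)

def matches(entry, node):
    """Evaluate a parsed filter against one entry (dict keyed by lower-case attribute name)."""
    op = node[0]
    if op == "&":
        return all(matches(entry, n) for n in node[1])
    if op == "|":
        return any(matches(entry, n) for n in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, pattern = node
    # A raw '*' is a wildcard; an escaped one (\2a) is restored only after the split, so it stays literal.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return attr in entry and re.fullmatch(regex, str(entry[attr]), re.IGNORECASE) is not None

def logins_matching(entries, expr):
    """samAccountName of every entry the filter keeps, in input order."""
    node, _ = _parse(expr)
    return [e["samaccountname"] for e in entries if matches(e, node)]

# Constructed directory sample: three accounts that all match the base filter.
SAMPLE_ENTRIES = [{"samaccountname": n, "objectclass": "user"} for n in ("jdoe", "asmith", "bjones")]
```

With escaping, exclude_user("(objectClass=user)", "*") produces (!(samAccountName=\2a)), which excludes only an account literally named "*"; pasted in unescaped, the same input yields (!(samAccountName=*)) and locks every account out of DMM. Keep the escaping step wherever the excluded name comes from a form or a ticket rather than from your own keyboard.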
Chapter 7 Users and Groups

Revised: May 22, 2010

Note This material pertains to multiple releases of Cisco DMS: 5.2.0, 5.2.1, 5.2.2, and 5.2.3.

Audience
We prepared this material with specific expectations of you. You manage user accounts and user groups for components of Cisco DMS.

Concepts, page 7-1
Procedures, page 7-2
Reference, page 7-9

Concepts

Understand User Accounts, page 7-1
Understand User Roles, page 7-2
Understand User Accounts
You can create user accounts manually or you can import them from an Active Directory server. Imported accounts and created accounts can coexist.
You cannot create any new user accounts manually while your authentication method is LDAP.
Understand User Roles
User roles in DMS-Admin are the automatic result of a logical operation. You cannot use DMS-Admin to assign a user role directly to any user.
In some cases, a user is authorized to use more than one licensed feature of Cisco DMS. The DMS-Admin user role that you see for a user account is based on all privileges and access settings that the user has, combined across all of your licensed and activated features.

Table 7-1 Logic That Determines User Role Designations in DMS-Admin

User Role    Logic
Admin        This user role is assigned automatically to any user who is an administrator in any DMM software module. These users have full read/write access to all users and user groups in DMS-Admin and can manage settings for them.
Group Admin  This user role is assigned automatically to any user who is a content author for Show and Share but is not an administrator in any DMM software module. These users cannot see information about user accounts and groups in DMS-Admin, nor can they create, edit, or delete them. However, these users can create user groups as part of the workflow in Show and Share Administration when they assign the rights to view a new or preexisting video.
ReadOnly     This user role in DMS-Admin is assigned automatically to any user who has not been granted any explicit access settings or privileges in any DMM software module, or who can log in to Show and Share but has no other privileges. These users are prevented from logging in to any DMM software module.

Caution Each user account has only the user role “ReadOnly” until you assign additional access rights and privileges. User accounts with this role have severely limited access.

Procedures
Create User Groups, page 7-3
Delete User Groups, page 7-4
Create User Accounts, page 7-4
Assign Users to Groups, page 7-6
Edit User Accounts, page 7-6
Delete User Accounts, page 7-8
Assign User Access Rights and Permissions, page 7-8
Create User Groups
Procedure
Step 1 Choose Administration > Users.
Step 2 Click Create Group.
Step 3 Enter values to name and describe the group.
Tip The name that you enter for a user group must not contain any spaces or special characters.
Step 4 Click Save to save your work.
Step 5 Stop. You have completed this procedure.
Delete User Groups
Procedure
Step 1 Choose Administration > Users.
Step 2 Click a group name to highlight it.
Step 3 Choose Options > Delete Group.
Step 4 Click Yes in the Delete Confirmation dialog box.
Step 5 Stop. You have completed this procedure.
Create User Accounts
Procedure
Step 1 Choose Administration > Users.
Step 2 Click Add New User.
Step 3 Enter the required values in the Add New User dialog box.
Step 4 (Optional) Enter contact information.
Step 5 (Optional) Assign the user to a user group.
Step 6 Click Save.
Step 7 Stop. You have completed this procedure.
Related Topics
Elements to Configure User Account Settings, page 7-9
Delete User Accounts, page 7-8
Assign Users to Groups
When you first create a user account in DMS-Admin, you can associate the account with a user group immediately or you can do so after you assign access rights and permissions to the user.
Procedure
Step 1 Drag a user from the table to the group name.
OR
Use the Edit User dialog box.
Step 2 Stop. You have completed this procedure.
Edit User Accounts
You can edit user account settings manually.
Procedure
Step 1 Choose Administration > Users.
Step 2 Click an entry in the untitled table that describes all user accounts.
Step 3 Choose Options > Edit User.
Step 4 Make changes to its values in the Edit User dialog box.
Step 5 (Optional) Enter contact information.
Step 6 (Optional) Assign the user to a user group.
Step 7 Click Save.
Step 8 Stop. You have completed this procedure.
Related Topics
Elements to Configure User Account Settings, page 7-9
Delete User Accounts, page 7-8
Delete User Accounts
Note You cannot delete the superuser account. However, you can delete any other user account.
Procedure
Step 1 Choose Administration > Users.
Step 2 Click an entry in the untitled table that describes all user accounts.
To mark multiple user accounts for deletion, Ctrl-click.
Step 3 Choose Options > Delete User.
Step 4 Stop. You have completed this procedure.
Related Topics
Create User Accounts, page 7-4
Elements to Configure User Account Settings, page 7-9
Assign User Access Rights and Permissions
Note User rights and privileges are feature-specific. You cannot use DMS-Admin to assign rights or privileges to any user.
Before You Begin
Obtain and install the license keys to activate licensed features.
Create or import user accounts.
Procedure
Step 1 Assign access rights and privileges to users in the individually licensed features they will use.
Step 2 Stop. You have completed this procedure.
Reference
Software UI and Field Reference Tables, page 7-9
FAQs and Troubleshooting, page 7-10
Software UI and Field Reference Tables
Elements to Configure User Account Settings, page 7-9
Elements to Configure User Account Settings
Navigation Path
Administration > Users
Table 7-2 Elements for Creating and Editing User Accounts Manually
Element Description
First Name This required value might be identical for multiple users.
Note NEW IN CISCO DMS 5.2.3—We no longer validate that this value is strictly alphanumeric.
Specifically, we support your use of opening and closing quotation marks, forward slashes, and back slashes.
Last Name This required value might also be identical for multiple users.
Note NEW IN CISCO DMS 5.2.3—We no longer validate that this value is strictly alphanumeric.
Specifically, we support your use of opening and closing quotation marks, forward slashes, and back slashes.
Email Address The email address to be associated with this user account.
Username A unique username. The name is unique in the sense that you have not used it as the name for
any other user account for any component of Cisco DMS. You must enter the username.
Note NEW IN CISCO DMS 5.2.3—Usernames are now case-insensitive and the minimum username
length is lowered to two characters. (Previously, the minimum username length was four characters.)
Password The password for the user account. You must enter a password, then reenter it.
Re-enter password
Active list Signifies whether the account holder is an active or inactive user of Cisco DMS. Alternatively,
signifies whether the account holder is active in your organization.
Optional Contact Info
Company The agency, corporation, nonprofit organization, or other such institution to be associated with
this user account.
Department The department within the institution.
Phone The telephone number to be associated with this user account.
Optional Group Selection
Unlabeled check box Marks the groups to which this user should belong.
Groups column Shows the group name.
Description column Optional, brief description of the group and its purpose.
FAQs and Troubleshooting
FAQs, page 7-10
FAQs
Q.
What might prevent a user from logging in to DMM with an account that I created in DMS-Admin?
A.
By default, DMS-Admin assigns all newly created user accounts to a user role called “ReadOnly.” Users with this role cannot log in to DMM. To grant this right to users, you must assign module-specific rights to them in Digital Signs or Show and Share Administration. Afterward, DMS-Admin recomputes their user role according to the logic in Table 7-1 (for example, to “Admin” for a user who is an administrator in any DMM software module).