Figure illustrates how an environment can be created in which a user uses an identity authenticated by the enterprise to access any of several endpoint identities. This scenario has several key features that are desirable for large-scale deployments.
The endpoint is automatically configured using information from the directory. This eliminates user error in the configuration process and simplifies deployment.
The user needs only a single sign-on credential (typically their enterprise user ID and password). Endpoints can (and often should) have different credentials, but the user does not need to know them, because they are loaded directly into the endpoint from the directory. Because the endpoint credentials are loaded automatically, they can be refreshed frequently. For example, a management tool could generate random credentials for each endpoint and store them in the commObject directory each night. This creates a highly secure environment in which credentials can be very strong and, even if compromised, are aged out and recreated within a short period of time.
This scenario supports the use of either ID/password or certificate-based endpoint credentials. Certificates have traditionally been difficult to deploy for a number of reasons. This scenario solves some important aspects of the certificate management problem and opens the possibility that certificates are managed by a central certificate management system, on behalf of the users rather than by the users themselves, thus shielding users from the complexity of PKI while gaining its security advantages.
In this scenario, the enterprise authentication steps represent a user authenticating to an authentication server that is already deployed for general-purpose single sign-on (e.g. email, web, file sharing). Once authenticated, the user can bind to the LDAP server directly and retrieve all configuration information for the selected endpoint, which includes both configuration data and the endpoint's authentication credentials. Finally, using these credentials, the endpoint authenticates to the call server with whichever authentication scheme is in place (for example, H.235 Annex D or E). Secure LDAP (the transport layer security available in LDAP v3) should be used to ensure the privacy of these transactions.
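The nightly credential rotation described above, as an added example that is not part of the original text: a management tool generates a fresh random password for each endpoint and emits the LDIF changeset to apply to the commObject directory. The attribute name h235IdentityPassword is taken from H.350.2 (not from this page), and the endpoint DNs are constructed sample data.

```python
"""Nightly rotation of per-endpoint H.235 passwords held in an H.350 directory.

Added example, not from the original text. The output is an LDIF changeset
intended for ldapmodify over LDAPS, e.g.  ldapmodify -H ldaps://ldap.example.edu -f rotate.ldif
so the new secrets travel only inside TLS. Attribute name from H.350.2;
endpoint DNs are constructed sample data.
"""
import base64
import secrets
import string

# Constructed sample: the endpoints whose credentials are rotated tonight.
ENDPOINTS = [
    "commUniqueId=ep-1001,ou=h350,dc=example,dc=edu",
    "commUniqueId=ep-1002,ou=h350,dc=example,dc=edu",
]

ALPHABET = string.ascii_letters + string.digits
PASSWORD_LENGTH = 32  # ~190 bits of entropy; the user never has to type it


def new_endpoint_password(length: int = PASSWORD_LENGTH) -> str:
    """Return a random password drawn from a CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def ldif_value(attr: str, value: str) -> str:
    """Encode one attribute value per RFC 2849: plain text if it is a
    SAFE-STRING, otherwise base64 after the '::' separator."""
    unsafe_start = value[:1] in (" ", ":", "<")
    unsafe_chars = any(ord(c) > 127 or c in "\r\n\0" for c in value)
    if not value or unsafe_start or unsafe_chars:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def rotation_ldif(dns, password_factory=new_endpoint_password) -> str:
    """Build one 'replace: h235IdentityPassword' modify per endpoint DN.

    password_factory is injectable so the output can be checked
    deterministically; production code keeps the default CSPRNG."""
    blocks = []
    for dn in dns:
        blocks.append("\n".join([
            ldif_value("dn", dn),
            "changetype: modify",
            "replace: h235IdentityPassword",
            ldif_value("h235IdentityPassword", password_factory()),
            "-",
        ]))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(rotation_ldif(ENDPOINTS), end="")
```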