SAML SSO - Cisco


(SAML) Single Sign-On (SSO) for Cisco Unified Communications 10.x
By A. M. Mahesh Babu
BRKUCC2004 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public

SAML SSO
SAML SSO is the Single Sign-On mechanism developed for the Cisco Unified Communications products. Single Sign-On provides a better user experience: the user enters their Active Directory (AD) credentials only once to reach the different UC services, such as the administrative, self-care and end-user applications of Unified Communications Manager (Call Manager), Unity Connection and the IM and Presence server.

Benefits of using SAML SSO
- Seamless login to multiple UC web applications by entering the credentials only once.
- It reduces password fatigue by removing the need to enter different user name and password combinations for different UC applications.
- It improves productivity because less time is spent re-entering credentials for the same identity.
- With this mechanism the authentication work is offloaded to the Identity Provider (IdP); the UC products only take care of authorization.

- Changes made by an administrator are easy to identify, because the audit logs show which AD user logged in. This was not the case when a common (shared) credential was used.

Example of SAML SSO
Have you noticed that you are automatically logged in to the Cisco Support Forum if you have already logged in to Cisco.com? If yes, this is done by SAML SSO.

What exactly is SAML SSO
SAML is an XML-based open standard data format that enables administrators to access a defined set of Cisco collaboration applications seamlessly after signing in to one of those applications. SAML describes the exchange of security-related information between trusted business partners. It is an authentication protocol used by service providers (for example, Cisco Unified Communications Manager) to authenticate a user. SAML enables the exchange of security authentication information between an Identity Provider (IdP) and a service provider. To know more about the SAML protocol, see http://saml.xml.org/saml-specifications

What users can access with one-time credentials

LDAP users with administrator rights:
- Call Manager Administration
- IM & P Administration
- Cisco Unified Serviceability
- Unity Connection Administration
- Cisco Unity Connection Serviceability
- Cisco Personal Communications Assistant
- Web Inbox
- Mini Web Inbox (desktop version)

LDAP users without administrator rights:
- CUCM End User page (Self Care Portal)
- Cisco Personal Communications Assistant
- Web Inbox
- Mini Web Inbox (desktop version)

Note: Users (LDAP or non-LDAP) do not gain access to the following web applications through SAML SSO:
- Disaster Recovery System
- Cisco Unified Operating System Administration

Software requirements
The SAML SSO feature requires the following software components:
- Cisco Unified Communications applications, release 10.0(1) or later.
- An LDAP server that is trusted by the IdP server and supported by the Cisco Unified Communications applications.
- Any of the following supported Identity Provider servers that comply with the SAML 2.0 standard:
  - Microsoft Active Directory Federation Services (AD FS) Federation Server version 2.0
  - Open Access Manager (OpenAM) version 10.1
  - Ping Federate version 6.10.0.4
  - Oracle Access Manager version 11g

SAML SSO web browsers
The following operating system and browser combinations support the SAML SSO solution:
On Microsoft Windows XP, Vista and 7:
- Microsoft Internet Explorer (IE) 8, IE 9
- Mozilla Firefox 4.x, Firefox 10.x
- Google Chrome 8.x
On Apple OS X and later:
- Apple Safari 5.x
- Firefox 4.x, 10.x
- Chrome 8.x

Basic Elements of SAML SSO
Client (the end user's client): a browser-based client, or a client that can leverage a browser instance for authentication. For example, a system administrator's browser.
Service provider: the application or service that the client is trying to access. For example, Cisco Unified Communications Manager.
Identity Provider (IdP) server: the entity that authenticates end-user credentials and issues SAML Assertions.
Lightweight Directory Access Protocol (LDAP) users: users integrated with an LDAP directory, for example Microsoft Active Directory or OpenLDAP. Non-LDAP users reside locally on the Unified Communications server.
SAML Assertion: the pieces of security information that are transferred from the IdP to the service provider to facilitate user authentication.
SAML Request: an authentication request generated by a Unified Communications application. To authenticate the LDAP user, the Unified Communications application delegates the authentication request to the IdP.
Circle of Trust (CoT): the set of service providers that share and authenticate against one common IdP.
Metadata: an XML file generated both by an SSO-enabled Unified Communications application (for example, Cisco Unified Communications Manager or Cisco Unity Connection) and by the IdP. The exchange of SAML metadata builds the trust relationship between the IdP and the service provider.
Assertion Consumer Service (ACS) URL: the URL that tells the IdP where to post assertions. The ACS URL instructs the IdP to post the final SAML response to that particular URL.
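The metadata exchange described above, as an added example (this is not Cisco code and not part of the original presentation): the IdP metadata document, its certificate text, the entity IDs and the ACS URL are all constructed for the demo. It shows what a service provider keeps from an imported IdP metadata file (the entityID it will require as Assertion Issuer, the signing certificate it will verify assertions against, and the SSO endpoint per binding), the sanity checks worth making on that file, and the minimal SP metadata that hands the ACS URL back to the IdP.

```python
"""Trust metadata exchange between an IdP and an SP (stdlib only).
Added example, not Cisco code; every name, URL and certificate string
below is constructed for the demo."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)


def _q(ns, tag):
    return f"{{{ns}}}{tag}"


# Constructed stand-in for an AD FS metadata download.  A real document is
# larger and carries base64 X.509 certificates, not these placeholders.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="http://adfs.example.com/adfs/services/trust"
    validUntil="2026-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-placeholder-signing-cert</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-placeholder-encryption-cert</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://adfs.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text, now):
    """What the SP keeps from imported IdP metadata, with the checks that
    matter: the file must be unexpired IdP metadata, carry a signing
    certificate, and advertise only HTTPS endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != _q(MD, "EntityDescriptor"):
        raise ValueError("not a SAML EntityDescriptor")
    valid_until = root.get("validUntil")
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) <= now:
        raise ValueError("metadata has expired; download a fresh copy from the IdP")
    idp = root.find(_q(MD, "IDPSSODescriptor"))
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = []
    for kd in idp.iterfind(_q(MD, "KeyDescriptor")):
        if kd.get("use") in (None, "signing"):        # absent 'use' means both
            for c in kd.iterfind(f".//{_q(DS, 'X509Certificate')}"):
                certs.append("".join(c.text.split()))  # drop line wrapping
    if not certs:
        raise ValueError("no signing certificate: assertions could not be verified")
    sso = {}
    for s in idp.iterfind(_q(MD, "SingleSignOnService")):
        if not s.get("Location", "").startswith("https://"):
            raise ValueError(f"refusing cleartext SSO endpoint {s.get('Location')}")
        sso[s.get("Binding")] = s.get("Location")
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def build_sp_metadata(entity_id, acs_url):
    """The SP side of the exchange: its entityID and the ACS URL the IdP must
    POST responses to.  WantAssertionsSigned is this demo SP's choice."""
    root = ET.Element(_q(MD, "EntityDescriptor"), {"entityID": entity_id})
    sp = ET.SubElement(root, _q(MD, "SPSSODescriptor"), {
        "protocolSupportEnumeration": SAMLP, "WantAssertionsSigned": "true"})
    ET.SubElement(sp, _q(MD, "NameIDFormat")).text = \
        "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    ET.SubElement(sp, _q(MD, "AssertionConsumerService"), {
        "Binding": HTTP_POST, "Location": acs_url, "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")


def acs_urls(sp_metadata_xml):
    """What an IdP administrator can check in the imported SP metadata."""
    root = ET.fromstring(sp_metadata_xml)
    return [a.get("Location")
            for a in root.iterfind(f".//{_q(MD, 'AssertionConsumerService')}")]
```

The `validUntil` and HTTPS checks are the ones most often skipped when metadata is pasted by hand; an expired or cleartext endpoint is exactly what shows up later as a failed Run Test SSO.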

SAML SSO Call Flow
Step 1: A browser-based end-user client attempts to access a protected resource on a service provider.
Note: The browser does not have an existing session with the service provider.
Step 2: Upon receipt of the request from the browser, the service provider generates a SAML authentication request.
Note: The SAML request includes information indicating which service provider generated the request. Later, this allows the IdP to know which particular service provider initiated the request. The IdP must have the Assertion Consumer Service (ACS) URL to complete SAML authentication successfully. The ACS URL tells the IdP to post the final SAML response to a particular URL.
Note: The authentication request can be sent to the IdP, and the Assertion sent to the service provider, through either the Redirect or the POST binding. For example, Cisco Unified Communications Manager supports POST binding in either direction. The flow below carries the request as a GET query parameter (Redirect binding) and the response as a hidden form POST (POST binding).
Step 3: The service provider redirects the request to the browser.
Note: The IdP URL is preconfigured on the service provider as part of the SAML metadata exchange.
Step 4: The browser follows the redirect and issues an HTTPS GET request to the IdP. The SAML request is carried as a query parameter in the GET request.
Step 5: The IdP checks for a valid session with the browser.
Step 6: In the absence of an existing session with the browser, the IdP generates a login request to the browser. The authentication mechanism is configured and enforced by the IdP.
Note: The authentication mechanism is determined by the security and authentication requirements of the customer. It could be form-based authentication using username and password, Kerberos, PKI, etc. This example assumes form-based authentication.
Step 7: The user enters the required credentials in the login form and posts them back to the IdP.
Note: The authentication challenge for logging in is between the browser and the IdP. The service provider is not involved in end-user authentication.
Step 8: The IdP in turn submits the credentials to the LDAP server.
Step 9: The LDAP server checks the directory for the credentials and sends the validation status back to the IdP.
Step 10: The IdP validates the credentials and generates a SAML response, which includes a SAML Assertion.
Note: The Assertion is digitally signed by the IdP, and the end user is allowed access to the service provider's protected resources. The IdP also sets its cookie here.
Step 11: The IdP redirects the SAML response to the browser.
Step 12: The browser follows the hidden form POST instruction and posts the Assertion to the ACS URL on the service provider.
Step 13: The service provider extracts the Assertion and validates the digital signature.
Note: The service provider uses this digital signature to establish the circle of trust with the IdP.
Step 14: The service provider then grants access to the protected resource and provides the resource content by replying 200 OK to the browser.
Note: The service provider sets its cookie here. If the browser subsequently requests an additional resource, it includes the service provider cookie in the request. The service provider checks whether a session already exists with the browser; if it does, the service provider returns the resource content.

Configuration

Pre-requisites to SAML Enablement
- The IdP should be configured and its metadata downloaded to the administrator's PC.
- AD FS IdP configuration with screenshots: https://supportforums.cisco.com/sites/default/files/adfs_setup_for_saml_sso.docx and https://supportforums.cisco.com/video/12155556/cucm-10x-samlsso-adfs20
- For other IdP configurations: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration/guide/10xcucsagx/10xcucsag112.html#pgfId-1060896
- DNS/FQDN must be deployed for all Unified products (CUCM, UCXN) and the IdP.
- The IdP and the SP should be clock-synchronized and able to ping each other.
Disclaimer: I have put in place a configuration document for AD FS (Microsoft) as IdP for testing in the lab; it is not the official configuration guide. Please refer to the Microsoft or other appropriate official references while configuring the IdP.

Enabling SAML SSO on Call Manager
Step 1: Enable SAML SSO mode. To enable SAML SSO mode on the Connection server, log on to the Cisco Unity Connection interface.

Browse to System > SAML Single Sign-On and select the option Enable SAML SSO.
Step 2: IdP metadata import. On the pop-up, click Continue. On the Identity Provider (IdP) Metadata Trust File page, browse to and upload the IdP metadata file, select the option Import IdP Metadata, then select Next. If the import of the metadata is successful, the message "Import succeeded for all servers" appears.
Step 3: SAML metadata exchange. Select Trust Metadata Fileset to download the zipped metadata files (metadata files for all nodes), then select Next.
Step 4: Import the SP metadata into the IdP. On the IdP, import the downloaded SP metadata (Trust Metadata Fileset).
Step 5: Select the admin user. Select a valid admin user from the list of users shown, click Run Test SSO, then click Next.

Disabling SAML SSO
SAML SSO can be disabled via the following options:
1. The Disable SAML SSO button on the GUI.
2. The CLI command utils sso disable.

List of CLIs
The following section describes the CLI commands for SAML Single Sign-On. All the commands are valid for cluster and stand-alone nodes:

utils sso disable
Sample output:
Disable SAML SSO Success for this node

utils sso status
Sample output:
IdP Metadata Imported Date = Wed Aug 28 14:11:28 IST 2013
SP Metadata Exported Date = Wed Aug 28 14:13:08 IST 2013
SSO Test Result Date = Wed Aug 28 14:13:42 IST 2013
SAML SSO Test Status = passed
Recovery URL Status = disabled

utils sso enable
Sample output:
***** W A R N I N G : SSO enable is not available from CLI *****
To enable SSO please refer to Product Administrative guide !

List of CLIs (cont.)

utils sso recovery-url enable
Sample output:
Recovery URL enabled

utils sso recovery-url disable
Sample output:
Recovery URL disabled

set samltrace level
Sample output:
admin:set samltrace level DEBUG
Command Execution Successful.
SAML Trace Level is set to :DEBUG

show samltrace level
Sample output:
Current SAML Trace level is :INFO

Troubleshooting

Recovery URL (Local Admin Support)
The Recovery URL is highlighted on the server landing page (on all nodes) when SAML SSO and the recovery URL are both enabled. It is the URL used to bypass Single Sign-On (SSO).
Why a Recovery URL?
- Non-LDAP local administrators are not supported by SAML SSO.
- It also provides backdoor access to the administrative and serviceability GUIs via a local administrator's username/password in cases where SSO login to the GUIs fails, for example when the network connection to the IdP fails.
This URL uses form-based authentication and an Application User account whose password is stored locally in the service database. Because it bypasses the IdP entirely, the Recovery URL is best left disabled (utils sso recovery-url disable) until it is actually needed, and the local Application User password it relies on should be treated with the same care as any other standing administrative credential.

Collect Logs from RTMT
The following log files can be collected from RTMT:
- ssoApp.log

- ssospxxxxx.log
Steps to follow in RTMT:
1. Log in to RTMT.
2. Go to System > Tools > Trace > Trace & Log Central.
3. Click Collect Files, click Next, select Cisco SSO, and click Finish.
4. The log files are downloaded.

References

Cisco Unified Communications Manager: SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 10.0(1)
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/SAML_SSO_deployment_guide/0_1/CUCM_BK_SB003832_00_saml-sso-deployment-guide-for.html
Cisco Unity Connection: Managing SAML SSO in Cisco Unity Connection
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration/guide/10xcucsagx/10xcucsag112.html
Troubleshooting SAML SSO in Cisco Unity Connection Release 10.x
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/troubleshooting/guide/10xcuctsgx/10xcuctsg208.html

