SAML SSO - Cisco


(SAML) Single Sign-On (SSO) for Cisco Unified Communications 10.x
By A. M. Mahesh Babu
BRKUCC2004
2012 Cisco and/or its affiliates. All rights reserved. Cisco Public

SAML SSO

SAML SSO is the Single Sign-On mechanism developed for the Cisco Unified Communications products. Single Sign-On provides a better user experience because the user enters their AD authentication credentials only once to access different UC services, such as the Administrative, Self-care and End User applications of Call Manager, Unity Connection and the Presence server.

Benefits of using SAML SSO

- Seamless login to multiple UC web applications by entering the credentials only once.
- Reduces password fatigue by removing the need to enter different username and password combinations for different UC applications.
- Improves productivity because you spend less time re-entering credentials for the same identity.
- With this mechanism the authentication work is offloaded to the Identity Provider (IdP); the UC products only take care of authorization.
- Changes made by an administrator are easier to identify, because the audit logs indicate which AD user logged in, which was not the case when a common (shared) credential was used.

Example of SAML SSO

Have you noticed that you are automatically logged into the Cisco support forum if you have already logged into Cisco.com? If yes, this is done by SAML SSO.

What exactly is SAML SSO

SAML is an XML-based open standard data format that enables administrators to access a defined set of Cisco collaboration applications seamlessly after signing into one of them. SAML describes the exchange of security-related information between trusted business partners. It is an authentication protocol through which a service provider (for example, Cisco Unified Communications Manager) relies on an Identity Provider (IdP) to authenticate a user: SAML enables the exchange of authentication information between the IdP and the service provider. To know more about the SAML protocol, see http://saml.xml.org/saml-specifications

What users can access with one-time credentials

User: LDAP users with administrator rights
Web applications: Call Manager Administration; IM&P Administration; Cisco Unified Serviceability; Unity Connection Administration; Cisco Unity Connection Serviceability; Cisco Personal Communications Assistant; Web Inbox; Mini Web Inbox (desktop version)

User: LDAP users without administrator rights
Web applications: CUCM End User page (Self Care Portal); Cisco Personal Communications Assistant; Web Inbox; Mini Web Inbox (desktop version)

Note: Users (LDAP or non-LDAP) do not gain access to the following web applications using SAML SSO:
- Disaster Recovery System
- Cisco Unified Operating System Administration

Software requirements

The SAML SSO feature requires the following software components:
- Cisco Unified Communications applications, release 10.0(1) or later.
- An LDAP server that is trusted by the IdP server and supported by the Cisco Unified Communications applications.
- Any of the following supported Identity Provider servers that comply with the SAML 2.0 standard:
  - Microsoft Active Directory Federation Services (AD FS) Federation Server version 2.0
  - Open Access Manager (OpenAM) version 10.1
  - Ping Federate version 6.10.0.4
  - Oracle Access Manager version 11g

SAML SSO web browsers

The following operating system and browser combinations support the SAML SSO solution:
- On Microsoft Windows XP, Vista and 7: Microsoft Internet Explorer (IE) 8 and IE 9; Mozilla Firefox 4.x and Firefox 10.x; Google Chrome 8.x
- On Apple OS X and later: Apple Safari 5.x; Firefox 4.x and 10.x; Chrome 8.x

Basic Elements of SAML SSO

Client (the end user's client): a browser-based client, or a client that can leverage a browser instance for authentication. For example, a system administrator's browser.
Service provider (SP): the application or service that the client is trying to access. For example, Cisco Unified Communications Manager.
Identity Provider (IdP) server: the entity that authenticates end-user credentials and issues SAML Assertions.
Lightweight Directory Access Protocol (LDAP) users: users integrated with an LDAP directory, for example Microsoft Active Directory or OpenLDAP. Non-LDAP users reside locally on the Unified Communications server.
SAML Assertion: the pieces of security information transferred from the IdP to the service provider to facilitate user authentication.
SAML Request: an authentication request generated by a Unified Communications application. To authenticate an LDAP user, the Unified Communications application delegates the authentication request to the IdP.
Circle of Trust (CoT): the set of service providers that share, and authenticate against, one common IdP.
Metadata: an XML file generated by an SSO-enabled Unified Communications application (for example, Cisco Unified Communications Manager or Cisco Unity Connection) and also by the IdP. The exchange of SAML metadata builds the trust relationship between IdP and service provider.
Assertion Consumer Service (ACS) URL: the URL that tells the IdP where to post the final SAML response (the assertion).

SAML SSO Call Flow

Step 1: A browser-based end-user client attempts to access a protected resource on a service provider.
Note: The browser does not have an existing session with the service provider.

Step 2: Upon receipt of the request from the browser, the service provider generates a SAML authentication request.
Note: The SAML request includes information indicating which service provider generated the request; later, this allows the IdP to know which particular service provider initiated the request. The IdP must have the Assertion Consumer Service (ACS) URL to complete SAML authentication successfully; the ACS URL tells the IdP to post the final SAML response to a particular URL.
Note: The authentication request can be sent to the IdP, and the Assertion sent to the service provider, through either the Redirect or the POST binding. For example, Cisco Unified Communications Manager supports POST binding in either direction.

Step 3: The service provider redirects the request to the browser.
Note: The IdP URL is preconfigured on the service provider as part of the SAML metadata exchange.

Step 4: The browser follows the redirect and issues an HTTPS GET request to the IdP. The SAML request is carried as a query parameter of the GET request.

Step 5: The IdP checks for a valid session with the browser.

Step 6: In the absence of an existing session with the browser, the IdP generates a login request to the browser. The authentication mechanism is configured and enforced by the IdP.
Note: The authentication mechanism is determined by the security and authentication requirements of the customer. This could be form-based authentication using username and password, Kerberos, PKI, etc. This example assumes form-based authentication.

Step 7: The user enters the required credentials in the login form and posts them back to the IdP.
Note: The authentication challenge for logging in is between the browser and the IdP. The service provider is not involved in end-user authentication.

Step 8: The IdP in turn submits the credentials to the LDAP server.

Step 9: The LDAP server checks the directory for the credentials and sends the validation status back to the IdP.

Step 10: The IdP validates the credentials and generates a SAML response which includes a SAML Assertion.
Note: The Assertion is digitally signed by the IdP, and the end user is allowed access to the service provider's protected resources. The IdP also sets its own cookie here.

Step 11: The IdP redirects the SAML response to the browser.

Step 12: The browser follows the hidden form POST instruction and posts the Assertion to the ACS URL on the service provider.

Step 13: The service provider extracts the Assertion and validates the digital signature.
Note: The service provider uses this digital signature to establish the circle of trust with the IdP.

Step 14: The service provider then grants access to the protected resource and returns the resource content by replying 200 OK to the browser.
Note: The service provider sets its own cookie here. If the browser subsequently requests an additional resource, it includes the service provider cookie in the request. The service provider checks whether a session already exists with the browser; if a session exists, the service provider returns the resource content without going back to the IdP.

Configuration
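The call flow above, seen from the service provider's side, as an added example that is not part of the original deck and not Cisco's code. Step 2 builds the AuthnRequest, steps 3-4 encode it for the HTTP-Redirect binding (the query parameter of step 4; CUCM itself can use POST in both directions), and steps 12-13 run the checks an SP must apply to the Response the browser POSTs to the ACS URL: Destination, InResponseTo against the outstanding request IDs (unsolicited and replayed responses), Status, Issuer, signature presence, Audience, validity window with a small skew allowance (the reason for the clock-synchronisation prerequisite later in the deck) and bearer SubjectConfirmationData. All entity IDs, URLs, the ACS path and the sample IdP Response are constructed; request signing is omitted, and the XML-DSig verification itself is injected as a callable so that it can be bound to a real verifier such as xmlsec.

```python
# Added example (not Cisco's code): the service provider side of the call flow
# above. Step 2 builds the AuthnRequest, steps 3-4 encode it for the HTTP-Redirect
# binding (the query parameter of step 4), and steps 12-13 validate the Response
# that the browser POSTs to the ACS URL. Entity IDs, URLs, the ACS path and the
# sample IdP Response are constructed; request signing is omitted and the XML-DSig
# check itself is injected as a callable (bind it to xmlsec or similar in production).
import base64, uuid, zlib
import xml.etree.ElementTree as ET  # use defusedxml for XML from untrusted parties
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode, urlparse, parse_qs

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed values; in a deployment they come from the metadata exchange.
SP_ENTITY_ID = "cucm-pub.example.com"
ACS_URL = "https://cucm-pub.example.com:8443/ssosp/saml/SSO/alias/cucm-pub.example.com"
IDP_ENTITY_ID = "http://adfs.example.com/adfs/services/trust"
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"

def _fmt(d): return d.strftime("%Y-%m-%dT%H:%M:%SZ")
def _ts(v): return datetime.strptime(v, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if v else None

def build_authn_request(request_id):
    """Step 2: Issuer tells the IdP which SP asked; ACS URL tells it where to POST the answer."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{_fmt(datetime.now(timezone.utc))}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}" '
            f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def redirect_binding_url(authn_request_xml):
    """Steps 3-4: HTTP-Redirect binding = raw DEFLATE, base64, URL-encode as SAMLRequest."""
    raw = zlib.compress(authn_request_xml.encode())[2:-4]  # drop zlib header and adler32 trailer
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(raw).decode()})

def decode_redirect_url(url):
    """What the IdP does on receipt: inflate the SAMLRequest query parameter."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()

def make_sample_response(in_response_to, issued_minutes_ago=0):
    """Constructed IdP Response (steps 10-11) for the demo; ds:Signature is a placeholder."""
    now = datetime.now(timezone.utc) - timedelta(minutes=issued_minutes_ago)
    later = _fmt(now + timedelta(minutes=5))
    xml = f'''<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}"
 ID="_r{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_fmt(now)}" Destination="{ACS_URL}" InResponseTo="{in_response_to}">
 <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_fmt(now)}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="{ACS_URL}" InResponseTo="{in_response_to}" NotOnOrAfter="{later}"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="{_fmt(now - timedelta(minutes=1))}" NotOnOrAfter="{later}">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
 </saml:Assertion>
</samlp:Response>'''
    return base64.b64encode(xml.encode()).decode()

def validate_response(response_b64, outstanding_ids, verify_signature, skew=timedelta(seconds=180)):
    """Steps 12-13: the checks the SP runs on a Response POSTed to its ACS URL.
    outstanding_ids: AuthnRequest IDs issued and not yet answered (shared set, mutated here).
    verify_signature: callable(assertion_element) -> bool. Returns (ok, NameID or reason)."""
    now = datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response": return False, "not a samlp:Response"
    if root.get("Destination") != ACS_URL: return False, "Destination is not our ACS URL"
    irt = root.get("InResponseTo")
    if irt not in outstanding_ids: return False, "unsolicited or replayed: InResponseTo unknown"
    sc = root.find("samlp:Status/samlp:StatusCode", NS)
    if sc is None or sc.get("Value") != SUCCESS: return False, "IdP status not Success"
    a = root.find("saml:Assertion", NS)
    if a is None: return False, "no plaintext Assertion (EncryptedAssertion not handled here)"
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID: return False, "Issuer is not the trusted IdP"
    # The IdP signature is what ties this assertion to the trust built by the metadata exchange.
    if a.find("ds:Signature", NS) is None or not verify_signature(a): return False, "assertion signature missing/invalid"
    if SP_ENTITY_ID not in [x.text for x in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "Audience does not include this SP"
    c = a.find("saml:Conditions", NS)
    if c is None: return False, "assertion has no Conditions"
    nb, noa = _ts(c.get("NotBefore")), _ts(c.get("NotOnOrAfter"))
    # Validity window with a small skew allowance: the reason IdP and SP must be clock-synchronised.
    if (nb and now + skew < nb) or (noa and now - skew >= noa): return False, "assertion outside validity window"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") != irt:
        return False, "SubjectConfirmationData Recipient/InResponseTo mismatch"
    if (exp := _ts(scd.get("NotOnOrAfter"))) and now - skew >= exp: return False, "bearer confirmation expired"
    outstanding_ids.discard(irt)  # one-shot: the same Response cannot be accepted twice
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)

if __name__ == "__main__":
    rid, outstanding = "_" + uuid.uuid4().hex, set()
    outstanding.add(rid)
    print(decode_redirect_url(redirect_binding_url(build_authn_request(rid)))[:70])
    print(validate_response(make_sample_response(rid), outstanding, lambda a: True))   # accepted
    print(validate_response(make_sample_response(rid), outstanding, lambda a: True))   # replay rejected
```

The order of the checks matters: the cheap, unforgeable-by-construction checks (Destination, InResponseTo, Status) run before anything that depends on the assertion's contents, and the signature is verified before the Audience and time conditions are trusted, because those conditions are only meaningful once the assertion is known to come from the IdP in the circle of trust. Consuming the request ID from `outstanding_ids` on success is what stops a captured Response from being posted to the ACS URL a second time.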

Pre-requisites to SAML enablement

- The IdP should be configured and its metadata downloaded to the administrator's PC.
- AD FS IdP configuration with screenshots:
  https://supportforums.cisco.com/sites/default/files/adfs_setup_for_saml_sso.docx
  https://supportforums.cisco.com/video/12155556/cucm-10x-samlsso-adfs20
- For other IdP configurations:
  http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration/guide/10xcucsagx/10xcucsag112.html#pgfId-1060896
- DNS/FQDN must be deployed for all unified products, such as CUCM and UCXN.
- The IdP and SP should be clock-synchronised and reachable from each other (pingable).

Disclaimer: I have put in place a configuration document for AD FS (Microsoft) as IdP for testing in the lab; it is not the official configuration guide. Please refer to the Microsoft/appropriate official references while configuring the IdP.

Enabling SAML SSO on Call Manager

Step 1: Enable SAML SSO mode. Log on to the Cisco Unified CM Administration interface (or, for a Connection server, the Cisco Unity Connection Administration interface), browse to System > SAML Single Sign-On, and select Enable SAML SSO.
Step 2: IdP metadata import. On the pop-up, click Continue. On the Identity Provider (IdP) Metadata Trust File page, browse to and upload the IdP metadata file, then select Import IdP Metadata and click Next. If the import of the metadata is successful, the message "Import succeeded for all servers" appears.
Step 3: SAML metadata exchange. Select Download Trust Metadata Fileset to download the zipped metadata files (metadata files for all nodes), then select Next.
Step 4: Import SP metadata into the IdP. On the IdP, import the downloaded SP metadata (Trust Metadata Fileset).
Step 5: Select the admin user. Select a valid admin user from the list of users shown and click Run Test SSO. Click Next.
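The metadata exchange that Steps 2 to 4 above perform through the GUI (and that the "Metadata", "Circle of Trust" and "ACS URL" definitions earlier describe), as an added example that is not part of the original deck and not Cisco's code. It parses an IdP metadata document (a constructed, AD FS-style sample), extracts the three things the SP must trust from it (entityID, HTTP-POST SingleSignOnService endpoint and signing certificate), checks the HTTPS/FQDN prerequisite on the endpoint, and emits one SP EntityDescriptor per cluster node, which is the shape of the per-node Trust Metadata Fileset the IdP imports. The node names, the ACS path pattern and the placeholder certificate are assumptions.

```python
# Added example (not Cisco's code): the metadata half of the enablement steps.
# It reads an IdP metadata file (constructed here, AD FS-style), pulls out the
# values the SP must trust (entityID, HTTP-POST SSO endpoint, signing cert),
# checks the FQDN/HTTPS prerequisite, and emits one SP EntityDescriptor per
# cluster node, i.e. the per-node fileset the IdP imports in step 4.
# Node names, URLs and the ACS path pattern are assumptions for the example.
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NS = {"md": MD, "ds": DS}

# Constructed IdP metadata; the certificate is a placeholder, not a real key.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="http://adfs.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://adfs.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return what the SP keeps from the imported IdP metadata (enablement step 2)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    # A KeyDescriptor without a use attribute is valid for both signing and encryption.
    certs += [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use") is None
              for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("IdP metadata carries no signing certificate; assertions could not be verified")
    sso = [s.get("Location") for s in idp.findall("md:SingleSignOnService", NS) if s.get("Binding") == POST]
    if not sso:
        raise ValueError("IdP offers no HTTP-POST SingleSignOnService")
    return {"entity_id": root.get("entityID"), "sso_post_url": sso[0], "signing_certs": certs}

def check_endpoint(url):
    """DNS/FQDN + HTTPS prerequisite: the SSO endpoint must be https on a host name, not an IP."""
    u = urlparse(url)
    if u.scheme != "https":
        return False, "SSO endpoint is not https"
    host = u.hostname or ""
    try:
        ipaddress.ip_address(host)
        return False, "endpoint uses an IP address, not an FQDN"
    except ValueError:
        pass
    if "." not in host:
        return False, "endpoint host is not fully qualified"
    return True, host

def sp_metadata_for_node(fqdn):
    """One SP EntityDescriptor per cluster node (assumed ACS path pattern)."""
    acs = f"https://{fqdn}:8443/ssosp/saml/SSO/alias/{fqdn}"
    return (f'<md:EntityDescriptor xmlns:md="{MD}" entityID="{fqdn}">'
            f'<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>'
            f'<md:AssertionConsumerService Binding="{POST}" Location="{acs}" index="0" isDefault="true"/>'
            f'</md:SPSSODescriptor></md:EntityDescriptor>')

def trust_metadata_fileset(node_fqdns):
    """File name -> SP metadata, mirroring the zipped per-node fileset downloaded in step 3."""
    return {f"SPMetadata_{fqdn}.xml": sp_metadata_for_node(fqdn) for fqdn in node_fqdns}

if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(info["entity_id"], info["sso_post_url"], check_endpoint(info["sso_post_url"]))
    for name, doc in trust_metadata_fileset(["cucm-pub.example.com", "cucm-sub1.example.com"]).items():
        print(name, len(doc), "bytes")
```

Two points worth noticing: every node in the cluster has its own entityID and ACS URL, so the IdP must be given all of them (that is what the fileset is for), and the signing certificate taken from the IdP metadata is the only thing that later allows the SP to verify the assertion signature, so a metadata file without one must be rejected at import time rather than discovered at the first failed login.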

Disabling SAML SSO

SAML SSO can be disabled via either of the following options:
1. The Disable SAML SSO button in the GUI.
2. The CLI command utils sso disable.

List of CLIs

The following section describes the CLI commands for SAML Single Sign-On. All the commands are valid for cluster and standalone nodes alike.

utils sso disable
Sample output:
  Disable SAML SSO Success for this node

utils sso status
Sample output:
  IdP Metadata Imported Date = Wed Aug 28 14:11:28 IST 2013
  SP Metadata Exported Date = Wed Aug 28 14:13:08 IST 2013
  SSO Test Result Date = Wed Aug 28 14:13:42 IST 2013
  SAML SSO Test Status = passed
  Recovery URL Status = disabled

utils sso enable
Sample output:
  ***** W A R N I N G : SSO enable is not available from CLI *****
  To enable SSO please refer to Product Administrative guide !

List of CLIs (Cont.)

utils sso recovery-url enable
Sample output:
  Recovery URL enabled

utils sso recovery-url disable
Sample output:
  Recovery URL disabled

set samltrace level
Sample output:
  admin:set samltrace level DEBUG
  Command Execution Successful.
  SAML Trace Level is set to :DEBUG

show samltrace level
Sample output:
  Current SAML Trace level is :INFO

Troubleshooting

Recovery URL (Local Admin Support)

The Recovery URL is highlighted on the server landing page (on all nodes) when SAML SSO and the recovery URL are both enabled. The Recovery URL bypasses Single Sign-On (SSO).

Why Recovery-URL?
- Non-LDAP local administrators are not supported by SAML SSO.
- It also provides backdoor access to the administrative and serviceability GUIs via a local administrator's username/password in cases where SSO login to the GUIs fails, for example if the network connection to the IdP fails.

This URL uses form-based authentication and an Application User account whose password is stored locally in the service database.

Because the recovery URL bypasses the IdP entirely, treat it as a break-glass path: keep it disabled with utils sso recovery-url disable unless it is needed, enable it only for the duration of the recovery, and protect the local application-user password as you would any other non-federated administrative credential. The Recovery URL Status line of utils sso status reports whether it is currently enabled.

Collect Logs from RTMT

The following log files can be collected from RTMT:
- ssoApp.log
- ssospxxxxx.log

Steps to follow in RTMT:
1. Log in to RTMT.
2. Go to System > Tools > Trace > Trace & Log Central.
3. Click Collect Files, click Next, select Cisco SSO, and click Finish.
4. The log files are downloaded.

References

- Cisco Unified Communications Manager: SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 10.0(1)
  http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/SAML_SSO_deployment_guide/0_1/CUCM_BK_SB003832_00_saml-sso-deployment-guide-for.html
- Cisco Unity Connection: Managing SAML SSO in Cisco Unity Connection
  http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration/guide/10xcucsagx/10xcucsag112.html
- Troubleshooting SAML SSO in Cisco Unity Connection Release 10.x
  http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/troubleshooting/guide/10xcuctsgx/10xcuctsg208.html

