© 2012 Cisco and/or its affiliates. All rights reserved. BRKUCC-2004 Cisco Public

Page 1: (SAML) Single Sign-On (SSO) for Cisco Unified Communications 10.x

By A. M. Mahesh Babu

Page 2: SAML SSO

SAML SSO is the Single Sign-On mechanism developed for our Unified Communications products.

Single Sign-On provides a better user experience: the user enters their AD authentication credentials only once to access different UC services, such as the Administrative, Self-Care and End User applications of Call Manager, Unity Connection and the Presence server.

Page 3: Benefits of using SAML SSO

• Seamless login to multiple UC web applications by entering the credentials only once.

• It reduces password fatigue by removing the need to enter different user name and password combinations for different UC applications.

• It improves productivity because you spend less time re-entering credentials for the same identity.

• With this mechanism, we offload the authentication work to the Identity Provider (IdP); the UC products only take care of authorization.

• Changes made by an administrator are easy to identify, because the audit logs indicate which AD user logged in, which was not the case when using common credentials.

Page 4: Example of SAML SSO

Have you noticed that you are automatically logged into the Cisco Support Forum if you have already logged into Cisco.com?

If yes, this is done by SAML SSO.

Page 5: What exactly is SAML SSO

SAML is an XML-based open standard data format that enables administrators to access a defined set of Cisco collaboration applications seamlessly after signing into one of those applications.

SAML describes the exchange of security-related information between trusted business partners.

It is an authentication protocol used by service providers (for example, Cisco Unified Communications Manager) to authenticate a user.

SAML enables the exchange of security authentication information between an Identity Provider (IdP) and a service provider.

To know more about the SAML protocol: http://saml.xml.org/saml-specifications

Page 6: What users can access with one-time credentials

User web applications

LDAP users with administrator rights:

• Call Manager Administration
• IM & P Administration
• Cisco Unified Serviceability
• Unity Connection Administration
• Cisco Unity Connection Serviceability
• Cisco Personal Communications Assistant
• Web Inbox
• Mini Web Inbox (desktop version)

LDAP users without administrator rights:

• CUCM End User page (Self Care Portal)
• Cisco Personal Communications Assistant
• Web Inbox
• Mini Web Inbox (desktop version)

Note: Users (LDAP or non-LDAP) do not gain access to the following web applications using SAML SSO:

• Disaster Recovery System
• Cisco Unified Operating System Administration

Page 7: Software requirements

The SAML SSO feature requires the following software components:

• Cisco Unified Communications applications, release 10.0(1) or later.

• An LDAP server that is trusted by the IdP server and supported by Cisco Unified Communications applications.

• Any of the following supported Identity Provider servers that comply with the SAML 2.0 standard:

‒ Microsoft Active Directory Federation Services (AD FS) Federation Server version 2.0

‒ Open Access Manager (OpenAM) version 10.1

‒ Ping Federate version 6.10.0.4

‒ Oracle Access Manager version 11g

Page 8: SAML SSO web browsers

The following operating system and browser combinations support the SAML SSO solution:

On Microsoft Windows XP, Vista, and 7:

‒ Microsoft Internet Explorer (IE) 8, IE 9

‒ Mozilla Firefox 4.x, Firefox 10.x

‒ Google Chrome 8.x

On Apple OS X and later:

‒ Apple Safari 5.x

‒ Firefox 4.x, 10.x

‒ Chrome 8.x

Page 9: Basic Elements of SAML SSO

Page 10: Basic Elements of SAML SSO

Client (the end user’s client): This is a browser-based client or a client that can leverage a browser instance for authentication. For example, a system administrator’s browser.

Service provider: This is the application or service that the client is trying to access. For example, Cisco Unified Communications Manager.

An Identity Provider (IdP) server: This is the entity that authenticates end user credentials, and issues SAML Assertions.

Lightweight Directory Access Protocol (LDAP) users: These users are integrated with an LDAP directory, for example Microsoft Active Directory or OpenLDAP. Non-LDAP users reside locally on the Unified Communications server.

Page 11: Basic Elements of SAML SSO

SAML Assertion: It consists of pieces of security information that get transferred from IdPs to service providers to facilitate user authentication.

SAML Request: This is an authentication request that is generated by a Unified Communications application. To authenticate the LDAP user, the Unified Communications application delegates an authentication request to the IdP.

Circle of Trust (CoT): It consists of the various service providers that share and authenticate against one IdP in common.

Metadata: This is an XML file generated by an SSO-enabled Unified Communications application (for example, Cisco Unified Communications Manager, Cisco Unity Connection, etc.) as well as by an IdP. The exchange of SAML metadata builds a trust relationship between the IdP and the service provider.

Assertion Consumer Service (ACS) URL: This URL instructs the IdP where to post assertions. The ACS URL tells the IdP to post the final SAML response to a particular URL.

Page 12: SAML SSO Call Flow

Page 13: SAML SSO Call Flow

Step 1 A browser-based end user client attempts to access a protected resource on a service provider.

Note The browser does not have an existing session with the service provider.

Step 2 Upon receipt of the request from the browser, the service provider generates a SAML authentication request.

Note The SAML request includes information indicating which service provider generated the request. Later, this allows the IdP to know which particular service provider initiated the request.

The IdP must have the Assertion Consumer Service (ACS) URL to complete SAML authentication successfully. The ACS URL tells the IdP to post the final SAML response to a particular URL.

Note The authentication request can be sent to the IdP, and the Assertion sent to the service provider through either Redirect or POST binding. For example, Cisco Unified Communications Manager supports POST binding in either direction.

Step 3 The service provider redirects the request to the browser.

Note The IdP URL is preconfigured on the service provider as part of SAML metadata exchange.

Step 4 The browser follows the redirect and issues an HTTPS GET request to the IdP. The SAML request is maintained as a query parameter in the GET request.

Step 5 The IdP checks for a valid session with the browser.

Page 14

Step 6 In the absence of any existing session with the browser, the IdP generates a login request to the browser; the authentication mechanism is configured and enforced by the IdP.

Note The authentication mechanism is determined by the security and authentication requirements of the customer. This could be form-based authentication using username and password, Kerberos, PKI, etc. This example assumes form-based authentication.

Step 7 The user enters the required credentials in the login form and posts them back to the IdP.

Note The authentication challenge for login is between the browser and the IdP. The service provider is not involved in end user authentication.

Step 8 The IdP in turn submits the credentials to the LDAP server.

Step 9 The LDAP server checks the directory for credentials and sends the validation status back to the IdP.

Step 10 The IdP validates the credentials and generates a SAML response which includes a SAML Assertion.

Note The Assertion is digitally signed by the IdP and the end user is allowed access to the service provider protected resources. The IdP also sets its cookie here.

Step 11 The IdP redirects the SAML response to the browser.

Step 12 The browser follows the hidden form POST instruction and posts the Assertion to the ACS URL on the service provider.

Step 13 The service provider extracts the Assertion and validates the digital signature.

Note The service provider uses this digital signature to establish the circle of trust with the IdP.

Step 14 The service provider then grants access to the protected resource and provides the resource content by replying 200 OK to the browser.

Note The service provider sets its cookie here. If there is a subsequent request by the browser for an additional resource, the browser includes the service provider cookie in the request. The service provider checks whether a session already exists with the browser. If a session exists, the service provider returns the resource content.
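The service-provider side of the flow above, as an added example (not code from the slides or from Cisco's products): it builds the request of Step 2 and applies the validation of Step 13 to a constructed sample assertion, with an HMAC standing in for the IdP's XML signature, and all entity IDs, URLs and times are assumed sample values.

```python
# Added example (not from the slides): a minimal model of the SP side of the call
# flow above: the AuthnRequest the SP generates (Step 2) and the checks it must pass
# on the returned assertion (Step 13) before granting access (Step 14). Assumptions:
# entity IDs, URLs and times are constructed; the IdP "signature" is an HMAC stand-in
# for the XML-DSig signature a real SP verifies with the IdP certificate from metadata.
import hashlib, hmac, xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SP_ENTITY_ID = "https://cucm.example.com/"                      # constructed
ACS_URL = "https://cucm.example.com/ssosp/saml/SSO"             # constructed
IDP_ENTITY_ID = "https://adfs.example.com/adfs/services/trust"  # constructed
IDP_KEY = b"idp-signing-key-stand-in"                           # stand-in for the IdP cert
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def build_authn_request(req_id, issue_instant_iso):
    """Step 2: the request identifies the SP (Issuer) and the ACS URL for the response."""
    return (f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            f'xmlns:saml="{NS["saml"]}" ID="{req_id}" Version="2.0" '
            f'IssueInstant="{issue_instant_iso}" AssertionConsumerServiceURL="{ACS_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')

def idp_sign(assertion_xml):
    """Step 10 stand-in for the IdP's digital signature over the assertion."""
    return hmac.new(IDP_KEY, assertion_xml.encode(), hashlib.sha256).hexdigest()

def sample_assertion(req_id, now_iso, audience=SP_ENTITY_ID):
    """Constructed, simplified sample of the assertion the IdP returns (Steps 10-12)."""
    nb, na = ((datetime.fromisoformat(now_iso) + timedelta(minutes=m)).isoformat() for m in (-1, 5))
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_a1" Version="2.0">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject>'
            f'<saml:NameID>admin@example.com</saml:NameID><saml:SubjectConfirmation>'
            f'<saml:SubjectConfirmationData InResponseTo="{req_id}" Recipient="{ACS_URL}"/>'
            f'</saml:SubjectConfirmation></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
            f'<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions></saml:Assertion>')

def validate_assertion(assertion_xml, signature, pending_ids, now_iso):
    """Step 13: checks made before Step 14; returns the list of failures (empty means OK)."""
    if not hmac.compare_digest(idp_sign(assertion_xml), signature):
        return ["signature invalid"]                  # nothing else in it can be trusted
    a, now, errors = ET.fromstring(assertion_xml), datetime.fromisoformat(now_iso), []
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        errors.append("issuer is not the trusted IdP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") not in pending_ids:
        errors.append("InResponseTo does not match an outstanding request")  # unsolicited/replayed
    if scd is None or scd.get("Recipient") != ACS_URL:
        errors.append("Recipient is not this SP's ACS URL")
    nb, na = (datetime.fromisoformat(a.find("saml:Conditions", NS).get(k)) for k in ("NotBefore", "NotOnOrAfter"))
    if not (nb <= now < na):
        errors.append("assertion is outside its validity window")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
        errors.append("audience is not this SP")
    return errors
```

A production SP performs the signature check with XML-DSig against the IdP certificate from the imported metadata; the remaining checks (issuer, InResponseTo, recipient, validity window, audience) are the same.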

Page 15: Configuration

Page 16: Pre-requisites to SAML Enablement

The IdP should be configured and its metadata should be downloaded to the administrator PC.

AD FS IdP configuration with screenshots:

https://supportforums.cisco.com/sites/default/files/adfs_setup_for_saml_sso.docx

https://supportforums.cisco.com/video/12155556/cucm-10x-samlsso-adfs20

For other IdP configurations:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration/guide/10xcucsagx/10xcucsag112.html#pgfId-1060896

DNS/FQDN must be deployed for all Unified products such as CUCM and UCXN. The IdP and SP should be clock-synchronized and pingable.

Disclaimer:

I have put in place a configuration document for ADFS (Microsoft) as IdP for testing in the lab; it is not the official configuration guide. Please refer to the Microsoft/appropriate official references while configuring the IdP.

Page 17: Enabling SAML SSO on Call Manager

Step 1: Enable SAML SSO mode.
‒ To enable SAML SSO mode on the Connection server, log on to the Cisco Unity Connection interface.
‒ Browse to System > SAML Single Sign-On and select the option Enable SAML SSO.

Step 2: IdP metadata import.
‒ On the pop-up, click Continue. Then, on the Identity Provider (IdP) Metadata Trust File page, browse to and upload the IdP metadata file and select the option "Import IdP Metadata". Then select Next.
‒ If the import of the metadata is successful, the message "Import succeeded for all servers" appears.

Step 3: SAML metadata exchange.
‒ Select "Trust Metadata Fileset" to download the zipped metadata files (metadata files for all nodes).
‒ Select the option Next.

Step 4: Import SP metadata into the IdP.
‒ On the IdP, import the downloaded SP metadata (Trust Metadata Fileset).

Step 5: Select the admin user.
‒ Select a valid admin user from the list of users shown. Click Run Test SSO. Click Next.

Page 18: Disabling SAML SSO

SAML SSO can be disabled via either of the following options:

1. The Disable SAML SSO button on the GUI.
2. The CLI command "utils sso disable".

Page 19: List of CLIs

The following section describes the CLI commands for SAML Single Sign-On. All the commands are valid for cluster and stand-alone nodes alike.

utils sso disable

‒ Sample output: Disable SAML SSO Success for this node

utils sso status

‒ Sample output:

IdP Metadata Imported Date = Wed Aug 28 14:11:28 IST 2013
SP Metadata Exported Date = Wed Aug 28 14:13:08 IST 2013
SSO Test Result Date = Wed Aug 28 14:13:42 IST 2013
SAML SSO Test Status = passed
Recovery URL Status = disabled

utils sso enable

‒ Sample output:

***** W A R N I N G : SSO enable is not available from CLI *****
To enable SSO please refer to Product Administrative guide !

Page 20: List of CLIs (cont.)

utils sso recovery-url enable

‒ Sample output: Recovery URL enabled

utils sso recovery-url disable

‒ Sample output: Recovery URL disabled

set samltrace level <trace level>

‒ Sample output:

admin:set samltrace level DEBUG
Command Execution Successful.
SAML Trace Level is set to :DEBUG

show samltrace level

‒ Sample output: Current SAML Trace level is :INFO

Page 21: Troubleshooting

Page 22: Recovery URL – Local Admin Support

The Recovery URL is highlighted on the server landing page (on all nodes) when SAML SSO and the recovery URL are enabled.

‒ The Recovery URL is used to bypass Single Sign-On (SSO).

Why a Recovery URL?

‒ Non-LDAP local administrators are not supported by SAML SSO.

‒ It also provides backdoor access to the administrative and serviceability GUIs via a local administrator's username/password in instances where SSO login to the GUIs fails, for example, if the network connection to the IdP fails.

This URL uses form-based authentication and an Application User account whose password is stored locally in the service DB.

Page 23: Collect Logs from RTMT

The following log files can be collected from RTMT:

• ssoApp.log
• ssospxxxxx.log

‒ Steps to follow in RTMT:

• Log in to RTMT.
• Go to System > Tools > Trace > Trace & Log Central.
• Click Collect Files, click Next, select Cisco SSO, and click Finish.

‒ The log files will be downloaded (the path will be shown on the screen).

Page 24: References

Cisco Unified Communications Manager

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 10.0(1)
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/SAML_SSO_deployment_guide/10_0_1/CUCM_BK_SB003832_00_saml-sso-deployment-guide-for.html

Cisco Unity Connection

Managing SAML SSO in Cisco Unity Connection
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration/guide/10xcucsagx/10xcucsag112.html

Troubleshooting SAML SSO in Cisco Unity Connection Release 10.x
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/troubleshooting/guide/10xcuctsgx/10xcuctsg208.html
