(SAML) Single Sign-On (SSO) for Cisco
Unified Communications 10.x
By
A. M. Mahesh Babu
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
SAML SSO
 SAML SSO is the Single Sign On mechanism Developed for our
Unified Communications products.
 Single Sign On provides for a better user experience as the user
needs to enter their AD authentication credentials only once for
access to different UC services like Administrative, Self-care and
End User applications of Call manager , Unity Connection ,
Presence server .
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Benefits of using SAML SSO
•
Seamless login to Multiple UC Web applications by entering the
credentials only once.
•
It reduces password fatigue by removing the need for entering different
user name and password combinations for different UC applications ..
•
It improves productivity because you spend less time re-entering
credentials for the same identity.
•
With this Mechanism, we offload the Authentication work to Identity
Provider (IdP) and UC products only take care of Authorization
•
Easy to Identify the changes made by an Administrator as the audit logs
will indicate which AD user logged in which was not the case when
using a Common Credentials .
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Example of SAML SSO
 Have you noticed that you are automatically logged into Cisco support
forum if you have already logged into Cisco.com ?
 -If yes , this is done by SAML SSO
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
What exactly is SAML SSO
 SAML is an XML-based open standard data format that enables administrators to
access a defined set of Cisco collaboration applications seamlessly after signing
into one of those applications.
 SAML describes the exchange of security related information between trusted
business partners.
 It is an authentication protocol used by service providers (for example, Cisco
Unified Communications Manager) to authenticate a user.
 SAML enables exchange of security authentication information between an
Identity Provider (IdP) and a service provider.
 To Know more about SAML Protocol
 http://saml.xml.org/saml-specifications
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
What users can access with one time Credentials
User
Web applications
LDAP users with
administrator rights
•Call Manager Administration
•IM &P Administration
•Cisco Unified Serviceability
•Unity Connection Administration
•Cisco Unity Connection Serviceability
•Cisco Personal Communications Assistant
•Web Inbox
•Mini Web Inbox ( desktop version)
LDAP users without
administrator rights
•CUCM End user page (Self care Portal)
•Cisco Personal Communications Assistant
•Web Inbox
•Mini Web Inbox ( desktop version)
Note: The users (LDAP or non-LDAP) do not gain access to the following web applications
using SAML SSO:
Disaster Recovery System
Cisco Unified Operating System Administration
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Software requirements
 The SAML SSO feature requires the following software components:
 Cisco Unified Communications applications, release 10.0(1) or later.
 An LDAP server that is trusted by the IdP server and supported by Cisco
Unified Communications applications.
 Any of the following supported Identity Provider servers that complies
with SAML 2.0 standard:
‒ Microsoft Active Directory Federated Service (AD FS) Federation
Server version 2.0
‒ Open Access Manager (OpenAM) version 10.1
‒ Ping Federate version 6.10.0.4
‒ Oracle Access Manager version 11g
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
SAML SSO web browsers
The following operation system browsers support SAML SSO solution:
 On Microsoft Windows XP, Vista, and 7:
‒ Microsoft Internet Explorer (IE) 8, IE 9
‒ Mozilla Firefox 4.x, Firefox 10.x
‒ Google Chrome 8.x
 On Apple OS X and later:
‒ Apple Safari 5.x
‒ Firefox 4.x, 10.x
‒ Chrome 8.x
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Basic Elements of SAML SSO
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Basic Elements of SAML SSO
 Client (the end user’s client): This is a browser-based client or a client
that can leverage a browser instance for authentication. For example, a
system administrator’s browser.
 Service provider: This is the application or service that the client is trying
to access. For example, Cisco Unified Communications Manager.
 An Identity Provider (IdP) server: This is the entity that authenticates end
user credentials, and issues SAML Assertions.
 Lightweight Directory Access Protocol (LDAP) users: These users are
integrated with an LDAP directory, for example Microsoft Active Directory
or OpenLDAP. Non-LDAP users reside locally on the Unified
Communications server.
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Basic Elements of SAML SSO
 SAML Assertion: It consists of pieces of security information that get transferred
from IdPs to service providers to facilitate user authentication.
 SAML Request: This is an authentication request that is generated by a Unified
Communications application. To authenticate the LDAP user, Unified
Communications application delegates an authentication request to the IdP.
 Circle of Trust (CoT): It consists of the various service providers that share and
authenticate against one IdP in common.
 Metadata: This is an xml file generated by an SSO-enabled Unified
Communications application (for example, Cisco Unified Communications
Manager, Cisco Unity Connection etc) as well as an IdP. The exchange of SAML
metadata builds a trust relationship between IdP and service provider.
 Assertion Consumer Service (ACS) URL: This URL instructs the IdPs where to
post assertions. The ACS URL tells the IdP to post the final SAML response to a
particular URL
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
SAML SSO Call Flow
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
SAML SSO Call Flow

Step 1
A browser-based end user client attempts to access a protected resource on a service provider.

Note
The browser does not have an existing session with the service provider.

Step 2
Upon receipt of the request from the browser, the service provider generates a SAML authentication request.

Note
The SAML request includes information indicating which service provider generated the request. Later, this
allows the IdP to know which particular service provider initiated the request.

The IdP must have the Assertion Consumer Service (ACS) URL to complete SAML authentication successfully. The ACS
URL tells the IdP to post the final SAML response to a particular URL.

Note
The authentication request can be sent to the IdP, and the Assertion sent to the service provider through
either Redirect or POST binding. For example, Cisco Unified Communications Manager supports POST binding in either
direction.

Step 3
The service provider redirects the request to the browser.

Note
The IdP URL is preconfigured on the service provider as part of SAML metadata exchange.

Step 4
The browser follows the redirect and issues an HTTPS GET request to the IdP. The SAML request is
maintained as a query parameter in the GET request.

Step 5
BRKUCC2004
The IdP checks for a valid session with the browser.
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public

Step 6
In the absence of any existing session with the browser, the IdP generates a login request to the browser and
mechanism is configured and enforced by the IdP.

Note
The authentication mechanism is determined by the security and authentication requirements of the customer. This
could be form-based authentication using username and password, Kerberos, PKI, etc. This example assumes form-based
authentication.

Step 7

Note
The authentication challenge for logging is between the browser and the IdP. The service provider is not involved in
end user authentication.

Step 8
The IdP in turn submits the credentials to the LDAP server.

Step 9
The LDAP server checks the directory for credentials and sends the validation status back to the IdP.

Step 10
The IdP validates the credentials and generates a SAML response which includes a SAML Assertion.

Note
The Assertion is digitally signed by the IdP and the end user is allowed access to the service provider protected
resources. The IdP also sets its cookie here.

Step 11
The IdP redirects the SAML response to the browser.

Step 12
provider.
The browser follows the hidden form POST instruction and posts the Assertion to the ACS URL on the service

Step 13
The service provider extracts the Assertion and validates the digital signature.

Note
The service provider uses this digital signature to establish the circle of trust with the IdP.

Step 14
The service provider then grants access to the protected resource and provides the resource content by replying 200
OK to the browser.

Note
The service provider sets its cookie here. If there is a subsequent request by the browser for an additional resource,
the browser includes the service provider cookie in the request. The service provider checks whether a session already exists with
the browser. If a session exists, the web browser returns with the resource content.
The user enters the required credentials in the login form and posts them back to the IdP.
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Configuration
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Pre-requisites to SAML Enablement
 IdP should be configured and Metadata should be downloaded to Administrator PC .
ADFS Idp Configuration with screenshots
https://supportforums.cisco.com/sites/default/files/adfs_setup_for_saml_sso.docx
https://supportforums.cisco.com/video/12155556/cucm-10x-samlsso-adfs20
For other Idp configuration
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration
/guide/10xcucsagx/10xcucsag112.html#pgfId-1060896
 DNS/FQDN must be deployed for all unified products like CUCM ,UCXN
 IdP and SP should be clock synched and pingable.
Disclaimer:
I have put in place configuration document for ADFS (Microsoft) as IdP for testing in Lab
and is not the official Configuration Guide. Please refer the Microsoft/Appropriate official References while Configuring
the IdP.
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Enabling SAML SSO on Call Manager
Step 1: Enable SAML SSO mode.
‒To enable SAML SSO mode on Connection server, log on to the Cisco Unity Connection interface.
‒Browser to System >SAML Single Sign-On > select the option Enable SAML SSO.
Step 2: IdP Metadata import.
‒On the pop up , click continue , then on page for Identity Provider (IdP) Metadata Trust File , browse
and upload IdP metadata file , select the option “Import IdP Metadata”. Then select Next.
‒If the import of metadata is successful, a success message appears “Import succeeded for all servers
Step 3: SAML metadata exchange.
‒Select “Trust Metadata Fileset” to download zipped metadata files (metadata files for all nodes) .
‒Select the option Next.
Step 4: Import SP metadata into IDP
On IdP ,Import the downloaded SP metadata (Trust Metadata Fileset) into IdP.
Step 5 : Select the admin user
‒Select a valid admin user from the list of users shown .Click Run Test SSO. Click Next
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Disabling SAML SSO
SAML SSO disabled via following options :-
1. Disable SAML SSO button on GUI .
2. CLI “utils sso disable”
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
List of CLI’s
The following section describes the CLI commands for SAML Single Sign-On. All the
commands are valid for cluster and stand- alone nodes as well:
 utils sso disable
‒ Sample output
‒ Disable SAML SSO Success for this node
 utils sso status
Sample Output
IdP Metadata Imported Date = Wed Aug 28 14:11:28 IST 2013
SP Metadata Exported Date = Wed Aug 28 14:13:08 IST 2013
SSO Test Result Date = Wed Aug 28 14:13:42 IST 2013
SAML SSO Test Status = passed
Recovery URL Status = disabled
 utils sso enable
Sample Output
***** W A R N I N G : SSO enable is not available from CLI *****
To enable SSO please refer to Product Administrative guide !
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
List of CLIs (Cont..)
 utils sso recovery-url enable
‒Sample Output
Recovery URL enabled
 utils sso recovery-url disable
‒Sample Output
Recovery URL disabled
 set samltrace level <trace level>
‒Sample Output
admin:set samltrace level DEBUG
Command Execution Successful.
SAML Trace Level is set to :DEBUG
 show samltrace level
‒Sample Output
Current SAML Trace level is :INFO
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Troubleshooting
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Recovery URL – Local Admin Support
 Recovery URL is highlighted on server landing page (on all nodes) when SAML
SSO and recovery URL is enabled
‒ Recovery URL to bypass Single Sign On (SSO)
 Why Recovery-URL?
‾
Non-LDAP Local Administrator are not supported by SAML SSO.
‾
It also provides backdoor access to administrative and serviceability GUIs via local
administrators’ username/password in instances where SSO login to the GUIs fails,
for example, if the network connection to the IdP fails.
 This URL uses FORM based authentication and an Application User account
where the user’s password is locally stored in the service DB.
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Collect Logs from RTMT
Following log files can be collected from RTMT:
•
ssoApp.log
•
ssospxxxxx.log
‒Below are the steps to follow on RTMT
•
Login to RTMT
•
Goto: System  Tools  Trace  Trace & Log Central
•
Click on Collect files  click next  select Cisco SSO  finish
‒Log files will be downloaded <Path will be mentioned on the screen>
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
References
 Cisco Unified Communication Manager
SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release
10.0(1)
 http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/SAML_SSO_deployment_g
e/10_0_1/CUCM_BK_SB003832_00_saml-sso-deployment-guide-for.html
 Cisco Unity Connection
Managing SAML SSO in Cisco Unity Connection
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration/
guide/10xcucsagx/10xcucsag112.html
Troubleshooting SAML SSO in Cisco Unity Connection Release 10.x
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/troubleshooting/
guide/10xcuctsgx/10xcuctsg208.html
BRKUCC2004
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Presentation
BRKUCC2004
_ID
© 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
25