(SAML) Single Sign-On (SSO) for Cisco Unified Communications 10.x By A. M. Mahesh Babu BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public SAML SSO SAML SSO is the Single Sign On mechanism Developed for our Unified Communications products. Single Sign On provides for a better user experience as the user needs to enter their AD authentication credentials only once for access to different UC services like Administrative, Self-care and End User applications of Call manager , Unity Connection , Presence server . BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Benefits of using SAML SSO • Seamless login to Multiple UC Web applications by entering the credentials only once. • It reduces password fatigue by removing the need for entering different user name and password combinations for different UC applications .. • It improves productivity because you spend less time re-entering credentials for the same identity. • With this Mechanism, we offload the Authentication work to Identity Provider (IdP) and UC products only take care of Authorization • Easy to Identify the changes made by an Administrator as the audit logs will indicate which AD user logged in which was not the case when using a Common Credentials . BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Example of SAML SSO Have you noticed that you are automatically logged into Cisco support forum if you have already logged into Cisco.com ? -If yes , this is done by SAML SSO BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public What exactly is SAML SSO SAML is an XML-based open standard data format that enables administrators to access a defined set of Cisco collaboration applications seamlessly after signing into one of those applications. SAML describes the exchange of security related information between trusted business partners. It is an authentication protocol used by service providers (for example, Cisco Unified Communications Manager) to authenticate a user. SAML enables exchange of security authentication information between an Identity Provider (IdP) and a service provider. To Know more about SAML Protocol http://saml.xml.org/saml-specifications BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public What users can access with one time Credentials User Web applications LDAP users with administrator rights •Call Manager Administration •IM &P Administration •Cisco Unified Serviceability •Unity Connection Administration •Cisco Unity Connection Serviceability •Cisco Personal Communications Assistant •Web Inbox •Mini Web Inbox ( desktop version) LDAP users without administrator rights •CUCM End user page (Self care Portal) •Cisco Personal Communications Assistant •Web Inbox •Mini Web Inbox ( desktop version) Note: The users (LDAP or non-LDAP) do not gain access to the following web applications using SAML SSO: Disaster Recovery System Cisco Unified Operating System Administration BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Software requirements The SAML SSO feature requires the following software components: Cisco Unified Communications applications, release 10.0(1) or later. An LDAP server that is trusted by the IdP server and supported by Cisco Unified Communications applications. Any of the following supported Identity Provider servers that complies with SAML 2.0 standard: ‒ Microsoft Active Directory Federated Service (AD FS) Federation Server version 2.0 ‒ Open Access Manager (OpenAM) version 10.1 ‒ Ping Federate version 6.10.0.4 ‒ Oracle Access Manager version 11g BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public SAML SSO web browsers The following operation system browsers support SAML SSO solution: On Microsoft Windows XP, Vista, and 7: ‒ Microsoft Internet Explorer (IE) 8, IE 9 ‒ Mozilla Firefox 4.x, Firefox 10.x ‒ Google Chrome 8.x On Apple OS X and later: ‒ Apple Safari 5.x ‒ Firefox 4.x, 10.x ‒ Chrome 8.x BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Basic Elements of SAML SSO BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Basic Elements of SAML SSO Client (the end user’s client): This is a browser-based client or a client that can leverage a browser instance for authentication. For example, a system administrator’s browser. Service provider: This is the application or service that the client is trying to access. For example, Cisco Unified Communications Manager. An Identity Provider (IdP) server: This is the entity that authenticates end user credentials, and issues SAML Assertions. Lightweight Directory Access Protocol (LDAP) users: These users are integrated with an LDAP directory, for example Microsoft Active Directory or OpenLDAP. Non-LDAP users reside locally on the Unified Communications server. BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Basic Elements of SAML SSO SAML Assertion: It consists of pieces of security information that get transferred from IdPs to service providers to facilitate user authentication. SAML Request: This is an authentication request that is generated by a Unified Communications application. To authenticate the LDAP user, Unified Communications application delegates an authentication request to the IdP. Circle of Trust (CoT): It consists of the various service providers that share and authenticate against one IdP in common. Metadata: This is an xml file generated by an SSO-enabled Unified Communications application (for example, Cisco Unified Communications Manager, Cisco Unity Connection etc) as well as an IdP. The exchange of SAML metadata builds a trust relationship between IdP and service provider. Assertion Consumer Service (ACS) URL: This URL instructs the IdPs where to post assertions. The ACS URL tells the IdP to post the final SAML response to a particular URL BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public SAML SSO Call Flow BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public SAML SSO Call Flow Step 1 A browser-based end user client attempts to access a protected resource on a service provider. Note The browser does not have an existing session with the service provider. Step 2 Upon receipt of the request from the browser, the service provider generates a SAML authentication request. Note The SAML request includes information indicating which service provider generated the request. Later, this allows the IdP to know which particular service provider initiated the request. The IdP must have the Assertion Consumer Service (ACS) URL to complete SAML authentication successfully. The ACS URL tells the IdP to post the final SAML response to a particular URL. Note The authentication request can be sent to the IdP, and the Assertion sent to the service provider through either Redirect or POST binding. For example, Cisco Unified Communications Manager supports POST binding in either direction. Step 3 The service provider redirects the request to the browser. Note The IdP URL is preconfigured on the service provider as part of SAML metadata exchange. Step 4 The browser follows the redirect and issues an HTTPS GET request to the IdP. The SAML request is maintained as a query parameter in the GET request. Step 5 BRKUCC2004 The IdP checks for a valid session with the browser. © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Step 6 In the absence of any existing session with the browser, the IdP generates a login request to the browser and mechanism is configured and enforced by the IdP. Note The authentication mechanism is determined by the security and authentication requirements of the customer. This could be form-based authentication using username and password, Kerberos, PKI, etc. This example assumes form-based authentication. Step 7 Note The authentication challenge for logging is between the browser and the IdP. The service provider is not involved in end user authentication. Step 8 The IdP in turn submits the credentials to the LDAP server. Step 9 The LDAP server checks the directory for credentials and sends the validation status back to the IdP. Step 10 The IdP validates the credentials and generates a SAML response which includes a SAML Assertion. Note The Assertion is digitally signed by the IdP and the end user is allowed access to the service provider protected resources. The IdP also sets its cookie here. Step 11 The IdP redirects the SAML response to the browser. Step 12 provider. The browser follows the hidden form POST instruction and posts the Assertion to the ACS URL on the service Step 13 The service provider extracts the Assertion and validates the digital signature. Note The service provider uses this digital signature to establish the circle of trust with the IdP. Step 14 The service provider then grants access to the protected resource and provides the resource content by replying 200 OK to the browser. Note The service provider sets its cookie here. If there is a subsequent request by the browser for an additional resource, the browser includes the service provider cookie in the request. The service provider checks whether a session already exists with the browser. If a session exists, the web browser returns with the resource content. The user enters the required credentials in the login form and posts them back to the IdP. BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Configuration BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Pre-requisites to SAML Enablement IdP should be configured and Metadata should be downloaded to Administrator PC . ADFS Idp Configuration with screenshots https://supportforums.cisco.com/sites/default/files/adfs_setup_for_saml_sso.docx https://supportforums.cisco.com/video/12155556/cucm-10x-samlsso-adfs20 For other Idp configuration http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration /guide/10xcucsagx/10xcucsag112.html#pgfId-1060896 DNS/FQDN must be deployed for all unified products like CUCM ,UCXN IdP and SP should be clock synched and pingable. Disclaimer: I have put in place configuration document for ADFS (Microsoft) as IdP for testing in Lab and is not the official Configuration Guide. Please refer the Microsoft/Appropriate official References while Configuring the IdP. BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Enabling SAML SSO on Call Manager Step 1: Enable SAML SSO mode. ‒To enable SAML SSO mode on Connection server, log on to the Cisco Unity Connection interface. ‒Browser to System >SAML Single Sign-On > select the option Enable SAML SSO. Step 2: IdP Metadata import. ‒On the pop up , click continue , then on page for Identity Provider (IdP) Metadata Trust File , browse and upload IdP metadata file , select the option “Import IdP Metadata”. Then select Next. ‒If the import of metadata is successful, a success message appears “Import succeeded for all servers Step 3: SAML metadata exchange. ‒Select “Trust Metadata Fileset” to download zipped metadata files (metadata files for all nodes) . ‒Select the option Next. Step 4: Import SP metadata into IDP On IdP ,Import the downloaded SP metadata (Trust Metadata Fileset) into IdP. Step 5 : Select the admin user ‒Select a valid admin user from the list of users shown .Click Run Test SSO. Click Next BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Disabling SAML SSO SAML SSO disabled via following options :- 1. Disable SAML SSO button on GUI . 2. CLI “utils sso disable” BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public List of CLI’s The following section describes the CLI commands for SAML Single Sign-On. All the commands are valid for cluster and stand- alone nodes as well: utils sso disable ‒ Sample output ‒ Disable SAML SSO Success for this node utils sso status Sample Output IdP Metadata Imported Date = Wed Aug 28 14:11:28 IST 2013 SP Metadata Exported Date = Wed Aug 28 14:13:08 IST 2013 SSO Test Result Date = Wed Aug 28 14:13:42 IST 2013 SAML SSO Test Status = passed Recovery URL Status = disabled utils sso enable Sample Output ***** W A R N I N G : SSO enable is not available from CLI ***** To enable SSO please refer to Product Administrative guide ! BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public List of CLIs (Cont..) utils sso recovery-url enable ‒Sample Output Recovery URL enabled utils sso recovery-url disable ‒Sample Output Recovery URL disabled set samltrace level <trace level> ‒Sample Output admin:set samltrace level DEBUG Command Execution Successful. SAML Trace Level is set to :DEBUG show samltrace level ‒Sample Output Current SAML Trace level is :INFO BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Troubleshooting BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Recovery URL – Local Admin Support Recovery URL is highlighted on server landing page (on all nodes) when SAML SSO and recovery URL is enabled ‒ Recovery URL to bypass Single Sign On (SSO) Why Recovery-URL? ‾ Non-LDAP Local Administrator are not supported by SAML SSO. ‾ It also provides backdoor access to administrative and serviceability GUIs via local administrators’ username/password in instances where SSO login to the GUIs fails, for example, if the network connection to the IdP fails. This URL uses FORM based authentication and an Application User account where the user’s password is locally stored in the service DB. BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Collect Logs from RTMT Following log files can be collected from RTMT: • ssoApp.log • ssospxxxxx.log ‒Below are the steps to follow on RTMT • Login to RTMT • Goto: System Tools Trace Trace & Log Central • Click on Collect files click next select Cisco SSO finish ‒Log files will be downloaded <Path will be mentioned on the screen> BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public References Cisco Unified Communication Manager SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 10.0(1) http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/SAML_SSO_deployment_g e/10_0_1/CUCM_BK_SB003832_00_saml-sso-deployment-guide-for.html Cisco Unity Connection Managing SAML SSO in Cisco Unity Connection http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration/ guide/10xcucsagx/10xcucsag112.html Troubleshooting SAML SSO in Cisco Unity Connection Release 10.x http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/troubleshooting/ guide/10xcuctsgx/10xcuctsg208.html BRKUCC2004 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public Presentation BRKUCC2004 _ID © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public 25