Getting Started & Deployment Best Practices


2 Contact Center Enterprise SSO: Getting Started & Deployment Best Practices
Mudit Mathur (mudmathu), Technical Solutions Manager, Engineering

3 Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
How
1. Find this session in the Cisco Live Mobile App
2. Click Join the Discussion
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#
2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

4 Agenda
What's Single Sign-On (SSO)?
Active Directory Federation Services (ADFS)
 o Identity Provider (IdP)
SSO Support for Contact Center
 o Cisco Identity Server (IdS)
SSO Message Flow
UI/UX Walkthrough + Demo
Best Practices, Tools, and Troubleshooting
Summary and Q & A

5 Account: Username and Password

6 Multiple Accounts and Passwords
[Diagram: Application 1, Application 2, Application]

7 Multiple Attack Vectors
[Diagram: Data Breach; Application 1, Application 2, Application]

8 The Problem With Passwords
That's amazing! I've got the same combination on my luggage! ~President Skroob

9 Managing Multiple Accounts and Passwords
OK, I made this one up but this one's for real, y'all
Create a NEW password: Enter a new password for some.application.service.com. Your password must be at least eight but not more than nine characters long. It must contain one number and two letters, one upper case and one lower case. It must have the 2nd letter of your childhood best friend's grandfather's dog's name. It must not contain a human name. It must contain the 6th, 23rd, 11th, 4th, and 9th letters from Supercalifragilisticexpialidocious

10 Remembering Multiple Accounts and Passwords

11 Current Contact Center Interfaces
Finesse, CUIC, ECE, MediaSense, CCE Administration

12 A Common, Trusted Identity Is Needed
[Diagram: Finesse, CUIC, EIM, WIM, MediaSense, ISE, CCE Administration; "SSO, please!"]

13 Dude, Where's My Identity?
Contact Center Users
 o System administrators
 o Serviceability users
 o Reporting users
 o Agents and supervisors
Identity Storage
 o Database (SQL, Informix)
 o Active Directory / LDAP
Authentication Methods
 o JDBC / ODBC
 o LDAP
[Diagram: Administrators, Agents and Supervisors; Finesse, SQL, UCCE, Active Directory, UCCX, Informix, MediaSense, CUCM AXL]

14 Defining Single Sign-On - Definition
Single Sign-on (SSO) is a session/user authentication process that permits a user to provide credentials only once in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further security prompts when switching applications in a particular session.
With SSO, the barriers for deploying stronger authentication are much lower.
[Diagram: With Single Sign On (SSO)]

15 Multiple Attack Vectors
Single sign-on account is less exposed and strongly protected
Hackers prefer the most vulnerable vectors
Biometrics
Enforcement
 o Multi-factor authentication
[Diagram: Data Breach; CRM; Larger attack surface; Smaller attack surface]

16 Defining Single Sign-On - Protocols
Available SSO Services and Protocols
 o +25 flavors to choose from
Security Assertion Markup Language (SAMLv2)
 o XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.
 o User authentication via either an external or internal Identity Provider (IdP)
Open Authorization (OAuthv2)
 o Open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.
 o User authorization to resources (e.g. Finesse, CUIC) through an Identity Service (IdS)
 o Performs intra-token exchange and management of service providers/resources

17 Defining Single Sign-On - Authentication and Authorization
Authentication
Authentication is the process of verifying that "you are who you say you are"
This is your Identity Provider (IdP)
Authorization
Authorization is the process of verifying that "you are permitted to do what you are trying to do"
This is your Cisco Identity Service (IdS)

18 Defining Single Sign-On - Components
[Diagram: Browser Session; Federated Identity Services; Service Provider / Resources; OAUTH; Cloud; SAMLv2; Docs; Identity Provider (IdP)]

19 You've Been Using SSO
[Diagram: XYZ Company; Single Sign-on Services; Trust]
Google / Facebook vouches for you
XYZ Company trusts Google / Facebook
Information is shared ( , name, picture)
Authorization to perform tasks

20 Summary and Review of Terms - Single Sign-on
Term/Concept: Definition
SSO: Single Sign-on. Providing credentials only once.
IdP: Identity Provider. Provides Federated authentication. Where credentials live.
SAML: SAMLv2 XML-based, open-standard data format for exchanging authentication
Cisco IdS: Cisco Identity Service. Provides Federated authorization using OAuth.
OAuth: Open standard protocol for authorization through resource token exchange

21 Active Directory Federation Services

22 Federation Services
Federated Services allows for a single authentication credential--user ID and password, smart card, one-time password token or a biometric device--to access multiple or different systems within a single organization. A federated identity management system provides single access to multiple systems across different enterprises.
What is Federation or to be federated?
 o A trust process joining two distinct networks based upon a shared standard for access
 o Allowing users to send messages from one network to the other.
 o Does not imply that users can operate on both networks.
 o Example: In 2009, Google allowed Gmail users to log onto their AOL IM from Gmail but this didn't allow you to send messages from Google (Gtalk) to the AIM application

23 Microsoft Active Directory Federation Services
Microsoft Active Directory Federation Services (ADFS or AD FS), a software component developed by Microsoft, can run on Windows Server operating systems to provide users with single sign-on access to systems and applications located across organizational boundaries.
 o This is your Identity Provider (IdP)
 o This is where your identity is authenticated (username, password, biometrics, etc.)
 o Third-party provided or in-house
Active Directory Trusts vs. Federated Trust
 o Active Directory trusts such as external, 2-way, transitive, Forest (root), etc. are connected trusts. Meaning, there's constant data flow between two networks.
 o Federated trusts such as Relying-Party and Claims Provider are non-connected trusts. Expected token exchange formats are pre-defined between two networks via certificate and metadata exchange.

24 Microsoft ADFS Protocols
MS Federation Services Protocols
 o WS-Fed
 o SAML (Security Assertion Markup Language)
 o SOAP (Simple Object Access Protocol)
 o XML
 o WSDL (Web Services Description Language)
 o UDDI (Universal Description, Discovery and Integration)
Federation Services Protocols Define How Authentication Tokens/Claims Are Handled Across Federated Services
 o Federated trusts are a conduit for exchanging tokens/claims
Cisco Contact Center SSO Uses SAML Authentication Protocol
Multi-Factor Authentication Support in ADFS, Must Provide SAMLv2 Assertion

25 Summary and Review of Terms - AD Federation
Term/Concept: Definition
Federation (IT): Joining two distinct networks based upon a shared standard for authentication and access.
ADFS: Active Directory Federation Services. A software component developed by Microsoft running on Windows Server OS to provide users with single sign-on access to systems and applications located across organizational boundaries.
Trusts: Active Directory trusts are connected while Federated trusts are non-connected.
Relying-Party Trust: Built on claims. A relying party (RP) application consumes the tokens issued by a Security Token Service (STS) and extracts the claims from tokens to use them for identity related tasks.
ADFS Claim: A statement an entity makes about itself in order to establish access. When you build an application that relies on claims, you are building claims aware applications and claims-based applications.

26 SSO Comes to the Contact Center

27 Welcome Cisco Contact Center SSO! v11.6
Single Sign-On capability for Agents and Supervisors

28 Supported Identity Providers (IDP)
Version 11.6
Roadmap
We want YOU to make it happen

29 Contact Center SSO Specifications
Unified Contact Center Enterprise
 o concurrent agents and supervisors (4000 in Ver. 11.5)
 o Deployment options: Non-SSO, Full-SSO, or Hybrid
Packaged Contact Center Enterprise
 o Up to 2000 concurrent agents and supervisors (max. system limit)
 o Deployment options: Non-SSO, Full-SSO, or Hybrid
HCS Contact Center
Contact Director (Initial) Support for Agents and Supervisors only
 o Up to concurrent agents and supervisors per Instance. 24k Max
 o Deployment options: Non-SSO, Full-SSO, or Hybrid

30 Contact Center SSO Specifications
CUIC login supported
ECE gadget login supported
MediaSense Search and Play gadget supported
SocialMiner supported
Cloud-based gadgets authenticate in the cloud, not against ADFS
 o Cisco Context Service
 o ECE Solve egain
ECE gadget leverages JavaScript DK libraries located in the Finesse container
 o Currently not opened for general 3rd party gadgets; requires IdS registration
NOTE: Customized Finesse Desktops via the API currently support SSO capability

31 UCCE Identity Server

32 UCCE SSO - Cisco Identity Server (IdS)
Cisco VOS Appliance
OAuth Session and Token Management Across UCCE SSO Components
Two-Node Redundant Cluster Deployment
 o Primary/Secondary Active/Active
 o Latency: 80ms RTT
 o Connects to ONLY one IdP
Where's My IdS?
 o UCCE: Co-resident on CUIC/LiveData servers or on separate VM hosts
 o PCCE: Co-resident on CUIC/LiveData servers
 o UCCX: Embedded with the CC application
Remote Data Center (Global) Deployment Will Be Supported in Future Release

33 UCCE SSO - Cisco Identity Server (IdS)
Server Log On:
Provides OAuth Federation of SPs
 o E.g. Finesse, CUIC, Principal AW
[Diagram: 80 ms RTT; IdS, IdS; idsclientlib; SSO Valve; CC Applications]

34 Defining Single Sign-On - Components
Remember This Slide From Earlier?
[Diagram: Browser Session; Federated Identity Services; Service Provider / Resources; OAUTH; Cloud; SAMLv2; Docs; Identity Provider (IdP)]

35 Where The Cisco Identity Server (IdS) Sits
[Diagram: Browser Session; Federated Identity Provider (IdP); Federated Identity Service (IdS); Service Provider / Resources; SAMLv2; IdP; IdS; OAuth; CUIC; ECE; Relying-Party Trust; MediaSense]

36 Cisco Identity Server (IdS) Setup - Step 1 of 4
1. Establish Trust Relationship Between IdP and Cisco IdS
 o Perform metadata exchange
 o Download IdP metadata: Server>/federationmetadata/ /federationmetadata.xml
 o Download Cisco IdS metadata: sp.xml

37 Cisco Identity Server (IdS) Setup - Step 2 of 4
2. Exchange metadata with the ADFS Identity Provider (IdP)
 o Import data about the relying party (Cisco IdS's sp.xml) resource into ADFS

38 Cisco Identity Server (IdS) Setup - Step 3 of 4
3. Exchange metadata with the Cisco Identity Server (IdS)
 o Import the IdP federationmetadata.xml into the Cisco IdS

39 Cisco Identity Server (IdS) Setup - Step 4 of 4
4. Test Cisco IdS SSO Setup

40 Cisco Identity Server (IdS) Setup - Step 4 of 4
Enter any ADFS UPN user account located on the IdP to generate a SAML assertion across the relying-party trust

41 Cisco Identity Server (IdS) Setup - Step 4 of
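
The metadata exchanged in steps 1 to 3 is what each side will trust afterwards, so it is worth reading before it is imported. The following is an added example, not code from the presentation or from Cisco: it pulls the entity ID, signing-certificate fingerprints and endpoints out of a SAML metadata file and lists reasons to hold the import. The sample metadata, host names and the idea of an out-of-band fingerprint list are assumptions made for the illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0:protocol"
ENDPOINT_TAG = {"IDPSSODescriptor": "SingleSignOnService",
                "SPSSODescriptor": "AssertionConsumerService"}


def summarize_metadata(xml_text, role):
    """Extract the trust-relevant fields from one role of a metadata file.

    role is "IDPSSODescriptor" (for federationmetadata.xml) or
    "SPSSODescriptor" (for sp.xml).
    """
    root = ET.fromstring(xml_text)
    desc = root.find("md:" + role, NS)
    if desc is None:
        raise ValueError("metadata has no " + role)
    prints = []
    for key in desc.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute also applies to signing.
        if key.get("use", "signing") != "signing":
            continue
        path = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        for cert in key.findall(path, NS):
            der = base64.b64decode("".join(cert.text.split()))
            prints.append(hashlib.sha256(der).hexdigest())
    endpoints = [e.get("Location")
                 for e in desc.findall("md:" + ENDPOINT_TAG[role], NS)]
    protocols = desc.get("protocolSupportEnumeration", "").split()
    return {"entity_id": root.get("entityID"),
            "saml2": SAML2 in protocols,
            "signing_sha256": prints,
            "endpoints": endpoints}


def review_before_import(summary, verified_sha256):
    """Return reasons to hold the import. verified_sha256 is the set of
    fingerprints confirmed out of band with the other system's owner."""
    findings = []
    if not summary["saml2"]:
        findings.append("role does not advertise SAML 2.0")
    if not summary["signing_sha256"]:
        findings.append("no signing certificate in metadata")
    for fp in summary["signing_sha256"]:
        if fp not in verified_sha256:
            findings.append("unverified signing certificate " + fp[:16])
    for url in summary["endpoints"]:
        if not url.lower().startswith("https://"):
            findings.append("endpoint is not HTTPS: " + url)
    return findings


# Constructed sample: host names are placeholders and the "certificate" is
# arbitrary bytes standing in for DER data, not a real X.509 certificate.
SAMPLE_CERT_BYTES = b"constructed-bytes-standing-in-for-a-DER-certificate"
SAMPLE_IDP_METADATA = """<EntityDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>{cert}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>""".format(cert=base64.b64encode(SAMPLE_CERT_BYTES).decode())

if __name__ == "__main__":
    info = summarize_metadata(SAMPLE_IDP_METADATA, "IDPSSODescriptor")
    print(info["entity_id"])
    for line in review_before_import(info, set()):
        print("HOLD:", line)
```

Run the same two functions over sp.xml with the role "SPSSODescriptor" before importing it into ADFS.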

42 UCCE SSO UX Walkthrough - Cisco IdS
 o Refresh Token Expiry: Long-lived token used to obtain a new or renewed access token. CCE/IdS will issue a new token upon expiry.
 o Authorization Code Expiry: Maximum time within which the user must present the authorization code to the IdS server to get the OAuth tokens (access token & refresh token) for resource access.
 o Access Token Expiry: Short-lived token that provides access to a resource. CCE uses a reference token whereas this token requires validation between the IdS and protected resource (Finesse, CUIC).
 o Encrypt Token: Encrypts tokens using AES-128 CBC HMAC SHA-256
   AES + CBC provides strong encryption
   HMAC + SHA-256 provides complex hashing

43 UCCE SSO UX Walkthrough - Cisco IdS
Use only for troubleshooting and/or re-creating the relying-party trust between ADFS IdP and Cisco IdS

44 SSO Messaging and Event Flow

45 SAML & OAuth flow for achieving SSO in Finesse with IdS
[Diagram participants: Finesse, User, IdS, IdP]
(1) Agent/Supervisor accesses the Finesse desktop URL
(2) Finesse detects that authentication mode is SSO and redirects the browser to IdS
(3) Browser sends the redirect authorize request to IdS
(4a) IdS detects user has invalid access token
(4b) IdS redirects the browser to Identity Provider (IdP)
(4c) Browser sends SAML GET to IdP
(5a) IdP provides login page for authenticating the user
(5b) User enters their credential
(6a) IdP sends SAML assertion back to browser which has UID, IdP Cookie
(6b) Browser sends SAML assertion to the IdS
(6c) IdS validates SAML assertion, creates the access token & authcode and sends back to the browser
(7) Browser issues GET of the Finesse desktop with access token
(8) Finesse gets the access token and validates it with IdS
(9) IdS sends back that token is valid
(10) Finesse checks user role and provides user access to resource

46 ECE Gadget in Finesse - Interaction diagram
[Diagram participants: ECE Gadget, Finesse, Browser, IdS, IdP, ECE Service]
[Diagram messages: GetToken(); ECE Req with Token; GET /userinfo (token validation); OK userid (token validation); ECE response; Role based access control + Cache]

47 UX Walkthrough + Demo

48 CCE SSO UX Walkthrough - Configuration
Log in to CCE Web Administrator:
Configure Single Sign-on
Register CCE components
Configure agents/supervisors
Test SSO functionality across CCE components
Set SSO type
View current CCE SSO status

49 CCE SSO UX Walkthrough - Configuration
Register CCE Components
UCCE - Manual Registration
PCCE - Auto Registration

50 CCE SSO UX Walkthrough - Configuration

51 CCE SSO UX Walkthrough - Configuration

52 CCE SSO UX Walkthrough - Configuration
Cisco IdS Is Ready! Set The SSO Mode
Non-SSO: Nothing changes.
Hybrid: Designate SSO Agent/Supervisors. Non-SSO users may still log in via legacy username and password stored in CCE DB.
SSO: All Agents/Supervisors must use UPN for login. All users will authenticate against Active Directory
Max. UCCE SSO Users:
Max. PCCE SSO Users:

53 CCE SSO UX Walkthrough - Enable SSO Users
[Screens: Packaged CCE, UCCE]
SSO Enabled: Users authenticate with ADFS
SSO Not Enabled: Users authenticate with Finesse through AW DB

54 Non-SSO Deployment
No experience change

55 UCCE SSO UX Walkthrough - Cisco Finesse

56 Hybrid UCCE SSO Deployed
[Screens: Non-SSO User, SSO User]

57 UCCE SSO UX Walkthrough - Cisco Finesse
SSO user requires UPN username
UCCE resources (Finesse, CUIC, etc.) will never know or ask for user password!

58 SSO Deployed
Must Use UPN For All CCE AD Account Logins

59 UCCE Agent Authentication Flow: Non-SSO vs. SSO Demonstration

60 Non-SSO Agent Log In Demonstration

61 SSO Enabled Agent Log In Demonstration

62 SSO Enabled Supervisor Log In Demonstration

63 Best Practices and Troubleshooting

64 Planning For SSO In The Contact Center
Understand The Deployment Options
 o CCE allows hybrid deployment but be aware of these:
   Remote resources located outside the datacenter that contains the IdS are not supported.
   The move to SSO for an agent / supervisor is ONE-WAY. No tool for SSO to Non-SSO!
 o CCX does not allow hybrid deployment
   SSO is enabled or disabled globally
Active Directory Users Must Use UPN Username For Sign-On
 o E.g. username@cisco.com required for ALL CCE users, even non-SSO!
 o This means Web Administrators as well even though they are not SSO enabled
Migration Tool
 o No migration tool for CCX users. Current users (agents / supervisors) authenticating through CUCM DB via AXL will need to be recreated in ADFS and reconfigured in AppAdmin
 o Bulk migration tool IS provided for CCE users. CSV file provided via CCE WebAdmin

65 Planning For SSO In The Contact Center - CCE Bulk Migration Tool
[Diagram: Web Admin; 1 Export; 2 CSV File (UserName, FirstName, lastname, newusername); 3 Import; 4]
(1) Download a list of Agents/Supervisors that are not SSO enabled (filtering by peripheral and team) as a CSV file
(2) Update the list with their new SSO names ( addresses)
(3) Bulk import the list to apply the changes
(4) Contact IdP admin to update the IdP with those users and add the appropriate credentials based on their policies in place

66 Planning For SSO In The Contact Center - CCE Bulk Migration Tool Example
Column Name: Description
username: The person's old non-SSO user name
firstname: The person's first name.
lastname: The person's last name.
newusername: The new SSO user name
CSV header: UserName, FirstName, lastname, newusername
CSV file: ssomigration.csv
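
Because the move to SSO is one-way, the edited CSV deserves a check between steps (2) and (3). The following is an added example, not part of the presentation or of the CCE tool: it checks a file with the four columns above for new user names that are not UPNs, UPN suffixes outside an expected set, and two agents mapped to the same identity. The UPN pattern, the allowed-suffix list and the sample rows are assumptions made for the illustration.

```python
import csv
import io
import re

EXPECTED = ["username", "firstname", "lastname", "newusername"]
# Simplified UPN shape (user@domain.tld). An assumption for this example,
# not the rule CCE or Active Directory applies.
UPN_RE = re.compile(r"^[^@\s]+@[^@\s.]+(\.[^@\s.]+)+$")


def check_migration_csv(text, allowed_suffixes):
    """Return a list of (line_number, message) problems in the CSV text."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = next(reader, None)
    if header is None:
        return [(1, "file is empty")]
    if [c.strip().lower() for c in header] != EXPECTED:
        return [(1, "unexpected header: " + ",".join(header))]
    problems, seen_old, seen_new = [], {}, {}
    for row in reader:
        line = reader.line_num
        cells = [c.strip() for c in row]
        if not any(cells):
            continue  # skip blank lines
        if len(cells) != len(EXPECTED):
            problems.append((line, "expected 4 columns, found %d" % len(cells)))
            continue
        # User names are compared case-insensitively.
        old, new = cells[0].lower(), cells[3].lower()
        if not old:
            problems.append((line, "username is empty"))
        elif old in seen_old:
            problems.append((line, "username repeats line %d" % seen_old[old]))
        else:
            seen_old[old] = line
        if not UPN_RE.match(new):
            problems.append((line, "newusername is not a UPN: " + cells[3]))
            continue
        suffix = new.rsplit("@", 1)[1]
        if suffix not in allowed_suffixes:
            problems.append((line, "UPN suffix not allowed: " + suffix))
        if new in seen_new:
            # Two agents would end up sharing one IdP identity.
            problems.append((line, "newusername repeats line %d" % seen_new[new]))
        else:
            seen_new[new] = line
    return problems


# Constructed sample rows; names and domains are placeholders.
SAMPLE_CSV = """UserName, FirstName, lastname, newusername
jsmith, Jane, Smith, jane.smith@example.com
bwong, Bo, Wong, bwong
akhan, Ali, Khan, Jane.Smith@example.com
mlee, Min, Lee, min.lee@partner.example.net
"""

if __name__ == "__main__":
    for line, message in check_migration_csv(SAMPLE_CSV, {"example.com"}):
        print("line %d: %s" % (line, message))
```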

67 CCE SSO Account Administrative Considerations
Single Or Bulk Authentication (Credential) Management
 o Identity Provider (IdP) defines administration capabilities.
 o Identity Provider (IdP) must run Windows ADFS + SAMLv2
SSO Enabled Users' Credentials Are Managed Within The IdP
Non-SSO Enabled Users' Credentials Continue To Be Managed Within CCE
Changing A User's SSO Credential While Logged In
 o Periodic heartbeat between user's browser and IdP will update the SAML assertion token, however
 o Contact Center applications will continue to remain authorized for the user through OAuth token rules provided within the Cisco Identity Server (IdS)
   There's no active synchronization between IdP and IdS
   Authorization is updated the next time the user logs in or when the OAuth token expires based on values YOU set within the IdS

68 Leveraging SSO In Multi-Forest Environments
Microsoft Active Directory Multi-Forest Deployments
CCE Still Only Supports a Single AD Forest Deployment Topology
 o AD trusts between forests are NOT supported
 o If you have Agents and Supervisors located across multiple Forests, you can leverage SSO to Federate these users!
[Diagram: Root OU Cisco_ICM, UCCE Servers; Forest 1 X Forest 2; CCE Users (Agents and Supervisors); CCE Users (Config, Setup, Agents, Supervisors); CCE Users (Agents and Supervisors)]

69 Leveraging SSO In Multi-Forest Environments
SUPPORTED! Microsoft Active Directory Multi-Forest Deployments
 o Install ADFS servers between forests
 o Create relying-party trusts
 o Perform simple DNS forwarding to allow users across forests to access CCE URLs
[Diagram: Root OU Cisco_ICM, UCCE Servers; Forest 1, ADFS, Relying-Party Trust, ADFS, Forest 2; CCE Users (Agents and Supervisors); CCE Users (Config, Setup, Agents, Supervisors); CCE Users (Agents and Supervisors)]

70 Hurray For Federation Services!
Single Sign-On capability for Agents and Supervisors

71 Other Design Considerations
CUCM, CCMP, CCDM, VIM Are SSO Supported
 o CUCM supports direct ADFS IdP integration via LDAP/Kerberos
 o CCMP or VIM supports SSO for Administrator logins and provides its own IdS that ONLY integrates with an ADFS 3.0 IdP
 o A single IdP may be used
Third-Party Applications (Gadgets) Do Not Presently Support SSO
IdS (OAuth) Token Expiry Is 10 hrs By Default
 o Remember to adjust both the Refresh and Access token timers to suit your needs
Users Across Multiple Domains May Be Handled By IdP via ADFS Farm
 o This means that Cisco Contact Center and IdS are transparent to the Federation setup.
 o IdS will simply request Authentication to the trusted IdP (only one IdP is supported). Federation happens behind the ADFS IdP!

72 Troubleshooting SSO - Debugging Tools (Server Side)
Collect IdS Logs
 o Cisco Unified System CLI
 o Cisco Unified Real-time Monitoring Tool (RTMT)
ADFS Event Log
 o Diagnose Relying Party trust issues
 o Diagnose Federated Token failures
 o Correlate and trace ActivityIDs with CallerIDs to claim values

73 Troubleshooting SSO - Debugging Tools (Server Side)
Cisco Identity Server (IdS) Logging
 o Dynamic
 o Default: Info
 o Debug and Trace for more detail
 o Use Trace ONLY if advised by Cisco TAC

74 Troubleshooting SSO - Debugging Tools (Client Side)
SAML Tracer For Firefox
 o Browser add-on and essential debugging tool for SAML developers
 o Captures SAML authentication requests and responses during the SSO login process.

75 Troubleshooting SSO - Debugging Tools (Client Side)
SAML Message Decoder For Chrome
 o Chrome extension that captures SAML authentication requests and responses during the SSO login process.

76 Troubleshooting SSO - Debugging Tools (Client Side)
SAML Message Decoder For Internet Explorer
 o Good ol' HTTP Watch
 o You may also want to try Fiddler Web Debugger

77 Troubleshooting SSO - Unified System CLI Log Collection
How to Collect CUIC IdS Logs
 o show trace devicetype cuic absdatetime MM-DD-YYYY:hh:hh MM-DD-YYYY:hh:hh
   Collects specified date/time range
 o show trace devicetype cuic
   Collects past 24 hours by default

78 Troubleshooting SSO - RTMT Log Collection
How to Collect CUIC IdS Logs
 o Keep clicking on Next to navigate to Cisco Identity Service

79 Troubleshooting SSO - RTMT Log Collection
Recommended Logs to Collect From the Cisco IdS

80 Troubleshooting SSO - SAML Tracer

81 Troubleshooting SSO - SAML Tracer

82 Troubleshooting SSO - SAML Tracer Event Flow
Initial Finesse Login Request

83 Troubleshooting SSO - SAML Tracer Event Flow
Initial Finesse Login Request
No valid access token, redirect to IdP

84 Troubleshooting SSO - SAML Tracer Event Flow
Initial Finesse Login Request
No valid access token, redirect to IdP
IdP login page

85 Troubleshooting SSO - SAML Tracer
Initial Finesse Login Request
No valid access token, redirect to IdP
IdP login page
SAML assertion

86 Troubleshooting SSO - SAML Tracer
Initial Finesse Login Request
No valid access token, redirect to IdP
Redirect back to Finesse with authorization code to IdS
IdP login page
SAML assertion

87 Troubleshooting SSO - SAML Tracer
Initial Finesse Login Request
No valid access token, redirect to IdP
Redirect back to Finesse with authorization code to IdS
Agent enters their extension
IdP login page
SAML assertion
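
The two SAML messages in the capture above (the SAML GET of step (4c) and the assertion posted in step (6b)) can also be decoded and compared offline. The following is an added example, not part of the presentation or of any Cisco or Microsoft tool: it decodes an HTTP-Redirect request and an HTTP-POST response and reports the mismatches that most often explain a failed login. Host names, IDs and the user in the sample capture are constructed, and the code does not verify XML signatures or handle encrypted assertions.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def parse_instant(value):
    """Parse a UTC SAML timestamp ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def decode_redirect_request(url):
    """HTTP-Redirect binding: SAMLRequest = base64(raw DEFLATE(xml))."""
    blob = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    root = ET.fromstring(zlib.decompress(base64.b64decode(blob), -15))
    return {"id": root.get("ID"),
            "destination": root.get("Destination"),
            "issuer": root.findtext("a:Issuer", namespaces=NS)}


def decode_post_response(form_value):
    """HTTP-POST binding: SAMLResponse = base64(xml), no compression."""
    root = ET.fromstring(base64.b64decode(form_value))
    code = root.find("p:Status/p:StatusCode", NS)
    cond = root.find("a:Assertion/a:Conditions", NS)
    window = cond.attrib if cond is not None else {}
    audience = "a:Assertion/a:Conditions/a:AudienceRestriction/a:Audience"
    return {"in_response_to": root.get("InResponseTo"),
            "status": code.get("Value") if code is not None else None,
            "name_id": root.findtext("a:Assertion/a:Subject/a:NameID",
                                     namespaces=NS),
            "audience": root.findtext(audience, namespaces=NS),
            "not_before": window.get("NotBefore"),
            "not_on_or_after": window.get("NotOnOrAfter")}


def triage(req, resp, now):
    """Compare request and response; return human-readable findings."""
    findings = []
    if resp["status"] != SUCCESS:
        findings.append("IdP returned status %s" % resp["status"])
    if resp["in_response_to"] != req["id"]:
        findings.append("InResponseTo does not match the AuthnRequest ID")
    if resp["audience"] is not None and resp["audience"] != req["issuer"]:
        findings.append("Audience is not the requesting entity")
    if resp["not_before"] and now < parse_instant(resp["not_before"]):
        findings.append("assertion not yet valid (NotBefore in the future)")
    if resp["not_on_or_after"] and now >= parse_instant(resp["not_on_or_after"]):
        findings.append("assertion expired")
    return findings


def sample_capture():
    """Constructed capture; hosts, IDs and the user are placeholders."""
    request = ('<samlp:AuthnRequest xmlns:samlp="{p}" xmlns:saml="{a}" '
               'ID="_req-0001" Version="2.0" '
               'IssueInstant="2018-06-12T15:04:05.000Z" '
               'Destination="https://adfs.example.com/adfs/ls/">'
               '<saml:Issuer>ids.example.com</saml:Issuer>'
               '</samlp:AuthnRequest>').format(**NS)
    deflate = zlib.compressobj(wbits=-15)
    raw = deflate.compress(request.encode()) + deflate.flush()
    url = "https://adfs.example.com/adfs/ls/?" + urlencode(
        {"SAMLRequest": base64.b64encode(raw).decode()})
    response = ('<samlp:Response xmlns:samlp="{p}" xmlns:saml="{a}" '
                'ID="_resp-0001" InResponseTo="_req-0001" Version="2.0">'
                '<samlp:Status><samlp:StatusCode Value="{s}"/></samlp:Status>'
                '<saml:Assertion ID="_a-0001" Version="2.0">'
                '<saml:Subject><saml:NameID>agent1@example.com</saml:NameID>'
                '</saml:Subject>'
                '<saml:Conditions NotBefore="2018-06-12T15:04:10.000Z" '
                'NotOnOrAfter="2018-06-12T16:04:10.000Z">'
                '<saml:AudienceRestriction><saml:Audience>ids.example.com'
                '</saml:Audience></saml:AudienceRestriction>'
                '</saml:Conditions></saml:Assertion></samlp:Response>'
                ).format(s=SUCCESS, **NS)
    return url, base64.b64encode(response.encode()).decode()
```

Captured assertions contain user identifiers, so treat decoded output like any other log with personal data.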

88 Troubleshooting SSO - Cisco IdS Logs
Disable Cisco IdS token encryption
User requesting Finesse access and Finesse checking OAuth token with the IdS
Refresh and access tokens are not valid, IdS redirects user to IdP

89 Troubleshooting SSO - Cisco IdS Logs
This is the SAML request sent to the IdP
Here is the SAML response relayed to the Cisco IdS
This is the SAML cookie! You can view this cookie in SAML Tracer under the HTTP tab

90 Troubleshooting SSO - Cisco IdS Logs
Lastly, the Cisco IdS creates the OAuth tokens for resource access
Resource Access Granted!

91 Troubleshooting SSO - Summary
Identify Components Involved
 o User, Cisco Identity Server (IdS), ADFS Identity Provider (IdP)
SAML Tracer for End-User Logging
 o Provides HTTP (GET, POST) and SAML exchanges
Cisco CCE Unified System CLI / RTMT
 o Pull CUIC IdS logs
Microsoft Windows AD FS Event Logs
 o Capture ADFS logs
Parameters For Event Tracing
 o client_id, token, refresh-token, access-token
 o Let SAML Tracer parameters be your guide!
SAML for dummies

92 References and Session Summary

93 Contact Center SSO References
Differences Between Federation and SSO
UCCE Configuration Guide: Configuring IdP and IdS
 terprise/icm_enterprise_11_5_1/configuration/guide/ucce_bk_u882d859_00_uccefeatures-guide/ucce_bk_u882d859_00_ucce-features-guide_chapter_0110.pdf
Learn More About Microsoft AD FS
Microsoft AD FS Multi-Factor Authentication Support

94 Contact Center SSO Summary
First Supported in Contact Center 11.5(1)
Reduce Your Attack Surface
 o Lessens the frequency of password exchanges
 o Secure tokens
 o SAML for authentication, OAUTH for authorization
Log In Once, Access Multiple Resources
IdP Must Support SAMLv2 Running ADFS
 o Server 2008, 2012, and 2012 R2
IdS OAUTH Federation Provides Secure Token Exchange
 o Allows multiple resource access
IdP Federation Avoids the Need to Create AD Trusts
Federate Agent and Supervisor Logins Across Multiple AD Forests

95 Q & A

97 Complete Your Online Session Evaluation
Please complete your Online Session Evaluations after each session
Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at

98 Continue Your Education
Demos in the Cisco campus
Walk-in Self-Paced Labs
Tech Circle
Meet the Engineer 1:1 meetings
Related sessions

99 Thank you


More information

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE GUIDE MARCH 2019 PRINTED 28 MARCH 2019 CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE VMware Workspace ONE Table of Contents Overview Introduction Audience AD FS

More information

Quick Start Guide for SAML SSO Access

Quick Start Guide for SAML SSO Access Quick Start Guide Quick Start Guide for SAML SSO Access Cisco Unity Connection SAML SSO 2 Introduction 2 Understanding Service Provider and Identity Provider 2 Understanding SAML Protocol 3 SSO Mode 4

More information

Five9 Plus Adapter for Agent Desktop Toolkit

Five9 Plus Adapter for Agent Desktop Toolkit Cloud Contact Center Software Five9 Plus Adapter for Agent Desktop Toolkit Administrator s Guide September 2017 The Five9 Plus Adapter for Agent Desktop Toolkit integrates the Five9 Cloud Contact Center

More information

Quick Start Guide for SAML SSO Access

Quick Start Guide for SAML SSO Access Standalone Doc - Quick Start Guide Quick Start Guide for SAML SSO Access Cisco Unity Connection SAML SSO 2 Introduction 2 Understanding Service Provider and Identity Provider 3 Understanding SAML Protocol

More information

Cisco Finesse. The Next Generation Agent Experience. Ted Phipps Sr. Manager, CCBU Product Management

Cisco Finesse. The Next Generation Agent Experience. Ted Phipps Sr. Manager, CCBU Product Management Cisco Finesse The Next Generation Agent Experience Ted Phipps Sr. Manager, CCBU Product Management Chris Del Grande Member of Technical Staff, Cisco IT Cisco Spark Ask Question, Get Answers www.ciscospark.com

More information

ADFS integration with Ibistic Commerce Platform A walkthrough of the feature and basic configuration

ADFS integration with Ibistic Commerce Platform A walkthrough of the feature and basic configuration IBISTIC TECHNOLOGIES ADFS integration with Ibistic Commerce Platform A walkthrough of the feature and basic configuration Magnus Akselvoll 19/02/2014 Change log 26/06/2012 Initial document 19/02/2014 Added

More information

NXOS in the Real World Using NX-API REST

NXOS in the Real World Using NX-API REST NXOS in the Real World Using NX-API REST Adrian Iliesiu Corporate Development Engineer Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session

More information

Setting Up the Server

Setting Up the Server Managing Licenses, page 1 Cross-launch from Prime Collaboration Provisioning, page 5 Integrating Prime Collaboration Servers, page 6 Single Sign-On for Prime Collaboration, page 7 Changing the SSL Port,

More information

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation Enhancing cloud applications by using external authentication services After you complete this section, you should understand: Terminology such as authentication, identity, and ID token The benefits of

More information

CLI users are not listed on the Cisco Prime Collaboration User Management page.

CLI users are not listed on the Cisco Prime Collaboration User Management page. Cisco Prime Collaboration supports creation of user roles. A user can be assigned the Super Administrator role. A Super Administrator can perform tasks that both system administrator and network administrator

More information

Install and Configure the F5 Identity Provider (IdP) for Cisco Identity Service (IdS) to enable SSO

Install and Configure the F5 Identity Provider (IdP) for Cisco Identity Service (IdS) to enable SSO Install and Configure the F5 Identity Provider (IdP) for Cisco Identity Service (IdS) to enable SSO Contents Introduction Prerequisites Requirements Components Used Install Configure Security Assertion

More information

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 12.0(1)

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 12.0(1) SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 12.0(1) First Published: 2017-08-31 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706

More information

Small Contact Center Agent Deployment Model

Small Contact Center Agent Deployment Model Small Contact Center Deployment, page 1 Small Contact Center Deployment The Small Contact Center (SCC) deployment model splits your contact center into shared and dedicated components. It provides several

More information

CLI users are not listed on the Cisco Prime Collaboration User Management page.

CLI users are not listed on the Cisco Prime Collaboration User Management page. Cisco Prime Collaboration supports creation of user roles. A user can be assigned the Super Administrator role. A Super Administrator can perform tasks that both system administrator and network administrator

More information

SAML-Based SSO Configuration

SAML-Based SSO Configuration Prerequisites, page 1 SAML SSO Configuration Workflow, page 5 Reconfigure OpenAM SSO to SAML SSO After an Upgrade, page 9 Prerequisites NTP Setup In SAML SSO, Network Time Protocol (NTP) enables clock

More information

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Webthority can provide single sign-on to web applications using one of the following authentication methods: Webthority HOW TO Configure Web Single Sign-On Webthority can provide single sign-on to web applications using one of the following authentication methods: HTTP authentication (for example Kerberos, NTLM,

More information

All about SAML End-to-end Tableau and OKTA integration

All about SAML End-to-end Tableau and OKTA integration Welcome # T C 1 8 All about SAML End-to-end Tableau and OKTA integration Abhishek Singh Senior Manager, Regional Delivery Tableau Abhishek Singh Senior Manager Regional Delivery asingh@tableau.com Agenda

More information

VIEVU Solution AD Sync and ADFS Guide

VIEVU Solution AD Sync and ADFS Guide VIEVU Solution AD Sync and ADFS Guide Introduction This guide describes how to operate the VIEVU Solution AD Sync utility and configure Active Directory Federation Services (ADFS). Additional support material

More information

Configuration Tab. Cisco WebEx Messenger Administration Guide 1

Configuration Tab. Cisco WebEx Messenger Administration Guide 1 Overview, page 2 Organization Information, page 2 Domain Information, page 3 Resource Management Information, page 4 URL Configuration, page 5 Security Settings, page 6 Directory Settings, page 8 Password

More information

D9.2.2 AD FS via SAML2

D9.2.2 AD FS via SAML2 D9.2.2 AD FS via SAML2 This guide assumes you have an AD FS deployment. This guide is based on Windows Server 2016. Third Light support staff cannot offer assistance with 3rd party tools, so while the

More information

ArcGIS Enterprise Administration

ArcGIS Enterprise Administration TRAINING GUIDE ArcGIS Enterprise Administration Part 3 This session touches on key elements of Portal for ArcGIS setup, configuration and maintenance techniques. Table of Contents Portal for ArcGIS...

More information

Cloud Access Manager Configuration Guide

Cloud Access Manager Configuration Guide Cloud Access Manager 8.1.3 Configuration Guide Copyright 2017 One Identity LLC. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide

More information

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server... Oracle Access Manager Configuration Guide for On-Premises Version 17 October 2017 Contents Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing

More information

Single Sign-On. Non-SSO - Continue to use existing Active Directory-based and local authentication, without SSO.

Single Sign-On. Non-SSO - Continue to use existing Active Directory-based and local authentication, without SSO. , on page 1 Flow, on page 4 Installation, on page 4 Installation Task Flow for Cisco Identity Service, on page 4 Configure the Cisco Identity Service, on page 16 Configure an Identity Provider (IdP), on

More information

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1 Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1 Setting Up Resources in VMware Identity Manager (On Premises) You can find the most up-to-date

More information

Configuring Alfresco Cloud with ADFS 3.0

Configuring Alfresco Cloud with ADFS 3.0 Configuring Alfresco Cloud with ADFS 3.0 Prerequisites: You have a working domain on your Windows Server 2012 and successfully installed ADFS. For these instructions, I created: alfresco.me as a domain

More information

VMware Identity Manager Administration

VMware Identity Manager Administration VMware Identity Manager Administration VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith ArcGIS Enterprise Security: An Introduction Gregory Ponto & Jeff Smith Agenda ArcGIS Enterprise Security Model Portal for ArcGIS Authentication Authorization Building the Enterprise Encryption Collaboration

More information

Hybrid Cloud Automation using Cisco CloudCenter API

Hybrid Cloud Automation using Cisco CloudCenter API Hybrid Cloud Automation using Cisco CloudCenter API Ray Doerr, Advanced Services Engineer Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session

More information

CA SiteMinder Federation

CA SiteMinder Federation CA SiteMinder Federation Legacy Federation Guide 12.52 SP1 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Introduction to application management

Introduction to application management Introduction to application management To deploy web and mobile applications, add the application from the Centrify App Catalog, modify the application settings, and assign roles to the application to

More information

Microsoft ADFS Configuration

Microsoft ADFS Configuration Microsoft ADFS Configuration Side 1 af 12 1 Information 1.1 ADFS KMD Secure ISMS supports ADFS for integration with Microsoft Active Directory by implementing WS-Federation and SAML 2. The integration

More information

Contact Center Enterprise Solutions SSO Overview, Design, Deployment and CSDL Overview

Contact Center Enterprise Solutions SSO Overview, Design, Deployment and CSDL Overview Contact Center Enterprise Solutions SSO Overview, Design, Deployment and CSDL Overview Vipin Palawat BRKCCT-1041 Cisco Spark Ask Question, Get Answers Use Cisco Spark to communicate with the speaker during

More information

Manage SAML Single Sign-On

Manage SAML Single Sign-On SAML Single Sign-On Overview, page 1 Opt-In Control for Certificate-Based SSO Authentication for Cisco Jabber on ios, page 1 SAML Single Sign-On Prerequisites, page 2, page 3 SAML Single Sign-On Overview

More information

Single Sign-On Showdown

Single Sign-On Showdown Single Sign-On Showdown ADFS vs Pass-Through Authentication Max Fritz Solutions Architect SADA Systems #ITDEVCONNECTIONS Azure AD Identity Sync & Auth Timeline 2009 2012 DirSync becomes Azure AD Sync 2013

More information

Office 365 and Azure Active Directory Identities In-depth

Office 365 and Azure Active Directory Identities In-depth Office 365 and Azure Active Directory Identities In-depth Jethro Seghers Program Director SkySync #ITDEVCONNECTIONS ITDEVCONNECTIONS.COM Agenda Introduction Identities Different forms of authentication

More information

Deploying OAuth with Cisco Collaboration Solution Release 12.0

Deploying OAuth with Cisco Collaboration Solution Release 12.0 White Paper Deploying OAuth with Cisco Collaboration Solution Release 12.0 Authors: Bryan Morris, Kevin Roarty (Collaboration Technical Marketing) Last Updated: December 2017 This document describes the

More information

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8

Setting Up Resources in VMware Identity Manager. VMware Identity Manager 2.8 Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.8 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Configure Single Sign-On using CUCM and AD FS 2.0 (Windows Server 2008 R2)

Configure Single Sign-On using CUCM and AD FS 2.0 (Windows Server 2008 R2) Configure Single Sign-On using CUCM and AD FS 2.0 (Windows Server 2008 R2) Contents Introduction Prerequisites Requirements Components Used Download and Install AD FS 2.0 on your Windows Server Configure

More information

Integrating YuJa Active Learning into ADFS via SAML

Integrating YuJa Active Learning into ADFS via SAML Integrating YuJa Active Learning into ADFS via SAML 1. Overview This document is intended to guide users on how to setup a secure connection between YuJa (the Service Provider, or SP) and ADFS (the Identity

More information

Warm Up to Identity Protocol Soup

Warm Up to Identity Protocol Soup Warm Up to Identity Protocol Soup David Waite Principal Technical Architect 1 Topics What is Digital Identity? What are the different technologies? How are they useful? Where is this space going? 2 Digital

More information

Upgrade from a Standalone Deployment to a Coresident Deployment (Cisco Unified Intelligence Center with Live Data and IdS)

Upgrade from a Standalone Deployment to a Coresident Deployment (Cisco Unified Intelligence Center with Live Data and IdS) Upgrade from a Standalone Deployment to a Coresident Deployment (Cisco Unified Intelligence Center with Live Data and IdS) Upgrade from a Standalone to a Co-resident Deployment, on page 1 Set Deployment

More information

Integrating the YuJa Enterprise Video Platform with ADFS (SAML)

Integrating the YuJa Enterprise Video Platform with ADFS (SAML) Integrating the YuJa Enterprise Video Platform with ADFS (SAML) Overview This document is intended to guide users on how to setup a secure connection between the YuJa Enterprise Video Platform referred

More information

ArcGIS Server and Portal for ArcGIS An Introduction to Security

ArcGIS Server and Portal for ArcGIS An Introduction to Security ArcGIS Server and Portal for ArcGIS An Introduction to Security Jeff Smith & Derek Law July 21, 2015 Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context

More information

O365 Solutions. Three Phase Approach. Page 1 34

O365 Solutions. Three Phase Approach. Page 1 34 O365 Solutions Three Phase Approach msfttechteam@f5.com Page 1 34 Contents Use Cases... 2 Use Case One Advanced Traffic Management for WAP and ADFS farms... 2 Use Case Two BIG-IP with ADFS-PIP... 3 Phase

More information

CHAPTER 1 PREFACE... 1

CHAPTER 1 PREFACE... 1 v CHAPTER 1 PREFACE... 1 Why I wrote this book... 1 Who this book is for?... 1 A brief history of UCCX... 2 What is UCCX... 3 Assumptions... 3 Reference Lab... 3 CHAPTER 2 INSTALLATION... 5 Preparation...

More information

Setting Up Resources in VMware Identity Manager

Setting Up Resources in VMware Identity Manager Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.7 This document supports the version of each product listed and supports all subsequent versions until the document is replaced

More information

Integrating YuJa Active Learning with ADFS (SAML)

Integrating YuJa Active Learning with ADFS (SAML) Integrating YuJa Active Learning with ADFS (SAML) 1. Overview This document is intended to guide users on how to setup a secure connection between the YuJa Active Learning Platform referred to as the Service

More information

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B ForgeRock Access Management Core Concepts AM-400 Course Description Revision B ForgeRock Access Management Core Concepts AM-400 Description This structured course comprises a mix of instructor-led lessons

More information

esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5

esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5 esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5 Phone: 1-855-MYESIGN Fax: (514) 337-5258 Web: www.esignlive.com

More information

BRKCOC-2399 Inside Cisco IT: Integrating Spark with existing large deployments

BRKCOC-2399 Inside Cisco IT: Integrating Spark with existing large deployments Inside Cisco IT: Integrating Spark with existing large deployments Jan Seynaeve, Sr. Collaborations Engineer Luke Clifford, Sr. Collaborations Engineer Cisco Spark How Questions? Use Cisco Spark to communicate

More information

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow) Integration Guide PingFederate SAML Integration Guide (SP-Initiated Workflow) Copyright Information 2018. SecureAuth is a registered trademark of SecureAuth Corporation. SecureAuth s IdP software, appliances,

More information

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz Osman Akagunduz Consultant @ InSpark Microsoft Country Partner Of The Year Twitter: @Osman_Akagunduz What s in this session The role of Azure

More information

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5 CA SiteMinder Federation Manager Guide: Legacy Federation r12.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Five9 Plus Adapter for Microsoft Dynamics CRM

Five9 Plus Adapter for Microsoft Dynamics CRM Cloud Contact Center Software Five9 Plus Adapter for Microsoft Dynamics CRM Administrator s Guide September 2017 This guide describes how to install and configure the Five9 Plus Adapter for Microsoft Dynamics

More information

Certificates for Live Data Standalone

Certificates for Live Data Standalone Certificates and Secure Communications, on page 1 Export Self-Signed Live Data Certificates, on page 2 Import Self-Signed Live Data Certificates, on page 3 Produce Certificate Internally, on page 4 Deploy

More information

Access Management Handbook

Access Management Handbook Access Management Handbook Contents An Introduction 3 Glossary of Access Management Terms 4 Identity and Access Management (IAM) 4 Access Management 5 IDaaS 6 Identity Governance and Administration (IGA)

More information

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29 Oracle Access Manager Configuration Guide 16 R1 March 2016 Contents Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 8 Installing Oracle HTTP Server...

More information

Single Sign-On for PCF. User's Guide

Single Sign-On for PCF. User's Guide Single Sign-On for PCF Version 1.2 User's Guide 2018 Pivotal Software, Inc. Table of Contents Table of Contents Single Sign-On Overview Installation Getting Started with Single Sign-On Manage Service Plans

More information

CA SiteMinder Federation

CA SiteMinder Federation CA SiteMinder Federation Partnership Federation Guide 12.52 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager Setting Up Resources in VMware Identity Manager (SaaS) You can find the most up-to-date technical documentation

More information

Your API Toolbelt Tools and techniques for testing, monitoring, and troubleshooting REST API requests

Your API Toolbelt Tools and techniques for testing, monitoring, and troubleshooting REST API requests DEVNET-1631 Your API Toolbelt Tools and techniques for testing, monitoring, and troubleshooting REST API requests Adam Kalsey, Spark Developer Relations Cisco Spark How Questions? Use Cisco Spark to communicate

More information

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT ArcGIS Enterprise Security: An Introduction Randall Williams Esri PSIRT Agenda ArcGIS Enterprise Security for *BEGINNING to INTERMIDIATE* users ArcGIS Enterprise Security Model Portal for ArcGIS Authentication

More information

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 Guide to Deploying VMware Workspace ONE DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Okta Integration Guide for Web Access Management with F5 BIG-IP

Okta Integration Guide for Web Access Management with F5 BIG-IP Okta Integration Guide for Web Access Management with F5 BIG-IP Contents Introduction... 3 Publishing SAMPLE Web Application VIA F5 BIG-IP... 5 Configuring Okta as SAML 2.0 Identity Provider for F5 BIG-IP...

More information

Authentication in the Cloud. Stefan Seelmann

Authentication in the Cloud. Stefan Seelmann Authentication in the Cloud Stefan Seelmann Agenda Use Cases View Points Existing Solutions Upcoming Solutions Use Cases End user needs login to a site or service End user wants to share access to resources

More information

akkadian Provisioning Manager Express

akkadian Provisioning Manager Express akkadian Provisioning Manager Express Version 4.10.08 Release Notes July 11 th, 2017 Copyright and Trademarks: I. Copyright: This website and its content is copyright 2017 Akkadian Labs, LLC. All rights

More information

Single Sign-On (SSO)Technical Specification

Single Sign-On (SSO)Technical Specification Single Sign-On (SSO)Technical Specification Audience: Business Stakeholders IT/HRIS Table of Contents Document Version Control:... 3 1. Overview... 4 Summary:... 4 Acronyms and Definitions:... 4 Who Should

More information

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE VMware Identity Manager 2.9.1 VMware AirWatch 9.1 Guide to Deploying VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware

More information

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2 VMware Identity Manager Administration MAY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments

More information

Oracle Access Manager Configuration Guide

Oracle Access Manager Configuration Guide Oracle Access Manager Configuration Guide 16 R2 September 2016 Contents Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

More information

Five9 Plus Adapter for NetSuite

Five9 Plus Adapter for NetSuite Cloud Contact Center Software Five9 Plus Adapter for NetSuite Administrator s Guide April 2018 This guide describes how to install and configure the Five9 Plus Adapter for NetSuite, which enhances the

More information

Implement SAML 2.0 SSO in WLS using IDM Federation Services

Implement SAML 2.0 SSO in WLS using IDM Federation Services Implement SAML 2.0 SSO in WLS using IDM Federation Services Who we are Experts At Your Service > Over 60 specialists in IT infrastructure > Certified, experienced, passionate Based In Switzerland > 100%

More information

Qualys SAML & Microsoft Active Directory Federation Services Integration

Qualys SAML & Microsoft Active Directory Federation Services Integration Qualys SAML & Microsoft Active Directory Federation Services Integration Microsoft Active Directory Federation Services (ADFS) is currently supported for authentication. The Qualys ADFS integration must

More information

VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Manager

VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Manager VMware AirWatch - Workspace ONE, Single Sign-on and VMware Identity Table of Contents Lab Overview - HOL-1857-03-UEM - Workspace ONE UEM with App & Access Management... 2 Lab Guidance... 3 Module 1 - Workspace

More information

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University Identity Management and Federated ID (Liberty Alliance) ISA 767, Secure Electronic Commerce Xinwen Zhang, xzhang6@gmu.edu George Mason University Identity Identity is the fundamental concept of uniquely

More information

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS 03 EXECUTIVE OVERVIEW 05 INTRODUCTION 07 MORE CLOUD DEPLOYMENTS MEANS MORE ACCESS 09 IDENTITY FEDERATION IN

More information

Colligo Console. Administrator Guide

Colligo Console. Administrator Guide Colligo Console Administrator Guide Contents About this guide... 6 Audience... 6 Requirements... 6 Colligo Technical Support... 6 Introduction... 7 Colligo Console Overview... 8 Colligo Console Home Page...

More information

Configuration Tab. Cisco WebEx Messenger Administration Guide 1

Configuration Tab. Cisco WebEx Messenger Administration Guide 1 Overview, page 2 Organization Information, page 2 Domain Information, page 3 Resource Management Information, page 4 URL Configuration, page 5 Security Settings, page 6 Directory Settings, page 8 Password

More information

CloudCenter for Developers

CloudCenter for Developers DEVNET-1198 CloudCenter for Developers Conor Murphy, Systems Engineer Data Centre Cisco Spark How Questions? Use Cisco Spark to communicate with the speaker after the session 1. Find this session in the

More information

Access Manager Applications Configuration Guide. October 2016

Access Manager Applications Configuration Guide. October 2016 Access Manager Applications Configuration Guide October 2016 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights,

More information

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April, Best Practices: Authentication & Authorization Infrastructure Massimo Benini HPCAC - April, 03 2019 Agenda - Common Vocabulary - Keycloak Overview - OAUTH2 and OIDC - Microservices Auth/Authz techniques

More information

Cloud Secure. Microsoft Office 365. Configuration Guide. Product Release Document Revisions Published Date

Cloud Secure. Microsoft Office 365. Configuration Guide. Product Release Document Revisions Published Date Cloud Secure Microsoft Office 365 Configuration Guide Product Release Document Revisions Published Date 8.3R3 2.0 November 2017 Pulse Secure, LLC 2700 Zanker Road, Suite 200 San Jose CA 95134 https://www.pulsesecure.net.

More information

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Authentication. Katarina

Authentication. Katarina Authentication Katarina Valalikova @KValalikova k.valalikova@evolveum.com 1 Agenda History Multi-factor, adaptive authentication SSO, SAML, OAuth, OpenID Connect Federation 2 Who am I? Ing. Katarina Valaliková

More information

System Administration

System Administration Most of SocialMiner system administration is performed using the panel. This section describes the parts of the panel as well as other administrative procedures including backup and restore, managing certificates,

More information

NETOP PORTAL ADFS & AZURE AD INTEGRATION

NETOP PORTAL ADFS & AZURE AD INTEGRATION 22.08.2018 NETOP PORTAL ADFS & AZURE AD INTEGRATION Contents 1 Description... 2 Benefits... 2 Implementation... 2 2 Configure the authentication provider... 3 Azure AD... 3 2.1.1 Create the enterprise

More information

REVIEWERS GUIDE NOVEMBER 2017 REVIEWER S GUIDE FOR CLOUD-BASED VMWARE WORKSPACE ONE: MOBILE SINGLE SIGN-ON. VMware Workspace ONE

REVIEWERS GUIDE NOVEMBER 2017 REVIEWER S GUIDE FOR CLOUD-BASED VMWARE WORKSPACE ONE: MOBILE SINGLE SIGN-ON. VMware Workspace ONE REVIEWERS GUIDE NOVEMBER 2017 REVIEWER S GUIDE FOR CLOUD-BASED VMWARE WORKSPACE ONE: VMware Workspace ONE Table of Contents Introduction.... 3 Purpose of This Guide....3 Audience...3 Before You Begin....3

More information

Administering Workspace ONE in VMware Identity Manager Services with AirWatch. VMware AirWatch 9.1.1

Administering Workspace ONE in VMware Identity Manager Services with AirWatch. VMware AirWatch 9.1.1 Administering Workspace ONE in VMware Identity Manager Services with AirWatch VMware AirWatch 9.1.1 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

TACACs+, RADIUS, LDAP, RSA, and SAML

TACACs+, RADIUS, LDAP, RSA, and SAML This chapter contains the following sections: Overview, page 1 RADIUS, page 1 TACACS+ Authentication, page 2 User IDs in the APIC Bash Shell, page 2 Login Domains, page 3 LDAP/Active Directory Authentication,

More information