Configure Single Sign-On using CUCM and AD FS 2.0 (Windows Server 2008 R2)


Contents

Introduction
Prerequisites
    Requirements
    Components Used
Download and Install AD FS 2.0 on your Windows Server
Configure AD FS 2.0 on Your Windows Server
Import the IdP Metadata to CUCM / Download the CUCM Metadata
Import CUCM Metadata to AD FS 2.0 Server and Create Claim Rules
Finish Enabling SSO on CUCM and run the SSO Test
Troubleshooting
    Set SSO logs to debug
    Finding Federation Service Name
    Dotless Certificate when Specifying the Federation Service name
    Time is out of sync between the CUCM and IDP servers

Introduction

This document describes how to configure Single Sign-On (SSO) using Cisco Unified Communications Manager (CUCM) and Active Directory Federation Services (AD FS) 2.0 (Windows Server 2008 R2).

Contributed by Scott Kiewert, Cisco TAC Engineer.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

    Cisco Unified Communications Manager
    Basic knowledge of AD FS 2.0

In order to enable SSO in your lab environment, you need this configuration:

    Windows Server with AD FS 2.0 installed
    CUCM with LDAP sync configured
    An End User with the Standard CCM Super Users role selected

Components Used

The information in this document is based on these software and hardware versions:

    Windows Server with AD FS 2.0
    CUCM

Cisco Internal Information

Download and Install AD FS 2.0 on your Windows Server

Step 1. Navigate to https://www.microsoft.com/en-us/download/details.aspx?id=10909 and click Continue.
Step 2. In the popup window, make sure you select the appropriate download based on your Windows Server.
Step 3. Move the downloaded file to your Windows Server.
Step 4. Proceed with the installation.
Step 5. When prompted, select Federation Server.

Step 6. Some dependencies may be installed automatically, and you are prompted to click Finish.

Now that you have AD FS 2.0 installed on your server, you need to add some configuration.

Configure AD FS 2.0 on Your Windows Server

Step 1. The AD FS 2.0 window should have opened after the install; if not, you can find it by clicking Start and searching for AD FS 2.0 Management.
Step 2. Once you have the AD FS window open, select AD FS 2.0 Federation Server Configuration Wizard.
Step 3. Next, click Create a new Federation Service.
Step 4. For a lab environment, Stand-alone federation server is sufficient.
Step 5. Next, you are asked to select a certificate that the server uses. This should auto-populate as long as the server already has a certificate.
Step 6. If you have an existing AD FS database on the server, you need to remove it to continue.
Step 7. Finally, you are on a summary screen where you can just click Next.

Import the IdP Metadata to CUCM / Download the CUCM Metadata

Step 1. Download the metadata from your AD FS server by navigating to the following URL: https://hostname/federationmetadata/2007-06/federationmetadata.xml
Step 2. Navigate to Cisco Unified CM Administration > System > SAML Single Sign-On.
Step 3. Click Enable SAML SSO.
Step 4. You may receive a warning about Web Server Connections needing to be reset; simply click Continue.
Step 5. Next, CUCM instructs you to download the metadata file from your IdP. In this scenario, your AD FS server is the IdP, and you downloaded the metadata in Step 1 above, so click Next.
Step 6. You are asked to import the file.
Step 7. Click Browse > Select the .xml from Step 1 > Click Import IdP Metadata.
Step 8. You should receive a message that the import was successful.
Step 9. Click Next.
Step 10. Now that you have the IdP metadata imported into CUCM, you need to import CUCM's metadata into your IdP.
Step 11. Click Download Trust Metadata File.
Step 12. Click Next.
Step 13. Move the .zip file that was downloaded in Step 12 to your Windows Server and extract the contents to a folder.

Import CUCM Metadata to AD FS 2.0 Server and Create Claim Rules

Step 1. At this point, go back to your AD FS server and open the AD FS 2.0 Management window by clicking Start and searching for AD FS 2.0 Management.
Step 2. Click Required: Add a trusted relying party. (Note: if you do not see this, you may need to close the window and open it again. This option does not show up if the window has been left open since the Federation Server Wizard completed.)
Step 3. Once you have the Add Relying Party Trust Wizard open, click Start.
Step 4. Here, you need to import the .xml files that you extracted in Step 13, so select Import data about the relying party from a file, browse to the folder containing the files, and select the .xml for your publisher.

Note: Follow the same steps above for any Unified Collaboration server you want to use SSO on.

Step 5. Click Next.
Step 6. Edit the Display Name to whatever you would like, then click Next.
Step 7. Select Permit all users to access this relying party and click Next.
Step 8. Click Next once more.
Step 9. On this screen, make sure you have Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checked, then click Close.
Step 10. You should now be brought to a window that looks like this:
Step 11. In this window, click Add Rule.
Step 12. For Claim rule template, select Send LDAP Attributes as Claims and click Next.

Step 13. On the next page, enter NameID for the Claim rule name.
Step 14. Select Active Directory for the Attribute store.
Step 15. Select SAM-Account-Name for the LDAP Attribute.
Step 16. Enter uid for Outgoing Claim Type. (Note: uid is not an option that autofills or shows up in the drop-down list; type it in.)
Step 17. Click Finish.
Step 18. You should now see your rule; however, you need to add another rule, so click Add Rule again.
Step 19. Select Send Claims Using a Custom Rule.
Step 20. Enter a Claim rule name (this can be anything).
Step 21. In the Custom rule field, paste the following text:

    c:[type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
     => issue(type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
              Issuer = c.issuer,
              OriginalIssuer = c.originalissuer,
              Value = c.value,
              ValueType = c.valuetype,
              Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
              Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://<ad_fs_service_name>/adfs/com/adfs/service/trust",
              Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<CUCM_FQDN>");

Step 22. Make sure you replace the two placeholders, <ad_fs_service_name> and <CUCM_FQDN>, with the appropriate values for your environment. (Note: If you are not sure about the AD FS Service Name, see Finding Federation Service Name in the Troubleshooting section below.)
Step 23. Click Finish.
Step 24. Click OK.

Note: Claim rules are needed for any Unified Collaboration server you want to use SSO on.

Finish Enabling SSO on CUCM and run the SSO Test

Step 1. Now that the AD FS server is fully configured, you can go back to CUCM.

Step 2. You should be sitting on a page that looks like this:
Step 3. Select the End User which has the Standard CCM Super Users role selected and click Run SSO Test...
Step 4. A popup window should appear. It may take about 30 seconds to load, but eventually you should be presented with a login challenge.
Step 5. Enter the password you configured on the LDAP server for the selected user, and you should then see:
Step 6. Click Close on the popup window and then Finish. SSO is now configured in your lab.

Troubleshooting

Set SSO logs to debug

To set the SSO logs to debug, run this command in the CLI of the CUCM:

    set samltrace level debug

The SSO logs can be downloaded from RTMT. The name of the log set is Cisco SSO.

Finding Federation Service Name

You can confirm the federation service name by clicking Start and searching for and opening AD FS 2.0 Management. Click Edit Federation Service Properties; on the General tab, look for Federation Service name.

Dotless Certificate when Specifying the Federation Service name

If you receive the following error message while going through the AD FS configuration wizard, you need to create a new certificate:

"The selected certificate cannot be used to determine the Federation Service name because the selected certificate has a dotless (short-named) Subject name (for example, fabrikam). Select another certificate without a dotless (short-named) Subject name (for example, fs.fabrikam.com), and then try again."

Click Start, search for iis, then open Internet Information Services (IIS) Manager.
Click on your server's name.
Click on Server Certificates.
Click on Create Self-Signed Certificate.
Enter the name you want for the alias of your certificate.

Time is out of sync between the CUCM and IDP servers

If you receive the error listed below when trying to run the SSO test from CUCM, you may need to configure the Windows Server to use the same NTP servers as the CUCM. The process to do this is covered in the comments of.

"Invalid SAML response. This may be caused when time is out of sync between the Cisco Unified Communications Manager and IDP servers. Please verify the NTP configuration on both servers. Run "utils ntp status" from the CLI to check this status on Cisco Unified Communications Manager."

Once the Windows Server has the NTP servers specified, download the metadata from the IdP again and upload it to the CUCM. Then go directly to the SSO test and see if you still get the same error.
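As an added example (not part of the Cisco document), the following Python script inspects a SAML assertion for the two things the claim rules above are meant to produce, a uid attribute and a transient NameID whose SPNameQualifier is the CUCM FQDN, and for the NotBefore/NotOnOrAfter validity window that the time-sync error refers to. The assertion, hostnames, user name and timestamps are constructed for this example.

```python
# Added example, not from the Cisco document: inspect a SAML assertion the way
# the CUCM SSO test would, checking what the AD FS claim rules should produce.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample (hostnames, user and times are made up for this example).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2018-01-01T12:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
        SPNameQualifier="cucm.example.com">jdoe</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2018-01-01T11:59:00Z" NotOnOrAfter="2018-01-01T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2018-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, cucm_fqdn, now_utc):
    """Return a list of problems; an empty list means the assertion matches what CUCM expects."""
    root = ET.fromstring(xml_text)
    problems = []
    # Custom rule (Step 21): transient NameID scoped to the CUCM relying party.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        problems.append("no NameID: the custom claim rule is missing")
    else:
        if name_id.get("Format") != TRANSIENT:
            problems.append("NameID format is not transient")
        if name_id.get("SPNameQualifier") != cucm_fqdn:
            problems.append("SPNameQualifier does not match the CUCM FQDN")
    # LDAP rule (Steps 13-17): SAM-Account-Name sent as the uid claim.
    uid = root.find("saml:AttributeStatement/saml:Attribute[@Name='uid']/saml:AttributeValue", NS)
    if uid is None or not uid.text:
        problems.append("no uid attribute: the Send LDAP Attributes rule is missing")
    # Validity window: fails when the IdP and CUCM clocks disagree (check NTP on both).
    cond = root.find("saml:Conditions", NS)
    if cond is not None and not (_ts(cond.get("NotBefore")) <= _ts(now_utc) < _ts(cond.get("NotOnOrAfter"))):
        problems.append("current time is outside NotBefore/NotOnOrAfter: check NTP on both servers")
    return problems
```

Run it against an assertion captured from the Cisco SSO trace (after set samltrace level debug) by passing the assertion XML, your CUCM FQDN and the CUCM's current UTC time.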