Configure the Identity Provider for Cisco Identity Service to enable SSO

Similar documents
Configure Single Sign-On using CUCM and AD FS 2.0 (Windows Server 2008 R2)

Quick Start Guide for SAML SSO Access

Single Sign-On. Non-SSO - Continue to use existing Active Directory-based and local authentication, without SSO.

Quick Start Guide for SAML SSO Access

SETTING UP ADFS A MANUAL

Install and Configure the F5 Identity Provider (IdP) for Cisco Identity Service (IdS) to enable SSO

NETOP PORTAL ADFS & AZURE AD INTEGRATION

UMANTIS CLOUD SSO (ADFS) CONFIGURATION GUIDE

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Configuration Guide - Single-Sign On for OneDesk

Single Sign-On with Sage People and Microsoft Active Directory Federation Services 2.0

Unity Connection Version 10.5 SAML SSO Configuration Example

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

Qualys SAML & Microsoft Active Directory Federation Services Integration

Cloud Access Manager Configuration Guide

SAML-Based SSO Solution

Unified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration

Configuring the vrealize Automation Plug-in for ServiceNow

SAML-Based SSO Solution

VMware Identity Manager Administration

Cloud Secure Integration with ADFS. Deployment Guide

Configuring Alfresco Cloud with ADFS 3.0

Configuring Claims-based Authentication for Microsoft Dynamics CRM Server. Last updated: May 2015

Single Sign On (SSO) with Polarion 17.3

AD FS CONFIGURATION GUIDE

CLI users are not listed on the Cisco Prime Collaboration User Management page.

Integrating the YuJa Enterprise Video Platform with ADFS (SAML)

Integrating IBM Security Privileged Identity Manager with ObserveIT Enterprise Session Recording

Manage SAML Single Sign-On

How does it look like?

SAML-Based SSO Configuration

Integrating YuJa Active Learning with ADFS (SAML)

Setting Up the Server

CLI users are not listed on the Cisco Prime Collaboration User Management page.

SAS Viya 3.3 Administration: Authentication

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

SAML-Based SSO Configuration

Lifesize Cloud Table of Contents

Configuring Claims-based Authentication for Microsoft Dynamics CRM Server. Last updated: June 2014

D9.2.2 AD FS via SAML2

TACACs+, RADIUS, LDAP, RSA, and SAML

Integrating YuJa Active Learning into ADFS via SAML

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 12.0(1)

Five9 Plus Adapter for Agent Desktop Toolkit

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

SSO Authentication with ADFS SAML 2.0. Ephesoft Transact Documentation

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

IWA Integration Kit. Version 3.1. User Guide

Getting Started & Deployment Best Practices

Certificates for Live Data Standalone

Microsoft ADFS Configuration

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Configuring ADFS for Academic Works

IBM Domino WEB Federated Login

How to Use ADFS to Implement Single Sign-On for an ASP.NET MVC Application

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

Pyramid 2018 Kerberos Guide Guidelines and best practices for how deploy Pyramid 2018 with Kerberos

Web Application Proxy

October 14, SAML 2 Quick Start Guide

Okta Integration Guide for Web Access Management with F5 BIG-IP

ADFS integration with Ibistic Commerce Platform A walkthrough of the feature and basic configuration

SAML 2.0 SSO Implementation for Oracle Financial Services Lending and Leasing

VAM. ADFS 2FA Value-Added Module (VAM) Deployment Guide

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

The Long, Long Road to True Single Sign On at Fermilab. Al Lilianstrom and Dr. Olga Terlyga NLIT 2018 May 22 nd, 2018

Single Sign-On (SSO)Technical Specification

ArcGIS Enterprise Administration

TUT Integrating Access Manager into a Microsoft Environment November 2014

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

for SharePoint On-prem (v5)

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

SAS Viya 3.4 Administration: Authentication

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

This topic discusses what's required of SAML IdPs in general and provides a step-by-step procedure for setting up a OneLogin IdP.

Coveo Platform 7.0. Microsoft SharePoint Legacy Connector Guide

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication

Citrix Federated Authentication Service Integration with APM

VIEVU Solution AD Sync and ADFS Guide

Five9 Plus Adapter for NetSuite

esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5

Five9 Plus Adapter for Microsoft Dynamics CRM

O365 Solutions. Three Phase Approach. Page 1 34

Cloud Secure. Microsoft Office 365. Configuration Guide. Product Release Document Revisions Published Date

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

ADFS Authentication and Configuration January 2017

Trusted Login Connector (Hosted SSO)

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

McAfee Cloud Identity Manager

How Do I Manage Active Directory

AdminCamp Christian Henseler, Christian Henseler,

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

AppController :21:56 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

Transcription:

Configure the Identity Provider for Cisco Identity Service to enable SSO Contents Introduction Prerequisites Requirements Components Used Background Information Overview of SSO Configuration Overview Configure Authentication Types Establish Trust Relationship ADFS 2.0: ADFS 3.0: Enable Signed SAML Assertions for the Relying Party Trust (Cisco Identity Service) For a Multi-domain Configuration for Federated ADFS Federated ADFS Configuration Primary ADFS Configuration Kerberos Authentication (Integrated Windows Authentication) Configuration for Microsoft Internet Explorer for IWA Support Configuration required for Mozilla Firefox for IWA Support Configuration required for Google Chrome for IWA Support Further Configuration for SSO: Verify Troubleshoot Introduction This document describes the configuration on the Identity Provider (IdP) to enable Single Sign On (SSO). Cisco IdS Deployment Models Product Deployment UCCX Co-resident PCCE Co-resident with CUIC (Cisco Unified Intelligence Center) and LD (Live Data) UCCE Co-resident with CUIC and LD for 2k deployments. Standalone for 4k and 12k deployments. Prerequisites Requirements

Cisco recommends that you have knowledge of these topics: Cisco Unified Contact Center Express (UCCX) Release 11.5 or Cisco Unified Contact Center Enterprise Release 11.5 or Packaged Contact Center Enterprise (PCCE) Release 11.5 as applicable. Microsoft Active Directory - AD installed on Windows Server Active Directory Federation Service (ADFS) Version 2.0/3.0 Note: This document references UCCX in the screenshots and examples, however the configuration is similar with respect to the Cisco Identitify Service (UCCX/UCCE/PCCE) and the IdP. Components Used This document is not restricted to specific software and hardware versions. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Background Information Overview of SSO Cisco provides many services in different forms and as an end user, you want to sign in only once to have the access to all of the Cisco Services. If you want to find and manage contacts from any of the Cisco application and devices, leveraging all possible sources (Corporate Directory, Outlook, Mobile contacts, Facebook, LinkedIn, History), and have them rendered in a common and consistent way which provides the needed information to know their availability and how best to contact them. SSO using SAML (Security Assertion Markup Language) targets this requirement. SAML/SSO provides the ability for users to log into multiple devices and services through a common account and authorization identity called the IdP. The SSO functionality is available in UCCX/UCCE/PCCE 11.5 onwards.

Configuration Overview Configure Authentication Types Cisco Identity Service supports only form based authentication of Identity Provider. Please refer these MSDN articles to learn how to enable Form Authentication in ADFS.

For ADFS 2.0 refer to this Microsoft TechNet article, http://social.technet.microsoft.com/wiki/contents/articles/1600.ad-fs-2-0-how-to-change-thelocal-authentication-type.aspx For ADFS 3.0 refer refer to this Microsoft TechNet article, https://blogs.msdn.microsoft.com/josrod/2014/10/15/enabled-forms-based-authentication-in- AD FS-3-0/ Note: Cisco Identity Service 11.6 and above supports both form based authentication and Kerberos authentication. Establish Trust Relationship For onboarding and enabling applications to use Cisco Identity Service for Single Sign-On, perform the metadata exchange between the Identity Service (IdS) and IdP. Download the SAML SP Metadata file sp.xml. From Settings, navigate to IdS Trust tab on the Identity Service Management page. Download the IdP Metadata file from the IdP from the URL: https://<adfsserver>/federationmetadata/2007-06/federationmetadata.xml On the Identity Service Management page, upload the Identity Provider Metadata file that was downloaded in previous step.

This is the procedure to upload the IdS metadata and add Claim Rules. This is outlined for ADFS 2.0 and 3.0 ADFS 2.0: Step 1. In ADFS server navigate to, Start > All Programs > Administrative Tools > AD FS 2.0 Management, as shown in the image:

Step 2. Navigate to Add AD FS 2.0 > Trust Relationship > Relying Party Trust, as shown in the image:

Step 3. As shown in the image, select the option Import data about the relying party from a file.

Step 4. Complete the establishing of the relying party trust.

Step 5. In the properties of the Relying Party Trust, select the Identifier tab.

Step 6. Set the identifier as the fully qualified hostname of Cisco Identity Server from which sp.xml is downloaded.

Step 7. Right click on the Relying Party Trust and then click on Edit Claim Rules. You need to add two claim rules, one is when the LDAP (Lightweight Directory Access Protocol) attributes are matched while the second is through custom claim rules. uid - This attribute is needed for the applications to identify the authenticated user. user_principal - This attribute is needed by Cisco Identity Service to identify the realm of the authenticated user. Claim Rule 1:

Add a rule by name NameID of type (Send the values of LDAP attribute as claims): Select Attribute store as Active Directory. Map Ldap attribute User-Principal-Name to user_principal (lowercase). Choose the LDAP attribute that has to be used as userid for application users to log in and map it to uid (lowercase) Example Configuration when SamAccountName is to be used as User Id: Map the LDAP attribute SamAccountName to uid. Map the LDAP attribute User-Principal-Name to user_principal. Example Configuration when UPN has to be used as user Id - Map the LDAP attribute User-Principal-Name to uid. Map the LDAP attribute User-Principal-Name to user_principal. Example Configuration when PhoneNumber has to be used as user Id - Map the LDAP attribute telephonenumber to uid. Map the LDAP attribute User-Principal-Name to user_principal.

Note: We need to ensure that the LDAP attribute configured for User ID on CUCM LDAP sync should match what is configured as the LDAP Attribute for uid in the ADFS claim rule NameID. This is for proper functioning of Cisco Unified Intelligence Center (CUIC) and Finesse login. Note: This document references constraints on the claim rule name and display names such as NameID, FQDN of UCCX, etc. Though custom fields and names may be applicable at various sections, the claim rule names and display names are kept standard throughout to maintain consistency and for best practices in naming convention.

Claim Rule 2: Add another rule of type custom claim rule with name as the Fully Qualified Hostname (FQDN) of Cisco Identity Server and add this rule text. c : [ T y p e = = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.issuer, OriginalIssuer = c.originalissuer, Value = c.value, ValueType = c.valuetype, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:saml:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = " h t t p : / / < A D F S S e r v e r F Q D N > / A D F S / s e r v i c e s / t r u s t ", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<fully qualified hostname of IdS/UCCX>"); In Cisco Identity Server cluster, all fully qualified hostnames are that of the Cisco Identity Server primary or publisher node. The <fully qualified hostname of Cisco Identity Server> is case-sensitive, so it matches exactly (including case) with the Cisco Identity Server FQDN. The <ADFS Server FQDN> is case-sensitive, so it matches exactly (including case) with the ADFS FQDN.

Step 8. Right-click on the Relying Party Trust and then click on Properties and select the advanced tab, as shown in the image.

Step 9. As shown in the image, select Secure Hash Algorithm (SHA) as SHA-1.

Step 10. Click OK. ADFS 3.0: Step 1. In ADFS server navigate to, Server Manager > Tools > AD FS Management.

Step 2. Navigate to AD FS > Trust Relationship > Relying Party Trust. Step 3. Select the option Import data about the relying party from a file.

Step 4. Complete the establishing of the relying party trust.

Step 5. In the properties of the Relying Party Trust, select the Identifier tab.

Step 6. Set the identifier as the fully qualified hostname of Cisco Identity Server from which sp.xml is downloaded.

Step 7. Right-click on the Relying Party Trust and then click on Edit Claim Rules. You need to add two claim rules, one is when the LDAP (Lightweight Directory Access Protocol) attributes are matched while the second is through custom claim rules. uid - This attribute is needed for the applications to identify the authenticated user. user_principal - This attribute is needed by Cisco Identity Service to identify the realm of the authenticated user. Claim Rule 1:

Add a rule by name NameID of type (Send the values of LDAP attribute as claims): Select Attribute store as Active Directory. Map Ldap attribute User-Principal-Name to user_principal (lowercase). Choose the LDAP attribute that has to be used as userid for application users to log in and map it to uid (lowercase) Example Configuration when SamAccountName is to be used as User Id: Map the LDAP attribute SamAccountName to uid. Map the LDAP attribute User-Principal-Name to user_principal. Example Configuration when UPN has to be used as user Id - Map the LDAP attribute User-Principal-Name to uid. Map the LDAP attribute User-Principal-Name to user_principal. Example Configuration when PhoneNumber has to be used as user Id - Map the LDAP attribute telephonenumber to uid. Map the LDAP attribute User-Principal-Name to user_principal.

Note: We need to ensure that the LDAP attribute configured for User ID on CUCM LDAP sync should match what is configured as the LDAP Attribute for uid in the ADFS claim rule NameID. This is for proper functioning of Cisco Unified Intelligence Center (CUIC) and Finesse login. Note: This document references constraints on the claim rule name and display names such as NameID, FQDN of UCCX, etc. Though custom fields and names may be applicable at various sections, the claim rule names and display names are kept standard throughout to maintain consistency and for best practices in naming convention.

Claim Rule 2: Add another rule of type custom claim rule with name as the Fully Qualified Hostname (FQDN) of Cisco Identity Server and add this rule text. c : [ T y p e = = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.issuer, OriginalIssuer = c.originalissuer, Value = c.value, ValueType = c.valuetype, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:saml:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = " h t t p : / / < A D F S S e r v e r F Q D N > / A D F S / s e r v i c e s / t r u s t ", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<fully qualified hostname of IdS/UCCX>"); In Cisco Identity Server cluster, all fully qualified hostnames are that of the Cisco Identity Server primary or publisher node. The <fully qualified hostname of Cisco Identity Server> is case-sensitive, so it matches exactly (including case) with the Cisco Identity Server FQDN. The <ADFS Server FQDN> is case-sensitive, so it matches exactly (including case) with the ADFS FQDN.

Step 8. Right-click on the Relying Party Trust and then click on Properties and select the advanced tab

Step 9. As shown in the image, select Secure Hash Algorithm (SHA) as SHA-1.

Step 10 - Click OK. These steps are mandatory after Step 10. Enable Signed SAML Assertions for the Relying Party Trust (Cisco Identity Service) Step 1. Click Start and enter powershell to open windows powershell.

Step 2. Add ADFS CmdLet to the powershell by running the command Add-PSSnapin

Microsoft.Adfs.Powershell. Step 3 - Run the command, Set-ADFSRelyingPartyTrust -TargetName <Relying Party Trust Name> -SamlResponseSignature "MessageAndAssertion".

Note: Step 2 may not be needed if you are using ADFS 3.0 since the CmdLet is already installed as a part of adding the roles and features. Note: The <Relying Party Trust Identifier> is case-sensitive, so it matches (including case) with what is set in the Identifier tab of the relying party trust properties. Note: Cisco Identity Service supports SHA-1. The relying party trust uses SHA-1 for signing the SAML request and expects ADFS to do the same in the response. For a Multi-domain Configuration for Federated ADFS In case of Federation in ADFS, where a ADFS in particular domain provides federated SAML authentication for users in other configured domains, these are the additional configurations that are needed. For this sections, the term primary ADFS refers to the ADFS that has to be used in IdS. The term Federated ADFS indicates those ADFS, whose users are allowed to log in via IdS and thus, is the primary ADFS. Federated ADFS Configuration

In each of the federated ADFS, the relying party trust has to be created for primary ADFS and the claim rules configured as mentioned in the previous section. Primary ADFS Configuration For primary ADFS, apart from the relying party trust for IdS, the following additional configuration is needed. Add Claim Provider Trust with the ADFS to which federation has to be setup. In the Claim Provider Trust, ensure that the Pass through or Filter an Incoming Claim rules are configured with pass through all claim values as the option Name ID Choose Name ID from Incoming Claim Type drop box Choose Transient as the option for Incoming NameID format uid: This is a custom claim. Enter the value uid in the Incoming Claim Type drop box. user_principal: This is a custom claim. Type the value user_principal in the Incoming Claim Type drop box. In the relying party trust for IdS, add Pass though or Filter an Incoming Claim rules with pass through all claim values as the option. NameIDFromSubdomain Choose Name ID from Incoming Claim Type drop box Choose Transient as the option for Incoming NameID format uid: This is a custom claim. Type the value uid in the Incoming Claim Type drop box user_principal: This is a custom claim. Type the value user_principal in the Incoming Claim Type drop box Kerberos Authentication (Integrated Windows Authentication) Integrated Windows Authentication (IWA) provides mechanism for authentication of users, but does not allow credentials to be transmitted over the network. When you enable integrated Windows authentication, it works on the basis of tickets to allow nodes communicating over a nonsecure network to prove their identity to one another in a secure manner. It allows users to login to a domain after login into their windows machines. Note: Kerberos authentication is supported only from 11.6 and above. Domain users who are already logged into the domain controller (DC) will be seamlessly logged into SSO clients without the need to re-enter the credentials. For non-domain users, IWA falls back to NTLM (New Technology Local Area Network Manager) and login dialog appears. The qualification for IdS with IWA authentication is done with Kerberos against ADFS 3.0. Step 1. Open Windows command prompt and run as Admin user to register http service with setspn command setspn -s http/<adfs url> <domain>\<account name>.

Step 2. Disable Form Authentication and enable Windows Authentication for Intranet sites. Go to ADFS Management > Authentication Policies > Primary Authentication > Global Settings > Edit. Under Intranet, ensure that only Windows Authentication is checked (Uncheck Form Authentication). Configuration for Microsoft Internet Explorer for IWA Support Step 1. Ensure that Internet Explorer > Advanced > Enable Integrated Windows Authentication is checked.

Step 2. ADFS url needs to be added to Security >Intranet zones > Sites (winadcom215.uccx116.com is ADFS url)

Step 3. Ensure that Internet Exporer > Security > Local Intranet > Security Settings > User Authentication - Logon is configured in order to use the logged-in credentials for intranet sites.

Configuration required for Mozilla Firefox for IWA Support Step 1. Enter into the configuration mode for Firefox. Open Firefox and enter about:config on the URL. Accept the risks statement. Step 2. Search for ntlm and enable the network.automatic-ntlm-auth.allow-non-fqdn and set it to true. Step 3. Set the network.automatic-ntlm-auth.trusted-uris to the domain or explicitly the ADFS URL.

Configuration required for Google Chrome for IWA Support Google Chrome in Windows uses the Internet Explorer settings, so configure within Internet Explorer's Tools >Internet Options dialog, or from Control Panel under Internet Options within sub-category Network and Internet. Further Configuration for SSO: This document describes the configuration from the IdP aspect for SSO to integrate with the Cisco Identity Service. For further details, refer to the individual product configuration guides: UCCX UCCE PCCE Verify This procedure is used to determine if the relying party trust is established properly between Cisco IdS and IDP. From broswer enter the URL https://<adfs_fqdn>/adfs/ls/idpinitiatedsignon.aspx?logintorp=<ids_fqdn> ADFS will provide the login form. This will be available when the above configuration is right. On successful authentication, browser should redirect to https://<ids_fqdn>:8553/ids/saml/response and a checklist page will appear. Note: The Checklist page which appears as a part of the verification process is not an error but a confirmation that the trust is properly established. Troubleshoot For troubleshoot refer - https://www.cisco.com/c/en/us/support/docs/customer- collaboration/unified-contact-center-express/200662-adfs-ids-troubleshooting-and-common- Prob.html

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback