Directories Services and Single Sign-On for Collaboration

Similar documents
Kaltura MediaSpace SAML Integration Guide. Version: 5.0

Leave Policy. SAML Support for PPO

Configure ISE 2.3 Guest Portal with OKTA SAML SSO

Media Shuttle SAML Configuration. October 2017 Revision 2.0

Implement SAML 2.0 SSO in WLS using IDM Federation Services

Single Sign-On (SSO) Using SAML

Session 2.1: Federations: Foundation. Scott Koranda Support provided by the National Institute of Allergy and Infectious Diseases

Generic Structure of the Treatment Relationship Assertion

Security Assertion Markup Language (SAML) applied to AppGate XDP

SAML-Based SSO Solution

Single Sign-On Implementation Guide

SAML 2.0 Single Sign On with Citrix NetScaler

eidas SAML Message Format

SAML-Based SSO Solution

Integration Guide. SafeNet Authentication Service. Protecting Syncplicity with SAS

FAS SAML Integration Guide

i-ready Support for Single Sign-On (SSO)

Single Sign-On Implementation Guide

GFIPM Web Browser User-to-System Profile Version 1.2

Advanced Configuration for SAML Authentication

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

Introducing Shibboleth. Sebastian Rieger

DocuSign Single Sign On Implementation Guide Published: June 8, 2016

Configuring Alfresco Cloud with ADFS 3.0

Using VMware Horizon Workspace to Enable SSO in VMware vcloud Director 5.1

Suomi.fi e-identification Technical interface description

eidas-node and SAML Version 2.0

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

SAML-Based SSO Configuration

Udemy for Business SSO. Single Sign-On (SSO) capability for the UFB portal

Integrating PingFederate with Citrix NetScaler Unified Gateway as SAML IDP

SAML V2.0 Deployment Profiles for X.509 Subjects

SAML-Based SSO Configuration

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

Research Collaboration IAM Needs

Authentication. Katarina

Web Services Security: SAML Interop 1 Scenarios

User Management Interfaces for Earth Observation Services

SAML Authentication with Pulse Connect Secure and Pulse Secure Virtual Traffic Manager

Higgins SAML2 IdP Tutorial

eidas Technical Specifications

AAI Login Demo. SWITCHaai Introduction Course Bern, 1. March Daniel Lutz

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 12.0(1)

Deploying OAuth with Cisco Collaboration Solution Release 12.0

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Warm Up to Identity Protocol Soup

Web Based Single Sign-On and Access Control

SAML SSO Okta Identity Provider 2

Network Security. Chapter 10. XML and Web Services. Part II: II: Securing Web Services Part III: Identity Federation

Okta Embedded-OCC Implementation Guide

McAfee Cloud Identity Manager

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Unity Connection Version 10.5 SAML SSO Configuration Example

Quick Start Guide for SAML SSO Access

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Manage SAML Single Sign-On

October 14, SAML 2 Quick Start Guide

All about SAML End-to-end Tableau and OKTA integration

Configuration Guide - Single-Sign On for OneDesk

Access Management Handbook

OIO Bootstrap Token Profile

Quick Start Guide for SAML SSO Access

Liferay Security Features Overview. How Liferay Approaches Security

SAML 2.0 SSO Extension for Dynamically Choosing Attribute Values

Single Sign-On Administrator Guide

Identity management. Tuomas Aura T Information security technology. Aalto University, autumn 2011

Single Sign-On Administrator Guide

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

SAML2 Metadata Exchange & Tagging

esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5

This section includes troubleshooting topics about single sign-on (SSO) issues.

edugain Policy Framework SAML Profile

DDS Identity Federation Service

Single Sign-On User Guide. Cvent, Inc 1765 Greensboro Station Place McLean, VA

DRAFT For Discussion Purposes Only

Identity Provider for SAP Single Sign-On and SAP Identity Management

Exostar Identity Access Platform (SAM) User Guide September 2018

Okta Integration Guide for Web Access Management with F5 BIG-IP

RSA SecurID Access SAML Configuration for Brainshark

April Understanding Federated Single Sign-On (SSO) Process

Electronic ID at work: issues and perspective

AdminCamp Christian Henseler, Christian Henseler,

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Specifications for interoperable access to edelivery and esafe systems

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Exostar Identity Access Platform (SAM) User Guide July 2018

Formatted: Font: Century Gothic, 12 pt

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Building a Well Managed Cloud Application. Okta Inc. 301 Brannan Street San Francisco, CA

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

Qualys SAML & Microsoft Active Directory Federation Services Integration

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

NETOP PORTAL ADFS & AZURE AD INTEGRATION

SELF SERVICE INTERFACE CODE OF CONNECTION

Delegated authentication Electronic identity: delegated and federated authentication, policy-based access control

Oracle Utilities Opower Solution Extension Partner SSO

Transcription:

Directories Services and Single Sign-On for Collaboration Paulo Jorge Correia BRKUCC-2664

Agenda Identity Challenges and Market Analysis SSO Technologies and protocol Deep Dive OAuth Protocol SAML Protocol Identity Management for on-premise Identity Management for WebEx Identity Management for Spark SSO with IDaaS vendors Conclusions and Key Takeaways

Identity Challenges and Market Analysis

2016 Internet Security Report BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 5

Known breaches Breaches don t happen only in Web organisations that mainly target consumers Source http://www.informationisbeautiful. net/visualizations/worlds-biggestdata-breaches-hacks/ BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 6

Need For Strong Authentication Additional identification steps significantly increases security Username and passwords are no match for today s sophisticated hackers Solution is easy to deploy and easy to use ensuring user adoption Strong Authentication strengthens identity and access security by combining two or more identifiable elements Something you HAVE Something you KNOW Something you ARE BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 7

SSO Technologies and Protocol Deep Dive

Identity Framework Explicit Initial Trust Agreement IdP Identity Provider RP Relying Party Users BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 9

Authentication and Authorisation (AuthN and AuthZ) The process of authorisation is distinct from that of authentication. Whereas authentication is the process of verifying that "you are who you say you are", authorisation is the process of verifying that "you are permitted to do what you are trying to do". When you enter a hotel and walk up to reception, the receptionist authenticates you by checking your passport. Authentication Your room key is your authorisation token to enter your room and any resource that you are entitled in the Hotel Paulo You do not need your passport to enter your room. Your room key authorises you to enter your room only, and not any other rooms. The room key / authorisation token does not identify the holder of the key / token. Authorisation After authentication has taken place, the receptionist gives you a room key. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 10

Single Sign-On Definition Single Sign-On (SSO) is a session/user authentication process that permits a user to provide credentials only once in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session. With SSO the barriers for deploying stronger authentication is much lower. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 11

Role of Identity Providers (IdP) Validate who you are? Review personally identifying information to prove you are who you say you are (identity proofing), such as drivers license, passport, or biometric data Assign attributes [(name, role, email address] in the identity management system. Validate and transact authentication requests? Verifying that the person seeking access to a resource is the one previously identified and approved by utilising some form of authentication system, often a username and password. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 12

Which IdP Does Cisco Supports? Cisco supports any IdP vendor that is compliant with the SAMLv2 Oasis Standard. Internally in our development test cycles, we test our products against selected authentication methods of the follow IdP s : Microsoft Active Directory Federation Services (ADFS) 2.0 Open Access Manager (OpenAM) 11.0 PingFederate 6.10.0.4 BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 13

OAuth Protocol

OAuth 2.0 The OAuth 2.0 authorisation protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. It is an Authorisation protocol Valet key concept Eliminate the need for web sites to ask for passwords when you are accessing to your information. The resource owner authorise a client to access to resources in a server Client can be web app, desktop/phone app, JS in browser BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

OAuth main purpose OAuth provides the ability for these applications to access a user s data securely, without requiring the user to hand over his account password Web applications that use OAuth (over 16,000 API s) https://www.programmableweb.com/apis/directory/1? auth=oauth A common protocol for handling API authorisation greatly improves the developer experience because it lessens the learning curve required to integrate with a new API BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 16

SAML Protocol

SAML 2.0? The SAML standard is managed by the OASIS Security Services Technical Committee http://www.oasis-open.org/committees/security SAML is a protocol specification to use when two servers need to share users identity information. Nothing in the SAML specification provides the actual authentication service, with it we can : Single Sign-On across domains Cookies prevent the need for reauthorisation SSO interoperability between different entities Web Service Security (SAML allows for the exchange of assertions within a SOAP document) Federated Identity (consolidate identities across organisational boundaries) BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 18

SAML 2.0 SP inititate Flow 5. Authentication Statement 3. SAML request 4. Authenticate method define by IdP IdP Identity Provider 6. SAML Subject passes statement to RP ( this includes any attributes that are requested ) 1. Resource Request 2. Authentication Request RP Relying Party Ex: Spark, WebEx, CUCM, etc. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 19 19

SAML Cookies to Prevent Re-authentication IdP Identity Provider RP Relying Party Ex: CUCM BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 20

SAML Cookies to Prevent Re-authentication IdP Cookie -> our recommendation for the Session Timer is 48 hours But most of the IdP s issue session base cookies Service Cookie -> Our recommendation for the Session Timer is 30 minutes BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 21

SAML 2.0 Cookies to Prevent Re-authentication Cisco Jabber 4. Authentication method define by IdP 3.GET with SAML authentication request Identity Provider IdP Cookie 5. Signed response in hiden HTML form with IdP cookie 1. Resource Request 6. POST signed response 2. Redirect with SAML authentication request CUCM Cookie CUCM 7. Supply resource with cookie BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 22

SAML 2.0 Cookies to Prevent Re-authentication Cisco Jabber 3.GET with SAML authentication request with IdP Cookie No Authentication needed since IdP Cookie is valid CUCM Cookie IdP Cookie IdP Cookie 4. Signed response in hidden HTML form Identity Provider 5. POST signed response 1. Resource Request 2. Redirect with SAML authentication request 6. Supply resource with cookie WebEx Cookie CUCM Unity Connections WebEx MC BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 23

SAML Establish Initial Agreement

Establish Trust Metadata File exchange IdP Identity Provider Metadata Exchange RP Relying Party Ex: WebEx BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 25

Establish Trust CUCM Metadata file Single Cluster always Agreement the CUCM & IM&P cluster IdP Identity Provider With Single Cluster agreement the entityid is Publisher FQDN <?xml version="1.0" encoding="utf-8"?> <md:entitydescriptor entityid="cucm0a.identitylab20.ciscolabs.com" ID="cucm0a.identitylab20.ciscolabs.com" xmlns:md="urn:oasis:names:tc:saml:2.0:metadata"> <md:spssodescriptor protocolsupportenumeration="urn:oasis:names:tc:saml:2.0:protocol" WantAssertionsSigned="false" We don t require for AuthN or AuthnRequestsSigned="false"> <md:keydescriptor use="signing"> signed Assertions but comply <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> to what the IdP requests <ds:x509data> <ds:x509certificate>miigjjcc..</ds:x509certificate> </ds:x509data> </ds:keyinfo> </md:keydescriptor> <md:keydescriptor use="encryption"> We use the Tomcat Multi <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:x509data> Server SAN for Signing <ds:x509certificate>miigjjcc..</ds:x509certificate> </ds:x509data> </ds:keyinfo> </md:keydescriptor> <md:nameidformat>urn:oasis:names:tc:saml:2.0:nameid-format:transient</md:nameidformat> <md:assertionconsumerservice index="0" Location="https://cucm0a.identitylab20.ciscolabs.com:8443/ssosp/saml/SSO/alias/cucm0a.identitylab20.ciscolabs.com" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/> <md:assertionconsumerservice index="1 Location="https://cucm0a.identitylab20.ciscolabs.com:8443/ssosp/saml/SSO/alias/cucm0a.identitylab20.ciscolabs.com" URL for the Client to POST the Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/> <md:assertionconsumerservice index="2" answer from the IdP, two per Location="https://cucm0b.identitylab20.ciscolabs.com:8443/ssosp/saml/SSO/alias/cucm0b.identitylab20.ciscolabs.com" node in the cluster Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>.. </md:spssodescriptor> </md:entitydescriptor> BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 26

Establish Trust CUCM Metadata files Per node Agreement CUCM & IM&P cluster IdP Identity Provider <?xml version="1.0" encoding="utf-8"?> <md:entitydescriptor entityid="cucm0a.identitylab20.ciscolabs.com" ID="cucm0a.identitylab20.ciscolabs.com" xmlns:md="urn:oasis:names:tc:saml:2.0:metadata"> <md:spssodescriptor protocolsupportenumeration="urn:oasis:names:tc:saml:2.0:protocol" WantAssertionsSigned="false" AuthnRequestsSigned="false"> <md:keydescriptor use="signing"> <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:x509data> <ds:x509certificate>miigjjcc..</ds:x509certificate> </ds:x509data> </ds:keyinfo> </md:keydescriptor> <md:keydescriptor use="encryption"> <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:x509data> <ds:x509certificate>miigjjcc..</ds:x509certificate> </ds:x509data> </ds:keyinfo> </md:keydescriptor> <md:nameidformat>urn:oasis:names:tc:saml:2.0:nameid-format:transient</md:nameidformat> <md:assertionconsumerservice index="0" Location="https://cucm0a.identitylab20.ciscolabs.com:8443/ssosp/saml/SSO/alias/cucm0a.identitylab20.ciscolabs.com" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/> <md:assertionconsumerservice index="1 Location="https://cucm0a.identitylab20.ciscolabs.com:8443/ssosp/saml/SSO/alias/cucm0a.identitylab20.ciscolabs.com" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/> <md:assertionconsumerservice index="2" Location="https://cucm0b.identitylab20.ciscolabs.com:8443/ssosp/saml/SSO/alias/cucm0b.identitylab20.ciscolabs.com" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>.. </md:spssodescriptor> </md:entitydescriptor> BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 27

Identity Management for On- Premise

Identity Management for WebEx

Identity Management for Spark

Spark Client Spark Service Common Identity Customer IdP Access to Service Prompt for Email address, metric service contacted BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

Spark Client Spark Service Common Identity Customer IdP Verify Email Address BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 32

Spark Client Spark Service Common Identity Customer IdP OAuth Server Exchange Go to CI OAuth Server and request a token -> URL for Authentication Server will be provided BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 33

Spark Client Spark Service Common Identity Customer IdP Identity Broker Exchange If SSO is enabled, Identity Broker redirect to the IdP. IdP URL was provided in the metadata Exchange, when configured SAML initial agreement BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 34

Spark Client Spark Service Common Identity Customer IdP HTTP POST Spark will request a SAML assertion from the IdP by doing a SAML HTTP POST 35

Spark Client Spark Service Common Identity Customer IdP Authentication Authentication will happen between Operating System Web resource and the IdP BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 36

Spark Client Spark Service Common Identity Customer IdP HTTP POST Client does an HTTP POST back to CI with the attributes provided by the IdP and agreed with the initial agreement 37

SAML Assertion from IdP to Spark Same Relay state as the SAML request from the Spark <saml2p:response Destination="https://idbroker.webex.com/idb/Consumer/metaAlias/ea7c1420-711d- 4916-95f8-22de53230d1e/sp" ID="_157561492b8068bb78f4cb242ad4f006" InResponseTo="s2e747a3b284812b71ccd8ac1dce98d00cbfa7555b" IssueInstant="2017-01-30T17:13:22.572Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:saml:2.0:protocol" > <saml2:issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion" >https://shib9a.cisco.net/idp/shibboleth</saml2:issuer> <saml2p:status> <saml2p:statuscode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </saml2p:status> <saml2:assertion ID="_574a68c9ba24935315c606a48902e50f" IssueInstant="2017-01-30T17:13:22.572Z" Sucessefull SAML Version="2.0" Assertion xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion" xmlns:xs="http://www.w3.org/2001/xmlschema" > <saml2:issuer Format="urn:oasis:names:tc:SAML:2.0:nameidformat:entity">https://shib9a.cisco.net/idp/shibboleth</saml2:Issuer> When the assertion was created <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:signedinfo> <ds:canonicalizationmethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:signaturemethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:reference URI="#_574a68c9ba24935315c606a48902e50f"> <ds:transforms> <ds:transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:inclusivenamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:transform> </ds:transforms> <ds:digestmethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:digestvalue>f4b90sjgqwcrjauycrl7xs2ncdw=</ds:digestvalue> </ds:reference> </ds:signedinfo> <ds:signaturevalue>l0n0sdiaxfyl4eg6sc9jrajnia85a9oj77bftwflk8vcqomtleqtcopc08zxhsdszyw hivi/wfyqjnjninmmda8f7xdfh+qfrhlsbgw0d4wry4qt3xz59ucsgfdwkafy6ou2kqrb5zzracexx/pqyvsrfkl 7zhw83KvU5Wm/hYbaHpI4eu+0lZ/O4Dyr2r7tz/MF/XBipN3IMATQbswiFDtFFlqpFtfnp0mPqSYwgakDG4ZSslCEw O2ateKlI8c2pelKkDOxO1fvbJV8CjykxBV/k8a+GPuxCrl27EP12MN3MZ/VxPgaNiLQeNXS8z3UlO47kN/wYmxfNcQ YEbHWHg==</ds:SignatureValue> <ds:keyinfo> <ds:x509data> IdP Signature and Certificate for Spark to validate <ds:x509certificate>miidkzccahogawibagiunxwxwlgu07iluaaqto3xa/xhfi0wdqyjkozihvcnaqefbqawg zezmbcg 6k9FCGi2Hd3q9GW0iYUJi68=</ds:X509Certificate> </ds:x509data> </ds:keyinfo> </ds:signature> BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 38

SAML Assertion from IdP to Spark <saml2:subject> <saml2:nameid Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameID format, Spark NameQualifier="https://shib9a.cisco.net/idp/shibboleth" SPNameQualifier="https://idbroker.webex.com/ea7c1420-711d-4916-95f8-22de53230d1e">_306e0e97b606cc3199a28e72c95aa206 supported transient, </saml2:nameid> <saml2:subjectconfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:subjectconfirmationdata Address="172.16.36.50" InResponseTo="s2e747a3b284812b71ccd8ac1dce98d00cbfa7555b NotOnOrAfter="2017-01-30T17:18:22.572Z" Recipient="https://idbroker.webex.com/idb/Consumer/metaAlias/ea7c1420-711d-4916-95f8-22de53230d1e/sp"/> </saml2:subjectconfirmation> </saml2:subject> <saml2:conditions NotBefore="2017-01-30T17:13:22.572Z" NotOnOrAfter="2017-01-30T17:18:22.572Z"> <saml2:audiencerestriction> <saml2:audience>https://idbroker.webex.com/ea7c1420-711d-4916-95f8-22de53230d1e</saml2:audience> </saml2:audiencerestriction> </saml2:conditions> Entity ID that this assertion should apply to Time window when this SAML assertion is accepted unspecified and email BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 39

NameID formats support by Spark UNSPECIFIED <saml2:nameid Format="urn:oasis:names:tc:SAML:1.1:nameidformat:unspecified NameQualifier="https://shib9a.cisco.net/idp/shibboleth" SPNameQualifier="https://idbroker.webex.com/ea7c1420-711d-4916-95f8-22de53230d1e"> _306e0e97b606cc3199a28e72c95aa206 </saml2:nameid> <saml2:attributestatement> <saml2:attribute Name="uid NameFormat="urn:oasis:names:tc:SAML:2.0:attrnameformat:unspecified"> <saml2:attributevalue xmlns:xsi=http://www.w3.org/2001/xmlschema-instance xsi:type="xs:string"> paucorre@identitylab20.ciscolabs.com </saml2:attributevalue> </saml2:attribute> </saml2:attributestatement> NameID format unspecified require SPNameQualifier and the extra attribute (uid) statement NameID format transient require SPNameQualifier and the extra attribute (uid) statement NameID format email require SPNameQualifier but doesn t require any extra attribute EMAIL <saml:nameid Format="urn:oasis:names:tc:SAML:1.1:nameidformat:emailAddress SPNameQualifier="https://idbroker.webex.com/ea7c1420-711d- 4916-95f8-22de53230d1e"> paucorre@identitylab20.ciscolabs.com </saml:nameid> TRANSIENT <saml:nameid Format="urn:oasis:names:tc:SAML:2.0:nameidformat:transient" NameQualifier="ping8a.uc8sevtlab13.com SPNameQualifier="https://idbroker.webex.com/8538f9ff-4f12-440a-9880-3488bc3eb146"> RbtO77X6eKfPUF5OhPrAKTCE88e </saml:nameid> <saml:attributestatement> <saml:attribute Name="uid NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:attributevalue xsi:type="xs:string xmlns:xs=http://www.w3.org/2001/xmlschema xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"> paucorre@uc8sevtlab13.com </saml:attributevalue> </saml:attribute> </saml:attributestatement> BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 40

Spark Client Spark Service Common Identity Customer IdP HTTP POST Gets an authorisation Code that will be replaced with an OAuth access and refresh Token, and will be use from here on to access resources on behalf of the user BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 41

Cisco Spark Spark Thick Client Embedded Browser Spark Service Common Identity OAuth Identity Broker Customer IdP Access Service Redirect to Authorisation Service Authz URL AuthZ URL Redirect to the AuthN AuthN Request Provide IdP URL for SAML Exchange SAML GET Authentication request Authentication Provided SAML POST with uid and IdP cookie Access_token POST SAML Assertion Redirect to the Oauth Service with SAML cookie and UID of the user Provides SAML cookie and UID to OAuth Service Send back OAuth Token Validates Assertion and create the SAML SP cookie Verifies Entitlement and Scope for the user and generate OAuth Token Access to the Spark Service BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 42

SSO with IDaaS Vendors

What is an IDaaS? Cloud-based service in a multitenant or dedicated and hosted delivery model. The service brokers a set of functionality across multiple IAM functions specifically, identity and governance administration (IGA), access enforcement, and analytics functions. Gartner predicts that 40% of identity and access management (IAM) purchases will use the identity and access management as a service (IDaaS) delivery model by 2020, up from just 20% in 2016. Source : Gartner - Magic Quadrant for Identity and Access Management as a Service BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 44

Cisco Cloud Collaboration Services Integration Some of the IDaaS vendor already have templates defined that almost doesn t need any configuration apart from providing the ORG id. The provide services for thousands of SSO enabled apps, where the users of a customer just need to login to a single apps and all other will receive information from the first login. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 45

Cisco On-premise Integration with IDaaS before 11.5 Before 11.5 CUCM & IM&P cluster Before CSR 11.5 Cisco on-premise collaboration products require on IdP agreement per node in the cluster. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 46

Cisco On-premise Integration with IDaaS before 11.5 Before 11.5 CUCM & IM&P cluster But a single cluster can import a single metadata file from the IdP BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 47

Cisco On-premise Integration with IDaaS on 11.5 11.5 and forward CUCM & IM&P cluster With CSR 11.5 and after Cisco on-premise collaboration products require on the IdP a single agreement per cluster. To achieve single cluster agreement, Cisco uses a SAML specification that allow for multiple AssertionConsumerService tags BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 48

Cisco On-premise Integration with IDaaS on 11.5 All the IDaaS vendor don t support multiple AssertionConsumerServices tags, you can only specify one. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 49

Cisco On-premise Integration with OKTA on 11.5 With the exception of OKTA that develop the support for multiple AssertionConsumerService. In order to integrate with customer that have SAML enabled applications where multiple nodes need to access to a single IdP agreement. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 50

Cisco On-premise Integration with OKTA on 11.5 For the integration to be configured we need to open the CUCM cluster metadata file and copy the AssertionConsumerService that have the bindings HTTP- POST. 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 51

Conclusion and Key Takeaways

Q & A

Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2017 Cap by completing the overall event evaluation and 5 session evaluations. All evaluations can be completed via the Cisco Live Mobile App. Caps can be collected Friday 10 March at Registration. Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.ciscoliveapac.com BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 54

Thank you

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback