Directories Services and Single Sign-On for Collaboration Paulo Jorge Correia BRKUCC-2664
Agenda Identity Challenges and Market Analysis SSO Technologies and protocol Deep Dive OAuth Protocol SAML Protocol Identity Management for on-premise Identity Management for WebEx Identity Management for Spark SSO with IDaaS vendors Conclusions and Key Takeaways
Identity Challenges and Market Analysis
2016 Internet Security Report BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Known breaches Breaches don t happen only in Web organisations that mainly target consumers Source http://www.informationisbeautiful. net/visualizations/worlds-biggestdata-breaches-hacks/ BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 6
Need For Strong Authentication Additional identification steps significantly increases security Username and passwords are no match for today s sophisticated hackers Solution is easy to deploy and easy to use ensuring user adoption Strong Authentication strengthens identity and access security by combining two or more identifiable elements Something you HAVE Something you KNOW Something you ARE BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 7
SSO Technologies and Protocol Deep Dive
Identity Framework Explicit Initial Trust Agreement IdP Identity Provider RP Relying Party Users BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
Authentication and Authorisation (AuthN and AuthZ) The process of authorisation is distinct from that of authentication. Whereas authentication is the process of verifying that "you are who you say you are", authorisation is the process of verifying that "you are permitted to do what you are trying to do". When you enter a hotel and walk up to reception, the receptionist authenticates you by checking your passport. Authentication Your room key is your authorisation token to enter your room and any resource that you are entitled in the Hotel Paulo You do not need your passport to enter your room. Your room key authorises you to enter your room only, and not any other rooms. The room key / authorisation token does not identify the holder of the key / token. Authorisation After authentication has taken place, the receptionist gives you a room key. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Single Sign-On Definition Single Sign-On (SSO) is a session/user authentication process that permits a user to provide credentials only once in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session. With SSO the barriers for deploying stronger authentication is much lower. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Role of Identity Providers (IdP) Validate who you are? Review personally identifying information to prove you are who you say you are (identity proofing), such as drivers license, passport, or biometric data Assign attributes [(name, role, email address] in the identity management system. Validate and transact authentication requests? Verifying that the person seeking access to a resource is the one previously identified and approved by utilising some form of authentication system, often a username and password. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Which IdP Does Cisco Supports? Cisco supports any IdP vendor that is compliant with the SAMLv2 Oasis Standard. Internally in our development test cycles, we test our products against selected authentication methods of the follow IdP s : Microsoft Active Directory Federation Services (ADFS) 2.0 Open Access Manager (OpenAM) 11.0 PingFederate 6.10.0.4 BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
OAuth Protocol
OAuth 2.0 The OAuth 2.0 authorisation protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf. It is an Authorisation protocol Valet key concept Eliminate the need for web sites to ask for passwords when you are accessing to your information. The resource owner authorise a client to access to resources in a server Client can be web app, desktop/phone app, JS in browser BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
OAuth main purpose OAuth provides the ability for these applications to access a user s data securely, without requiring the user to hand over his account password Web applications that use OAuth (over 16,000 API s) https://www.programmableweb.com/apis/directory/1? auth=oauth A common protocol for handling API authorisation greatly improves the developer experience because it lessens the learning curve required to integrate with a new API BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
SAML Protocol
SAML 2.0? The SAML standard is managed by the OASIS Security Services Technical Committee http://www.oasis-open.org/committees/security SAML is a protocol specification to use when two servers need to share users identity information. Nothing in the SAML specification provides the actual authentication service, with it we can : Single Sign-On across domains Cookies prevent the need for reauthorisation SSO interoperability between different entities Web Service Security (SAML allows for the exchange of assertions within a SOAP document) Federated Identity (consolidate identities across organisational boundaries) BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 18
SAML 2.0 SP inititate Flow 5. Authentication Statement 3. SAML request 4. Authenticate method define by IdP IdP Identity Provider 6. SAML Subject passes statement to RP ( this includes any attributes that are requested ) 1. Resource Request 2. Authentication Request RP Relying Party Ex: Spark, WebEx, CUCM, etc. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 19 19
SAML Cookies to Prevent Re-authentication IdP Identity Provider RP Relying Party Ex: CUCM BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
SAML Cookies to Prevent Re-authentication IdP Cookie -> our recommendation for the Session Timer is 48 hours But most of the IdP s issue session base cookies Service Cookie -> Our recommendation for the Session Timer is 30 minutes BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
SAML 2.0 Cookies to Prevent Re-authentication Cisco Jabber 4. Authentication method define by IdP 3.GET with SAML authentication request Identity Provider IdP Cookie 5. Signed response in hiden HTML form with IdP cookie 1. Resource Request 6. POST signed response 2. Redirect with SAML authentication request CUCM Cookie CUCM 7. Supply resource with cookie BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
SAML 2.0 Cookies to Prevent Re-authentication Cisco Jabber 3.GET with SAML authentication request with IdP Cookie No Authentication needed since IdP Cookie is valid CUCM Cookie IdP Cookie IdP Cookie 4. Signed response in hidden HTML form Identity Provider 5. POST signed response 1. Resource Request 2. Redirect with SAML authentication request 6. Supply resource with cookie WebEx Cookie CUCM Unity Connections WebEx MC BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
SAML Establish Initial Agreement
Establish Trust Metadata File exchange IdP Identity Provider Metadata Exchange RP Relying Party Ex: WebEx BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Establish Trust CUCM Metadata file Single Cluster always Agreement the CUCM & IM&P cluster IdP Identity Provider With Single Cluster agreement the entityid is Publisher FQDN <?xml version="1.0" encoding="utf-8"?> <md:entitydescriptor entityid="cucm0a.identitylab20.ciscolabs.com" ID="cucm0a.identitylab20.ciscolabs.com" xmlns:md="urn:oasis:names:tc:saml:2.0:metadata"> <md:spssodescriptor protocolsupportenumeration="urn:oasis:names:tc:saml:2.0:protocol" WantAssertionsSigned="false" We don t require for AuthN or AuthnRequestsSigned="false"> <md:keydescriptor use="signing"> signed Assertions but comply <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> to what the IdP requests <ds:x509data> <ds:x509certificate>miigjjcc..</ds:x509certificate> </ds:x509data> </ds:keyinfo> </md:keydescriptor> <md:keydescriptor use="encryption"> We use the Tomcat Multi <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:x509data> Server SAN for Signing <ds:x509certificate>miigjjcc..</ds:x509certificate> </ds:x509data> </ds:keyinfo> </md:keydescriptor> <md:nameidformat>urn:oasis:names:tc:saml:2.0:nameid-format:transient</md:nameidformat> <md:assertionconsumerservice index="0" Location="https://cucm0a.identitylab20.ciscolabs.com:8443/ssosp/saml/SSO/alias/cucm0a.identitylab20.ciscolabs.com" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/> <md:assertionconsumerservice index="1 Location="https://cucm0a.identitylab20.ciscolabs.com:8443/ssosp/saml/SSO/alias/cucm0a.identitylab20.ciscolabs.com" URL for the Client to POST the Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/> <md:assertionconsumerservice index="2" answer from the IdP, two per Location="https://cucm0b.identitylab20.ciscolabs.com:8443/ssosp/saml/SSO/alias/cucm0b.identitylab20.ciscolabs.com" node in the cluster Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>.. </md:spssodescriptor> </md:entitydescriptor> BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Establish Trust CUCM Metadata files Per node Agreement CUCM & IM&P cluster IdP Identity Provider <?xml version="1.0" encoding="utf-8"?> <md:entitydescriptor entityid="cucm0a.identitylab20.ciscolabs.com" ID="cucm0a.identitylab20.ciscolabs.com" xmlns:md="urn:oasis:names:tc:saml:2.0:metadata"> <md:spssodescriptor protocolsupportenumeration="urn:oasis:names:tc:saml:2.0:protocol" WantAssertionsSigned="false" AuthnRequestsSigned="false"> <md:keydescriptor use="signing"> <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:x509data> <ds:x509certificate>miigjjcc..</ds:x509certificate> </ds:x509data> </ds:keyinfo> </md:keydescriptor> <md:keydescriptor use="encryption"> <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:x509data> <ds:x509certificate>miigjjcc..</ds:x509certificate> </ds:x509data> </ds:keyinfo> </md:keydescriptor> <md:nameidformat>urn:oasis:names:tc:saml:2.0:nameid-format:transient</md:nameidformat> <md:assertionconsumerservice index="0" Location="https://cucm0a.identitylab20.ciscolabs.com:8443/ssosp/saml/SSO/alias/cucm0a.identitylab20.ciscolabs.com" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/> <md:assertionconsumerservice index="1 Location="https://cucm0a.identitylab20.ciscolabs.com:8443/ssosp/saml/SSO/alias/cucm0a.identitylab20.ciscolabs.com" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/> <md:assertionconsumerservice index="2" Location="https://cucm0b.identitylab20.ciscolabs.com:8443/ssosp/saml/SSO/alias/cucm0b.identitylab20.ciscolabs.com" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>.. </md:spssodescriptor> </md:entitydescriptor> BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 27
Identity Management for On- Premise
Identity Management for WebEx
Identity Management for Spark
Spark Client Spark Service Common Identity Customer IdP Access to Service Prompt for Email address, metric service contacted BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
Spark Client Spark Service Common Identity Customer IdP Verify Email Address BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
Spark Client Spark Service Common Identity Customer IdP OAuth Server Exchange Go to CI OAuth Server and request a token -> URL for Authentication Server will be provided BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
Spark Client Spark Service Common Identity Customer IdP Identity Broker Exchange If SSO is enabled, Identity Broker redirect to the IdP. IdP URL was provided in the metadata Exchange, when configured SAML initial agreement BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
Spark Client Spark Service Common Identity Customer IdP HTTP POST Spark will request a SAML assertion from the IdP by doing a SAML HTTP POST 35
Spark Client Spark Service Common Identity Customer IdP Authentication Authentication will happen between Operating System Web resource and the IdP BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 36
Spark Client Spark Service Common Identity Customer IdP HTTP POST Client does an HTTP POST back to CI with the attributes provided by the IdP and agreed with the initial agreement 37
SAML Assertion from IdP to Spark Same Relay state as the SAML request from the Spark <saml2p:response Destination="https://idbroker.webex.com/idb/Consumer/metaAlias/ea7c1420-711d- 4916-95f8-22de53230d1e/sp" ID="_157561492b8068bb78f4cb242ad4f006" InResponseTo="s2e747a3b284812b71ccd8ac1dce98d00cbfa7555b" IssueInstant="2017-01-30T17:13:22.572Z" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:saml:2.0:protocol" > <saml2:issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity" xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion" >https://shib9a.cisco.net/idp/shibboleth</saml2:issuer> <saml2p:status> <saml2p:statuscode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </saml2p:status> <saml2:assertion ID="_574a68c9ba24935315c606a48902e50f" IssueInstant="2017-01-30T17:13:22.572Z" Sucessefull SAML Version="2.0" Assertion xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion" xmlns:xs="http://www.w3.org/2001/xmlschema" > <saml2:issuer Format="urn:oasis:names:tc:SAML:2.0:nameidformat:entity">https://shib9a.cisco.net/idp/shibboleth</saml2:Issuer> When the assertion was created <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:signedinfo> <ds:canonicalizationmethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:signaturemethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:reference URI="#_574a68c9ba24935315c606a48902e50f"> <ds:transforms> <ds:transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> <ec:inclusivenamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:transform> </ds:transforms> <ds:digestmethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:digestvalue>f4b90sjgqwcrjauycrl7xs2ncdw=</ds:digestvalue> </ds:reference> </ds:signedinfo> <ds:signaturevalue>l0n0sdiaxfyl4eg6sc9jrajnia85a9oj77bftwflk8vcqomtleqtcopc08zxhsdszyw hivi/wfyqjnjninmmda8f7xdfh+qfrhlsbgw0d4wry4qt3xz59ucsgfdwkafy6ou2kqrb5zzracexx/pqyvsrfkl 7zhw83KvU5Wm/hYbaHpI4eu+0lZ/O4Dyr2r7tz/MF/XBipN3IMATQbswiFDtFFlqpFtfnp0mPqSYwgakDG4ZSslCEw O2ateKlI8c2pelKkDOxO1fvbJV8CjykxBV/k8a+GPuxCrl27EP12MN3MZ/VxPgaNiLQeNXS8z3UlO47kN/wYmxfNcQ YEbHWHg==</ds:SignatureValue> <ds:keyinfo> <ds:x509data> IdP Signature and Certificate for Spark to validate <ds:x509certificate>miidkzccahogawibagiunxwxwlgu07iluaaqto3xa/xhfi0wdqyjkozihvcnaqefbqawg zezmbcg 6k9FCGi2Hd3q9GW0iYUJi68=</ds:X509Certificate> </ds:x509data> </ds:keyinfo> </ds:signature> BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
SAML Assertion from IdP to Spark <saml2:subject> <saml2:nameid Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameID format, Spark NameQualifier="https://shib9a.cisco.net/idp/shibboleth" SPNameQualifier="https://idbroker.webex.com/ea7c1420-711d-4916-95f8-22de53230d1e">_306e0e97b606cc3199a28e72c95aa206 supported transient, </saml2:nameid> <saml2:subjectconfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:subjectconfirmationdata Address="172.16.36.50" InResponseTo="s2e747a3b284812b71ccd8ac1dce98d00cbfa7555b NotOnOrAfter="2017-01-30T17:18:22.572Z" Recipient="https://idbroker.webex.com/idb/Consumer/metaAlias/ea7c1420-711d-4916-95f8-22de53230d1e/sp"/> </saml2:subjectconfirmation> </saml2:subject> <saml2:conditions NotBefore="2017-01-30T17:13:22.572Z" NotOnOrAfter="2017-01-30T17:18:22.572Z"> <saml2:audiencerestriction> <saml2:audience>https://idbroker.webex.com/ea7c1420-711d-4916-95f8-22de53230d1e</saml2:audience> </saml2:audiencerestriction> </saml2:conditions> Entity ID that this assertion should apply to Time window when this SAML assertion is accepted unspecified and email BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
NameID formats support by Spark UNSPECIFIED <saml2:nameid Format="urn:oasis:names:tc:SAML:1.1:nameidformat:unspecified NameQualifier="https://shib9a.cisco.net/idp/shibboleth" SPNameQualifier="https://idbroker.webex.com/ea7c1420-711d-4916-95f8-22de53230d1e"> _306e0e97b606cc3199a28e72c95aa206 </saml2:nameid> <saml2:attributestatement> <saml2:attribute Name="uid NameFormat="urn:oasis:names:tc:SAML:2.0:attrnameformat:unspecified"> <saml2:attributevalue xmlns:xsi=http://www.w3.org/2001/xmlschema-instance xsi:type="xs:string"> paucorre@identitylab20.ciscolabs.com </saml2:attributevalue> </saml2:attribute> </saml2:attributestatement> NameID format unspecified require SPNameQualifier and the extra attribute (uid) statement NameID format transient require SPNameQualifier and the extra attribute (uid) statement NameID format email require SPNameQualifier but doesn t require any extra attribute EMAIL <saml:nameid Format="urn:oasis:names:tc:SAML:1.1:nameidformat:emailAddress SPNameQualifier="https://idbroker.webex.com/ea7c1420-711d- 4916-95f8-22de53230d1e"> paucorre@identitylab20.ciscolabs.com </saml:nameid> TRANSIENT <saml:nameid Format="urn:oasis:names:tc:SAML:2.0:nameidformat:transient" NameQualifier="ping8a.uc8sevtlab13.com SPNameQualifier="https://idbroker.webex.com/8538f9ff-4f12-440a-9880-3488bc3eb146"> RbtO77X6eKfPUF5OhPrAKTCE88e </saml:nameid> <saml:attributestatement> <saml:attribute Name="uid NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:attributevalue xsi:type="xs:string xmlns:xs=http://www.w3.org/2001/xmlschema xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"> paucorre@uc8sevtlab13.com </saml:attributevalue> </saml:attribute> </saml:attributestatement> BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
Spark Client Spark Service Common Identity Customer IdP HTTP POST Gets an authorisation Code that will be replaced with an OAuth access and refresh Token, and will be use from here on to access resources on behalf of the user BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Cisco Spark Spark Thick Client Embedded Browser Spark Service Common Identity OAuth Identity Broker Customer IdP Access Service Redirect to Authorisation Service Authz URL AuthZ URL Redirect to the AuthN AuthN Request Provide IdP URL for SAML Exchange SAML GET Authentication request Authentication Provided SAML POST with uid and IdP cookie Access_token POST SAML Assertion Redirect to the Oauth Service with SAML cookie and UID of the user Provides SAML cookie and UID to OAuth Service Send back OAuth Token Validates Assertion and create the SAML SP cookie Verifies Entitlement and Scope for the user and generate OAuth Token Access to the Spark Service BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
SSO with IDaaS Vendors
What is an IDaaS? Cloud-based service in a multitenant or dedicated and hosted delivery model. The service brokers a set of functionality across multiple IAM functions specifically, identity and governance administration (IGA), access enforcement, and analytics functions. Gartner predicts that 40% of identity and access management (IAM) purchases will use the identity and access management as a service (IDaaS) delivery model by 2020, up from just 20% in 2016. Source : Gartner - Magic Quadrant for Identity and Access Management as a Service BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
Cisco Cloud Collaboration Services Integration Some of the IDaaS vendor already have templates defined that almost doesn t need any configuration apart from providing the ORG id. The provide services for thousands of SSO enabled apps, where the users of a customer just need to login to a single apps and all other will receive information from the first login. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
Cisco On-premise Integration with IDaaS before 11.5 Before 11.5 CUCM & IM&P cluster Before CSR 11.5 Cisco on-premise collaboration products require on IdP agreement per node in the cluster. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
Cisco On-premise Integration with IDaaS before 11.5 Before 11.5 CUCM & IM&P cluster But a single cluster can import a single metadata file from the IdP BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 47
Cisco On-premise Integration with IDaaS on 11.5 11.5 and forward CUCM & IM&P cluster With CSR 11.5 and after Cisco on-premise collaboration products require on the IdP a single agreement per cluster. To achieve single cluster agreement, Cisco uses a SAML specification that allow for multiple AssertionConsumerService tags BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 48
Cisco On-premise Integration with IDaaS on 11.5 All the IDaaS vendor don t support multiple AssertionConsumerServices tags, you can only specify one. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
Cisco On-premise Integration with OKTA on 11.5 With the exception of OKTA that develop the support for multiple AssertionConsumerService. In order to integrate with customer that have SAML enabled applications where multiple nodes need to access to a single IdP agreement. BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
Cisco On-premise Integration with OKTA on 11.5 For the integration to be configured we need to open the CUCM cluster metadata file and copy the AssertionConsumerService that have the bindings HTTP- POST. 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 51
Conclusion and Key Takeaways
Q & A
Complete Your Online Session Evaluation Give us your feedback and receive a Cisco Live 2017 Cap by completing the overall event evaluation and 5 session evaluations. All evaluations can be completed via the Cisco Live Mobile App. Caps can be collected Friday 10 March at Registration. Learn online with Cisco Live! Visit us online after the conference for full access to session videos and presentations. www.ciscoliveapac.com BRKUCC-2664 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
Thank you