Single Sign-on Integration
Establish Trust Relationship for Cisco IdS
To enable applications to use Cisco Identity Service (Cisco IdS) for Single Sign-On, perform the metadata exchange between the Cisco IdS and the Hosted Identity Provider (IdP).
- Download the SAML SP Metadata file, sp.xml, on the Cisco IdS publisher primary node:
  - Open Identity Service Management by doing either of the following:
    - Open the Identity Service Management window: https://<Unified CCX server address>:8553/idsadmin.
    - In Administration, navigate to and click Identity Service Management.
  - On the Settings > IdS Trust tab, download the SAML SP Metadata file, sp.xml.
- Download the Identity Provider Metadata file, federationmetadata.xml, from the IdP. For example, for AD FS, download the Identity Provider Metadata file from the IdP at the location:
  https://<ADFSServer FQDN>/federationmetadata/2007-06/federationmetadata.xml
- On the Identity Service Management page, upload the Identity Provider Metadata file that was downloaded in the previous step.
The SAML SSO uses trust authentication certificates to exchange authentication and authorization details between the IdP (such as AD FS) and the Cisco IdS. This secures the communication between the servers.
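Before uploading the IdP metadata to Cisco IdS, it is worth checking what the file actually declares, because the signing certificate inside it is what the IdS will trust for every SAML assertion. The following PowerShell script is an added example, not part of the Cisco page or product: it downloads the AD FS metadata from the URL given above, then prints the entityID, the IdP signing certificate(s) with thumbprint and expiry, and the single sign-on endpoints. The parameter name $AdfsFqdn and the output path are assumptions.

```powershell
# Added example (not from the Cisco page): fetch the AD FS federation metadata and
# print the values an administrator should verify before uploading it to Cisco IdS.
# Assumptions: $AdfsFqdn is the AD FS server; the URL path is the one the page gives.
param(
    [Parameter(Mandatory = $true)][string]$AdfsFqdn,
    [string]$OutFile = ".\federationmetadata.xml"
)

$url = "https://$AdfsFqdn/federationmetadata/2007-06/federationmetadata.xml"

# Download over TLS. Invoke-WebRequest validates the server certificate by default,
# so a name mismatch or untrusted CA fails here instead of silently succeeding.
Invoke-WebRequest -Uri $url -OutFile $OutFile -UseBasicParsing

[xml]$md = Get-Content -Path $OutFile -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$entity = $md.SelectSingleNode('/md:EntityDescriptor', $ns)
Write-Host "entityID     : $($entity.entityID)"

# Signing certificate(s) of the IdP; Cisco IdS will trust assertions signed by these keys.
$idp = $md.SelectSingleNode('//md:IDPSSODescriptor', $ns)
foreach ($kd in $idp.SelectNodes('md:KeyDescriptor[@use="signing"]', $ns)) {
    $b64  = $kd.SelectSingleNode('.//ds:X509Certificate', $ns).InnerText
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($b64))
    Write-Host ("signing cert : {0} thumbprint {1} expires {2:yyyy-MM-dd}" -f
                $cert.Subject, $cert.Thumbprint, $cert.NotAfter)
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "IdP signing certificate expires within 30 days; plan a metadata refresh on the IdS."
    }
}

# SSO endpoints the service provider will redirect browsers to.
foreach ($sso in $idp.SelectNodes('md:SingleSignOnService', $ns)) {
    Write-Host ("SSO endpoint : {0}  ({1})" -f $sso.Location, $sso.Binding)
}
```

Run it as `.\Check-AdfsMetadata.ps1 -AdfsFqdn adfs.example.com` (file name and host are placeholders). The expiry warning matters because AD FS rolls its token-signing certificate automatically, and an IdS still holding the old metadata will reject assertions after the rollover.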
Integrate the Customer Instance to the Shared ADFS
Integrate Cisco IdS to the Shared Management AD FS
Procedure
Step 1: In AD FS, be sure that the default Authentication Type is set to Forms. (Cisco Identity Service requires the Identity Provider to provide form-based authentication.) See the Microsoft AD FS documentation for details.
Step 2: On the AD FS server, open AD FS Management.
Step 3: Right-click AD FS -> Trust Relationships -> Relying Party Trusts.
Step 4: From the menu, choose Add Relying Party Trust to launch the Add Relying Party Trust Wizard.
Step 5: In the Select Data Source step, choose the option Import data about the relying party from a file.
Step 6: Browse to the sp.xml file that you downloaded from the Cisco Identity Server and complete the import to establish the relying party trust.
Step 7: Select the step Specify Display Name, and add a significant name you can use to identify the Relying Party Trust.
Step 8: For AD FS in Windows Server, select the option I do not want to configure multi-factor authentication settings for the relying party at this time in the step Configure Multi-factor Authentication Now. This step does not appear in AD FS 2.0 or 2.1. Continue with the next step.
Step 9: In the step Choose Issuance Authorization Rules, select the option Permit all users to access this relying party and click Next.
Step 10: Click Next again to finish adding the relying party.
Step 11: Right-click the Relying Party Trust and click Properties. Select the Identifiers tab.
Step 12: On the Identifiers tab, set Display name to the name you specified when creating the Relying Party Trust, and set the Relying party identifier to the fully qualified hostname of the Cisco Identity Server from which sp.xml was downloaded.
Step 13: Still in Properties, select the Advanced tab.
Step 14: Select the secure hash algorithm SHA-1 and then click OK. Follow the steps to configure these rules.
Step 15: In Relying Party Trusts, right-click the Relying Party Trust you created, and click Edit Claim Rules.
Step 16: Follow these steps to add a rule with Send LDAP Attributes as Claims as the Claim rule template.
Step 17: Follow these steps to add a second rule with the template custom claim rule.
Step 18: Add the following rules for Federated Scenario:
Step 19: Click OK.
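The wizard steps above can also be scripted with the AD FS PowerShell module, which is useful when the same trust has to be reproduced on a second farm or rebuilt after a failure. The script below is an added example and is not from the Cisco page or the AD FS product documentation. It assumes it runs on the AD FS server as an administrator, that $SpMetadata points to the sp.xml downloaded from the IdS, and that $IdsFqdn is the IdS node's fully qualified hostname (Step 12). The page does not reproduce the text of the LDAP and custom claim rules from Steps 16 to 18, so the transform rule in the script is a labelled placeholder, not Cisco's rule; the "Permit all users" authorization rule is the standard AD FS rule for Step 9.

```powershell
# Added example (not from the Cisco page): scripted equivalent of the Add Relying
# Party Trust wizard steps, using the AD FS PowerShell module.
# Assumptions: run on the AD FS server as an administrator; $SpMetadata is the sp.xml
# downloaded from Cisco IdS; $IdsFqdn is that IdS node's fully qualified hostname.
param(
    [Parameter(Mandatory = $true)][string]$SpMetadata,
    [Parameter(Mandatory = $true)][string]$IdsFqdn,
    [string]$DisplayName = "Cisco Identity Service"
)
Import-Module ADFS

# Steps 5-7: import the relying party from sp.xml under a recognisable display name.
if (-not (Test-Path $SpMetadata)) { throw "sp.xml not found: $SpMetadata" }
Add-AdfsRelyingPartyTrust -Name $DisplayName -MetadataFile $SpMetadata

# Step 9: the "Permit all users to access this relying party" authorization rule.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Steps 12 and 14: identifier = IdS FQDN, secure hash algorithm SHA-1 as the page specifies.
# -Identifier replaces the identifier list, so it must equal the entityID (Issuer) that
# sp.xml declares; compare against sp.xml before overriding an imported value.
Set-AdfsRelyingPartyTrust -TargetName $DisplayName `
    -Identifier $IdsFqdn `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" `
    -IssuanceAuthorizationRules $permitAll

# Steps 16-18 add LDAP and custom transform rules whose text the page does not give.
# PLACEHOLDER (assumption, not Cisco's rule): issue the SAML Name ID from the user's UPN
# via the "Send LDAP Attributes as Claims" template, so that the assertion carries an identity.
$nameIdRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "NameID from UPN (placeholder)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";userPrincipalName;{0}", param = c.Value);
'@
Set-AdfsRelyingPartyTrust -TargetName $DisplayName -IssuanceTransformRules $nameIdRule

# Show the resulting trust so the values can be compared with the wizard's Properties pages.
Get-AdfsRelyingPartyTrust -Name $DisplayName |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlResponseSignature
```

Replace the placeholder transform rule with the rules your deployment actually uses before running this in production; the claim types the IdS expects (uid, user_principal) are defined later on this page under the claim description procedures.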
Federate the Customer ADFS to the Shared Management ADFS
Add Claim Description for Customer ADFS
Procedure
Step 1: Open AD FS Management Console, select .
Step 2: Right-click Claim Descriptions and select Add Claim Description.
Step 3: Create the uid claim description:
Step 4: Create the user_principal claim description:
Add Claim Rules for Relying Party Trust in the Customer ADFS
Use this procedure to add the Claim rules for the Relying Party Trust in the Customer ADFS:
Procedure
Step 1: Open AD FS Management Console.
Step 2: Select .
Step 3: Select and right-click the appropriate Relying Party Trust, then select Edit Claim Rules.
Step 4: Add a rule with Send LDAP Attributes as Claims as the Claim rule template.
Step 5: Add another rule with the template custom claim rule.
Step 6: Click OK.
Add Claim Rules for Claim Provider Trust in the Shared Management ADFS
Note: Add the claim rules for the Claim Provider Trust in the Hosted (Shared Management) AD FS (the AD FS where Cisco IdS is registered).
Procedure
Step 1: Open AD FS Management Console.
Step 2: Select .
Step 3: Select and right-click the appropriate Claims Provider Trust, then select Edit Claim Rules.
Step 4: In the Acceptance Transform Rules tab, click Add.
Step 5: Add the rule for Name ID:
Step 6: Add the rule for uid:
Step 7: Add the rule for user_principal:
Optionally Customize the ADFS Sign-In Page in Windows Server to Hide Federated Domains List
Follow this procedure to redirect end users automatically to their organization's IdP. This is required when your Contact Center solution has multi-domain federations with partners and you do not want to display the list of IdPs that it is federated with.
Procedure
Step 1: Open Windows PowerShell on the Hosted AD FS.
Step 2: Enter the command Set-ADFSClaimsProviderTrust -TargetName "<adfsCPName>" -OrganizationalAccountSuffix @("<mydomain>"). In this command, <adfsCPName> is the AD FS Claims Provider Trust name and <mydomain> is the organization's domain name.
Enable Signed SAML Assertions
Enable Signed SAML Assertions for the Relying Party Trust (Cisco Identity Service).
Procedure
Step 1: Click Start and type powershell in the Search field to display the Windows PowerShell icon.
Step 2: Right-click the Windows PowerShell program icon and select Run as administrator.
Step 3: Run the command Set-ADFSRelyingPartyTrust -TargetName <Relying Party Trust Display Name> -SamlResponseSignature "MessageAndAssertion".
For example: Set-ADFSRelyingPartyTrust -TargetName CUICPub.PCCERCDN.cisco.com -SamlResponseSignature "MessageAndAssertion".
Step 4: Navigate back to the Cisco Identity Service Management window.
Step 5: Click Settings.
Step 6: On the Download SAML SP Metadata and Upload IdP Metadata windows, click Next, as you have already established the trust relationship between the IdP and the IdS.
Step 7: On the AD FS authentication window, provide the login credentials.
Step 8: On successful SSO setup, the message "SSO Configuration is tested successfully" is displayed.
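Once the trust is configured, a short check on the AD FS side confirms that the settings this page asks for are really in place, so that an unsigned assertion or an empty rule set is found by an administrator rather than by the IdS test. The script below is an added example, not part of the Cisco page or product; it reads the relying party trust with Get-AdfsRelyingPartyTrust and reports deviations. The parameter $RpName (the Relying Party Trust display name used with Set-ADFSRelyingPartyTrust above) and the 30-day expiry threshold are assumptions.

```powershell
# Added example (not from the Cisco page): verify the relying party trust settings that the
# procedures above configure. Assumption: $RpName is the Relying Party Trust display name.
param([Parameter(Mandatory = $true)][string]$RpName)
Import-Module ADFS

$rp = Get-AdfsRelyingPartyTrust -Name $RpName
if (-not $rp) { throw "Relying party trust '$RpName' not found" }

$problems = @()

# Step 3 above: both the SAML Response and the Assertion must be signed.
if ($rp.SamlResponseSignature -ne 'MessageAndAssertion') {
    $problems += "SamlResponseSignature is '$($rp.SamlResponseSignature)', expected 'MessageAndAssertion'"
}

# Report which hash algorithm signs responses for this trust (the procedure selects SHA-1).
$sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
switch ($rp.SignatureAlgorithm) {
    $sha1   { Write-Host "SignatureAlgorithm: RSA-SHA1 (the value the Cisco procedure selects)" }
    $sha256 { Write-Host "SignatureAlgorithm: RSA-SHA256" }
    default { $problems += "Unexpected SignatureAlgorithm '$($rp.SignatureAlgorithm)'" }
}

# Without an authorization rule AD FS denies every sign-in to this relying party.
if ([string]::IsNullOrWhiteSpace($rp.IssuanceAuthorizationRules)) {
    $problems += "No issuance authorization rules; all users will be denied"
}
# Without transform rules the assertion carries no Name ID or claims for the IdS.
if ([string]::IsNullOrWhiteSpace($rp.IssuanceTransformRules)) {
    $problems += "No issuance transform rules; the assertion will contain no claims"
}

# If sp.xml supplied an encryption certificate, warn before it expires (30-day window assumed).
if ($rp.EncryptionCertificate -and $rp.EncryptionCertificate.NotAfter -lt (Get-Date).AddDays(30)) {
    $problems += "Encryption certificate expires $($rp.EncryptionCertificate.NotAfter)"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Relying party trust '$RpName' passes the checks."
```

A non-zero exit code makes the script usable from a scheduled task or a change-management pipeline, so configuration drift on the trust is reported without anyone having to open AD FS Management.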