Single Sign-on Administration
Set up the System Inventory for Single Sign-On
Set up the System Inventory before configuring the Cisco Identity Service (Cisco IdS) and the components for single sign-on. By default, the System Inventory displays a list of all AWs, Routers, and Peripheral Gateways in the deployment.
The Principal AW (Admin Workstation) is responsible for managing background tasks that are run periodically to sync configuration with other solution components, such as SSO management, Smart Licensing, etc.
Select the Principal AW that manages registering the components with the Cisco IdS and enabling them for SSO. Add the remaining SSO-capable machines to the System Inventory, and select the default Cisco IdS for each of the SSO-capable machines.
Procedure
Step 1: In Unified CCE Administration, navigate to .
Step 2: Set the Principal AW:
Step 3: Add the SSO-capable machines to the System Inventory:
Step 4: Select the default Identity Service for each of the following machines:
What to do next
Be sure to update the System Inventory if you change your deployment:
- If you add or remove contact center solution components from your deployment, make the corresponding changes in the System Inventory.
- If you add or remove Cisco Identity Service machines or coresident CUIC-LD-IdS machines, update the System Inventory appropriately and reconfigure the Cisco IdS. Reassociate the components with a default Cisco IdS.
Configure the Cisco Identity Service
The Cisco Identity Service (Cisco IdS) provides authorization between the Identity Provider (IdP) and applications.
When you configure the Cisco IdS, you set up a metadata exchange between the Cisco IdS and the IdP. This exchange establishes a trust relationship that then allows applications to use the Cisco IdS for single sign-on. You establish the trust relationship by downloading a metadata file from the Cisco IdS and uploading it to the IdP. You can then select settings related to security, identify clients of the Cisco IdS service, and set log levels and, if desired, enable Syslog format.
Note: If you are working with a Cisco IdS cluster, perform these steps on the Cisco IdS primary publisher node. Be sure that the Principal AW is configured and functional before using the tool in Unified CCE Administration.
Procedure
Step 1: In Unified CCE Administration, navigate to .
Step 2: Click Identity Service Management. The Cisco Identity Service Management window opens.
Step 3: Enter your user name, and then click Next.
Step 4: Enter your password, and then click Sign In.
Step 5: Click Nodes.
Step 6: Click Settings.
Step 7: Click IdS Trust.
Step 8: To begin the Cisco IdS trust relationship setup between the Cisco IdS and the IdP, click Download Metadata File to download the file from the Cisco IdS Server.
Step 9: Click Next.
Step 10: To upload the trusted metadata file from your IdP, browse to locate the file.
Step 11: Clear the browser cache.
Step 12: Enter valid credentials when the page is redirected to the IdP.
Step 13: Click Next.
Step 14: Click Test SSO Setup.
Step 15: Click Settings.
Step 16: Click Security.
Step 17: Click Tokens.
Step 18: Set the Encrypt Token (optional); the default setting is On.
Step 19: Click Save.
Step 20: Click Keys and Certificates.
Step 21: Click Save.
Step 22: Click Clients.
Step 23: To add a client:
Step 24: To edit or delete a client, highlight the client row and click the ellipses under Actions. Then:
Step 25: Click Settings.
Step 26: From the Settings page, click Troubleshooting to perform some optional troubleshooting.
Step 27: Set the local log level by choosing from Error, Warning, Info (the default), Debug, or Trace.
Step 28: To receive errors in Syslog format, enter the name of the Remote Syslog Server in the Host (Optional) field.
Step 29: Click Save.
- Register components with the Cisco IdS.
- Enable (or disable) SSO for the entire deployment.
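The trust relationship in Steps 8 to 10 rests on the SP metadata file exchanged with the IdP, so it is worth checking that file before uploading it. The following Python check is an added example, not Cisco's code; it assumes the Cisco IdS metadata is standard SAML 2.0 SP metadata, and the host names and certificate bytes in the embedded sample are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata; host name and certificate bytes are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://ids.example.invalid/ids/saml/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBAA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://ids.example.invalid/ids/saml/response"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text: str) -> dict:
    """Return entity ID, ACS URLs, signing-cert count and a list of problems to fix first."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID") or ""
    problems = [] if entity_id.startswith("https://") else [f"entityID not HTTPS: {entity_id!r}"]
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return {"entity_id": entity_id, "acs": [], "signing_certs": 0,
                "problems": problems + ["no SPSSODescriptor"]}
    # Both flags should be true: signed AuthnRequests out, signed assertions back.
    for flag in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if sp.get(flag) != "true":
            problems.append(f"{flag} is not true")
    signing = 0
    for kd in sp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys do not sign AuthnRequests
        cert = kd.find(".//ds:X509Certificate", NS)
        text = "".join((cert.text or "").split()) if cert is not None else ""
        try:
            if base64.b64decode(text, validate=True):
                signing += 1
        except ValueError:
            problems.append("X509Certificate is not valid base64")
    if signing == 0:
        problems.append("no signing certificate")
    acs = [a.get("Location", "") for a in sp.findall("md:AssertionConsumerService", NS)]
    if not acs:
        problems.append("no AssertionConsumerService")
    problems += [f"ACS not HTTPS: {loc}" for loc in acs if not loc.startswith("https://")]
    return {"entity_id": entity_id, "acs": acs, "signing_certs": signing, "problems": problems}
```

Run it against the downloaded file's contents instead of SAMPLE_METADATA; an empty problems list means the entity ID, signing certificate and HTTPS endpoints are in place before the IdP side is configured.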
Register Components and Set Single Sign-On Mode
If you add any SSO-compatible machines to the System Inventory after you register components with the Cisco IdS, those machines are registered automatically.
Before you begin
- Configure the Cisco Identity Service (Cisco IdS).
- Disable popup blockers so that all test results display correctly.
Procedure
Step 1: In Unified CCE Administration, navigate to .
Step 2: Click the Register button to register all SSO-compatible components with the Cisco IdS. The component status table displays the registration status of each component. If a component fails to register, correct the error and click Retry.
Step 3: Click the Test button. When the new browser tab opens, you may be prompted to accept a certificate. For the page to load, accept any certificates. Then, when presented with a log-in dialog, log in as a user with SSO credentials. The test process verifies that each component is configured correctly to reach the Identity Provider, and that the Cisco IdS successfully generates access tokens. Each component that you are setting up for SSO is tested. The component status table displays the status of testing each component. If a test is unsuccessful, correct the error, and then click Test again. Save the test results. If you refresh the page, run the test again before enabling SSO.
Step 4: Select the SSO mode for the system from the Set Mode drop-down menu:
The component status table displays the status of setting the SSO mode on each component. If the SSO mode fails to be set on a component, correct the error, and then select the mode again.