CUCM 10.x SAML/SSO with ADFS2.0

Cisco Employee

Introduction

 

Cisco provides many services in different forms. As an end user, I want to sign on once for all of my Cisco services. I want to find and manage my contacts from any of my Cisco applications and devices, leveraging all possible sources (Corporate Directory, Outlook, mobile contacts, Facebook, LinkedIn, history), and have them rendered in a common and consistent way that gives me the information I need to know their availability and how best to contact them.

Single Sign On using SAML targets exactly this requirement. Through SAML/SSO we provide the ability to log in to multiple devices through a common account and authentication/authorization source, the identity provider (IdP).

 

The overall objective of this work is to provide a scalable, standards-based Single Sign On mechanism for our Unified Communications products. Single Sign On gives a better user experience, as the user needs to enter their authentication credentials only once to access the different UC services.
To build such a solution, a common identity infrastructure is needed, and it was agreed to take this up. As an outcome, a Common Identity Stack Architecture (CIS) has been proposed with the following functions:
o Common identity/directory source
o SAML-based authentication
o SSO via SAML
o OAuth-based authorization

So here is how the flow works when using SAML/SSO with CUCM 10.x and ADFS 2.0:

  1. We create a SAML integration between CUCM 10.x and ADFS.
  2. When you try to log on to the CUCM admin page or user page, the request is redirected to the IdP (ADFS).
  3. The IdP then prompts you to enter your login credentials.
  4. Once the credentials are verified, the IdP redirects you back to CUCM.
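The redirect flow in the steps above, as an added example that is not Cisco's or Microsoft's code: a Python sketch of the checks the service provider (here CUCM) has to make on the SAMLResponse the IdP posts back in step 4, run against a constructed, unsigned response. The entity ID, ACS URL, issuer and timestamps are placeholders I made up, and XML signature verification (which needs an XML-DSig library) is left out.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ID = "cucm.example.com"                 # constructed SP entity ID (placeholder)
ACS_URL = "https://cucm.example.com/acs"   # constructed assertion consumer URL (placeholder)

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(b64_response, expected_req_id, sp_id, acs_url, now):
    """Checks the SP (CUCM) must make on the SAMLResponse the IdP (ADFS) posts back in
    step 4; returns a list of problems (empty means accept). XML signature verification
    needs an XML-DSig library and is deliberately left out of this example."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("InResponseTo") != expected_req_id:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    if root.get("Destination") != acs_url:
        problems.append("Destination is not this SP's ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if cond is None:
        return problems + ["assertion has no Conditions"]
    if not (_ts(cond.get("NotBefore")) <= _ts(now) < _ts(cond.get("NotOnOrAfter"))):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window")
    aud = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != sp_id:
        problems.append("Audience is not this SP")
    return problems

def sample_response(req_id, audience=SP_ID, not_after="2014-06-01T10:05:00Z"):
    """Constructed, unsigned ADFS-style Response used only to exercise the checks."""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
           f'Version="2.0" IssueInstant="2014-06-01T10:00:05Z" InResponseTo="{req_id}" '
           f'Destination="{ACS_URL}"><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/>'
           f'</samlp:Status><saml:Assertion ID="_a1" Version="2.0" '
           f'IssueInstant="2014-06-01T10:00:05Z"><saml:Issuer>adfs.example.com</saml:Issuer>'
           f'<saml:Conditions NotBefore="2014-06-01T10:00:00Z" NotOnOrAfter="{not_after}">'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    ok = validate_response(sample_response("_req1"), "_req1", SP_ID, ACS_URL, "2014-06-01T10:01:00Z")
    print(ok)  # []
```

A real SP also verifies the XML signature against the IdP's certificate from its metadata and rejects any assertion ID it has already consumed; both are what the ssosp logs mentioned in the comments below record when a login is refused.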
Prerequisites

 

To configure SAML/SSO with CUCM 10.x and ADFS 2.0 as the IdP, the prerequisites are:

 

  1. A DNS server, with DNS enabled in the network.
  2. LDAP integration of CUCM with an Active Directory server.
  3. An Active Directory server running Active Directory Federation Services version 2.0 (ADFS 2.0).

 

Components Used

 

  1. Windows 2008 R2 server with the Active Directory and domain controller roles.
  2. Active Directory Federation Services version 2.0 on one of the Active Directory servers within the domain.
  3. CUCM version 10.x.
  4. DNS server.

 

Configure

 

  1. Attached to this document are videos on configuring SAML/SSO with CUCM 10.x and ADFS 2.0. The first video covers installing ADFS on a Windows 2008 R2 server with AD; the second covers the integration steps. The ADFS 2.0 installation video is at: https://supportforums.cisco.com/video/12155571/cucm-10x-samlsso-adfs20-installation
  2. Also attached is a small troubleshooting guide to help you find the Claim Rules.
  3. A configuration guide PDF is attached as well.
  4. The CallManager image used in the video is CUCM 10.0.0.98000-309.
17 Comments
Beginner

Hi Sarthak,

 

I am using Chrome to do this, but I can try Firefox and see if I can get something. For the SAML/SSO logs, is it from CUCM that we can collect and analyse them?

 

Regards

Sriram

 

Cisco Employee

Yes,

here are the locations:

 

• Configuration logs:

  ccmadmin: Only on the node where admin configures sso.

      /var/log/active/tomcat/logs/ccmadmin/log4j/ccmadmin*.log

 

  Backend: On all the nodes in the cluster

      /var/log/active/platform/logs/ssoApp*.log

 

• SAML request/response processing:

  /var/log/active/tomcat/logs/ssosp/log4j/ssosp*

 

Thanks

Sarthak
