
Question about Cisco TMS/SSO/IIS

juriss
Level 1

We are running Cisco TMS version 15.13.3 and it's running very well and has for many years.

TMS Login/Authentication is using IIS and Integrated Authentication to use our company login credentials for TMS Login.
Recently there has been a push for MFA (Multi-Factor Authentication) and the use of a SAML based Single Sign-On setup.

My understanding is that the IIS web server is not capable of SAML based SSO and our SSO folks ask us if the TMS app can...

“consume an HTTP header that has a unique identifier like UID that we would pass to you after a user authenticates to WAM”

My questions are:

#1 - Has anyone set up MFA SSO with SAML based authentication? (If yes, can you share some details)

#2 - Has anyone been successful in changing the IIS settings for the /TMS page to do the following:
A - Block all HTTP traffic (only accept HTTPS); we do not want HTTP redirected to HTTPS
B - Block access to https://<TMS server ip address>/TMS (currently it prompts for username and password)
We have lots of knowledgeable hosting/web server folks, but very limited with IIS and the specifics of the TMS setup

Thanks - Any assistance would be much appreciated

1 Reply

b.winter
VIP

Hi,
MFA options are not set up in the application server (e.g. CUCM, Unity, TMS, ...). This is a misbelief. MFA options are set up in the IDP. The application server doesn't care how the authentication works, as long as the user is successfully authenticated through IDP and relays the successful authentication to the application server.

Why shouldn't SSO be possible within IIS? I'm not a Windows expert, but just doing a quick Google search, I get hundreds of entries on how-to.

Since the TMS websites are running on IIS, all of your questions are related to settings of IIS and not to the "TMS page".
So better check the MS forums or config docs, ...
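
Added example, not part of the thread and not Cisco or Microsoft guidance: one way to audit the IIS application and make it refuse plain HTTP instead of redirecting it (question #2 A), using the WebAdministration module. The site name `Default Web Site` and application path `tms` are assumptions; check them against the first command's output on your server before changing anything.

```powershell
# Added example. $site and $app are assumptions, not values taken from the thread.
Import-Module WebAdministration

$site = 'Default Web Site'   # assumption: IIS site that hosts the TMS application
$app  = 'tms'                # assumption: application path under that site
$root = 'MACHINE/WEBROOT/APPHOST'
$loc  = "$site/$app"

# 1. Audit: which protocols and ports the site currently listens on.
Get-WebBinding -Name $site | Select-Object protocol, bindingInformation

# 2. Audit: which authentication modes are enabled for the application.
#    The thread says Integrated (Windows) Authentication is in use today.
foreach ($mode in 'anonymousAuthentication', 'windowsAuthentication', 'basicAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath $root -Location $loc `
        -Filter "system.webServer/security/authentication/$mode" -Name 'enabled').Value
    '{0,-26} enabled = {1}' -f $mode, $enabled
}

# 3. Audit: current TLS requirement. 'None' means plain HTTP is accepted.
Get-WebConfigurationProperty -PSPath $root -Location $loc `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'

# 4. Change: require TLS for this application only.
#    With sslFlags = Ssl, IIS answers plain-HTTP requests with 403.4
#    (SSL required) rather than redirecting them to HTTPS.
Set-WebConfigurationProperty -PSPath $root -Location $loc `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# 5. Verify the setting was written.
Get-WebConfigurationProperty -PSPath $root -Location $loc `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'

# Optional, stricter: stop listening on port 80 for the whole site.
# Run only after confirming that nothing else on the site needs HTTP.
# Remove-WebBinding -Name $site -Protocol http -Port 80
```

Run it from an elevated PowerShell session on the IIS host, and take a configuration backup first (for example `Backup-WebConfiguration -Name 'before-require-ssl'`) so the change can be rolled back.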