Smart card support for UC applications

Nadav
Level 7

Hi everyone,

Can CUCM or CPC be integrated with smart card authentication? Either single-sign on from my computer with a smartcard, or authenticating directly by smartcard, would meet my authentication demands.

ADFS doesn't seem to get this done, since for ADFS integration you have to supply a username and password once per session before SSO works across different UC applications. 


6 Replies

Manish Gogna
Cisco Employee

Hi,

As per the design guide, smart card based authentication is possible: "The IdP can support various authentication mechanisms, including user/password based authentication against LDAP, Kerberos authentication, SmartCard based authentication."

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/directry.html

It is also mentioned in the following link

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/8_5_1/delta/delta.html#pgfId-1854115

"Single Sign On and SmartCard Authentication

If the Single Sign-On feature is configured by the system administrator, users can access their Cisco Unified CM User Options web page without having to sign in.

These Cisco Unified IP Phones (SIP) support this feature:

  • Cisco Unified IP Phone 8961
  • Cisco Unified IP Phone 9951
  • Cisco Unified IP Phone 9971"

Manish

Hi Manish,

From the online videos demonstrating SAML with UC applications, it seems as though the first login must always include a username and password if done via ADFS (I assume it's the same for other IdPs). Could smartcard users without passwords also authenticate to CUCM?

That's not how SAML SSO works. When enabled, CUCM/CUC do not prompt the user to authenticate at all. Instead, the client (e.g. browser) is redirected to the IdP to authenticate. The method(s) the IdP supports are entirely irrelevant to Cisco, and CUCM/CUC do not even participate in this process. Once authentication has completed the IdP provides the client a digitally signed response which it then presents to CUCM/CUC. The Cisco app verifies the signature - without ever interacting with the IdP - and trusts whatever decision it made.

If ADFS is prompting you for a username and password instead of the client certificate on your smart card then you need to troubleshoot that on ADFS. Cisco has nothing to do with it.

I suggest watching the recording of BRKUCC-2444 - Directories Services and Single Sign-On for the Cisco Collaboration Solution (2015 San Diego) which gives an excellent walk-through of how this works.
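The flow described above, as an added example that is not part of this thread or of any Cisco or ADFS code: a small Go model in which the IdP signs an assertion after a smart card logon and the service provider (CUCM) verifies it offline against the IdP's key, rejecting any tampered, misdirected or expired assertion. The struct, the canonical string, the hostnames and the user name are constructed stand-ins; real SAML assertions are XML protected by XML-DSig, which this model does not implement.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// Real SAML 2.0 AuthnContextClassRef URI an IdP reports after a smart card logon.
const SmartcardPKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"
// Assertion: constructed, simplified stand-in for a SAML <Assertion> (real ones are XML-DSig signed XML).
type Assertion struct {
	Issuer, Audience, Subject, AuthnContext string
	NotOnOrAfter                             time.Time
}
// canonical is the byte string the signature covers (stand-in for XML canonicalisation).
func (a Assertion) canonical() []byte {
	return []byte(fmt.Sprintf("%s|%s|%s|%s|%s", a.Issuer, a.Audience, a.Subject,
		a.AuthnContext, a.NotOnOrAfter.UTC().Format(time.RFC3339)))
}
// idpSign: the IdP authenticates the user however it supports (smart card, password, Kerberos) and then signs.
func idpSign(key *rsa.PrivateKey, a Assertion) ([]byte, error) {
	d := sha256.Sum256(a.canonical())
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
}
// spVerify: the CUCM/CUC side checks the signature (IdP cert from metadata), audience and validity, never contacting the IdP.
func spVerify(idpPub *rsa.PublicKey, spID string, now time.Time, a Assertion, sig []byte) error {
	d := sha256.Sum256(a.canonical())
	if rsa.VerifyPKCS1v15(idpPub, crypto.SHA256, d[:], sig) != nil {
		return fmt.Errorf("signature does not verify against the IdP certificate")
	}
	if a.Audience != spID {
		return fmt.Errorf("assertion issued for %q, not this SP", a.Audience)
	}
	if !now.Before(a.NotOnOrAfter) {
		return fmt.Errorf("assertion validity window has passed")
	}
	return nil
}
func main() {
	idpKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the ADFS signing key
	a := Assertion{"https://adfs.example.test", "cucm.example.test", "nadav", SmartcardPKI, time.Now().Add(5 * time.Minute)}
	sig, _ := idpSign(idpKey, a)
	fmt.Println("valid:", spVerify(&idpKey.PublicKey, "cucm.example.test", time.Now(), a, sig), "method:", a.AuthnContext)
	a.Subject = "someone-else" // any change after signing breaks verification
	fmt.Println("tampered:", spVerify(&idpKey.PublicKey, "cucm.example.test", time.Now(), a, sig))
}
```

The SP only ever sees the AuthnContext value the IdP wrote into the assertion, which is why a password prompt instead of a certificate prompt is an IdP configuration matter.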

Thanks Jonathan,

I'll look into it. 

Jon, I came across this post and had a question: does SAML SSO support CAC card or smart card authentication? Also, I was reading that this is only supported in release 10.0 and later? Paul

My interpretation of the SRND is yes; however, I am not aware of other documentation that speaks specifically to smart cards. Every reference I have seen is to the IdP generically. The disadvantage I have is that none of my customers use smart cards, so I lack real life experience to reference.

...SSO is implemented based on Security Assertion Markup Language (SAML) version 2.0 (SAML 2.0). SAML 2.0 authentication uses SAML authentication flows between the clients accessing the services, the collaboration applications providing these services, and an Identity Provider (IdP). The IdP is the component responsible for the actual authentication of users. The IdP can support various authentication mechanisms, including user/password based authentication against LDAP, Kerberos authentication, SmartCard based authentication, and others. The IdP can be any IdP available on the market. Cisco validates SSO with a number of IdPs including OpenAM, Ping Federate, Microsoft Active Directory Federated Services (ADFS), and Oracle Identity Manager.