01-21-2016 09:15 AM - edited 03-19-2019 10:37 AM
Hi everyone,
Can CUCM or CPC be integrated with smart card authentication? Either single-sign on from my computer with a smartcard, or authenticating directly by smartcard, would meet my authentication demands.
ADFS doesn't seem to get this done, since for ADFS integration you have to supply a username and password once per session before SSO works across different UC applications.
01-22-2016 12:04 AM
Hi,
As per the design guide, smart card based authentication is possible: "The IdP can support various authentication mechanisms, including user/password based authentication against LDAP, Kerberos authentication, SmartCard based authentication."
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/srnd/collab10/collab10/directry.html
It is also mentioned in the following link
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/8_5_1/delta/delta.html#pgfId-1854115
If the Single Sign-On feature is configured by the system administrator, users can access their Cisco Unified CM User Options web page without having to sign in.
These Cisco Unified IP Phones (SIP) support this feature:
Manish
01-22-2016 06:56 AM
Hi Manish,
From the online videos demonstrating SAML with UC applications, it seems as though the first login must always include username and password if done via ADFS (I assume it's the same for other IdPs). Could smartcard users without passwords also authenticate to CUCM?
01-23-2016 07:36 AM
That's not how SAML SSO works. When enabled, CUCM/CUC do not prompt the user to authenticate at all. Instead, the client (e.g. browser) is redirected to the IdP to authenticate. The authentication method(s) the IdP supports are entirely irrelevant to Cisco, and CUCM/CUC do not even participate in this process. Once authentication has completed, the IdP provides the client a digitally signed response which it then presents to CUCM/CUC. The Cisco app verifies the signature - without ever interacting with the IdP - and trusts whatever decision it made.
If ADFS is prompting you for a username and password instead of the client certificate on your smart card then you need to troubleshoot that on ADFS. Cisco has nothing to do with it.
I suggest watching the recording of BRKUCC-2444 - Directories Services and Single Sign-On for the Cisco Collaboration Solution (2015 San Diego) which gives an excellent walk-through of how this works.
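The trust model described in this reply, as an added illustration that is not code from the thread or from Cisco: the IdP signs an assertion after doing its own (smart card, password, Kerberos) authentication, and the service provider accepts it purely by checking the signature against the IdP key it already holds, plus audience and lifetime. It is written in Go with a hypothetical simplified assertion (real SAML 2.0 signs canonical XML with XML-DSig), and adds one check a defender may want: requiring the SAML AuthnContext class the IdP reports to be the smart card (PKI) class rather than trusting any method the IdP chose.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/xml"
	"errors"
	"time"
)
type Assertion struct { // simplified; real SAML 2.0 signs canonical XML with XML-DSig
	Subject      string    `xml:"Subject"`
	Audience     string    `xml:"Audience"`
	NotOnOrAfter time.Time `xml:"NotOnOrAfter"`
	AuthnContext string    `xml:"AuthnContextClassRef"`
}
const SmartcardPKI = "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI" // SAML 2.0 class for smart card logins
// Hypothetical IdP signing key; a real SP takes the IdP public key from the exchanged SSO metadata.
func NewIdPKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}
// IdP side: after authenticating the user itself, sign the marshalled assertion.
func Sign(a Assertion, key *rsa.PrivateKey) (body, sig []byte, err error) {
	if body, err = xml.Marshal(a); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(body)
	sig, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return body, sig, err
}
// SP side (the CUCM/CUC role): verify with the IdP public key without contacting the IdP,
// then enforce audience, validity window and, when wantCtx is set, the reported login method.
func Verify(body, sig []byte, pub *rsa.PublicKey, audience, wantCtx string, now time.Time) (a Assertion, err error) {
	h := sha256.Sum256(body)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return a, errors.New("signature not from the trusted IdP")
	}
	if err = xml.Unmarshal(body, &a); err != nil {
		return a, err
	}
	switch {
	case a.Audience != audience:
		return a, errors.New("audience mismatch: assertion meant for another SP")
	case !now.Before(a.NotOnOrAfter):
		return a, errors.New("assertion expired")
	case wantCtx != "" && a.AuthnContext != wantCtx:
		return a, errors.New("IdP did not use the required method: " + a.AuthnContext)
	}
	return a, nil
}
```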
01-25-2016 05:11 AM
Thanks Jonathan,
I'll look into it.
02-16-2016 01:45 PM
02-18-2016 10:15 AM
My interpretation of the SRND is yes; however, I am not aware of other documentation that speaks specifically to smart cards. Every reference I have seen is to the IdP generically. The disadvantage I have is that none of my customers use smart cards, so I lack real life experience to reference.
...SSO is implemented based on Security Assertion Markup Language (SAML) version 2.0 (SAML 2.0). SAML 2.0 authentication uses SAML authentication flows between the clients accessing the services, the collaboration applications providing these services, and an Identity Provider (IdP). The IdP is the component responsible for the actual authentication of users. The IdP can support various authentication mechanisms, including user/password based authentication against LDAP, Kerberos authentication, SmartCard based authentication, and others. The IdP can be any IdP available on the market. Cisco validates SSO with a number of IdPs including OpenAM, Ping Federate, Microsoft Active Directory Federated Services (ADFS), and Oracle Identity Manager.