10-26-2015 01:06 AM - edited 03-19-2019 10:16 AM
Hello!
I have a question about LDAP authentication with applications that are connected via AXL through an SSO enabled CUCM 10.5.
Short description about environment.
We have an SSO enabled CUCM 10.5 with SAML 2.0 integrated ADFS from Microsoft. SSO is working very good, really great solution in my opinion :).
Now we have applications like UCCX 10.6 (and others like ANDTEK) that don't support SSO, so they are still connected to AXL and want an authentication for user access.
So how will the authentication work with CUCM? Will the CUCM use the LDAP authentication (System -> LDAP -> LDAP authentication) or does it try an SSO connection to ADFS?
At the moment only local users of CUCM can get access to UCCX and ANDTEK, not LDAP synchronized ones... That's why I ask how the authentication works, so I can look at which troubleshooting I can do.
Hope you can help me!
best regards
Benjamin
10-30-2015 03:47 AM
Hi Benjamin,
Not sure how UCCX authenticates users against CUCM, but I know that there is also an AXL user needed which does the authentication as far as I know.
Not sure why Andtek should only authenticate local users from CUCM since Andtek is also using AXL.
AXL has a method to authenticate users on the basis of pin or password. This is done by "DoAuthenticateUserReq". What CUCM is doing with this request is another story but it shouldn't make a difference if it is a local user (check password against CUCM database) or synced user (CUCM check against LDAP).
There is no method to do a SSO against CUCM since CUCM is not the identity provider.
Most people think everyone can use Cisco SSO also for other applications, but that's not true. ADFS and SSO is quite a complex thing behind the scenes since you need specific Claim Rules to get a token back. Why should a user get access to a 3rd party application just because the user is authenticated against CUCM?
SSO works the same as when you log in with your Google ID or Facebook ID into TripAdvisor. There must be a trust between the systems. So TripAdvisor trusts the token given by Facebook, but that doesn't mean that you can access your Doodle account because you have a token from Facebook. In that case Doodle needs to trust Facebook.
So in general CUCM with all its websites trusts AD (ADFS) so that you do not need to log in for all the CUCM and IM&P sites. But you still need to authenticate for other applications.
I guess you are from Germany, so maybe it is a good idea to read this article: http://www.faq-o-matic.net/2014/04/02/adfs-grundlagen-und-architektur/
It explains very well how SSO or ADFS works.
Eike
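The AXL path Eike describes, as an added example that is not part of the thread: a client builds a doAuthenticateUser request with only a user id and a password (or PIN), and CUCM alone decides whether to check it against its local database or against LDAP. The AXL namespace, the request/response element names and the sample responses are assumptions based on the AXLSoap schema naming; a real call would be posted over HTTPS to the CUCM AXL service with an AXL application user's credentials, which this offline example does not do.

```python
import xml.etree.ElementTree as ET

# Assumed namespace for the CUCM 10.5 AXL schema (assumption, not from the thread).
AXL_NS = "http://www.cisco.com/AXL/API/10.5"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def build_authenticate_request(userid: str, secret: str, use_pin: bool = False) -> bytes:
    """Build the SOAP envelope for doAuthenticateUser (element names assumed
    from DoAuthenticateUserReq in AXLSoap.xsd). The caller never says whether
    the user is local or LDAP-synced; CUCM resolves that on its side."""
    ET.register_namespace("soapenv", SOAP_NS)
    ET.register_namespace("ns", AXL_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    req = ET.SubElement(body, f"{{{AXL_NS}}}doAuthenticateUser")
    ET.SubElement(req, "userid").text = userid
    # Exactly one of password / pin is sent, matching the schema's choice.
    ET.SubElement(req, "pin" if use_pin else "password").text = secret
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_authenticate_response(xml_bytes: bytes) -> dict:
    """Extract the verdict from a doAuthenticateUserResponse; raise on a SOAP fault
    so that a transport or schema problem is never mistaken for a denied login."""
    root = ET.fromstring(xml_bytes)
    ret = root.find(f".//{{{AXL_NS}}}doAuthenticateUserResponse/return")
    if ret is None:
        fault = root.find(f".//{{{SOAP_NS}}}Fault/faultstring")
        raise RuntimeError(fault.text if fault is not None else "unexpected AXL response")
    return {
        "authenticated": (ret.findtext("userAuthenticated") or "").strip().lower() == "true",
        "code": int(ret.findtext("code") or -1),
    }


# Constructed sample responses (not captured from a real CUCM) for offline use.
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>
<ns:doAuthenticateUserResponse xmlns:ns="http://www.cisco.com/AXL/API/10.5">
<return><userAuthenticated>true</userAuthenticated><code>0</code></return>
</ns:doAuthenticateUserResponse></soapenv:Body></soapenv:Envelope>"""

SAMPLE_DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body>
<ns:doAuthenticateUserResponse xmlns:ns="http://www.cisco.com/AXL/API/10.5">
<return><userAuthenticated>false</userAuthenticated><code>1</code></return>
</ns:doAuthenticateUserResponse></soapenv:Body></soapenv:Envelope>"""
```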
10-30-2015 06:21 AM
In short, since you already have LDAP integration on CUCM that is extended to CCX via AXL, users logging into Finesse will be prompted for username and password, which are their AD credentials.
10-31-2015 01:43 AM
Hi Eike, Hi Chris!
Yes, you're both right, they use different ways for authentication.
1.) SSO only between CUCM and IdP (ADFS)
2.) LDAP authentication over CUCM from UCCX and Third-Party applications.
It is now working. The issue was that I had a problem with certificates and the FQDN name of the LDAP servers. With a TAC SR and the command "utils ldap config ipaddr" we forced it to use the IP address instead of the FQDN when using LDAP authentication, and now it looks like it is working. Not sure why the certificates in my trust-store didn't work with the FQDN.
Thanks a lot for your reply and your help :)!
best regards
Benjamin
10-31-2015 06:23 AM
Interesting...
Is the certificate on the LDAP server issued against its IP address instead of the FQDN? That would be the only logical explanation.