Showing results for 
Search instead for 
Did you mean: 
Walkthrough Wednesdays
Community Manager

Ask the Expert: SAML Single Sign-On (SSO) for Cisco Unified Communications 10.x



Welcome to this Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Security Assertion for Markup Language (SAML) Single Sign-On (SSO) for Cisco Unified Communications 10.x. 

Cisco provides many unified communications products. As an end user, you want to sign on once for all of your Cisco Unified Communications applications to avoid entering same credentials multiple times.

With Unified Communications 10.x, SSO using SAML can achieve this requirement. Through SAML/SSO we provide the ability to log into different unified communications services such as administrative, self-care, and end-user applications of Call Manager, Unity Connection, and Presence server.


For more information:


A. M. Mahesh Babu is a support engineer in the Cisco Technical Assistance Center in Bangalore. He is an expert on Cisco Unity Connection, Cisco Unified Presence, and Cisco Unified Communication Applications such as Jabber. He has worked on Cisco Unified Communications Manager and voice gateways and has been helping customers as well as Cisco partners with installation, configuration, and troubleshooting Unified Communications products for four years. He holds a bachelor's degree in electronics and communication and  CCNP (voice) and RHCE certifications.

Sarthak Saksena has worked in the Cisco Technical Assistance Center for over four years, serving Cisco partners and customers in the Asia-Pacific time zone. As part of the call control and multiservices modules, he focuses on Cisco Unified Communications Manager, Cisco Unified Attended Console, gateways, Cisco Unity Connection, and other VoIP-related devices. Prior to joining Cisco he was a systems engineer with Infosys Technologies LTD. He holds a bachelor of engineering degree in information technology from College of Engineering Roorkee and holds RHCE and CCIE certifications. 

Remember to use the rating system to let Mahesh and Sarthak know if you have received an adequate response. 

Because of the volume expected during this event, our experts might not be able to answer every question. Remember that you can continue the conversation in the Collaboration, Voice, and Video community under subcommunity Unified Communications Applications shortly after the event. This event lasts through April 11, 2014. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.


Hi Mahesh and Sartakh,


Right now I am labbing to deploy CWMS 2.0 using SSO. we are using ADFS 2.0 in the lab.

When user want to sign in the meeting URL, the page says "Click Sign In to access your account from your company's single sign-on (SSO) page." and then when user sign in, the SSO redirection failed and the page says "No X.509 certificate found in the system".

I have tried to import certificate from ADFS to webex and always failed.


What's your suggest?




Hi Helmi,

CWMS SSO works independent of the New SAML SSO architecture that we have posted here which is specific to CUCM,CUC,IM&P.

But with the error you mentioned , its seems that there is no IdP (ADFS) certificate( in format base 64 x.509)   uploaded to CWMS.



Hi Mahesh,


To avoid this confusion, can you please move this article out of the Conferencing community. It was posted twice in this community and it is not relevant to this community.


I appreciate it.



Conferencing TAC


Hello Dejan,

The discussion has been moved.  Thank you for the clarification.




Hello Mahesh & Sarthak,

Could you please tell me how does SAML SSO help administrators or users?  

Thank you.



Hi Henry

SAML SSO provides us with a single sign on feature across all our UC prodcuts using a comon account. Hence it makes the administration and management of these devices extremely simple.

Let me take two example here.

For an Administrator : Pre 10.x when you login to the administration page of your Call manager publisher to make any changes and then wish to navigate to your call manager subscriber or Unity Connection you need to login to them individually all over again. Post 10.x and SAML intergration allows you to login ONLY ONCE into any of these devices and then navigate to any page of the same or different device without having to login into it all over again. If you have a common user in your Identity Provider (IDP) for all your UC devices (such as CUCM, CUC, Presence) then you have to login once in any of these devices and then you can open pages on any other device without having to login into them since the user would have been authenticated once by your IDP and the session will last as long as your browser session lasts.

For a user : If and end user is using a jabber client or a presence client with Call amanger 10.x then once if they login to that device they can access and end user pages or resources these users have permissions to without having to login all over again for the new requested resource.

We have a small video demonstrating the above along with its configuration posted here:




That was indeed very helpful Sarthak.

I must say you have a very deep insight and knowledge in this topic.

Cisco must be very lucky to have you on board I think. You are like a shining Genin their Crown.

I wanted to take a moment to say how much I appreciated the great insight you offered at this 
brainstorming session. Your examples got us all energized about the road ahead, and is 
just the kind of innovative thinking we needed to push our project to the next level. 

We want you to know that we are very pleased with the quality of service your company provides. We sincerely appreciate your responsiveness and the way you conduct business. We have recommended your company to others because of our satisfaction with your service. We look forward to doing business with you for years to come.


Thanks for your help on this guys. I really appreciate your quick reply. Just another question. Is LDAP integration for SAML SSO required?



Yes, LDAP integration is Mandatory as Authentication is done by AD

Cisco Employee

Yes, LDAP integration is mandatory as the authentication will be done by AD

Content for Community-Ad