Cisco Cisco Expressway
Figure 7 Single sign-on for on-premises UC services
Single Sign-On Prerequisites
On the Expressway pair:
■
An Expressway-E and an Expressway-C are configured to work together at your network edge.
■
A Unified Communications traversal zone is configured between the Expressway-C and the Expressway-E.
■
The SIP domain that will be accessed via SSO is configured on the Expressway-C.
■
The Expressway-C is in Mobile and remote access mode and has discovered the required Unified CM
resources.
resources.
■
The required Unified CM resources are in the HTTP allow list on the Expressway-C.
■
If you are using multiple deployments, the Unified CM resources that will be accessed by SSO are in the same
deployment as the domain that will be called from Jabber clients.
deployment as the domain that will be called from Jabber clients.
On the Cisco Jabber clients:
■
Clients are configured to request the internal services using the correct domain names / SIP URIs / Chat
aliases.
aliases.
■
The default browser can resolve the Expressway-E and the IdP.
On the Identity Provider:
The domain that is on the IdP certificate must be published in the DNS so that clients can resolve the IdP.
Selecting an Identity Provider (IdP)
Cisco Collaboration solutions use SAML 2.0 (Security Assertion Markup Language) to enable SSO (single sign-on) for
clients consuming Unified Communications services.
clients consuming Unified Communications services.
SAML-based SSO is an option for authenticating UC service requests originating from inside the enterprise network,
and it is now extended to clients requesting UC services from outside via Mobile and Remote Access (MRA).
and it is now extended to clients requesting UC services from outside via Mobile and Remote Access (MRA).
If you choose SAML-based SSO for your environment, note the following:
35
Mobile and Remote Access Through Cisco Expressway Deployment Guide
Single Sign-On (SSO) over the Collaboration Edge