Cisco Cisco Expressway
4.
Set the Digest to the required SHA hash algorithm.
The Expressway uses this digest for signing SAML authentication requests for clients to present to the IdP.
The signing algorithm must match the one expected by the IdP for verifying SAML authentication request
signatures.
The signing algorithm must match the one expected by the IdP for verifying SAML authentication request
signatures.
5.
Click Upload.
The Expressway-C can now authenticate the IdP's communications and encrypt SAML communications to the
IdP.
IdP.
Note:
You can change the signing algorithm after you have imported the metadata, by going to Configuration
> Unified Communications > Identity Providers (IdP), locating your IdP row then, in the Actions column,
clicking Configure Digest).
clicking Configure Digest).
Associating Domains with an IdP
You need to associate a domain with an IdP if you want the MRA users of that domain to authenticate via the IdP. The
IdP adds no value until you associate at least one domain with it.
IdP adds no value until you associate at least one domain with it.
There is a many-to-one relationship between domains and IdPs. A single IdP can be used for multiple domains, but
you may associate just one IdP with each domain.
you may associate just one IdP with each domain.
On the Expressway-C:
1.
Open the IdP list (Configuration > Unified Communications > Identity providers (IdP)) and verify that your IdP
is in the list.
is in the list.
The IdPs are listed by their entity IDs. The associated domains for each are shown next to the ID.
2.
Click Associate domains in the row for your IdP.
This shows a list of all the domains on this Expressway-C. There are checkmarks next to domains that are
already associated with this IdP. It also shows the IdP entity IDs if there are different IdPs associated with
other domains in the list.
already associated with this IdP. It also shows the IdP entity IDs if there are different IdPs associated with
other domains in the list.
3.
Check the boxes next to the domains you want to associate with this IdP.
If you see (Transfer) next to the checkbox, checking it will break the domain's existing association and
associate it with this IdP.
associate it with this IdP.
4.
Click Save.
The selected domains are associated with this IdP.
Exporting the SAML Metadata from the Expressway-C
Note:
The Expressway-C must have a valid connection to the Expressway-E before you can export the Expressway-
C's SAML metadata.
1.
Go to Configuration > Unified Communications > Export SAML data.
This page lists the connected Expressway-E, or all the Expressway-E peers if it's a cluster. These are listed
because data about them is included in the SAML metadata for the Expressway-C.
because data about them is included in the SAML metadata for the Expressway-C.
2.
[Conditional] If you have configured multiple deployments, you must select a deployment before you can
export the SAML metadata.
export the SAML metadata.
3.
Click Download or Download all.
The page also lists all the Expressway-C peers, and you can download SAML metadata for each one, or
export them all in a .zip file.
export them all in a .zip file.
4.
Copy the resulting file(s) to a secure location that you can access when you need to import SAML metadata to
the IdP.
the IdP.
37
Mobile and Remote Access Through Cisco Expressway Deployment Guide
Single Sign-On (SSO) over the Collaboration Edge