Cisco Cisco Expressway
Enabling Single Sign-On at the Edge
On the Expressway-C:
1. Go to
Configuration > Unified Communications > Configuration
2. Locate Single Sign-on support and select On
3. Click Save
[Optional] Extend the time-to-live of SIP authorization tokens, by entering a number of seconds for SIP token
extra time-to-live (in seconds). This setting gives users a short window in which they can still accept calls
after their credentials expire, but you should balance this convenience against the increased security
exposure.
extra time-to-live (in seconds). This setting gives users a short window in which they can still accept calls
after their credentials expire, but you should balance this convenience against the increased security
exposure.
On the Expressway-E:
1. Go to
Configuration > Unified Communications > Configuration
2. Locate Single Sign-on support and select On
3. Click Save
[Optional] Choose how the Expressway-E reacts to /get_edge_sso requests by selecting whether or not
the Expressway-C should check the home nodes.
the Expressway-C should check the home nodes.
The /get_edge_sso request from the client asks whether the client may try to authenticate the user by
SSO. In this request, the client provides an identity of the user that the Expressway-C can use to find the
user's home cluster:
SSO. In this request, the client provides an identity of the user that the Expressway-C can use to find the
user's home cluster:
n
The default option is Yes to Check for internal SSO availability:
The Expressway-E passes the request to the Expressway-C. The Expressway-C uses a round-robin
algorithm to select a Unified CM node, and makes a UDS query for the supplied identity against that node.
The Unified CM determines which node is the user's home node, and whether it is capable of doing
SSO for the user, and then tells the Expressway-C the outcome. The Expressway-C then tells the
Expressway-E which responds true or false to the client.
The Expressway-E passes the request to the Expressway-C. The Expressway-C uses a round-robin
algorithm to select a Unified CM node, and makes a UDS query for the supplied identity against that node.
The Unified CM determines which node is the user's home node, and whether it is capable of doing
SSO for the user, and then tells the Expressway-C the outcome. The Expressway-C then tells the
Expressway-E which responds true or false to the client.
n
If you select No to Check for internal SSO availability:
The Expressway-E always responds true to /get_edge_sso requests. It does not make the inwards
request to the user's home Unified CM, and thus cannot know whether SSO is really available there.
The Expressway-E always responds true to /get_edge_sso requests. It does not make the inwards
request to the user's home Unified CM, and thus cannot know whether SSO is really available there.
When the client receives a true response from Expressway-E, it will try to /get_edge_config via SSO.
If it gets false, it will try /get_edge_config using whatever credentials it has - credentials which are
independent from the identity managed by UDS inside the enterprise. If it gets true and SSO is not actually
enabled on the user's home node, then /get_edge_config will fail and the client will not try the other
authentication option.
If it gets false, it will try /get_edge_config using whatever credentials it has - credentials which are
independent from the identity managed by UDS inside the enterprise. If it gets true and SSO is not actually
enabled on the user's home node, then /get_edge_config will fail and the client will not try the other
authentication option.
The option you should choose depends entirely on your implementation. If you have a homogenous
environment, in which all Unified CM nodes are capable of SSO, you can reduce response time and overall
network traffic by selecting No. By contrast, if you want clients to use either mode of getting the edge
configuration - during rollout or because you cannot guarantee that SSO is available on all nodes - you should
select Yes.
environment, in which all Unified CM nodes are capable of SSO, you can reduce response time and overall
network traffic by selecting No. By contrast, if you want clients to use either mode of getting the edge
configuration - during rollout or because you cannot guarantee that SSO is available on all nodes - you should
select Yes.
Unified Communications Mobile and Remote Access via Cisco Expressway Deployment Guide (X8.6)
Page 37 of 55
Single Sign-On (SSO) over the Collaboration Edge