Cisco Expressway
Configuring IDPs
This topic covers any known additional configurations that are required when using a particular IDP for SSO over MRA.
These configuration procedures are required in addition to the prerequisites and high level tasks already mentioned, some of which are outside of the document's scope.
Active Directory Federation Services 2.0
After creating Relying Party Trusts for the Expressway-Es, you must set some properties of each entity, to ensure that AD FS formulates the SAML responses as Expressway-E expects them.
You also need to add a claim rule, for each relying party trust, that sets the uid attribute of the SAML response to the AD attribute value that users are authenticating with.
These procedures were verified on AD FS 2.0, although the same configuration is required if you are using AD FS 3.0.
You need to:
■ Sign the whole response (message and assertion)
■ Add a claim rule to send identity as uid attribute
To sign the whole response:
In Windows PowerShell®, repeat the following command for each Expressway-E's <EntityName>:
Set-ADFSRelyingPartyTrust -TargetName "<EntityName>" -SAMLResponseSignature MessageAndAssertion
To add a claim rule for each Relying Party Trust:
1. Open the Edit Claims Rule dialog, and create a new claim rule that sends AD attributes as claims
2. Select the AD attribute that matches the one that identifies the SSO users to the internal systems, typically email or SAMAccountName
3. Enter uid as the Outgoing Claim Type
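The two AD FS changes above (MessageAndAssertion signing and the uid claim rule) applied to every Expressway-E trust from PowerShell, as an added example that is not part of the Cisco guide; the entity names are placeholders, and the rule assumes users authenticate with sAMAccountName (use mail instead if they sign in with email).

```powershell
# Added example, not Cisco's own: configure each Expressway-E Relying Party Trust.
# Assumptions: the trusts already exist and the names below are placeholders.
# AD FS 2.0 ships its cmdlets as a snap-in; AD FS 3.0 ships them as a module.
if (Get-Module -ListAvailable -Name ADFS) { Import-Module ADFS } else { Add-PSSnapin Microsoft.Adfs.PowerShell }

$entityNames = @("expe1.example.com", "expe2.example.com")   # placeholders

# Claim rule (AD FS claim-rule language): look up the authenticated Windows
# account in Active Directory and issue its sAMAccountName as the "uid" claim.
$uidRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send sAMAccountName as uid"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("uid"), query = ";sAMAccountName;{0}", param = c.Value);
'@

foreach ($name in $entityNames) {
    # Sign both the SAML message and the assertion, as Expressway-E expects.
    Set-AdfsRelyingPartyTrust -TargetName $name -SamlResponseSignature MessageAndAssertion

    # Append the uid rule to whatever issuance rules the trust already has,
    # rather than overwriting rules that other consumers may depend on.
    $existing = (Get-AdfsRelyingPartyTrust -Name $name).IssuanceTransformRules
    Set-AdfsRelyingPartyTrust -TargetName $name -IssuanceTransformRules ($existing + "`n" + $uidRule)
}

# Verify: every trust must report MessageAndAssertion and carry a uid rule.
foreach ($name in $entityNames) {
    $rpt    = Get-AdfsRelyingPartyTrust -Name $name
    $signed = $rpt.SamlResponseSignature -eq "MessageAndAssertion"
    $hasUid = $rpt.IssuanceTransformRules -match 'types = \("uid"\)'
    "{0}: signature={1} uidRule={2}" -f $name, $signed, $hasUid
}
```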
Enabling Single Sign-On at the Edge
On the Expressway-C:
1. Go to Configuration > Unified Communications > Configuration
2. Locate Single Sign-on support and select On
3. Click Save
[Optional] Extend the time-to-live of SIP authorization tokens, by entering a number of seconds for SIP token extra time-to-live (in seconds). This setting gives users a short window in which they can still accept calls after their credentials expire, but you should balance this convenience against the increased security exposure.
On the Expressway-E:
1. Go to Configuration > Unified Communications > Configuration
2. Locate Single Sign-on support and select On
3. Click Save
[Optional] Choose how the Expressway-E reacts to /get_edge_sso requests by selecting whether or not the Expressway-C should check the home nodes.
The /get_edge_sso request from the client asks whether the client may try to authenticate the user by SSO. In this request, the client provides an identity of the user that the Expressway-C can use to find the user's home cluster:
Mobile and Remote Access Through Cisco Expressway Deployment Guide
Single Sign-On (SSO) over the Collaboration Edge