Cisco Expressway Maintenance Manual
- The SIP domain that will be accessed via SSO is configured on the Expressway-C.
- The Expressway-C is in Mobile and remote access mode and has discovered the required Unified CM resources.
- The hostnames of the required Unified CM resources are added to the HTTP server allow list on the Expressway-C.
- If you are using multiple deployments, the Unified CM resources that will be accessed by SSO are in the same deployment as the domain that will be called from Jabber clients.
On the Cisco Jabber clients:
- Clients are configured to request the internal services using the correct domain names / SIP URIs / Chat aliases.
- The default browser can resolve the Expressway-E and the IdP.
On the Identity Provider:
- The domain that is on the IdP certificate must be published in the DNS so that clients can resolve the IdP.
- The identity provider must support SAML 2.0. You must use one of the following IdPs:
  - Microsoft Active Directory Federation Services (ADFS) version 2 or 3
  - Open Access Manager (OpenAM)
  - Ping Federate
High level task list
1. Configure a synchronizable relationship between the identity provider and your on-premises directory such that authentication can securely be owned by the IdP. See Directory Integration and Identity Management in the document.
2. Export the SAML metadata file from the IdP. Check the documentation on your identity provider for the procedure. For example, see Enable SAML SSO through the OpenAM IdP in the SAML SSO Deployment Guide for Cisco Unified Communications Applications.
3. Import the SAML metadata file from the IdP to the Unified CM servers and Cisco Unity Connection servers that will be accessed by single sign-on. See the Unified Communications documentation or help for more details.
4. Export the SAML metadata files from the Unified CM servers and Cisco Unity Connection servers. For example, see High-Level Circle of Trust Setup in the SAML SSO Deployment Guide for Cisco Unified Communications Applications.
5. Create the Identity Provider on the Expressway-C by importing the SAML metadata file from the IdP.
6. Associate the IdP with SIP domain(s) on the Expressway-C.
7. Export the SAML metadata file(s) from the (master) Expressway-C; ensure that it includes the externally resolvable address of the (master) Expressway-E.
   The SAML metadata file from the Expressway-C contains the X.509 certificate for signing and encrypting SAML interchanges between the edge and the IdP, and the binding(s) that the IdP needs to redirect clients to the Expressway-E (peers).
8. Import the SAML metadata files from the Unified CM servers and Cisco Unity Connection servers to the IdP. An example using OpenAM is in the SAML SSO Deployment Guide for Cisco Unified Communications Applications.
9. Similarly, import the SAML metadata file from the Expressway-C to the IdP. See your IdP documentation for details.
10. Turn on SSO at the edge (on the Expressway-C and the Expressway-E).
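Before handing the file from step 7 to the IdP (step 9), it is worth checking that it really carries what the guide says it must: a signing and an encryption certificate, and AssertionConsumerService bindings that point at the externally resolvable Expressway-E address over HTTPS. The check below is an added example, not Cisco's own tooling; the metadata sample and the hostname expe.example.com are constructed placeholders in the shape of SP metadata.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample SP metadata (placeholder hostnames and certificate text),
# not a file exported from a real Expressway-C.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://expe.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://expe.example.com/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_sp_metadata(xml_text, expected_host):
    """Return the entityID, certificate uses, ACS bindings and a list of problems found."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    # Only count a KeyDescriptor that actually embeds an X509Certificate element.
    key_uses = sorted(k.get("use") for k in sp.findall("md:KeyDescriptor", NS)
                      if k.find(".//ds:X509Certificate", NS) is not None)
    acs = [(a.get("Binding"), a.get("Location"))
           for a in sp.findall("md:AssertionConsumerService", NS)]
    problems = []
    if "signing" not in key_uses:
        problems.append("no signing certificate")
    if "encryption" not in key_uses:
        problems.append("no encryption certificate")
    if not acs:
        problems.append("no AssertionConsumerService binding")
    for binding, location in acs:
        url = urlparse(location)
        # The IdP redirects clients here, so it must be the public Expressway-E name over HTTPS.
        if url.scheme != "https" or url.hostname != expected_host:
            problems.append(f"{binding} points at {location}, expected https://{expected_host}")
    return {"entity_id": root.get("entityID"), "key_uses": key_uses,
            "bindings": acs, "problems": problems}
```

Run it with the public DNS name of the Expressway-E as expected_host; a non-empty problems list means the IdP would redirect Jabber clients to an address they cannot reach, or the SAML exchange would lack a signing or encryption key.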
Cisco Expressway Administrator Guide (X8.5)
Page 74 of 394
Unified Communications
Mobile and remote access