Cisco Cisco TelePresence Video Communication Server Expressway
1. Go to
Configuration > Unified Communications > Export SAML data
.
This page lists the connected VCS Expressway, or all the VCS Expressway peers if it's a cluster. These
are listed because data about them is included in the SAML metadata for the VCS Control.
are listed because data about them is included in the SAML metadata for the VCS Control.
2. [Conditional] If you have configured multiple deployments, you must select a deployment before you can
export the SAML metadata.
3. Click Download or Download all.
The page also lists all the VCS Control peers, and you can download SAML metadata for each one, or
export them all in a .zip file.
export them all in a .zip file.
4. Copy the resulting file(s) to a secure location that you can access when you need to import
SAML metadata to the IdP.
Configuring IDPs
This topic covers any known additional configurations that are required when using a particular IDP for
SSO over MRA.
SSO over MRA.
These configuration procedures are required in addition to the prerequisites and high level tasks already
mentioned, some of which are outside of the document's scope.
mentioned, some of which are outside of the document's scope.
Active Directory Federation Services 2.0
After creating Relying Party Trusts for the VCS Expressways, you must set some properties of each entity,
to ensure that AD FS formulates the SAML responses as VCS Expressway expects them.
to ensure that AD FS formulates the SAML responses as VCS Expressway expects them.
You also need to add a claim rule, for each relying party trust, that sets the uid attribute of the
SAML response to the AD attribute value that users are authenticating with.
SAML response to the AD attribute value that users are authenticating with.
These procedures were verified on AD FS 2.0, although the same configuration is required if you are using
AD FS 3.0.
AD FS 3.0.
You need to:
n
Sign the whole response (message and assertion)
n
Add a claim rule to send identity as uid attribute
To sign the whole response:
In Windows PowerShell®, repeat the following command for each VCS Expressway's <EntityName>:
Set-ADFSRelyingPartyTrust -TargetName "<EntityName>" -SAMLResponseSignature
MessageAndAssertion
To add a claim rule for each Relying Party Trust:
1. Open the Edit Claims Rule dialog, and create a new claim rule that sends AD attributes as claims
2. Select the AD attribute to match the one that identify the SSO users to the internal systems, typically
email or SAMAccountName
3. Enter uid as the Outgoing Claim Type
Unified Communications Mobile and Remote Access via Cisco VCS Deployment Guide (X8.6)
Page 36 of 55
Single Sign-On (SSO) over the Collaboration Edge