Cisco Cisco TelePresence Video Communication Server Expressway
Enabling Single Sign-On at the Edge
On the VCS Control:
1. Go to
Configuration > Unified Communications > Configuration
2. Locate Single Sign-on support and select On
3. Click Save
[Optional] Extend the time-to-live of SIP authorization tokens, by entering a number of seconds for SIP token
extra time-to-live (in seconds). This setting gives users a short window in which they can still accept calls
after their credentials expire, but you should balance this convenience against the increased security
exposure.
extra time-to-live (in seconds). This setting gives users a short window in which they can still accept calls
after their credentials expire, but you should balance this convenience against the increased security
exposure.
On the VCS Expressway:
1. Go to
Configuration > Unified Communications > Configuration
2. Locate Single Sign-on support and select On
3. Click Save
[Optional] Choose how the VCS Expressway reacts to /get_edge_sso requests by selecting whether or
not the VCS Control should check the home nodes.
not the VCS Control should check the home nodes.
The /get_edge_sso request from the client asks whether the client may try to authenticate the user by
SSO. In this request, the client provides an identity of the user that the VCS Control can use to find the user's
home cluster:
SSO. In this request, the client provides an identity of the user that the VCS Control can use to find the user's
home cluster:
n
The default option is Yes to Check for internal SSO availability:
The VCS Expressway passes the request to the VCS Control. The VCS Control uses a round-robin
algorithm to select a Unified CM node, and makes a UDS query for the supplied identity against that node.
The Unified CM determines which node is the user's home node, and whether it is capable of doing
SSO for the user, and then tells the VCS Control the outcome. The VCS Control then tells the VCS
Expressway which responds true or false to the client.
The VCS Expressway passes the request to the VCS Control. The VCS Control uses a round-robin
algorithm to select a Unified CM node, and makes a UDS query for the supplied identity against that node.
The Unified CM determines which node is the user's home node, and whether it is capable of doing
SSO for the user, and then tells the VCS Control the outcome. The VCS Control then tells the VCS
Expressway which responds true or false to the client.
n
If you select No to Check for internal SSO availability:
The VCS Expressway always responds true to /get_edge_sso requests. It does not make the
inwards request to the user's home Unified CM, and thus cannot know whether SSO is really available
there.
The VCS Expressway always responds true to /get_edge_sso requests. It does not make the
inwards request to the user's home Unified CM, and thus cannot know whether SSO is really available
there.
When the client receives a true response from VCS Expressway, it will try to /get_edge_config via
SSO. If it gets false, it will try /get_edge_config using whatever credentials it has - credentials which
are independent from the identity managed by UDS inside the enterprise. If it gets true and SSO is not
actually enabled on the user's home node, then /get_edge_config will fail and the client will not try the
other authentication option.
SSO. If it gets false, it will try /get_edge_config using whatever credentials it has - credentials which
are independent from the identity managed by UDS inside the enterprise. If it gets true and SSO is not
actually enabled on the user's home node, then /get_edge_config will fail and the client will not try the
other authentication option.
The option you should choose depends entirely on your implementation. If you have a homogenous
environment, in which all Unified CM nodes are capable of SSO, you can reduce response time and overall
network traffic by selecting No. By contrast, if you want clients to use either mode of getting the edge
configuration - during rollout or because you cannot guarantee that SSO is available on all nodes - you should
select Yes.
environment, in which all Unified CM nodes are capable of SSO, you can reduce response time and overall
network traffic by selecting No. By contrast, if you want clients to use either mode of getting the edge
configuration - during rollout or because you cannot guarantee that SSO is available on all nodes - you should
select Yes.
Unified Communications Mobile and Remote Access via Cisco VCS Deployment Guide (X8.6)
Page 37 of 55
Single Sign-On (SSO) over the Collaboration Edge