Cisco Cisco TelePresence Video Communication Server Expressway
Configuring IDPs
This topic covers any known additional configurations that are required when using a particular IDP for SSO over
MRA.
MRA.
These configuration procedures are required in addition to the prerequisites and high level tasks already mentioned,
some of which are outside of the document's scope.
some of which are outside of the document's scope.
Active Directory Federation Services 2.0
After creating Relying Party Trusts for the VCS Expressways, you must set some properties of each entity, to ensure
that AD FS formulates the SAML responses as VCS Expressway expects them.
that AD FS formulates the SAML responses as VCS Expressway expects them.
You also need to add a claim rule, for each relying party trust, that sets the uid attribute of the SAML response to the
AD attribute value that users are authenticating with.
AD attribute value that users are authenticating with.
These procedures were verified on AD FS 2.0, although the same configuration is required if you are using AD FS 3.0.
You need to:
■
Sign the whole response (message and assertion)
■
Add a claim rule to send identity as
uid
attribute
To sign the whole response:
In Windows PowerShell®, repeat the following command for each VCS Expressway's <EntityName>:
Set-ADFSRelyingPartyTrust -TargetName "<EntityName>" -SAMLResponseSignature MessageAndAssertion
To add a claim rule for each Relying Party Trust:
1.
Open the Edit Claims Rule dialog, and create a new claim rule that sends AD attributes as claims
2.
Select the AD attribute to match the one that identify the SSO users to the internal systems, typically email or
SAMAccountName
SAMAccountName
3.
Enter
uid
as the Outgoing Claim Type
Enabling Single Sign-On at the Edge
On the VCS Control:
1.
Go to Configuration > Unified Communications > Configuration.
2.
Locate Single Sign-on support and select On or Exclusive.
Select the same value on the VCS Control and VCS Expressway.
—
On: The clients will attempt authentication at the IdP; if they fail, they can fall back on authenticating at the
home node through the VCS.
home node through the VCS.
—
Exclusive: Clients may only authenticate at the IdP. This selection disables authentication at the home node
through the VCS.
through the VCS.
3.
Click Save.
Extend SIP Authorization Token Lifetime
[Optional, when Single Sign-on Support is On]
Extend the time-to-live of SIP authorization tokens, by entering a number of seconds for SIP token extra time-to-live
(in seconds). This setting gives users a short window in which they can still accept calls after their credentials expire,
but you should balance this convenience against the increased security exposure.
(in seconds). This setting gives users a short window in which they can still accept calls after their credentials expire,
but you should balance this convenience against the increased security exposure.
38
Mobile and Remote Access Through Cisco Video Communication Server Deployment Guide
Single Sign-On (SSO) over the Collaboration Edge