Cisco TelePresence Video Communication Server Expressway
■
SAML 2.0 is not compatible with SAML 1.1 and you must select an IdP that uses the SAML 2.0 standard.
■
SAML-based identity management is implemented in different ways by vendors in the computing and
networking industry, and there are no widely accepted regulations for compliance to the SAML standards.
■
The configuration of and policies governing your selected IdP are outside the scope of Cisco TAC (Technical
Assistance Center) support. Please use your relationship and support contract with your IdP vendor to assist
in configuring the IdP properly. Cisco cannot accept responsibility for any errors, limitations, or specific
configuration of the IdP.
Although Cisco Collaboration infrastructure may prove to be compatible with other IdPs claiming SAML 2.0
compliance, only the following IdPs have been tested with Cisco Collaboration solutions:
■
OpenAM 10.0.1
■
Active Directory Federation Services 2.0 (AD FS 2.0)
■
PingFederate® 6.10.0.4
High Level Task List
1.
Configure a synchronizable relationship between the identity provider and your on-premises directory such
that authentication can securely be owned by the IdP. See Directory Integration and Identity Management in
the
2.
Export SAML metadata file from the IdP. Check the documentation on your identity provider for the procedure.
For example, see Enable SAML SSO through the OpenAM IdP in the SAML SSO Deployment Guide for Cisco
Unified Communications Applications.
3.
Import the SAML metadata file from the IdP to the Unified CM servers and Cisco Unity Connection servers that
will be accessed by single sign-on. See the Unified Communications documentation or help for more details.
4.
Export the SAML metadata files from the Unified CM servers and Cisco Unity Connection servers. For example,
see High-Level Circle of Trust Setup in the SAML SSO Deployment Guide for Cisco Unified Communications
Applications.
5.
Create the Identity Provider on the VCS Control, by importing the SAML metadata file from the IdP.
6.
Associate the IdP with SIP domain(s) on the VCS Control.
7.
Export the SAML metadata file(s) from the (primary) VCS Control; ensure that it includes the externally
resolvable address of the (primary) VCS Expressway.
The SAML metadata file from the VCS Control contains the X.509 certificate for signing and encrypting SAML
interchanges between the edge and the IdP, and the binding(s) that the IdP needs to redirect clients to the
VCS Expressway (peers).
8.
Import the SAML metadata files from the Unified CM servers and Cisco Unity Connection servers to the IdP. An
example using OpenAM is in the SAML SSO Deployment Guide for Cisco Unified Communications
Applications.
9.
Similarly, import the SAML metadata file from the VCS Control to the IdP. See your IdP documentation for
details.
10.
Turn on SSO at the edge (on the VCS Control and the VCS Expressway).
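Steps 2 to 9 above are a metadata exchange, and the two files that matter most at the edge are the IdP metadata imported into the VCS Control (step 5) and the VCS Control metadata handed to the IdP (steps 7 and 9). The following Python script is an added example, not part of this guide or of any Cisco or IdP product: it parses a SAML 2.0 EntityDescriptor with the standard library, reports the role, certificates and endpoints it carries, and flags the things this section says must be right before you import the file, namely that the file really is SAML 2.0 (not 1.1), that signing and encryption certificates are present and decode as DER, and, for the VCS Control export, that every AssertionConsumerService location is an https URL on the externally resolvable Expressway address. The sample metadata, the host names vcs-c.example.com and vcs-e.example.com, the port and path, and the placeholder certificate body are all constructed for the example; a real VCS export will differ in layout and content, and the function names are this example's own.

```python
"""Sanity-check SAML 2.0 metadata before exchanging it between VCS and the IdP (added example)."""
import base64
from urllib.parse import urlparse
import xml.etree.ElementTree as ET  # for files from an untrusted source prefer defusedxml.ElementTree

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def _certs(descriptor, use):
    """Base64 X509Certificate bodies usable for `use` ("signing" or "encryption").
    Per the metadata spec a KeyDescriptor without a `use` attribute serves both."""
    out = []
    for kd in descriptor.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, use):
            for c in kd.iter(f"{{{DS}}}X509Certificate"):
                out.append("".join((c.text or "").split()))  # drop PEM-style line wrapping
    return out


def parse_metadata(xml_text):
    """Summarise an EntityDescriptor: role (sp/idp), entityID, certificates, endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError(f"not a SAML 2.0 EntityDescriptor: {root.tag}")
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    role, desc = ("sp", sp) if sp is not None else ("idp", idp)
    if desc is None:
        raise ValueError("neither SPSSODescriptor nor IDPSSODescriptor present")
    ep_tag = "AssertionConsumerService" if role == "sp" else "SingleSignOnService"
    return {
        "role": role,
        "entity_id": root.get("entityID"),
        "protocols": (desc.get("protocolSupportEnumeration") or "").split(),
        "signing": _certs(desc, "signing"),
        "encryption": _certs(desc, "encryption"),
        "endpoints": [(e.get("Binding"), e.get("Location"))
                      for e in desc.findall(f"{{{MD}}}{ep_tag}")],
    }


def _looks_like_der_cert(b64):
    """Cheap structural check: valid base64 whose first byte is a DER SEQUENCE tag."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    return len(raw) > 0 and raw[0] == 0x30


def check_metadata(info, expected_host=None):
    """Return a list of findings; an empty list means every check passed.
    expected_host is the externally resolvable VCS Expressway address that the IdP
    must redirect clients to; it is only enforced for SP (VCS Control) metadata."""
    findings = []
    if SAML2_PROTOCOL not in info["protocols"]:
        findings.append("protocolSupportEnumeration does not list SAML 2.0 (SAML 1.1 is not supported)")
    if not info["signing"]:
        findings.append("no signing certificate in any KeyDescriptor")
    if info["role"] == "sp" and not info["encryption"]:
        findings.append("no encryption certificate in any KeyDescriptor")
    for c in set(info["signing"] + info["encryption"]):
        if not _looks_like_der_cert(c):
            findings.append("X509Certificate body is not base64-encoded DER")
    if not info["endpoints"]:
        findings.append("no AssertionConsumerService / SingleSignOnService endpoints")
    wanted = {HTTP_POST} if info["role"] == "sp" else {HTTP_POST, HTTP_REDIRECT}
    if not any(b in wanted for b, _ in info["endpoints"]):
        findings.append("no endpoint with an HTTP-POST (SP) or HTTP-POST/HTTP-Redirect (IdP) binding")
    for _, loc in info["endpoints"]:
        u = urlparse(loc or "")
        if u.scheme != "https":
            findings.append(f"endpoint is not https: {loc}")
        if info["role"] == "sp" and expected_host and u.hostname != expected_host:
            findings.append(f"ACS location {loc} is not on the Expressway address {expected_host}")
    return findings


# Constructed sample (not a real VCS Control export). The certificate body is a
# placeholder DER SEQUENCE, not an actual X.509 certificate.
FAKE_CERT = base64.b64encode(b"\x30\x03\x02\x01\x05").decode()
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://vcs-c.example.com/sso">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="{SAML2_PROTOCOL}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="{HTTP_POST}" index="0"
      Location="https://vcs-e.example.com:8443/sso/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    info = parse_metadata(SP_METADATA)
    for line in check_metadata(info, expected_host="vcs-e.example.com") or ["metadata OK"]:
        print(line)
```

Run it against the real export by replacing SP_METADATA with the file contents and expected_host with the Expressway FQDN published in external DNS; a non-empty findings list is the reason to fix the VCS Control configuration and re-export before handing the file to the IdP, rather than discovering the mismatch as a failed redirect after SSO is switched on in step 10. The IdP metadata from step 2 can be fed to the same functions (role "idp"), which then checks for a signing certificate and an HTTPS SingleSignOnService endpoint.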
Importing the SAML Metadata from the IdP
1.
On the VCS Control, go to Configuration > Unified Communications > Identity providers (IdP).
You only need to do this on the primary peer of the cluster.
2.
Click Import new IdP from SAML.
3.
Use the Import SAML file control to locate the SAML metadata file from the IdP.
Mobile and Remote Access Through Cisco Video Communication Server Deployment Guide
Single Sign-On (SSO) over the Collaboration Edge