Cisco TelePresence Video Communication Server Expressway
1. Go to Configuration > Unified Communications > Export SAML data.
This page lists the connected VCS Expressway, or all the VCS Expressway peers if it's a cluster. These
are listed because data about them is included in the SAML metadata for the VCS Control.
2. Click Download or Download all.
The page also lists all the VCS Control peers, and you can download SAML metadata for each one, or
export them all in a .zip file.
3. Copy the resulting file(s) to a secure location that you can access when you need to import
SAML metadata to the IdP.
Configuring IDPs
This topic covers any known additional configurations that are required when using a particular IDP for
SSO over MRA.
These configuration procedures are required in addition to the prerequisites and high level tasks already
mentioned, some of which are outside of the document's scope.
Active Directory Federation Services 2.0
After creating Relying Party Trusts for the VCS Expressways, you must set some properties of each entity,
to ensure that AD FS formulates the SAML responses as VCS Expressway expects them.
These procedures were verified on AD FS 2.0, although the same configuration is required if you are using
AD FS 3.0.
You need to:
- Sign the whole response (message and assertion)
To set these relying party trust properties for each entity:
In Windows PowerShell®, repeat the following command for each VCS Expressway's <EntityName>:
Set-ADFSRelyingPartyTrust -TargetName "<EntityName>" -SAMLResponseSignature MessageAndAssertion
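To confirm the setting took effect, a captured SAML response can be checked structurally for a signature on both the message and the assertion. The following is an added example, not part of the Cisco guide: it assumes an unencrypted assertion, uses constructed sample XML with placeholder signature values, and does not verify the signatures cryptographically. The function names and the "Unsigned" label are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signed_in_place(element):
    """True if a direct-child ds:Signature references this element's own ID.
    A signature that sits elsewhere or points at another ID does not count."""
    own_id = element.get("ID")
    for sig in element.findall("ds:Signature", NS):
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if ref is not None and own_id and ref.get("URI") == "#" + own_id:
            return True
    return False

def signature_coverage(response_xml):
    """Structural check only: reports which parts carry a signature, using the
    AD FS SamlResponseSignature value names ("Unsigned" is this example's label)."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response")
    assertions = root.findall("saml:Assertion", NS)
    message = signed_in_place(root)
    assertion = bool(assertions) and all(signed_in_place(a) for a in assertions)
    names = {(True, True): "MessageAndAssertion", (True, False): "MessageOnly",
             (False, True): "AssertionOnly", (False, False): "Unsigned"}
    return names[(message, assertion)]

def sig_stub(ref_id):
    # Constructed placeholder signature: right shape, no real key material.
    return ('<ds:Signature xmlns:ds="%s"><ds:SignedInfo><ds:Reference URI="#%s"/>'
            '</ds:SignedInfo><ds:SignatureValue>CONSTRUCTED</ds:SignatureValue>'
            '</ds:Signature>' % (NS["ds"], ref_id))

def sample_response(sign_message, sign_assertion):
    """Constructed, structurally minimal response for demonstration."""
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">%s'
            '<saml:Assertion ID="_a1">%s<saml:Subject/></saml:Assertion>'
            '</samlp:Response>'
            % (NS["samlp"], NS["saml"],
               sig_stub("_r1") if sign_message else "",
               sig_stub("_a1") if sign_assertion else ""))

if __name__ == "__main__":
    for m, a in [(True, True), (False, True), (True, False)]:
        print(m, a, signature_coverage(sample_response(m, a)))
```

Any result other than MessageAndAssertion for a response issued to a VCS Expressway relying party indicates the trust property above has not been applied to that entity.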
Enabling Single Sign-On at the edge
On the VCS Control:
1. Go to Configuration > Unified Communications > Configuration
2. Locate Single Sign-on support and select On
3. Click Save
[Optional] Extend the time-to-live of SIP authorization tokens, by entering a number of seconds for SIP token
extra time-to-live (in seconds). This setting gives users a short window in which they can still accept calls
after their credentials expire, but you should balance this convenience against the increased security
exposure.
On the VCS Expressway:
1. Go to Configuration > Unified Communications > Configuration
2. Locate Single Sign-on support and select On
Unified Communications Mobile and Remote Access via Cisco VCS Deployment Guide (X8.5.1)
Single Sign-On (SSO) over the Collaboration Edge