Configuring SAML Single Sign On for Cisco Call Manager, IM&P, Unity Connection, and Expressway with Azure as Identity Provider
What is single sign-on (SSO)?
Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials — for example, a username and password — to access multiple applications.
SSO builds a Circle of Trust (CoT) by exchanging metadata and certificates between the Identity Provider (IdP) and the Service Provider (SP).
The Cisco UC applications are the Service Providers, and Microsoft Azure will be the Identity Provider in this setup.
Overview
We will be configuring SAML SSO for the applications and versions below using Microsoft Azure as the Identity Provider:
Cisco Unified Communications Manager (CUCM) – version 14 SU2
Cisco Instant Messaging and Presence (IMP) – version 14 SU2
Cisco Unity Connection (CUC) – version 14 SU2
Expressway – version 14.0.6
Note – This configuration example may be supported on other versions than what is listed above.
High Level Tasks to implement
- Export metadata from all UC apps
- Create a certificate to be used in Azure
- Create Enterprise Applications in Azure
- Enable SSO on each UC application
1 Export metadata from all UC apps
For CUCM and IM&P:
From CUCM Administration go to System > SAML Single Sign On.
For the SSO mode, the options are Cluster wide or Per node. Cluster wide will provide one metadata file and be easier to manage. Per node will provide a metadata file from each node in the cluster, both CUCM and IM&P nodes. If selected, Per node will also require one enterprise application for each node in Azure.
We will select Cluster wide and Use system generated self-signed certificate for this example. If you select Use Tomcat Certificate, keep in mind the expiration of this certificate. When it expires, metadata will have to be exported again.
Click on Export All Metadata and wait for it to be processed and downloaded.
For Unity Connection:
From Unity Connection Administration go to System Settings > SAML Single Sign On.
For the SSO mode, the options are Cluster wide or Per node. Cluster wide will provide one metadata file and be easier to manage. Per node will provide a metadata file from each node in the cluster. If selected, Per node will also require one enterprise application for each node in Azure.
We will select Cluster wide and Use system generated self-signed certificate for this example. If you select Use Tomcat Certificate, keep in mind the expiration of this certificate. When it expires, metadata will have to be exported again.
Click on Export All Metadata and wait for it to be processed and downloaded.
For Expressway C:
From Expressway C web interface, go to Configuration > Unified Communications > Configuration.
For Authentication path, select SAML SSO authentication or SAML SSO and UCM/LDAP. We will be selecting SAML SSO and UCM/LDAP.
For Authorize by OAuth token, select ON.
For Authorize by user credential, select ON.
For SAML Metadata, select Cluster.
Save the config.
Click on the Export SAML data link.
Regenerate certificate if needed and then download the SAML data.
2 Create a certificate to be used in Azure
There are several ways to accomplish the certificate creation, so it will not be covered here.
This certificate does not need to be publicly signed. It must be in PFX format and password protected. It can be created with openssl, an internal CA, or other methods.
This certificate will be uploaded to Azure for each enterprise application created and will be included in the IdP metadata export.
It does not need to be installed on any of the Cisco applications. It will not be uploaded to the enterprise app that will be created for the Expressway C.
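One way to produce such a file with openssl, as an added example that is not part of the original post. The function names, file names, subject CN and validity period are assumptions, and the PFX password is taken from an exported PFX_PASS variable so it never appears on the command line.

```shell
# Added example, not from the original post. File names, subject CN and
# validity period are assumptions; the PFX password is read from PFX_PASS.

make_saml_pfx() (
  # $1 = output basename, $2 = certificate CN, $3 = validity in days
  base=$1; cn=$2; days=$3
  [ -n "${PFX_PASS:-}" ] || { echo "export PFX_PASS first" >&2; exit 1; }
  umask 077   # files created here are readable by the current user only
  # Self-signed RSA-2048 certificate; it does not need to be publicly signed.
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
    -subj "/CN=$cn" -keyout "$base.key" -out "$base.crt" 2>/dev/null || exit 1
  # Bundle key and certificate into a password-protected PFX (PKCS#12).
  openssl pkcs12 -export -inkey "$base.key" -in "$base.crt" -name "$cn" \
    -passout env:PFX_PASS -out "$base.pfx" || exit 1
  # The PFX now holds the key; do not leave the unencrypted copy behind.
  rm -f "$base.key"
)

pfx_cert_info() {
  # $1 = PFX file. Prints subject and expiry; fails if the password is wrong.
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null |
    openssl x509 -noout -subject -enddate 2>/dev/null
}
```

Record the notAfter date printed by pfx_cert_info: when this certificate expires, a new one has to be imported in Azure and the Federation Metadata XML re-imported on the UC applications.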
3 Create Enterprise Applications in Azure – Starting Point
Note – The screenshots below may be different as Azure makes changes to their environment.
In the Azure portal, navigate to Enterprise applications. Select New application.
Click on Create your own application. Name your app something that makes sense for each application. Example – Cisco_CUCM_IMP_SSO. Select non-gallery app.
Click Create.
Click “Get started” under Set up single sign on.
Then select SAML for your SSO method.
Click on Upload metadata file. Select the metadata file that was exported from CUCM, Unity, or Expressway depending on which app you are creating.
Save the Basic SAML Configuration. This will auto populate data under Basic SAML Configuration.
Next we will edit the Attributes and Claims.
For Required Claim we need to edit it to look like this and save:
Delete all entries under Additional Claims. Then click on Add new claim.
For the Name field enter uid. Leave the Namespace field as it is.
From Source Attribute drop down, select user.onpremisessamaccountname. Click save.
This Source Attribute must match what is already configured in the LDAP Directory integration in CUCM and Unity.
Note – The LDAP integration must be with an on-premise LDAP server.
When completed, it should look like this:
Next we will need to edit the SAML Certificates section.
There will already be a certificate present and active. However, we will import the PFX file created earlier and enter the password.
Note – The PFX file does not need to be imported for the Expressway C app.
It will show as Inactive.
We will make it Active and then delete the original certificate which should now show as “inactive”.
The PFX cert should be the only one in the list now and active.
Now download the Federation Metadata XML. This will be uploaded to CUCM, Unity, or Expressway C later.
From left hand navigation, select Properties. Only change “Visible to Users” to No.
From left hand navigation, select Users and Groups. Here you can assign individual users or groups depending on what works best for your environment.
The Enterprise App has now been created and configured for CUCM and IM&P. This process will need to be completed again for Unity and Expressway C.
Please go back to “Create Enterprise Applications in Azure – Starting Point” to create Enterprise apps for Unity and Expressway C.
Unity will follow the same steps as CUCM. Expressway C does have a few additional steps which will be outlined next.
Expressway C Differences in Enterprise App creation in Azure:
The PFX file does not need to be imported when editing the SAML Signing Certificate. However, we do need to make a change under SAML Signing Certificate.
The signing option needs to be changed to Sign SAML response and assertion. No other changes are needed. Since the PFX file was not imported for Expressway, make sure to download the Federation Metadata XML specific to the Expressway app.
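For the CUCM/IM&P and Unity apps, where the PFX was imported, a quick check before uploading is that the downloaded Federation Metadata XML actually carries the PFX certificate and not the one Azure generated originally. This is an added example, not part of the original post; the function names are assumptions and the PFX password is read from an exported PFX_PASS variable.

```shell
# Added example, not from the original post. Function names are assumptions.

cert_fp() {
  # Reads one PEM certificate on stdin, prints its SHA-256 fingerprint as hex.
  openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//' | tr -d ':'
}

pfx_fingerprint() {
  # $1 = PFX file; password comes from the exported PFX_PASS variable.
  openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS 2>/dev/null | cert_fp
}

metadata_fingerprints() {
  # $1 = Federation Metadata XML. The file can hold several X509Certificate
  # elements, so print the fingerprint of every distinct one.
  tr -d '\r\n' < "$1" |
    grep -oE '<([A-Za-z0-9]+:)?X509Certificate>[^<]+' |
    sed 's/^[^>]*>//' | tr -d ' \t' | sort -u |
    while read -r b64; do
      # Re-wrap the bare base64 as PEM so openssl can parse it.
      { echo '-----BEGIN CERTIFICATE-----'
        printf '%s\n' "$b64" | fold -w 64
        echo '-----END CERTIFICATE-----'; } | cert_fp
    done
}

metadata_matches_pfx() {
  # $1 = metadata XML, $2 = PFX. Returns 0 if the PFX certificate is present,
  # 1 if it is not, 2 if the PFX could not be read.
  want=$(pfx_fingerprint "$2")
  [ -n "$want" ] || return 2
  metadata_fingerprints "$1" | grep -qx "$want"
}
```

A return code of 1 usually means the metadata was downloaded before the PFX certificate was made active, so download it again.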
4 Enable SSO on each UC application
For CUCM and IM&P:
From CUCM Administration go to System > SAML Single Sign On.
Click on Enable SAML SSO and follow the prompts.
Choose the Federation Metadata XML that was downloaded from Azure and click on Import IdP Metadata. When the import succeeds, click Next.
You should not need to export metadata again. Click Next. On the Test SSO page, select a user to test with.
This user must have administrator rights and also exist in the IdP (assigned to the app).
Note – Disable pop up blockers
Click on Run SSO Test…
It will clear previous test results and launch a new window. Log in to Azure with your test user credentials.
If MFA is set up, approve it.
You should see an SSO Test Succeeded! message.
This test was only for the publisher. Click Finish and it will enable SSO and restart several services.
Tomcat is restarted on all servers in the cluster, so there will be no web access while it restarts.
This restart may take about 15-20 minutes and you may see a 503 service unavailable error.
This is expected behavior.
When all the services have restarted, SSO will now be enabled. The web access page will now look a little different.
Notice there are recovery URLs as well. Test SSO on each server either by going directly to the respective web interface or by going back to System > SAML Single Sign On and clicking on Run SSO Test for each node.
The process to enable SSO on Unity Connection will be the same as CUCM, so return to this step “4 Enable SSO on each UC application.”
Enabling SSO on the Expressway C is different and will be outlined below.
From Expressway C web interface, go to Configuration > Unified Communications > Configuration.
Click on Configure identity providers (IdP).
Click on Import new IdP from SAML.
Choose the Federation Metadata XML file that was downloaded from Azure and click on Upload.
After upload, click on Associate domains.
Check the box to Associate with this IdP. Click Save.
Digest defaults to SHA-256 and should not need to be changed. Congratulations! SSO is now enabled for all Cisco UC apps.
Test MRA logins for Jabber and desk phones. If you have any questions on how to do this, please leave a comment and we’d be happy to assist.