Single Sign On (SSO) KB for CUCM, CUC, Jabber, CUIC, Finesse, and UCCX Admin.
AF-SSO is currently the Federation server leveraging ADFS to validate credentials against Active Directory using AD Service Account: servicesso / @ngel.F1re!
The Cisco IdP (the Identity Service hosted on UCCX) is the identity provider brokering authentication between UCCX and its Relying Party Trust on ADFS.
ADFS acts as the IdP for CUCM, CUC and Expressway
SAML SSO for CUCM, CUC and Expressway (Jabber) is configured on the corresponding admin page for each PUB/SUB pair.
Process:
1. You visit the URL for CUCM af-dc-nm-cucm-pub.inside.angelfireresort.com or any other admin/user URL for the Cisco cluster.
2. The Tomcat server redirects to AF-SSO with a SAML (Security Assertion Markup Language) authentication request; the browser satisfies it using Kerberos.
3. ADFS processes the request according to the Access Control Policy in place for that Relying Party Trust. MFA through Duo is enabled for every trust except UCCX; the Duo API resides on AF-SSO and integrates with ADFS, and the Duo authentication option is controlled through the ADFS MMC (see below).
4. A Kerberos token is created from the logged-on user's Windows credentials (NTLM if Kerberos is unavailable) and passed to the Cisco sign-in page.
5. The Cisco IdP (UCCX) / Cisco SP (CUCM, etc) logs the user in and the process is complete.
SSO Failure Recovery:
If AF-SSO becomes unavailable the SSO process will not be able to complete. In this case there are recovery URLs provided for each server:
CUCM Admin: https://af-dc-nm-cucm-pub.inside.angelfireresort.com/ssosp/local/login
CUCM OS Admin: https://af-dc-nm-cucm-pub/ssosp/local/login/platform
CUC OS Admin: https://af-dc-nm-cuc-pub.inside.angelfireresort.com/ssosp/local/login/platform
CUC: https://af-dc-nm-cuc-pub.inside.angelfireresort.com/ssosp/local/login
UCCX Admin: https://af-dc-nm-uccx-pub/appadmin/recovery_login.htm
UCCX Serviceability: https://af-dc-nm-uccx-pub/uccxservice/recovery_login.htm
UCCX Finesse: https://af-dc-nm-uccx-sub01.inside.angelfireresort.com:8445/cfadmin#
To access Disaster Recovery, go to the OS Admin bypass link above, log in as osadmin, select the Disaster Recovery site from the Navigation dropdown (upper right) and click Go.
In addition to these URLs, SSO can be disabled from the command line on each server: utils sso { enable | disable | status }
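The following PowerShell check is an added example, not part of the original KB. It probes each recovery URL listed above and reports whether the local login page answers directly instead of bouncing the browser to AF-SSO, which is the behaviour you need when the federation server is down. It assumes Windows PowerShell 5.1 on a domain workstation that trusts the cluster certificates; the URL list is copied from the KB and the function name is my own.

```powershell
# Added example (not from the original KB): verify that the SSO recovery URLs
# answer locally. A healthy recovery page returns 200; a 3xx pointing at af-sso
# means the bypass is not working for that server.
# Assumptions: Windows PowerShell 5.1 (Invoke-WebRequest throws a WebException
# on non-success and on redirects when -MaximumRedirection 0 is set).

$RecoveryUrls = @(
    "https://af-dc-nm-cucm-pub.inside.angelfireresort.com/ssosp/local/login",
    "https://af-dc-nm-cucm-pub/ssosp/local/login/platform",
    "https://af-dc-nm-cuc-pub.inside.angelfireresort.com/ssosp/local/login/platform",
    "https://af-dc-nm-cuc-pub.inside.angelfireresort.com/ssosp/local/login",
    "https://af-dc-nm-uccx-pub/appadmin/recovery_login.htm",
    "https://af-dc-nm-uccx-pub/uccxservice/recovery_login.htm",
    "https://af-dc-nm-uccx-sub01.inside.angelfireresort.com:8445/cfadmin"
)

function Test-SsoRecoveryUrl {
    param([string]$Url)
    try {
        # -MaximumRedirection 0 makes a redirect to AF-SSO surface as an error
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        return [pscustomobject]@{ Url = $Url; Status = $r.StatusCode; RedirectsTo = $null; Ok = $true }
    } catch {
        $resp = $_.Exception.Response
        $code = $null; $loc = $null
        if ($resp) {
            $code = [int]$resp.StatusCode
            $loc  = $resp.Headers["Location"]
        }
        # Anything that is not a direct 200 is a failed bypass: a 3xx to af-sso,
        # a 5xx from Tomcat, or no TCP/TLS connection at all.
        return [pscustomobject]@{ Url = $Url; Status = $code; RedirectsTo = $loc; Ok = $false }
    }
}

function Test-SsoRecoveryUrls {
    param([string[]]$Urls = $RecoveryUrls)
    foreach ($u in $Urls) { Test-SsoRecoveryUrl -Url $u }
}

# Usage: run during an AF-SSO outage drill; every row should show Ok = True.
Test-SsoRecoveryUrls | Format-Table -AutoSize
```

Any row that shows RedirectsTo containing af-sso means that server is still forcing federated login; use utils sso disable on that node as a last resort.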
Cisco IdP (For UCCX only)
https://af-dc-nm-uccx-pub.inside.angelfireresort.com:8553/idsadmin/
Login: osadmin / W3r3g00d
The Cisco IdP communicates with ADFS, so the two sides must be kept in sync: metadata collected from ADFS is imported into the IdP, and the IdP generates its own metadata file for the ADFS Relying Party Trust configuration. The IdP status page shows the current system operation; the main component is hosted on UCCX. If the IdP services go out of service for any reason, there is an automatic node repair function on the IdP home page.
ADFS on AF-SSO
There is an MMC console available from Server Manager, "AD FS Management." This console controls all aspects of user authentication. The most important components are: the Access Control Policies, which govern actions such as requiring MFA and Windows-based authentication; the Authentication Methods, which define whether logins are form-based (the fallback, older technology) or use Windows Authentication (the current setting, which provides the seamless login); and the Relying Party Trusts, which are the connections to each individual server and process the AD/NTLM verification and the claim rules for credential mapping. Right-clicking on any of these reveals all pertinent options. Note that sAMAccountName and User Principal Name are the attributes used to pass the credentials. MFA can be disabled for a server by changing the Access Control Policy of its Relying Party Trust to Permit Everyone.
Configuring ADFS using PowerShell:
In the event that a Relying Party Trust needs to be rebuilt, the following PowerShell commands must be executed on the ADFS server:
Set-ADFSProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0","Chrome")
Set-AdfsGlobalAuthenticationPolicy -WindowsIntegratedFallbackEnabled $false
setspn -s HTTP/<ADFS SERVER FQDN>.inside.angelfireresort.com servicesso
setspn -s HTTP/<ADFS SERVER> servicesso (Where servicesso is the AD Service account. Password: @ngel.F1re!)
Set-ADFSProperties -ExtendedProtectionTokenCheck None
Set-AdfsRelyingPartyTrust -TargetName <Relying Party Trust Name in ADFS MMC> -SamlResponseSignature "MessageAndAssertion" (Repeat for each Relying Party Trust)
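The script below is an added example, not part of the original KB, that reads back the settings the commands above apply and flags anything that has drifted, so the rebuild can be verified (or a broken SSO diagnosed) without re-running the Set- commands blind. It assumes an elevated PowerShell on the ADFS server with the ADFS module available; the ADFS FQDN and the Relying Party Trust names are placeholders to be replaced with the values shown in the ADFS MMC, and the AccessControlPolicyName check assumes ADFS 2016 or later, where that property exists.

```powershell
# Added example (not from the original KB): compare the live ADFS configuration
# against the settings the rebuild procedure above is supposed to leave in place.
# Assumptions: run elevated on AF-SSO; placeholders below replaced with real values.

$ExpectedAgents = @("MSAuthHost/1.0/In-Domain", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0",
                    "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC",
                    "Windows Rights Management Client", "Mozilla/5.0", "Chrome")
$ServiceAccount = "servicesso"                                         # AD service account from the KB
$AdfsFqdn       = "<ADFS SERVER FQDN>.inside.angelfireresort.com"      # placeholder, as in the setspn step
$TrustNames     = @("<CUCM trust name>", "<CUC trust name>", "<UCCX trust name>")  # placeholders

function Test-AdfsSsoConfig {
    $findings = @()

    # Global properties: WIA user agent list and extended protection setting
    $props   = Get-AdfsProperties
    $missing = $ExpectedAgents | Where-Object { $props.WIASupportedUserAgents -notcontains $_ }
    if ($missing) { $findings += "WIASupportedUserAgents missing: $($missing -join ', ')" }
    if ($props.ExtendedProtectionTokenCheck -ne "None") {
        $findings += "ExtendedProtectionTokenCheck is '$($props.ExtendedProtectionTokenCheck)', expected None"
    }

    # Forms fallback must stay off so browsers are forced through Windows Authentication
    $policy = Get-AdfsGlobalAuthenticationPolicy
    if ($policy.WindowsIntegratedFallbackEnabled) {
        $findings += "WindowsIntegratedFallbackEnabled is True, expected False"
    }

    # setspn -l lists the SPNs registered on the account; HTTP/<fqdn> must be among them,
    # otherwise Kerberos tickets for the ADFS site cannot be issued
    $spns = & setspn -l $ServiceAccount
    if (-not ($spns -match "HTTP/$([regex]::Escape($AdfsFqdn))")) {
        $findings += "SPN HTTP/$AdfsFqdn is not registered on $ServiceAccount"
    }

    # Per-trust settings: signature scope and whether MFA has been switched off
    foreach ($name in $TrustNames) {
        $rpt = Get-AdfsRelyingPartyTrust -Name $name
        if (-not $rpt) { $findings += "Relying Party Trust '$name' not found"; continue }
        if ($rpt.SamlResponseSignature -ne "MessageAndAssertion") {
            $findings += "'$name': SamlResponseSignature is $($rpt.SamlResponseSignature), expected MessageAndAssertion"
        }
        # Permit Everyone is the KB's way of disabling Duo MFA; report it so it is not left on by accident
        if ($rpt.AccessControlPolicyName -eq "Permit everyone") {
            $findings += "'$name': Access Control Policy is Permit Everyone (MFA disabled)"
        }
    }
    return $findings
}

$result = @(Test-AdfsSsoConfig)
if ($result.Count -eq 0) { Write-Output "ADFS SSO configuration matches the KB" }
else { $result | ForEach-Object { Write-Warning $_ } }
```

Run it after any rebuild and after Windows updates on AF-SSO; an empty findings list means the server still matches the procedure above.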
Configuration of Firefox / Chrome
For the SSO experience to be seamless, Firefox and Chrome must be configured as follows (Internet Explorer uses Windows Integrated Authentication by default):
Firefox:
Type about:config in the address bar, change the following settings:
network.automatic-ntlm-auth.allow-non-fqdn=true
network.automatic-ntlm-auth.trusted-uris=af-sso.inside.angelfireresort.com
network.negotiate-auth.allow-non-fqdn=true
network.negotiate-auth.delegation-uris=af-sso.inside.angelfireresort.com
network.negotiate-auth.trusted-uris=af-sso.inside.angelfireresort.com
Chrome:
Open Internet Options (Chrome uses the Windows zone settings) and add *.inside.angelfireresort.com and inside.angelfireresort.com to the Local Intranet sites list; also ensure Chrome is on the latest version.