Single Sign On (SSO) KB for CUCM, CUC, Jabber, CUIC, Finesse, and UCCX Admin.


AF-SSO is currently the federation server. It runs ADFS, which validates credentials against Active Directory using the AD service account servicesso / @ngel.F1re!


The Cisco IdP (hosted on UCCX) is the identity provider that brokers authentication between UCCX and its Relying Party Trust on ADFS.

ADFS acts as the IdP for CUCM, CUC and Expressway

SAML SSO for CUCM, CUC and Expressway (Jabber) is configured on the corresponding admin page of each PUB/SUB pair.


Process:

1. You visit the CUCM URL af-dc-nm-cucm-pub.inside.angelfireresort.com, or any other admin/user URL for a node in the Cisco cluster.

2. The Tomcat service on that node redirects the browser to AF-SSO with a SAML (Security Assertion Markup Language) authentication request, which AF-SSO handles using Kerberos.

3. ADFS processes the request according to the Access Control Policy in place for that Relying Party Trust. (MFA through Duo is enabled for every trust except UCCX; the Duo API resides on AF-SSO and integrates with ADFS. The Duo authentication option is controlled through the ADFS MMC, see below.)

4. A Kerberos token is created using the logged-on user's NTLM credentials and passed to the Cisco sign-in page.

5. The Cisco IdP (UCCX) or the Cisco SP (CUCM, etc.) logs the user in and the process is complete.


SSO Failure Recovery:

If AF-SSO becomes unavailable, the SSO process cannot complete. For this case there is a recovery URL for each server:


CUCM Admin: https://af-dc-nm-cucm-pub.inside.angelfireresort.com/ssosp/local/login

CUCM OS Admin: https://af-dc-nm-cucm-pub/ssosp/local/login/platform

CUC OS Admin: https://af-dc-nm-cuc-pub.inside.angelfireresort.com/ssosp/local/login/platform

CUC: https://af-dc-nm-cuc-pub.inside.angelfireresort.com/ssosp/local/login

UCCX Admin: https://af-dc-nm-uccx-pub/appadmin/recovery_login.htm

UCCX Serviceability: https://af-dc-nm-uccx-pub/uccxservice/recovery_login.htm

UCCX Finesse: https://af-dc-nm-uccx-sub01.inside.angelfireresort.com:8445/cfadmin#


To access Disaster Recovery, go to the OS Admin bypass link above, log in as osadmin, select Disaster Recovery from the dropdown list (upper right) and click Go.


In addition to these URLs, SSO can be disabled from the command line on each server: utils sso { enable | disable | status }


Cisco IdP (For UCCX only)


https://af-dc-nm-uccx-pub.inside.angelfireresort.com:8553/idsadmin/

Login: osadmin / W3r3g00d


The Cisco IdP communicates with ADFS, so the two must be kept in sync: metadata is exported from ADFS and imported into the IdP, and the IdP generates its own metadata file for the ADFS Relying Party Trust configuration. The status page shows the current system state; the main component is hosted on UCCX. If a component goes out of service for any reason, there is an automatic node repair function on the home page.
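An added check that is not part of the original KB: when the "out of sync" state appears, the most common cause is that the metadata copy imported on the Cisco side no longer carries the token-signing certificate ADFS actually signs with (for example after an ADFS certificate rollover). This PowerShell script, run on AF-SSO, parses the live ADFS federation metadata and a saved copy of the file that was last imported into the Cisco IdP/SP, and reports whether each one contains ADFS's current primary token-signing certificate. The ADFS FQDN and the path of the saved copy are assumed placeholders.

```powershell
# Added example, not part of the original KB. Checks that the ADFS federation metadata held on
# the Cisco side still carries the token-signing certificate ADFS currently uses, and that ADFS's
# live metadata agrees. Run on AF-SSO (Get-AdfsCertificate needs the ADFS module).
# Assumptions: the ADFS FQDN and the path of the saved metadata copy are placeholders.

Import-Module ADFS

$adfsFqdn     = 'af-sso.inside.angelfireresort.com'                                  # assumed FQDN of AF-SSO
$liveMetadata = "https://$adfsFqdn/FederationMetadata/2007-06/FederationMetadata.xml" # standard ADFS metadata path
$ciscoCopy    = 'C:\sso\FederationMetadata-imported-to-cisco.xml'                    # assumed: copy last imported on the Cisco side

# Parse an ADFS metadata document (URL or file) into its entityID and IdP signing certificates.
function Get-FederationMetadataInfo {
    param([Parameter(Mandatory)][string]$Source)

    $text = if ($Source -match '^https?://') {
        (Invoke-WebRequest -Uri $Source -UseBasicParsing).Content
    } else {
        Get-Content -Path $Source -Raw
    }
    [xml]$md = $text

    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Only the IdP-role signing keys matter here; encryption keys are listed separately.
    $xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $certs = foreach ($node in $md.SelectNodes($xpath, $ns)) {
        $der = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }

    [pscustomobject]@{
        Source   = $Source
        EntityId = $md.SelectSingleNode('/md:EntityDescriptor', $ns).GetAttribute('entityID')
        Certs    = @($certs)
    }
}

# The certificate ADFS signs assertions with right now.
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }

foreach ($source in @($liveMetadata, $ciscoCopy)) {
    $info = Get-FederationMetadataInfo -Source $source
    Write-Host "`n$($info.Source)"
    Write-Host "  entityID: $($info.EntityId)"
    foreach ($c in $info.Certs) {
        $tag = if ($c.Thumbprint -eq $primary.Thumbprint) { 'PRIMARY' } else { 'secondary/stale' }
        Write-Host ("  signing cert {0}  expires {1:yyyy-MM-dd}  {2}" -f $c.Thumbprint, $c.NotAfter, $tag)
        if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning "  $($c.Thumbprint) expires within 30 days"
        }
    }
    if (-not ($info.Certs.Thumbprint -contains $primary.Thumbprint)) {
        Write-Warning "  Primary token-signing cert $($primary.Thumbprint) is NOT in this metadata. Re-export from ADFS and re-import on the Cisco side."
    }
}
```

If the live metadata lists the primary certificate but the saved copy does not, the fix is the normal metadata re-exchange described above; if neither lists it, the ADFS side itself needs attention before anything is re-imported.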



ADFS on AF-SSO


There is an MMC console available from Server Manager, "ADFS Management." This console controls all aspects of user authentication. The most important components are:

Access Control Policies, which govern the actions taken, such as MFA and Windows-based authentication.

Authentication Methods, which define whether logins are forms-based (fallback, older technology) or Windows Authentication. Windows Authentication provides the seamless login and is the current setting.

Relying Party Trusts, which are the connections to each individual server. They process the AD/NTLM verification and the rules for credential mapping. Right-clicking a trust reveals all pertinent options. Note that the SAMAccountName and User Principal Name are used to pass the credentials.

MFA can be disabled by changing the Access Control Policy for a Relying Party Trust to Permit Everyone.


Configuring ADFS using PowerShell:


In the event that a Relying Party Trust needs to be rebuilt, the following PowerShell commands must be executed on the ADFS server:


Set-ADFSProperties -WIASupportedUserAgents @("MSAuthHost/1.0/In-Domain", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0", "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0","Chrome")


Set-AdfsGlobalAuthenticationPolicy -WindowsIntegratedFallbackEnabled $false


setspn -s HTTP/<ADFS SERVER FQDN>.inside.angelfireresort.com servicesso

setspn -s HTTP/<ADFS SERVER> servicesso (Where servicesso is the AD Service account. Password: @ngel.F1re!)


Set-ADFSProperties -ExtendedProtectionTokenCheck None


Set-AdfsRelyingPartyTrust -TargetName <Relying Party Trust Name in ADFS MMC> -SamlResponseSignature "MessageAndAssertion" (Repeat for each Relying Party Trust)
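The rebuild steps above, collected into one script with a read-back at the end, as an added example that is not part of the original KB. It runs in an elevated PowerShell on AF-SSO; the Relying Party Trust names, the ADFS short name and FQDN are placeholders to be replaced with the names shown in the ADFS MMC. The verification half re-reads every setting the commands touch and also lists which trusts are on the Permit Everyone policy, since that is how MFA gets switched off (expected only for UCCX). Note that ExtendedProtectionTokenCheck None disables Extended Protection for Authentication (channel-binding checks) on the ADFS endpoint; it is set because Firefox and Chrome do not supply channel-binding tokens for Windows Integrated Authentication, so the script reports the value rather than tightening it.

```powershell
# Added example, not part of the original KB. Re-applies the ADFS settings for the Cisco relying
# party trusts and then verifies them. Run elevated on the ADFS server (AF-SSO).
# Assumptions: $rptNames, $adfsFqdn and $adfsHost are placeholders; edit to match the ADFS MMC.

Import-Module ADFS

$adfsFqdn   = 'af-sso.inside.angelfireresort.com'   # assumed ADFS FQDN
$adfsHost   = 'af-sso'                              # assumed ADFS short name
$svcAccount = 'servicesso'                          # AD service account named in the KB
$rptNames   = @('<CUCM RPT name>', '<CUC RPT name>', '<Expressway RPT name>', '<UCCX RPT name>')  # placeholders

# 1. User agents allowed to use Windows Integrated Authentication (same list as the KB;
#    "Mozilla/5.0" and "Chrome" are what let Firefox and Chrome use Kerberos instead of forms).
$agents = @("MSAuthHost/1.0/In-Domain", "MSIE 6.0", "MSIE 7.0", "MSIE 8.0", "MSIE 9.0", "MSIE 10.0",
            "Trident/7.0", "MSIPC", "Windows Rights Management Client", "Mozilla/5.0", "Chrome")
Set-AdfsProperties -WIASupportedUserAgents $agents

# 2. Never fall back to forms authentication for those agents.
Set-AdfsGlobalAuthenticationPolicy -WindowsIntegratedFallbackEnabled $false

# 3. Kerberos SPNs on the service account (setspn -s refuses to create a duplicate SPN).
setspn -s "HTTP/$adfsFqdn" $svcAccount
setspn -s "HTTP/$adfsHost" $svcAccount

# 4. Extended Protection off, as required for the non-IE browsers above.
Set-AdfsProperties -ExtendedProtectionTokenCheck None

# 5. Sign both the SAML response and the assertion for each Cisco trust.
foreach ($name in $rptNames) {
    Set-AdfsRelyingPartyTrust -TargetName $name -SamlResponseSignature 'MessageAndAssertion'
}

# --- Verification: read everything back and flag anything that does not match ---
$props  = Get-AdfsProperties
$policy = Get-AdfsGlobalAuthenticationPolicy
$issues = @()

foreach ($ua in @('Mozilla/5.0', 'Chrome')) {
    if ($props.WIASupportedUserAgents -notcontains $ua) { $issues += "$ua missing from WIASupportedUserAgents" }
}
if ($policy.WindowsIntegratedFallbackEnabled)      { $issues += 'WindowsIntegratedFallbackEnabled is still $true' }
if ($props.ExtendedProtectionTokenCheck -ne 'None') { $issues += "ExtendedProtectionTokenCheck is $($props.ExtendedProtectionTokenCheck)" }

$registered = setspn -L $svcAccount
foreach ($spn in @("HTTP/$adfsFqdn", "HTTP/$adfsHost")) {
    if (-not ($registered -match [regex]::Escape($spn))) { $issues += "SPN $spn not registered on $svcAccount" }
}

foreach ($name in $rptNames) {
    $rpt = Get-AdfsRelyingPartyTrust -Name $name
    if ($null -eq $rpt) { $issues += "Relying Party Trust '$name' not found"; continue }
    if ($rpt.SamlResponseSignature -ne 'MessageAndAssertion') {
        $issues += "'$name' SamlResponseSignature is $($rpt.SamlResponseSignature)"
    }
    # Permit Everyone means no MFA; per the KB only UCCX should be configured that way.
    if ($rpt.AccessControlPolicyName -eq 'Permit everyone' -and $name -notmatch 'UCCX') {
        $issues += "'$name' is on Permit Everyone (MFA off)"
    }
    Write-Host ("{0,-40} signature={1,-20} policy={2}" -f $name, $rpt.SamlResponseSignature, $rpt.AccessControlPolicyName)
}

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { Write-Host 'ADFS configuration for the Cisco relying party trusts verified.' }
```

Run the verification half on its own (everything below the "Verification" comment) when a user reports a forms-based login prompt in Firefox or Chrome; a missing user agent, a missing SPN or WindowsIntegratedFallbackEnabled flipping back to $true are the usual findings.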


Configuration of Firefox / Chrome


For the SSO experience to be seamless, the following options must be configured in Firefox and Chrome (Internet Explorer uses Windows Integrated Authentication by default):


Firefox:


Type about:config in the address bar, change the following settings:

network.automatic-ntlm-auth.allow-non-fqdn=true

network.automatic-ntlm-auth.trusted-uris=af-sso.inside.angelfireresort.com

network.negotiate-auth.allow-non-fqdn=true

network.negotiate-auth.delegation-uris=af-sso.inside.angelfireresort.com

network.negotiate-auth.trusted-uris=af-sso.inside.angelfireresort.com


Chrome:


Open Internet Options and add *.inside.angelfireresort.com and inside.angelfireresort.com to the Local Intranet sites list, and make sure Chrome is on the latest version.
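The same Firefox and Chrome settings applied through enterprise policy, as an added example that is not part of the original KB, so they do not have to be typed into each browser by hand. Firefox reads the managed form of the about:config keys above from distribution\policies.json; for Chrome the AuthServerAllowlist policy replaces the Internet Options step, because Chrome on Windows only consults the Local Intranet zone when that policy is not set. The script runs as administrator on the workstation; the AF-SSO FQDN and the default Firefox install path are assumptions.

```powershell
# Added example, not part of the original KB. Applies the Firefox and Chrome settings from this
# section through enterprise policy. Run as administrator on the workstation.
# Assumptions: AF-SSO's FQDN and the default Firefox install location.

$ssoHost  = 'af-sso.inside.angelfireresort.com'   # assumed ADFS FQDN (matches the about:config values above)
$intranet = '*.inside.angelfireresort.com'        # the domain the KB adds to Local Intranet for Chrome

# --- Firefox: distribution\policies.json is the managed form of the about:config keys above ---
$firefoxPolicy = @{
    policies = @{
        Authentication = @{
            SPNEGO       = @($ssoHost)                          # network.negotiate-auth.trusted-uris
            Delegated    = @($ssoHost)                          # network.negotiate-auth.delegation-uris
            NTLM         = @($ssoHost)                          # network.automatic-ntlm-auth.trusted-uris
            AllowNonFQDN = @{ SPNEGO = $true; NTLM = $true }    # network.*.allow-non-fqdn=true
        }
    }
}
$firefoxDir  = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution'
$firefoxFile = Join-Path $firefoxDir 'policies.json'
New-Item -ItemType Directory -Path $firefoxDir -Force | Out-Null
$firefoxPolicy | ConvertTo-Json -Depth 5 | Set-Content -Path $firefoxFile -Encoding UTF8

# --- Chrome: AuthServerAllowlist decides which hosts receive Kerberos/NTLM; without it Chrome on
#     Windows falls back to the Internet Options Local Intranet zone described in the KB. ---
$chromeKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $chromeKey -Force | Out-Null
Set-ItemProperty -Path $chromeKey -Name 'AuthServerAllowlist'            -Value $intranet -Type String
Set-ItemProperty -Path $chromeKey -Name 'AuthNegotiateDelegateAllowlist' -Value $ssoHost  -Type String

# --- Read everything back so the workstation can be confirmed as configured ---
function Test-SsoBrowserPolicy {
    $ok = $true
    $ff = Get-Content -Path $firefoxFile -Raw | ConvertFrom-Json
    if ($ff.policies.Authentication.SPNEGO -notcontains $ssoHost) { Write-Warning 'Firefox SPNEGO list is missing AF-SSO'; $ok = $false }
    if ($ff.policies.Authentication.NTLM   -notcontains $ssoHost) { Write-Warning 'Firefox NTLM list is missing AF-SSO';   $ok = $false }
    $cr = Get-ItemProperty -Path $chromeKey
    if ($cr.AuthServerAllowlist -ne $intranet)            { Write-Warning 'Chrome AuthServerAllowlist is not set';            $ok = $false }
    if ($cr.AuthNegotiateDelegateAllowlist -ne $ssoHost)  { Write-Warning 'Chrome AuthNegotiateDelegateAllowlist is not set'; $ok = $false }
    return $ok
}
Test-SsoBrowserPolicy
```

After a restart of each browser, about:policies in Firefox and chrome://policy in Chrome show the applied values; the about:config keys listed above become locked to the policy values in Firefox.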