Table Of Contents
Single Sign On
Configuration Checklist for Single Sign On
Introducing Single Sign On for Cisco Unified Communications Manager
System Requirements for Single Sign On
Installing and Activating Single Sign On
Configuring Single Sign On
Configuring OpenAM
Importing the OpenAM Certificate into Cisco Unified Communications Manager
Configuring Windows Single Sign On with Active Directory and OpenAM
Configuring Client Browsers for Single Sign On
Configuring Internet Explorer for Single Sign On
Configuring Firefox for Single Sign On
Running CLI Commands for Single Sign On
utils sso enable
utils sso disable
utils sso status
Related Topics
Single Sign On
The single sign on feature allows end users to log into a Windows client machine on a Windows domain, then use certain Cisco Unified Communications Manager applications without signing on again.
For more information about the single sign on feature, refer to the Cisco white paper A complete guide for installation, configuration and integration of CUCM8.5 with Open Access Manager and Active Directory for SSO.
This chapter, which provides information on the single sign on feature for Cisco Unified Communications Manager, contains the following topics:
• Configuration Checklist for Single Sign On
• Introducing Single Sign On for Cisco Unified Communications Manager
• System Requirements for Single Sign On
• Installing and Activating Single Sign On
• Configuring Single Sign On
• Related Topics
Configuration Checklist for Single Sign On
The single sign on feature allows end users to log into a Windows client machine, then use certain Cisco Unified Communications Manager applications without signing on again.
Table 39-1 provides a checklist for configuring single sign on in your network. Use Table 39-1 in conjunction with the "Related Topics" section.
For information about configuring single sign on with Cisco Unified Communication interface for Microsoft Office Communicator, refer to the Cisco Unified Communication interface for Microsoft Office Communicator documentation.
Introducing Single Sign On for Cisco Unified Communications Manager
The single sign on feature allows end users to log into Windows, then use the following Cisco Unified Communications Manager applications without signing on again:
• User Options Pages
• Cisco Unified Communication interface for Microsoft Office Communicator
System Requirements for Single Sign On
The following single sign on system requirements exist for Cisco Unified Communications Manager:
• Cisco Unified Communications Manager release 8.5(1) on each server in the cluster
The feature requires the following third-party applications:
• Microsoft Windows Server 2003 or Microsoft Windows Server 2008
• Microsoft Active Directory
• ForgeRock Open Access Manager (OpenAM) version 9.0
The single sign on feature uses Active Directory and OpenAM in combination to provide single sign on access to client applications.
These third-party products must meet the following configuration requirements:
• Active Directory must be deployed in a Windows domain-based network configuration, not just as an LDAP server.
• The OpenAM server must be accessible on the network to all client systems and the Active Directory server.
• The Active Directory (Domain Controller) server, Windows clients, Cisco Unified Communications Manager, and OpenAM must be in the same domain.
• DNS must be enabled in the domain.
• No third-party products may be installed on the Cisco Unified Communications Manager server.
• The clocks of all the entities participating in SSO must be synchronized.
See the third-party product documentation for more information about those products.
Installing and Activating Single Sign On
After you install Cisco Unified Communications Manager 8.5(1), your network can support single sign on if you perform the necessary configuration tasks. For information on configuration tasks that you must perform, see the "Configuration Checklist for Single Sign On" section.
Configuring Single Sign On
This section contains information on the following topics:
• Configuring OpenAM
• Configuring Windows Single Sign On with Active Directory and OpenAM
• Configuring Client Browsers for Single Sign On
• Running CLI Commands for Single Sign On
Tip
Before you configure single sign on, review the "Configuration Checklist for Single Sign On" section.
Configuring OpenAM
Perform the following tasks using OpenAM:
• Configure policies in OpenAM for the following:
  – CUCM User and UDS web application
  – Query Parameters
• Configure a J2EE Agent Profile for Policy Agent 3.0.
• Configure a Windows Desktop SSO login module instance.
• Configure "Login Form URI" and "OpenAM Login URL" for the PA.
• Disable local user profiles.
Importing the OpenAM Certificate into Cisco Unified Communications Manager
Because communication between Cisco Unified Communications Manager and OpenAM is secure, you must obtain the OpenAM security certificate and import it into the Cisco Unified Communications Manager tomcat-trust store. Configure the OpenAM certificate to be valid for 5 years.
For information about importing certificates, see the Cisco Unified Communications Operating System Administration Guide.
Configuring Windows Single Sign On with Active Directory and OpenAM
This section describes how to configure Windows single sign on with Active Directory and OpenAM. This procedure allows Cisco Unified Communications Manager to authenticate with Active Directory.
Procedure
Step 1 In Active Directory, create a new user with the OpenAM Enterprise host name (without the domain name) as the User ID (login name).
Step 2 Create keytab files on the Active Directory server.
Step 3 Export the keytab files to the OpenAM system.
Step 4 In OpenAM, create a new authentication module instance with the following configuration:
• The type is Windows Desktop SSO.
• The realm attributes are determined as follows:
  – Service Principal: Enter the principal name that you used to create the keytab file.
  – Keytab File Name: Enter the path where you imported the keytab file.
  – Kerberos Realm: Enter the domain name.
  – Kerberos Server Name: Enter the FQDN of the Active Directory server.
  – Authentication level: Enter 22.
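The Windows Desktop SSO module only works when the principal and realm recorded in the exported keytab are exactly what is typed into the Service Principal and Kerberos Realm fields above. The following Python script is an added example (not Cisco or ForgeRock code) that decodes an MIT-format keytab and checks it against the module settings before the file is copied to the OpenAM system. It assumes the keytab was created for a service principal of the form HTTP/<openam-host>@<REALM>, which is the usual choice for a web SSO server but is not stated on this page; the host name in the sample is the one from the wizard example later in this chapter, and the sample keytab bytes are constructed by the script itself rather than taken from a domain controller.

```python
"""Inspect a Kerberos keytab before it is configured in OpenAM's Windows Desktop SSO
module.  Added example, not Cisco or ForgeRock code.  The expected principal form
HTTP/<openam-host>@<REALM> is an assumption about how the keytab was created."""
import struct

KEYTAB_MAGIC = b"\x05\x02"          # MIT keytab file format version 2
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
WEAK_ENCTYPES = {1, 3}               # single-DES key types


def _counted(b: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(principal: str, enctype: int, key: bytes, kvno: int, timestamp: int = 0) -> bytes:
    """Construct a single-entry keytab.  Only used to fabricate sample input here;
    a real keytab for OpenAM comes from ktpass.exe on the domain controller."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name_type=KRB5_NT_PRINCIPAL, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _counted(key)
    return KEYTAB_MAGIC + struct.pack(">i", len(body)) + body


def _read_counted(data: bytes, pos: int):
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length].decode("utf-8"), pos + length


def parse_keytab(data: bytes) -> list:
    """Decode every entry of an MIT-format keytab into a dict (keys are skipped, not kept)."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                        # negative size marks a deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        components = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            components.append(comp)
        name_type, timestamp, kvno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, key_len = struct.unpack_from(">HH", data, pos)
        pos += 4 + key_len                  # the key itself is never needed for this check
        if end - pos >= 4:                  # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or kvno
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm, "realm": realm,
                        "components": components, "name_type": name_type,
                        "timestamp": timestamp, "kvno": kvno, "enctype": enctype})
    return entries


def check_keytab(data: bytes, openam_host: str, kerberos_realm: str) -> list:
    """Return a list of problems; an empty list means the keytab matches the module settings."""
    expected = "HTTP/%s@%s" % (openam_host.lower(), kerberos_realm.upper())
    entries = parse_keytab(data)
    if not entries:
        return ["keytab contains no entries"]
    problems = []
    if expected not in {e["principal"] for e in entries}:
        problems.append("no entry for expected service principal %s" % expected)
    for e in entries:
        if e["realm"] != e["realm"].upper():
            problems.append("realm %r is not upper-case; Kerberos realms are case-sensitive" % e["realm"])
        if e["enctype"] in WEAK_ENCTYPES:
            problems.append("entry %s uses weak enctype %s"
                            % (e["principal"], ENCTYPE_NAMES.get(e["enctype"], e["enctype"])))
    return problems


if __name__ == "__main__":
    # Constructed sample: host name from this chapter's wizard example, realm assumed.
    sample = build_keytab("HTTP/ssoserver.cisco.com@CISCO.COM", 23, bytes(16), kvno=3)
    for entry in parse_keytab(sample):
        print(entry["principal"], "kvno", entry["kvno"], ENCTYPE_NAMES.get(entry["enctype"]))
    print("problems:", check_keytab(sample, "ssoserver.cisco.com", "cisco.com"))
```

Run it against the real exported file with `parse_keytab(open("openam.keytab", "rb").read())`; the principal string it prints is the value to enter in the Service Principal field, and the realm it prints is the value for Kerberos Realm. A keytab whose realm is lower-case or whose entry is for a different host name is the most common reason the module authenticates nothing.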
Configuring Client Browsers for Single Sign On
To use single sign on for a browser-based client application, you must configure the web browser.
The following sections describe how to configure client browsers to use single sign on:
• Configuring Internet Explorer for Single Sign On
• Configuring Firefox for Single Sign On
Configuring Internet Explorer for Single Sign On
The single sign on feature supports Windows clients running Internet Explorer version 6.0 and higher. Do the following tasks to configure Internet Explorer to use single sign on:
• Select the Integrated Windows Authentication option.
• Create a custom security level configured as follows:
  – Select the Automatic Logon Only in Intranet Zone option.
  – Select all of the options for sites.
  – Add OpenAM to the local zone, if it is not already added.
• Do the following tasks for Internet Explorer 8.0 running on Windows 7:
  – Disable Protected Mode.
  – Under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\, add the DWORD value SuppressExtendedProtection with the data 0x02.
Configuring Firefox for Single Sign On
The single sign on feature supports Windows clients running Firefox version 3.0 and higher.
To configure Firefox to use single sign on, enter the trusted domains and URLs that are permitted to engage in SPNEGO authentication with the browser into the network.negotiate-auth.trusted-uris preference.
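Because every host listed in network.negotiate-auth.trusted-uris receives the user's Kerberos service ticket automatically, the value should cover the OpenAM server and nothing broader. The following Python script is an added example (not Cisco or Mozilla code) that audits a preference value against the OpenAM URL: it confirms the OpenAM host is covered and flags entries that are too broad or that permit SPNEGO over plain HTTP. Its matching rules (an entry with a scheme must match that scheme, an entry beginning with "." is a domain suffix, any other entry must match the host exactly, and an entry with no host matches every host) are a simplified model of Firefox's behaviour and are an assumption of this example, not Mozilla's source; the OpenAM URL used is the one from the wizard example later in this chapter.

```python
"""Audit a Firefox network.negotiate-auth.trusted-uris value against the OpenAM URL.
Added example, not Cisco or Mozilla code.  The matching rules are a simplified model
of Firefox behaviour (scheme://host prefix, or '.domain' suffix) and are an assumption."""
from urllib.parse import urlsplit


def parse_trusted_uris(pref_value: str) -> list:
    """The preference is a comma- or whitespace-separated list of entries."""
    return [tok for tok in pref_value.replace(",", " ").split() if tok]


def _split_entry(entry: str):
    """Return (scheme or None, host) for one entry, dropping any port or path."""
    entry = entry.strip().lower()
    scheme = None
    if "://" in entry:
        scheme, _, entry = entry.partition("://")
    host = entry.split("/", 1)[0].split(":", 1)[0]
    return scheme, host


def entry_matches(entry: str, scheme: str, host: str) -> bool:
    """Simplified rule: a scheme in the entry must match; a host starting with '.'
    is a domain suffix; otherwise the host must match exactly; an entry with no
    host at all (for example 'https://') matches every host with that scheme."""
    e_scheme, e_host = _split_entry(entry)
    if e_scheme is not None and e_scheme != scheme.lower():
        return False
    if not e_host:
        return True
    if e_host.startswith("."):
        return host.lower().endswith(e_host)
    return host.lower() == e_host


def audit_trusted_uris(pref_value: str, openam_url: str) -> list:
    """Return a list of findings; an empty list means the value is both sufficient and tight."""
    url = urlsplit(openam_url)
    scheme, host = url.scheme.lower(), (url.hostname or "").lower()
    entries = parse_trusted_uris(pref_value)
    findings = []
    if not any(entry_matches(e, scheme, host) for e in entries):
        findings.append("OpenAM host %s is not trusted: the browser will fall back to the login form" % host)
    for e in entries:
        e_scheme, e_host = _split_entry(e)
        if not e_host or e_host == ".":
            findings.append("entry %r trusts every host: Kerberos tokens would be sent to any server" % e)
        elif e_host.startswith(".") and e_host.count(".") < 2:
            findings.append("entry %r is a whole top-level domain: far broader than the OpenAM server" % e)
        if e_scheme == "http":
            findings.append("entry %r allows SPNEGO over plain HTTP" % e)
    return findings


if __name__ == "__main__":
    # Constructed sample values; the URL is the one from the utils sso enable example.
    openam = "https://ssoserver.cisco.com:8443/opensso"
    for value in ("https://ssoserver.cisco.com", "https://, .com, http://ssoserver.cisco.com"):
        print(repr(value), "->", audit_trusted_uris(value, openam) or "OK")
```

The tightest value that still lets SSO work is the scheme plus the OpenAM host name, such as https://ssoserver.cisco.com; a domain suffix like .cisco.com also works but hands the ticket to every HTTPS server in that domain, which is worth a deliberate decision rather than an accident.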
Running CLI Commands for Single Sign On
The following sections describe the CLI commands that configure single sign on:
• utils sso enable
• utils sso disable
• utils sso status
utils sso enable
This command enables and configures single sign on.
Command Syntax
utils sso enable
Usage Guidelines
This command starts a single sign on configuration wizard. You are prompted for the information described in Table 39-2. Answer each prompt, then press Enter to continue.
Caution 
Enabling single sign on restarts the Cisco Unified Communications Manager web server (Tomcat).
You must run this command on all nodes in a cluster.
Table 39-2 Single Sign On Configuration Wizard Prompts
Information That the Prompt Requests | Description
URL of the Open Access Manager (OpenAM) server | The URL that you configured for the OpenAM server.
Relative path where the policy agent should be deployed | Enter the path on the Cisco Unified Communications Manager where the policy agent will get deployed. This path is relative to the "agentapp" directory. This path must match the path that you configured for the J2EE Agent Profile for Policy Agent 3.0.
Name of the profile configured for this policy agent | The name of the profile that you created for this policy agent in OpenAM.
Password of the profile | —
Login module instance name configured for Windows Desktop SSO | The name of the login module instance for Windows Desktop SSO that you configured in OpenAM.
Example
***** W A R N I N G *****
This command will restart Tomcat for successful completion.
This command needs to be executed on all the nodes in the cluster.
Do you want to continue (yes/no): yes
Enter URL of the Open Access Manager (OpenAM) server:
https://ssoserver.cisco.com:8443/opensso
Enter the relative path where the policy agent should be deployed: agentapp
Enter the name of the profile configured for this policy agent: CUCMUser
Enter the password of the profile name: ********
Enter the login module instance name configured for Windows Desktop SSO: CUCMUser
Validating connectivity and profile with AM Server:
https://ssoserver.cisco.com:8443/opensso
Enabling SSO ... This will take upto 5 minutes
Please make sure to execute this command on all the nodes in the cluster.
utils sso disable
This command disables single sign on.
Command Syntax
utils sso disable
Usage Guidelines
Caution 
Disabling single sign on restarts the Cisco Unified Communications Manager web server (Tomcat).
You must run this command on all nodes in a cluster.
utils sso status
This command displays the status and configuration parameters of single sign on.
Command Syntax
utils sso status
Related Topics
• Configuration Checklist for Single Sign On
• Introducing Single Sign On for Cisco Unified Communications Manager
• System Requirements for Single Sign On
• Installing and Activating Single Sign On
• Configuring Single Sign On