-
Cisco Unified Communications Manager Features and Services Guide, Release 9.1(1)
-
Preface
-
Barge and privacy
-
BLF Presence
-
Call Back
-
Call Control Discovery
-
Call Display restrictions
-
Call Park and Directed Call Park
-
Call Pickup
-
Call Queuing
-
Call Throttling and the code yellow state
-
Calling Party Normalization
-
Cisco Unified Communications Manager Assistant with proxy line support
-
Cisco Unified Communications Manager Assistant with shared line support
-
Cisco Unified Communications Manager Auto-Attendant
-
Cisco Unified Mobility
-
Cisco Unified Mobility Advantage and Cisco Unified Mobile Communicator integration
-
Client matter codes and forced authorization codes
-
Custom phone rings
-
Device Mobility
-
Do Not Disturb
-
Enhanced Location Call Admission Control
-
Extend and Connect
-
Extension Mobility
-
Extension Mobility Cross cluster
-
External Call Control
-
External Call Transfer Restrictions
-
Geolocations and Location Conveyance
-
Hold Reversion
-
Hotline
-
IM and Presence
-
Immediate Divert
-
Intercluster Lookup Service
-
Intercom
-
Internet Protocol Version 6 (IPv6)
-
Licensing
-
Local route groups
-
Logical Partitioning
-
Malicious Call Identification
-
Mobile VoiP clients
-
Monitoring and Recording
-
Multilevel Precedence and Preemption
-
Music On Hold
-
Originally called party name in Placed Call History
-
Proxy TFTP server
-
Quality Report Tool
-
Remote worker emergency calling
-
Single Sign On
-
Web Dialer
-
Index
-
Feedback
Contents
- Single Sign On
- Configure Single Sign On
- Single Sign On for CUCM feature
- System requirements for Single Sign On
- Install and activate Single Sign On
- Configure Single Sign On
- Configure OpenAM
- Import the OpenAM certificate into CUCM
- Configure windows Single Sign On with Active Directory and OpenAM
- Configure client browsers for Single Sign On
- Configure Internet Explorer for Single Sign On
- Configure FireFox for Single Sign On
- Configure the SSO application
- CLI Commands for Single Sign On
- utils sso enable
- utils sso disable
- utils sso status
Single Sign On
This chapter provides information about the single sign on feature which allows end users to log into a Windows client machine on a Windows domain, then use certain Cisco Unified Communications Manager applications without signing on again.
For more information about the single sign on feature, refer to the Cisco white paper A complete guide for installation, configuration and integration of CUCM8.5 with Open Access Manager and Active Directory for SSO.
- Configure Single Sign On
- Single Sign On for CUCM feature
- System requirements for Single Sign On
- Install and activate Single Sign On
- Configure Single Sign On
Configure Single Sign On
ProcedureThe single sign on feature allows end users to log into a Windows client machine, then use certain Cisco Unified Communications Manager applications without signing on again.
Perform the following steps to configure single sign on in your network.
For information about configuring single sign on with Cisco Unified Communication interface for Microsoft Office Communicator, refer to the Cisco Unified Communication interface for Microsoft Office Communicator documentation.
Related References
Single Sign On for CUCM feature
System requirements for Single Sign On
The following single sign on system requirements exist for Cisco Unified Communications Manager:
The feature requires the following third-party applications:
- Microsoft Windows Server 2003 or Microsoft Windows Server 2008
- Microsoft Active Directory
- ForgeRock Open Access Manager (OpenAM) version 9.0
The single sign on feature uses Active Directory and OpenAM in combination to provide single sign on access to client applications.
These third party products must meet the following configuration requirements:
- Active Directory must be deployed in a Windows domain-based network configuration, not just as an LDAP server.
- The OpenAM server must be accessible on the network to all client systems and the Active Directory server.
- The Active Directory (Domain Controller) server, Windows clients, Cisco Unified Communications Manager, and OpenAM must be in the same domain.
- DNS must be enabled in the domain.
- No third-party products may be installed on the Cisco Unified Communications Manager server.
- The clocks of all the entities participating in SSO must be synchronized
See the third-party product documentation for more information about those products.
Install and activate Single Sign On
After you install Cisco Unified Communications Manager 8.6(1), your network can support single sign on if you perform the necessary configuration tasks. For information on configuration tasks that you must perform, see the Configure Single Sign On.
Configure Single Sign On
This section provides information to configure single sign on.
Tip
Before you configure single sign on, review the configuration summary task for this feature.
- Configure OpenAM
- Import the OpenAM certificate into CUCM
- Configure windows Single Sign On with Active Directory and OpenAM
- Configure client browsers for Single Sign On
- Configure the SSO application
- CLI Commands for Single Sign On
Related Tasks
Import the OpenAM certificate into CUCM
Because communication between Cisco Unified Communications Manager and OpenAM is secure, you must obtain the OpenAM security certificate and import it into the Cisco Unified Communications Manager tomcat-trust store. Configure the OpenAM certificate to be valid for five years.
For information about importing certificates, see the Cisco Unified Communications Operating System Administration Guide.
Configure windows Single Sign On with Active Directory and OpenAM
ProcedureThis section describes how to configure Windows single sign on with Active Directory and OpenAM. This procedure allows Cisco Unified Communications Manager to authenticate with Active Directory.
Step 1 In Active Directory, create a new user with the OpenAM Enterprise host name (without the domain name) as the User ID (login name). Step 2 Create keytab files on the Active Directory server. Step 3 Export the keytab files to the OpenAM system. Step 4 In OpenAM, create a new authentication module instance with the following configuration:
- The type is Windows Desktop SSO.
- The realm attributes are determined as follows:
- Service Principal: Enter the principal name that you used to create the keytab file.
- Keytab File Name: Enter the path where you imported the keytab file.
- Kerberos Realm: Enter the domain name.
- Kerberos Server Name: Enter the FQDN of the Active Directory server.
- Authentication level: Enter 22.
Configure client browsers for Single Sign On
This section describes how to configure client browsers to use single sign on. To use single sign on for a browser-based client application, you must configure the web browser.
Configure Internet Explorer for Single Sign On
The single sign on feature supports Windows clients running Internet Explorer version 6.0 and higher. Do the following tasks to configure Internet Explorer to use single sign on:
Configure the SSO application
ProcedureThis application is split into three components:
A warning message displays indicating that the change in SSO settings causes Tomcat restart.
The following error messages may display when enabling the SSO application:
- Invalid Open Access Manger (Open AM) server URL - This error message displays when you give and invalid OpenAM server URL.
- Invalid profile credentials - This error message displays when you give a wrong profile name or wrong profile password or both.
- Security trust error - This error message displays when the OpenAM certificate has not been imported.
If you get any of the above error messages while enabling SSO, then the status changes to the above errors.
You can select or deselect the application for enabling or disabling SSO for a specific application.
The following applications are available:
- Cisco Unified CM Administration - Enables SSO for Cisco Unified CM Administration, Cisco Unified Serviceability, and Cisco Unified Reporting
- Cisco Unified CM User Options - Enables SSO for Cisco Unified CM User Options
- Cisco Unified Operating System Administration - Enables SSO for Cisco Unified Operating System Administration and Disaster Recovery System
- Cisco Unified Data Service - Enables SSO for Cisco UC Integration for Microsoft Office Communicator
- RTMT - Enables the web application for Real-Time Monitoring Tool
The server settings are editable only when SSO is disabled for all applications.
Step 1 Enter the following URL of the Open Access Manager (OpenAM) server: http://opensso.sample.com:443/opensso
Step 2 Enter the relative path where the policy agent should be deployed. The relative path must be alphanumeric. Step 3 Enter the name of the profile that is configured for this policy agent. Step 4 Enter the password of the profile name. Step 5 Enter the login Module instance name that is configured for Windows Desktop SSO. Step 6 Click Save. Step 7 Click OK on the confirmation dialog box to restart Tomcat.
CLI Commands for Single Sign On
utils sso enable
The utils sso enable command allows you to enable and configure SSO-based authentication, disable SSO, or display the status and configuration parameters of SSO-based authentication.
Caution
When you enable or disable single sign on the Cisco Unified Communications Manager web server (Tomcat) restarts.
Parameters
- enable —Enables SSO-based authentication. This command starts a single sign on configuration wizard. The table below provides the information on the prompts that you get when you enable SSO.
Parameter
Description
Enables Unified CM Administration web applications such as Cisco Unified Administration, Cisco Unified Serviceability, Cisco Unified Reporting.
Enables Cisco Unified Communications Manager User Options pages.
Enables Cisco Unified Operating System Administration for Cisco Unified CM OS Administration, Disaster Recovery System.
Enables Cisco Unified Data Service web applications for Cisco UC Integration for Microsoft Office Communicator.
Enables Cisco Unified Real-Time Monitoring Tool.
The CLI prompts your response to enable SSO for each of the web applications mentioned. For each web application enter the value yes or no to enable or disable SSO.
Server URL
The URL that you configured for the Open SSO server. You must include the following deployment URI as shown: http://opensso.sample.com:443/opensso
Agent URL
The relative path on the Cisco Unified Communications Manager where the policy agent gets deployed. For example: http://agent1.sample.com:1234/agentapp
Profile Name
The name of the profile that you created for this policy agent in Open SSO.
Password
The password of the profile.
Login Module Name
The name of the login module instance for Windows Desktop SSO that you configured in Open SSO.
Example
admin:utils sso enable ***** W A R N I N G ***** This command will restart Tomcat for successful completion. This command needs to be executed on all the nodes in the cluster. Do you want to continue (yes/no) yes List of apps for which SSO can be enabled 1) Cisco Unified Administration (Cisco Unified Administration, Cisco Unified Serviceability, Cisco Unified Reporting) 2) Cisco Unified User Options 3) Cisco Unified Operating System Administration (Cisco Unified OS Administration, Disaster Recovery System) 4) Cisco Unified Data Service (CUCiMOC) 5) RTMT Do you want to enable SSO for Cisco Unified Administration (Cisco Unified Administration, Cisco Unified Serviceability, Cisco Unified Reporting) (yes/no): n Do you want to enable SSO for Cisco Unified User Options (yes/no): y Do you want to enable SSO for Cisco Unified Operating System Administration (Cisco Unified OS Administration, Disaster Recovery System) (yes/no): n Do you want to enable SSO for Cisco Unified Data Service (CUCiMOC) (yes/no): y Do you want to enable SSO for RTMT (yes/no): n Enter URL of the Open Access Manager (OpenAM) server: https://blr-opensso.vrajoli.com:8443/opensso Enter the relative path where the policy agent should be deployed: agentapp Enter the name of the profile configured for this policy agent: CUCMPA220 Enter the password of the profile name: ******* Enter the login module instance name configured for Windows Desktop SSO: Universal_SSO Validating connectivity and profile with Open Access Manager (OpenAM) Server: https://blr-opensso.vrajoli.com:8443/opensso Valid profile Enabling SSO ... This will take up to 5 minutes SSO Enable Success Please make sure to execute this command on all the nodes in the cluster.utils sso disable
This command disables SSO based authentication. This command lists the web applications for which SSO is enabled. Enter Yes when prompted to disable single sign on for the specified application.
Usage Guidelines
Caution
Disabling single sign on restarts the Cisco Unified Communications Manager web server (Tomcat).
Noteif OpenAM is not accessible, then Tomcat takes more time to appear. This is due to a Servm limitation. In this scenario, the approximate time for Tomcat to appear is 10 minutes.
