This chapter provides information about the single sign on feature which allows end users to log into a Windows client machine on a Windows domain, then use certain Cisco Unified Communications Manager applications without signing on again.
For more information about the single sign on feature, refer to the Cisco white paper A complete guide for installation, configuration and integration of CUCM8.5 with Open Access Manager and Active Directory for SSO.
single sign on
feature allows end users to log into a Windows client machine, then use certain
Cisco Unified Communications Manager applications without signing on again.
Perform the following steps to configure
single sign on
in your network.
For information about configuring
single sign on
Cisco Unified Communication interface for Microsoft Office Communicator, refer to the
Cisco Unified Communication interface for Microsoft Office Communicator documentation.
Ensure that your environment meets the requirements.
Provision the OpenAM server in Active Directory, then generate
If your Windows version does not include the ktpass tool for
generating keytab files, then you must obtain it separately.
Import the OpenAM server certificate into the
Cisco Unified Communications Manager tomcat-trust store.
You can not access any web applications if you do not import the
OpenAM server certificate while enabling SSO.
single sign on with Active Directory and OpenAM.
(For Cisco Unified Administration only) Verify that the user is
provisioned in the Active Directory.
(For Cisco Unified Administration only) Synchronize the user data
to the Cisco Unified Communications Manager database using the DirSync service.
(For Cisco Unified Administration only) Add the user to the CCM
Super Users group to enable access to Cisco Unified Administration.
Configure client browsers for
single sign on.
single sign on in
Cisco Unified Communications Manager.
Cisco Unified Communication interface for Microsoft Office Communicator
System requirements for Single Sign On
The following single sign on system requirements exist for Cisco Unified Communications Manager:
Cisco Unified Communications Manager release 8.5(1) on each server in the cluster
The feature requires the following third-party applications:
Microsoft Windows Server 2003 or Microsoft Windows Server 2008
Microsoft Active Directory
ForgeRock Open Access Manager (OpenAM) version 9.0
The single sign on feature uses Active Directory and OpenAM in combination to provide single sign on access to client applications.
These third party products must meet the following configuration requirements:
Active Directory must be deployed in a Windows domain-based network configuration, not just as an LDAP server.
The OpenAM server must be accessible on the network to all client systems and the Active Directory server.
The Active Directory (Domain Controller) server, Windows clients, Cisco Unified Communications Manager, and OpenAM must be in the same domain.
DNS must be enabled in the domain.
No third-party products may be installed on the Cisco Unified Communications Manager server.
The clocks of all the entities participating in SSO must be synchronized
See the third-party product documentation for more information about those products.
Install and activate Single Sign On
After you install
Cisco Unified Communications Manager 8.6(1), your network can support
single sign on
if you perform the necessary configuration tasks. For information on
configuration tasks that you must perform, see the
Configure Single Sign On.
Configure Single Sign On
This section provides information to configure single sign on.
Before you configure
single sign on, review the
configuration summary task for this feature.
Configure a J2EE Agent Profile for Policy Agent 3.0.
Configure a Windows Desktop SSO login module instance.
Configure "Login Form URI" and "OpenAM Login URL" for the PA.
Disable local user profiles.
Import the OpenAM certificate into CUCM
Because communication between Cisco Unified Communications Manager and OpenAM is secure, you must obtain the OpenAM security certificate and import it into the Cisco Unified Communications Manager tomcat-trust store. Configure the OpenAM certificate to be valid for five years.
For information about importing certificates, see the Cisco Unified Communications Operating System Administration Guide.
Configure windows Single Sign On with Active Directory and OpenAM
This section describes how to configure Windows
single sign on
with Active Directory and OpenAM. This procedure allows
Cisco Unified Communications Manager to authenticate with Active Directory.
In Active Directory, create a new user with the OpenAM Enterprise
host name (without the domain name) as the User ID (login name).
Create keytab files on the Active Directory server.
Export the keytab files to the OpenAM system.
In OpenAM, create a new authentication module instance with the
The type is Windows Desktop SSO.
The realm attributes are determined as follows:
Service Principal: Enter the principal name that you used to
create the keytab file.
Keytab File Name: Enter the path where you imported the keytab
Kerberos Realm: Enter the domain name.
Kerberos Server Name: Enter the FQDN of the Active Directory
Authentication level: Enter 22.
Configure client browsers for Single Sign On
This section describes how to configure client
browsers to use
single sign on. To use
single sign on
for a browser-based client application, you must configure the web browser.
The single sign on feature supports Windows clients running Internet Explorer version 6.0 and higher. Do the following tasks to configure Internet Explorer to use single sign on:
Select the Integrated Windows Authentication option.
Create a custom security level configured as follows:
Select the Automatic Logon Only in Intranet Zone option
Select all of the options for sites.
Add OpenAM to the local zone, if it not already added.
Do the following tasks for Internet Explorer 8.0 running on Windows 7:
Disable Protected Mode.
Under registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\, add DWORD value SuppressExtendedProtection - 0x02.
Configure FireFox for Single Sign On
The single sign on feature supports Windows clients running Firefox version 3.0 and higher.
To configure Firefox to use single sign on, enter the trusted domains and URLs that are permitted to engage in SPNEGO Authentication with the browser into the network.negotiate-auth.trusted-uris preference.
Configure the SSO application
To configure SSO, click
Cisco Unified OS
Administration > Security > Single Sign
This application is split into three components:
A warning message displays indicating that the change in SSO
settings causes Tomcat restart.
The following error messages may display when enabling the
Invalid Open Access Manger
(Open AM) server URL - This error message displays when you give and invalid
OpenAM server URL.
credentials - This error message displays when you give a wrong profile name or
wrong profile password or both.
Security trust error -
This error message displays when the OpenAM certificate has not been imported.
If you get any of the above error messages while enabling
SSO, then the status changes to the above errors.
You can select or deselect the application for enabling or
disabling SSO for a specific application.
The following applications are available:
Cisco Unified CM
Administration - Enables SSO for Cisco Unified CM Administration, Cisco Unified
Serviceability, and Cisco Unified Reporting
Cisco Unified CM User
Options - Enables SSO for Cisco Unified CM User Options
Cisco Unified Operating
System Administration - Enables SSO for Cisco Unified Operating System
Administration and Disaster Recovery System
Cisco Unified Data Service
- Enables SSO for Cisco UC Integration for Microsoft Office Communicator
RTMT - Enables the web
application for Real-Time Monitoring Tool
The server settings are editable only when SSO is disabled
for all applications.
Use the following procedure:
Enter the following URL of the Open Access Manager (OpenAM)
Enter the relative path where the policy agent should be deployed.
The relative path must be alphanumeric.
Enter the name of the profile that is configured for this policy
Enter the password of the profile name.
Enter the login Module instance name that is configured for
Windows Desktop SSO.
OK on the confirmation dialog box to restart
CLI Commands for Single Sign On
This section describes the CLI commands for
single sign on.
Cisco Unified Operating System Administration (Cisco
Unified OS Administration, Disaster Recovery System)
Cisco Unified Data Service (CUCiMOC)
Enables Unified CM Administration web applications such as
Cisco Unified Administration, Cisco Unified Serviceability, Cisco Unified
Enables Cisco Unified Communications Manager User Options
Enables Cisco Unified Operating System Administration for
Cisco Unified CM OS Administration, Disaster Recovery System.
Enables Cisco Unified Data Service web applications for
Cisco UC Integration for Microsoft Office Communicator.
Enables Cisco Unified Real-Time Monitoring Tool.
The CLI prompts your response to enable SSO for each of the
web applications mentioned. For each web application enter the value yes or no
to enable or disable SSO.
The URL that you configured for the Open SSO server. You
must include the following deployment URI as shown:
The relative path on the Cisco Unified Communications
Manager where the policy agent gets deployed. For example:
The name of the profile that you created for this policy
agent in Open SSO.
The password of the profile.
Login Module Name
The name of the login module instance for Windows Desktop
SSO that you configured in Open SSO.
admin:utils sso enable
***** W A R N I N G *****
This command will restart Tomcat for successful completion.
This command needs to be executed on all the nodes in the cluster.
Do you want to continue (yes/no)
List of apps for which SSO can be enabled
1) Cisco Unified Administration (Cisco Unified Administration, Cisco Unified Serviceability, Cisco Unified Reporting)
2) Cisco Unified User Options
3) Cisco Unified Operating System Administration (Cisco Unified OS Administration, Disaster Recovery System)
4) Cisco Unified Data Service (CUCiMOC)
Do you want to enable SSO for Cisco Unified Administration (Cisco Unified Administration, Cisco Unified Serviceability, Cisco Unified Reporting) (yes/no):
Do you want to enable SSO for Cisco Unified User Options (yes/no):
Do you want to enable SSO for Cisco Unified Operating System Administration (Cisco Unified OS Administration, Disaster Recovery System) (yes/no):
Do you want to enable SSO for Cisco Unified Data Service (CUCiMOC) (yes/no):
Do you want to enable SSO for RTMT (yes/no):
Enter URL of the Open Access Manager (OpenAM) server:
Enter the relative path where the policy agent should be deployed:
Enter the name of the profile configured for this policy agent:
Enter the password of the profile name:
Enter the login module instance name configured for Windows Desktop SSO:
Validating connectivity and profile with Open Access Manager (OpenAM) Server: https://blr-opensso.vrajoli.com:8443/opensso
Enabling SSO ... This will take up to 5 minutes
SSO Enable Success
Please make sure to execute this command on all the nodes in the cluster.
utils sso disable
This command disables SSO based authentication. This command
lists the web applications for which SSO is enabled. Enter Yes when prompted to
disable single sign on for the specified application.
utils sso disable
single sign on restarts the
Cisco Unified Communications Manager web server (Tomcat).
if OpenAM is not accessible, then Tomcat takes more time to appear. This is due to a Servm limitation. In this scenario, the approximate time for Tomcat to appear is 10 minutes.
You must run this command on all nodes in a cluster.
utils sso status
This command displays the status and configuration
single sign on.