This document describes the configuration on the F5 BIG-IP Identity Provider (IdP) to enable Single Sign On (SSO).
Cisco IdS Deployment Models
||Co-resident with CUIC (Cisco Unified Intelligence Center) and LD (Live Data)
Co-resident with CUIC and LD for 2k deployments.
Standalone for 4k and 12k deployments.
Cisco recommends that you have knowledge of these topics:
- Cisco Unified Contact Center Express (UCCX) Release 11.6 or Cisco Unified Contact Center Enterprise Release 11.6 or Packaged Contact Center Enterprise (PCCE) Release 11.6 as applicable.
Note: This document references the configuration with respect to the Cisco Identitify Service (IdS) and the Identity Provider (IdP). The document references UCCX in the screenshots and examples, however the configuration is similar with respect to the Cisco Identitify Service (UCCX/UCCE/PCCE) and the IdP.
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Big-IP is a packaged solution that has multiple features. Access Policy Manager (APM) which co-relates to the Identity Provider service.
Big-IP as APM:
Two IPs in different subnets. One for the management IP
and one for the IdP virtual server
Download the virtual edition image from Big-IP website and deploy the OVA to create a Virtual Machine (VM) that is pre-installed. Obtain the license and install with the basic requirements.
Note: For installation information, refer to Big-IP Installation guide.
- Navigate to resource provisioning and enable Access Policy, set provisioning to Nominal
- Create a new VLAN under Network -> VLANs
- Create a new entry for the IP which is used for the IdP under Network -> Self IPs
- Create a profile under Access -> Profile/Policies -> Access profiles
- Add Active Directory (AD) details under Access -> Authentication -> Active Directory
- Create a new IdP service under Access -> Federation -> SAML Identity Provider -> Local IdP Services
Note: If a Common Access Card (CAC) is used for authentication, these attributes need to be added in the SAML Attributes configuration section:
Step 1. Create the uid attribute.
Step 2. Create the user_principal attribute.
Note: Once the IdP service is created, there is an option to download the metadata with a button Export Metadata under Access -> Federation -> SAML Identity Provider -> Local IdP Services
Security Assertion Markup Language (SAML) creation
- Navigate to Access -> Federation -> SAML Resources and create a saml resource to associate with the IdP service that was created earlier
- Create a webtop under Access -> Webtops
Virtual Policy Editor
- Navigate to the policy created earlier and click on edit link
- The virtual policy editor opens
- Click on the icon and add elements as described
Step 1. Logon page element - Leave all elements to default.
Step 2. AD Auth -> Choose the ADFS configuration created earlier.
Step 3. AD Query element - Assign the necessary details.
Step 4. Advance Resource Assign - Associate the saml resource and the webtop created earlier.
Service Provider (SP) Metadata Exchange
- Manually import the certificate of the IdS to Big-IP through System -> Certificate Management -> Traffic Management
Note: Ensure that the certificate consists of BEGIN CERTIFICATE and END CERTIFICATE tags.
- Create a new entry from sp.xml under Access -> Federation -> SAML Identity Provider -> External SP Connectors
- Bind the SP connector to the IdP service under Access -> Federation -> SAML Identity Provider -> Local IdP Services
There is currently no verification procedure available for this configuration.
Common Access Card (CAC) Authentication Failure
If SSO authentication fails for CAC users, check the UCCX ids.log to verify the SAML Attributes were set properly.
If there is a configuration issue, a SAML failure occurs. For example, in this log snippet, the user_principal SAML attribute is not configured on the IdP.
YYYY-MM-DD hh:mm:SS.sss GMT(-0000) [IdSEndPoints-SAML-59] ERROR com.cisco.ccbu.ids IdSSAMLAsyncServlet.java:465 - Could not retrieve from attributes map: user_principal
YYYY-MM-DD hh:mm:SS.sss GMT(-0000) [IdSEndPoints-SAML-59] ERROR com.cisco.ccbu.ids IdSSAMLAsyncServlet.java:298 - SAML response processing failed with exception com.sun.identity.saml.common.SAMLException: Could not retrieve user_principal from saml response