This document describes the Single Sign-On (SSO) for Operating System (OS) Admin and Disaster Recovery System (DRS) feature, which was introduced in Cisco Unified Communications Manager (CUCM) version 12.0 and later.
CUCM versions prior to 12.0 support SSO for CM Administration, Serviceability, and Reporting pages only. This feature helps the administrator to navigate quickly through different components and have a better user experience. There is an option to use the Recovery URL as well in case SSO breaks for OS Admin and DRS.
Cisco recommends that you have knowledge of CUCM version 12.0 and later.
The information in this document is based on Cisco Call Manager (CCM) version 18.104.22.16800-7.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
In order to enable SSO for OS Admin and DRS, SSO must already be enabled for CM Administration login. In addition, a platform-level user is required, which can be either a new user or an existing user.
Use Existing OS Admin User
The platform user created at the time of installation can be configured for the SSO login of OS Admin and DRS components. The only requirement in this case is that this platform user must also be added to the Active Directory (AD) against which the Identity Provider (IDP) authenticates.
Use New User
You need to follow these steps in order to enable a new user for SSO OS Admin and DRS login:
Step 1. Create a new user with privilege level 1/0 from the CLI of the Publisher.
In order to create a new user, platform level 4 access is required, which the platform user created at the time of installation has.
Level 0 privilege gives the user read access only, whereas Level 1 gives both read and write permissions.
admin:set account name ssoadmin
Privilege Levels are:
Ordinary - Level 0
Advanced - Level 1
Please enter the privilege level :1
Allow this User to login to SAML SSO-enabled system through Recovery URL ? (Yes / No) :yes
To authenticate a platform login for SSO, a Unique Identifier (UID) must be provided that identifies this user to LDAP (such as sAMAccountName or UPN).
Please enter the appropriate LDAP Unique Identifier (UID) for this user:[ssoadmin]
Storing the default SSO UID value as username
Please enter the password :********
re-enter to confirm :********
Account successfully created
The Unique Identifier (UID) used here can be set to any value that the IDP provides in its assertion response, or it can be left blank. If it is left blank, CUCM uses the userid as the UID.
Step 2. Add a user with the same userid as the one created earlier to the AD server against which the IDP authenticates, as shown in the image.
Step 3. A sync of the Lightweight Directory Access Protocol (LDAP) server is also required so that the newly created user is populated in CUCM, as shown in the image.
Step 4. A password reset (through the CLI again) is required for the newly created user after it is added to the AD.
login as: ssoadmin
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user ssoadmin.
Changing password for ssoadmin.
(current) UNIX password:
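The UID matching described in Step 1, written out as a pre-flight check. This is an added example, not Cisco's code and not part of the original document. It assumes the IDP sends the identifier in a SAML attribute named uid and that matching is exact and case-sensitive; the sample assertion, the account list and all function names are constructed for illustration, and no signature validation is performed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed, unsigned sample assertion (trimmed to the parts used here).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>ssoadmin@example.test</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>ssoadmin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed platform accounts; sso_uid "" means the UID prompt was left blank.
PLATFORM_USERS = [
    {"userid": "ssoadmin", "sso_uid": ""},
    {"userid": "osadmin", "sso_uid": "osadmin@example.test"},
]

def asserted_uid(assertion_xml, attr_name="uid"):
    """Return the identifier the IdP asserts (attribute name is an assumption)."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == attr_name:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text and value.text.strip():
                return value.text.strip()
    return None

def effective_uid(user):
    """A blank SSO UID falls back to the userid, as the document states."""
    return user["sso_uid"] or user["userid"]

def resolve_platform_user(assertion_xml, users):
    """Map an assertion to exactly one platform user, or explain why not."""
    uid = asserted_uid(assertion_xml)
    if uid is None:
        return None, "assertion carries no uid attribute"
    matches = [u["userid"] for u in users if effective_uid(u) == uid]
    if len(matches) == 1:
        return matches[0], "ok"
    if not matches:
        return None, f"no platform user has UID {uid!r}"
    return None, f"UID {uid!r} maps to several users: {matches}"

if __name__ == "__main__":
    print(resolve_platform_user(SAMPLE_ASSERTION, PLATFORM_USERS))
```

The second constructed account shows the mismatch case: its UID was stored as a UPN, so an assertion that carries only the bare account name does not resolve to it.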
Use this section in order to confirm that your configuration works properly.
Once SSO is successfully enabled for OS Admin and DRS, the login must work with the AD credentials of the user created earlier, as shown in the image.
There is currently no specific troubleshooting information available for this configuration.