Security Assertion Markup Language (SAML) is an XML-based open standard
for exchanging authentication and authorization data. It is an authentication
protocol that Service Providers use to authenticate a user without handling the
user's credentials themselves: the security assertion is issued by an Identity
Provider and passed to the Service Provider. Because it is an open standard,
SAML lets clients authenticate against any SAML-enabled Collaboration (or
Unified Communication) service regardless of the client platform.
All Cisco Unified Communication web interfaces (e.g. CUCM or Unity
Connection) use the SAML 2.0 protocol for the SAML SSO feature. To authenticate
an LDAP user, Unity Connection delegates the authentication request to the
Identity Provider; the request that Unity Connection generates is a SAML
authentication request (AuthnRequest). The Identity Provider authenticates the
user and returns a SAML Response: on success it carries a SAML Assertion about
the authenticated user; on failure the Response status indicates that
authentication failed.
Single SAML SSO mechanism:
The SAML 2.0 protocol is the building block that enables single
sign-on across collaboration services and federation between those
services and the customer's Identity Provider.
Once SSO has been enabled on the Unity Connection server, Unity Connection
generates an .xml file named SPMetadata<hostname of Unity Connection>.xml
that serves as its Service Provider metadata. This SP metadata must be
exported from the SAML Service Provider (on Unity Connection) and then imported
into the Identity Provider (ADFS).
The administrator must export the SAML metadata from Cisco Unity Connection
Administration and import it on the Identity Provider. The administrator
must also export the SAML metadata from the Identity Provider and import it
on Cisco Unity Connection Administration. This two-way exchange between the
Service Provider (which resides on Unity Connection) and the Identity
Provider is essential for SAML authentication.
The SAML metadata contains the following information:
- URL information for the Identity Provider and the Service Provider.
- The Service Provider's Assertion Consumer Service (ACS) URLs, which tell
the Identity Provider where to POST the SAML Response.
- Certificate information for the Identity Provider and the Service Provider.
The exchange of SAML metadata builds the trust relationship between the
Identity Provider and the Service Provider. The Identity Provider issues the
SAML assertion and digitally signs it. On receiving the assertion, the Service
Provider validates the signature using the Identity Provider certificate from
the metadata, which guarantees that the assertion was issued by that Identity
Provider and was not altered in transit.
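The following is an added example (not Cisco's code) showing what the two-way metadata exchange actually hands each side and how a Service Provider uses it when a SAML Response arrives: it parses constructed SP and IdP metadata to get the entityIDs, the ACS and SSO URLs, and the signing-certificate fingerprints, then checks a Response's Status, Issuer, Destination, Audience, validity window and signing certificate against those values. The hostnames, the ADFS-style entityID, the ACS URL and the base64 "certificates" are placeholders, and the XML-DSig signature verification itself is deliberately left to a proper library.

```python
"""Added example, not Cisco's code: parse the SP and IdP metadata exchanged
in the SAML SSO handshake, then check an incoming SAML Response against it.
Every hostname, entityID, URL and certificate below is a constructed placeholder."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
IDP_ID = "http://adfs.example.com/adfs/services/trust"  # assumed ADFS entityID (placeholder)
SP_ACS = "https://cucxn.example.com/ssosp/saml/SSO/alias/cucxn.example.com"  # assumed ACS URL
# Placeholder bytes standing in for DER-encoded X.509 certificates (not real certs).
SP_CERT, IDP_CERT, ROGUE_CERT = (base64.b64encode(b).decode() for b in
    (b"placeholder SP cert", b"placeholder IdP cert", b"placeholder attacker cert"))

SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="cucxn.example.com">
 <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="{NS['samlp']}">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{SP_ACS}"/>
 </md:SPSSODescriptor></md:EntityDescriptor>"""
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{IDP_ID}">
 <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{IDP_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.example.com/adfs/ls/"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

def make_response(dest, cert, not_on_or_after):
    """Constructed Response. ds:Signature is reduced to its KeyInfo because this
    example pins the signing cert but leaves the XML-DSig math to a real library."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" Destination="{dest}">
 <saml:Issuer>{IDP_ID}</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{IDP_ID}</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="{not_on_or_after}">
   <saml:AudienceRestriction><saml:Audience>cucxn.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""

RESPONSE_OK = make_response(SP_ACS, IDP_CERT, "2024-01-01T12:05:00Z")
RESPONSE_FORGED = make_response("https://evil.example.net/acs", ROGUE_CERT, "2024-01-01T12:00:30Z")

def fingerprint(b64):
    """SHA-256 over the DER bytes inside an X509Certificate element."""
    return hashlib.sha256(base64.b64decode("".join(b64.split()))).hexdigest()

def parse_metadata(xml_text):
    """Pull entityID, endpoints and signing-cert fingerprints out of SP or IdP metadata.
    ElementTree's expat parser does not resolve external entities, so XXE is not a risk here."""
    root = ET.fromstring(xml_text)
    role = root.find("md:SPSSODescriptor", NS)
    if role is None:
        role = root.find("md:IDPSSODescriptor", NS)
    certs = {fingerprint(c.text) for kd in role.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"  # no 'use' attribute means signing and encryption
             for c in kd.findall(".//ds:X509Certificate", NS)}
    endpoints = {ep.get("Location"): ep.get("Binding")
                 for tag in ("md:AssertionConsumerService", "md:SingleSignOnService")
                 for ep in role.findall(tag, NS)}
    return {"entity_id": root.get("entityID"), "endpoints": endpoints, "signing": certs}

def check_response(xml_text, sp, idp, now):
    """Return the list of trust problems found; [] means the Response is consistent
    with the exchanged metadata. Signature verification must still be done separately."""
    problems, resp = [], ET.fromstring(xml_text)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status not Success")
    if resp.get("Destination") not in sp["endpoints"]:
        problems.append("Destination is not one of our ACS URLs")
    if resp.findtext("saml:Issuer", "", NS) != idp["entity_id"]:
        problems.append("Response Issuer is not the trusted IdP")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected exactly one Assertion, got {len(assertions)}"]
    a = assertions[0]
    if a.findtext("saml:Issuer", "", NS) != idp["entity_id"]:
        problems.append("Assertion Issuer is not the trusted IdP")
    cert = a.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None:
        problems.append("Assertion carries no signature")
    elif fingerprint(cert.text) not in idp["signing"]:
        problems.append("signing certificate is not the one from IdP metadata")
    if a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS) != sp["entity_id"]:
        problems.append("Audience does not name this SP")
    cond = a.find("saml:Conditions", NS)
    ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if (nb and now < ts(nb)) or (noa and now >= ts(noa)):
        problems.append("assertion is outside its NotBefore/NotOnOrAfter window")
    return problems

SP, IDP = parse_metadata(SP_METADATA), parse_metadata(IDP_METADATA)
NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
if __name__ == "__main__":
    print("genuine:", check_response(RESPONSE_OK, SP, IDP, NOW))
    print("forged:", check_response(RESPONSE_FORGED, SP, IDP, NOW))
```

Every value the checks compare against (the IdP entityID, the SP entityID used as Audience, the ACS URL used as Destination, the IdP signing certificate) comes from the two metadata files, which is why the metadata exchange is what establishes trust. In production the SAML stack on Unity Connection performs these checks together with full XML-DSig verification of the assertion signature; when building your own SP, use a maintained SAML library (for Python, python3-saml over xmlsec) for the signature step rather than hand-rolling it.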
When single sign-on login fails (e.g. if the Identity Provider or Active
Directory is unavailable), the Recovery URL provides alternate access to the
administrative and serviceability web applications via username and password.