Cisco Unity Connection SAML SSO
Introduction
Cisco Unity Connection supports the single sign-on feature that allows users to log in once and gain access to Unity Connection web applications, such as Cisco Unity Connection Administration and Cisco Personal Communications Assistant.
Starting with release 12.0(1), Unity Connection also supports single sign-on for the platform applications, such as Cisco Unified Communications OS Administration and Disaster Recovery System. Unity Connection allows a user to have single sign-on access to the Unity Connection subscriber web interfaces and across the administrative web applications of the following Unified Communications applications:
- Unity Connection
- Cisco Unified Communications Manager
- Cisco Unified IM/Presence
- Cisco Unified Communications OS Administration
- Disaster Recovery System
The SAML SSO feature is based on the open industry-standard protocol SAML (Security Assertion Markup Language). For more information on the SAML protocol, see the Understanding SAML Protocol section.
Note
Single Sign-On using SAML can now be enabled only through the graphical user interface (GUI); enabling the feature through the command line interface (CLI) is no longer supported.
SAML SSO allows both LDAP and non-LDAP users to gain single sign-on access. LDAP users are users integrated with Active Directory. Non-LDAP users are users that reside locally on the Unity Connection server.
- LDAP users log in with a username and password that is authenticated on the Identity Provider. For more information on the Identity Provider, see the Understanding Service Provider and Identity Provider section.
- Non-LDAP users with administrator rights log in to Cisco Unity Connection Administration using the Recovery URL. The Recovery URL provides alternate access to the administrative, platform and serviceability web applications via username and password. A non-LDAP user can access the following web applications on Unity Connection using the Recovery URL:
- Unity Connection Administration
- Cisco Unity Connection Serviceability
- Cisco Unified Serviceability
- Cisco Unified Communications OS Administration
- Disaster Recovery System
Understanding Service Provider and Identity Provider
Service Provider (SP) is a protected entity on Unity Connection that provides the web applications. A Service Provider relies on a trusted Identity Provider (IdP) or Security Token Service (STS) for authentication and authorization.
Identity Provider is an online service or website that authenticates users by means of security tokens. It authenticates the end user and returns a SAML Assertion. SAML Assertion shows either a Yes (authenticated) or No (authentication failed) response.
A user must authenticate his or her credentials on the Identity Provider to gain access to the requested web application. If the authentication is rejected at any point, the user does not gain access to any of the requested web applications. If the authentication is accepted, the user gains single sign-on access to the requested web application.
For information on the currently supported Identity Providers, see SAML-Based SSO Solution chapter of SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 11.5(1) available at
The definitions of Service Provider and Identity Provider help in understanding the SAML protocol mechanism.
Understanding SAML Protocol
Security Assertion Markup Language (SAML) is an XML-based open standard data format for exchanging data. It is an authentication protocol used by Service Providers to authenticate a user; the security authentication information is passed between an Identity Provider and a Service Provider.
SAML is an open standard that enables clients to authenticate against any SAML-enabled Collaboration (or Unified Communications) service regardless of the client platform.
All Cisco Unified Communications web interfaces (for example, CUCM or Unity Connection) use the SAML 2.0 protocol for the SAML SSO feature. To authenticate an LDAP user or a local AD-mapped user, Unity Connection delegates an authentication request to the Identity Provider. This authentication request generated by Unity Connection is the SAML Request.
The Identity Provider authenticates the user and returns a SAML Assertion. The SAML Assertion shows either Yes (authenticated) or No (authentication failed).
Single SAML SSO mechanism:
SAML 2.0 protocol is a building block that helps to enable single sign-on access across collaboration services and also helps to enable federation between collaboration services and customer's Identity Provider.
Once SSO has been enabled on the Unity Connection server, Unity Connection generates an .xml file named SPMetadata<hostname of Unity Connection>.xml that acts as the Service Provider metadata. The SAML SP metadata must be exported from the SAML Service Provider (on Unity Connection) and then imported into the Identity Provider (ADFS).
The administrator must export the SAML metadata from Cisco Unity Connection Administration and import that metadata on the Identity Provider. The administrator must also export the SAML metadata from the Identity Provider and import that metadata in Cisco Unity Connection Administration. This two-way handshake between the Service Provider (which resides on Unity Connection) and the Identity Provider is essential for SAML authentication.
The SAML metadata contains the following information:
- URL information for Identity Provider and Service Provider.
- Service Provider Assertion Consumer Service (ACS) URLs, which instruct the Identity Provider where to POST assertions.
- Certificate information for Identity Provider and Service Provider.
The exchange of SAML metadata builds a trust relationship between the Identity Provider and the Service Provider. The Identity Provider issues the SAML assertion and digitally signs it. On receiving the SAML assertion, the Service Provider validates the assertion using the Identity Provider certificate information, which guarantees that the assertion was issued by the Identity Provider.
When single sign-on login fails (for example, if the Identity Provider or Active Directory is inactive), the Recovery URL provides alternate access to the administrative and serviceability web applications via username and password.
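The validation the Service Provider performs on an assertion after the metadata exchange, as an added example (not Unity Connection's own code): it reads constructed SP and IdP metadata plus a constructed assertion and checks the issuer, the signing certificate against the IdP metadata, the audience, the assertion lifetime and the ACS recipient. Entity IDs, URLs and the certificate text are placeholders, and the XML-DSig signature bytes are not verified here, which a real SP must also do with a signature library.

```python
"""Checks a SAML Service Provider applies to an assertion, using the trust anchors that
the metadata exchange established. All metadata and the assertion below are constructed
samples with placeholder values; this is not Unity Connection's own code."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP metadata, standing in for the exported SPMetadata<hostname>.xml
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="cuc01.example.com"><md:SPSSODescriptor>
  <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://cuc01.example.com:8443/acs"/>
</md:SPSSODescriptor></md:EntityDescriptor>"""

# Constructed IdP metadata; the certificate text is a placeholder, not a real certificate
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>IDP-SIGNING-CERT-PLACEHOLDER</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed assertion as the IdP would POST it to the SP's ACS URL
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>IDP-SIGNING-CERT-PLACEHOLDER</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://cuc01.example.com:8443/acs"
        NotOnOrAfter="2024-05-01T10:05:00Z"/>
    </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>cuc01.example.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="uid">
    <saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(value):
    """SAML timestamps are UTC; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def cert_text(element):
    """Base64 certificate text under an element, whitespace removed (None if absent)."""
    node = None if element is None else element.find(".//ds:X509Certificate", NS)
    return "".join(node.text.split()) if node is not None and node.text else None

def check_assertion(assertion_xml, sp_metadata_xml, idp_metadata_xml, now):
    """Return the list of failed checks; an empty list means the assertion is acceptable.
    The XML-DSig signature bytes are not verified here; a real SP must do that too."""
    sp, idp, a = (ET.fromstring(x) for x in (sp_metadata_xml, idp_metadata_xml, assertion_xml))
    problems = []
    # Trust anchors: our entityID and ACS URLs, the IdP's entityID and signing certificate
    sp_entity, idp_entity = sp.get("entityID"), idp.get("entityID")
    acs_urls = {e.get("Location") for e in sp.findall(".//md:AssertionConsumerService", NS)}
    idp_cert = cert_text(idp.find(".//md:KeyDescriptor[@use='signing']", NS))

    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity:
        problems.append(f"issuer {issuer!r} is not the trusted IdP {idp_entity!r}")
    sig = a.find("ds:Signature", NS)
    if sig is None:
        problems.append("assertion is unsigned")
    elif cert_text(sig) != idp_cert:
        problems.append("signing certificate differs from the IdP metadata certificate")
    audiences = {x.text.strip() for x in a.findall(".//saml:Audience", NS) if x.text}
    if sp_entity not in audiences:
        problems.append(f"audience {sorted(audiences)} does not name this SP {sp_entity!r}")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    elif not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        problems.append("outside the assertion lifetime")
    data = a.find(".//saml:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") not in acs_urls:
        problems.append("Recipient is not one of this SP's ACS URLs")
    elif now >= parse_ts(data.get("NotOnOrAfter")):
        problems.append("bearer confirmation expired")
    return problems

def uid_claim(assertion_xml):
    """The uid attribute that the IdP claim rule maps from SAM-Account-Name."""
    node = ET.fromstring(assertion_xml).find(".//saml:Attribute[@Name='uid']/saml:AttributeValue", NS)
    return node.text.strip() if node is not None and node.text else None
```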
SSO Mode
SAML SSO can be configured in either of the following modes, depending on the requirements:
- Cluster wide: The Cluster wide SSO mode allows users to import data using only one SAML SP metadata file, of either the publisher or the subscriber, per cluster. This SSO mode is selected by default in the following scenarios:
  - In case of a fresh Unity Connection installation.
  - In case Unity Connection is upgraded from a previously SSO-disabled release to 11.5(1) or a later release.
- Per node: The Per node SSO mode allows users to import data using a separate SAML SP metadata file for each node in a cluster. This SSO mode is selected by default when Unity Connection is upgraded from a previously SSO-enabled release to 11.5(1) or a later release.
Note
The SSO mode cannot be toggled while SAML SSO is enabled. SAML SSO must be disabled before switching from Cluster wide mode to Per node mode or vice versa.
For more information about micro traces, see "Troubleshooting Cisco Unity Connection" chapter of Troubleshooting Guide for Cisco Unity Connection Release 11.x at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/troubleshooting/guide/b_11xcuctsg/b_11xcuctsg_chapter_0101.html
For more information about SAML SSO Access, see "Troubleshooting SAML SSO Access" chapter of Troubleshooting Guide for Cisco Unity Connection Release 11.x at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/troubleshooting/guide/b_11xcuctsg/b_11xcuctsg_chapter_011011.html
Prerequisites for Enabling SAML SSO
To configure the SAML SSO feature, ensure that the following requirements are in place:
- Unity Connection 10.0(1) or a later release on both servers in the cluster.
- Install the Identity Provider on the Microsoft Windows 2008 with SP2 platform. You must configure the Identity Provider in the same domain as the Unity Connection server.
- Make sure that the clocks on Unity Connection and the Identity Provider (chosen for SAML SSO) are synchronized with each other.
- When enabling SSO mode from Cisco Unity Connection Administration, make sure you have at least one LDAP user with administrator rights in Unity Connection to run the SSO Test for SAML SSO.
- Assign the system administrator role to the user accounts that need access to the Unity Connection administrative and serviceability web applications.
- When enabling Cluster wide SSO mode, make sure that an RSA-based multi-server Tomcat certificate is uploaded. For more information on certificates, see the Security chapter of Cisco Unified Communications Operating System Administration Guide for Cisco Unity Connection Release 11.x at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/os_administration/b_11xcucosagx.html
Once the above requirements are met, the Unity Connection server is ready to be configured for SAML SSO feature.
Configuring SAML SSO
This section outlines the key steps and instructions that must be followed for the Unity Connection-specific configuration. If you are configuring the SAML SSO feature for the first time, it is strongly recommended that you follow the detailed instructions given below:
Configuring Identity Provider
You must configure one of the following Identity Providers before configuring SAML SSO in Unity Connection:
Configuring ADFS Server 3.0, 4.0, 5.0
If you select AD FS as the Identity Provider for SAML SSO:
1. Add roles and features in Server Manager and select Finish when the installation is complete.
2. Select Tools in Server Manager and select AD FS Management.
3. From the left side pane, select Relying Party Trusts from the Trust Relationships folder.
4. From the Actions window in the right side pane:
5. From the Edit Claim Rules window, click Add Rule. The Add Transform Claim Rule Wizard window is displayed.
6. From the Claim rule template drop-down field, select Send LDAP Attributes as Claims. Click Next.
7. Provide a Claim Rule Name.
8. From the Attribute store drop-down, select Active Directory.
9. Select SAM-Account-Name from the LDAP Attribute drop-down field and type uid in the Outgoing Claim Type field. Click Finish.
10. The Edit Claim Rules window is displayed; click Add Rule. The Add Transform Claim Rule Wizard window is displayed.
11. From the Claim rule template drop-down field, select Send Claims Using a Custom Rule. Click Next.
12. Provide a Claim Rule Name.
13. In the Custom Rule box, provide the custom rule; the syntax for the custom claim rule is:
14. Select Finish and Apply, followed by OK.
Configuring OpenAM
If you select OpenAM Server as the Identity Provider for SAML SSO:
1. To configure policies on the OpenAM server, log in to OpenAM and select the Access Control tab. Click the Top Level Realm option, select the Policies tab, and then create a new policy. Follow the steps given in the Cisco white paper, https://supportforums.cisco.com/document/55391/cucmssowhitepaperedcs-911568pdf, for creating a new policy. While following the instructions given in the white paper, make sure to create policies with the below mentioned Unity Connection-specific information:
2. Configure a Windows Desktop SSO login module instance. Follow the instructions for configuring Windows Desktop as given in the Cisco white paper, https://supportforums.cisco.com/document/55391/cucmssowhitepaperedcs-911568pdf.
3. Configure a J2EE Agent Profile for Policy Agent 3.0. Follow the instructions to create a new J2EE agent as given in the Cisco white paper, https://supportforums.cisco.com/document/55391/cucmssowhitepaperedcs-911568pdf, with the below mentioned Unity Connection-specific settings:
   In addition to the above Unity Connection-specific configuration, ensure the following points:
Configuring Ping Federate Server
If you select Ping Federate Server as the Identity Provider for SAML SSO:
1. Install the JDK. Download it from http://www.oracle.com/technetwork/java/javase/downloads/index.html.
2. Set the JAVA_HOME environment variable to the JDK installation directory path and add the /bin directory to the PATH variable for your platform. For example: My Computer > Properties > Advanced > Environment variables > Path C:\WINDOWS\java;C:\Program Files\Java\jdk1.7.0_21\bin
3. Download the Ping Federate .zip file and the .lic file.
4. Unzip the Ping Federate file.
5. Save the license key file in the directory <pf_install>/pingfederate/server/default/conf.
6. Run Ping Federate as a service: run install-service.bat from the directory <pf_install>\pingfederate\sbin\win-x86-32.
7. Access the PingFederate administrative console at https://<IP>:9999/pingfederate/app.
8. Log in to Ping Federate (Username: Administrator, Password: 2Federate).
9. Change your password on the Change Password screen and select Save.
10. Configure the server. Browse to the Welcome page and select Next.
11. Accept the .lic file and select Next.
12. Select Single-user Administration and select Next.
13. Add the System Info details as below and select Next.
14. Select Next on Runtime Notifications.
15. Select Next on Runtime Reporting.
16. Enable the Account Management details as below:
17. Select Next. Select Save on the Summary page.
Configuring SP Connection
1. Select Create New under SP Connections and select Next. Select the Browser SSO option and select Next.
2. Browse to the sp.xml file and select Next.
3. After importing the sp.xml file successfully, select Next.
4. Configure the Base URL as https://<server name>:8443. Select Next.
5. Select Configure Browser SSO and select Next.
6. Select SP-Initiated SSO. Select Next. Specify the Assertion Lifetime and select Next.
7. Select Assertion Creation. Select Transient and make sure the Include attributes in addition to the transient identifier check box is checked.
8. Select the snapshot details under Attribute Contract.
9. Select Map New Adapter Instance. Select Next.
10. Select LDAP under Adapter Instance. Select Next.
Configuring Oracle Identity Provider Server
If you select Oracle Identity Provider Server as the Identity Provider for SAML SSO:
1. Log in to Oracle Enterprise Manager where Oracle Identity Federation has been installed as a component.
2. Under Identity and Access in the drop-down, select Oracle Identity Federation.
3. Under the Oracle Identity Federation drop-down, select Federations.
4. Select Federations. In the Federations window, select Add New Federations. In this case the Metadata file is imported from Cisco Unified CM. After the Metadata has been loaded, the Cisco Unified CM hostname is displayed under Federations.
5. Select the Cisco Unified CM node and select Edit. From Edit, select Attribute Mappings and Filters. Check the Enable Attributes in Single Sign-On (SSO) check box.
6. Check the following check boxes:
   Apply the above changes with the Apply button on the window and then select Attribute Mappings and Filters, which opens a new window.
7. Under Name Mappings, select Add to add new attributes: "User Attribute Name" uid and "Assertion Attribute Name" uid. The Send with SSO Assertion check box should be checked.
8. Another attribute to be added is email: "User Attribute Name" mail and "Assertion Attribute Name" email. The "Send with SSO Assertion" check box should be checked.
9. Select OK and exit after saving the configuration.
Generating and Importing Metadata into Cisco Unified CM
Navigate to Oracle Identity Federation drop down, select Administration and select Security and Trust.
1. From the Security and Trust window, generate the Metadata XML with the option Provider Type as Identity Provider and Protocol as SAML 2.0.
2. Import the Metadata into the CUCM.
Configuring F5-BIG-IP 11.6.0
If you select F5-BIG-IP 11.6.0 as the Identity Provider for SAML SSO:
1. Log in to the F5-BIG-IP server with admin credentials.
2. Do the following steps for LDAP configuration:
3. Navigate to Access Policy and select Access Profiles.
4. Navigate to Access Policy > SAML > BIG-IP as IdP and select External SP Connector.
Configuring SAML SSO
To configure SAML SSO feature on server, you must perform the following steps:
1. Sign in to Cisco Unity Connection Administration and select System Settings.
2. On the SAML Single Sign-On page, select either of the following in the SSO Mode field:
3. Select the Enable SAML SSO option. When you select this option, a wizard opens with a message that web server connections will be restarted; select Continue.
   When enabling SAML SSO from Unity Connection, make sure you have at least one Unity Connection LDAP user with administrator rights.
4. To initiate the IdP metadata import, navigate to Identity Provider (IdP) Metadata Trust File and select the Browse to upload the IdP metadata option from your system. Then select the Import IdP Metadata option. Follow the link below to download the IdP metadata trust file for ADFS:
5. If the import of metadata is successful, the message Import succeeded for all servers appears on the screen. Select Next to continue the wizard.
6. For SAML metadata exchange, select the Download Trust Metadata Fileset option.
   Select Next and a window appears for valid administrator IDs, into which the LDAP user with administrator rights is automatically populated. If you find the LDAP user with administrator rights automatically populated in that window, select Run Test to continue.
7. The wizard continues and a window appears for user login to the IdP. Enter the credentials for the LDAP user with administrator role that was automatically populated in the previous window.
   This enables the SAML SSO feature completely. Select Finish to complete the configuration wizard.
Access to Web Applications Using SAML SSO
SAML SSO allows an LDAP user and a local AD-mapped user to log in to client applications using a username and password that is authenticated on the Identity Provider. A user who signs in to any of the supported web applications on Unified Communications products (after the SAML SSO feature is enabled) also gains access to the following web applications on Unity Connection (apart from Cisco Unified Communications Manager and Cisco Unified CM IM/Presence):
Unity Connection users | Web applications
---|---
LDAP users with administrator rights |
LDAP users without administrator rights |
Note
To access Web Inbox and Mini Web Inbox, you must have a user with a mailbox. Also navigate to Unity Connection Administration > Class of Service > Licensed Features and make sure that the Allow Users to Use the Web Inbox, Messaging Inbox and RSS Feeds check box is checked.
Non-LDAP users with the administrator role can log in to Cisco Unity Connection Administration using the Recovery URL. The Recovery URL option is present in the Unity Connection product deployment selection window, just below the Cisco Unity Connection option. When SSO login fails (if the Identity Provider or Active Directory is inactive), the Recovery URL provides alternate access to the administrative and serviceability web applications via username and password.
Running CLI Commands in Unity Connection
The SAML SSO feature introduced the following commands in addition to the three commands above:
- utils sso enable
- utils sso disable
- utils sso status
- utils sso recovery-url enable
- utils sso recovery-url disable
- set samltrace level <trace level>
- show samltrace level
- set account ssorecoveryurlaccess
- set account ssouidvalue
- utils sso enable
This command, when executed, returns an informational message stating that the administrator can enable the SSO feature only from the graphical user interface (GUI). Neither OpenAM SSO nor SAML SSO can be enabled from the CLI.
- utils sso disable
This command disables SSO mode (OpenAM based or SAML based). Within a cluster, the command needs to be executed on both nodes. You may also disable SSO from the graphical user interface (GUI) by selecting the Disable option under the specific SSO mode.
Note
When SSO is disabled from the graphical user interface (GUI) of Unity Connection, it disables SSO mode on both nodes in the case of a cluster.
- utils sso status
This command shows the SSO status, enabled or disabled, on each node. This command is executed on each node individually.
- utils sso recovery-url enable
This command enables the Recovery URL SSO mode. It also verifies that this URL is working successfully. Within a cluster, the command needs to be executed on both nodes.
- utils sso recovery-url disable
This command disables the Recovery URL SSO mode on that Connection node.
- set samltrace level <trace level>
This command sets the SAML trace level so that the traces capture the following kinds of information:
  - error
  - warning
  - debug
  - fatal
  - info
- show samltrace level
This command displays the trace level selected for SAML SSO.
- set account ssorecoveryurlaccess
This command enables or disables Recovery URL access for the platform user. If disabled, the platform user is not able to log in through the Recovery URL.
- set account ssouidvalue
This command updates the UID value of a platform user.
Troubleshooting SAML SSO
SAML SSO gives a user single sign-on access to web applications for as long as the web browser session is active. Ensure that you have taken care of all the requirements and the checklist while enabling SAML SSO mode. For any SAML SSO related issues, see Troubleshooting Guide for Cisco Unity Connection Release 11.x, available at