SAML is an XML-based open standard data format that enables administrators to access a defined set of Cisco collaboration applications seamlessly after signing into one of those applications. SAML describes the exchange of security related information between trusted business partners. It is an authentication protocol used by service providers (for example, Cisco Unified Communications Manager) to authenticate a user. SAML enables exchange of security authentication information between an Identity Provider (IdP) and a service provider.
SAML SSO uses the SAML 2.0 protocol to offer cross-domain and cross-product single sign-on for Cisco collaboration solutions. SAML 2.0 enables SSO across Cisco applications and enables federation between Cisco applications and an IdP. SAML 2.0 allows Cisco administrative users to access secure web domains to exchange user authentication and authorization data between an IdP and a Service Provider while maintaining high security levels. The feature provides secure mechanisms to use common credentials and relevant information across various applications.
The authorization for SAML SSO Admin access is based on Role-Based Access Control (RBAC) configured locally on Cisco collaboration applications.
SAML SSO establishes a Circle of Trust (CoT) by exchanging metadata and certificates as part of the provisioning process between the IdP and the Service Provider. The Service Provider trusts the IdP's user information to provide access to the various services or applications.
The client authenticates against the IdP, and the IdP grants an Assertion to the client. The client presents the Assertion to the Service Provider. Since there is a CoT established, the Service Provider trusts the Assertion and grants access to the client.
For information on how the administrative users access the various Cisco collaboration applications by enabling SAML SSO, see the SAML SSO Call Flow.
Enabling SAML SSO results in several advantages:
Assertion Consumer Service (ACS) URL: This URL instructs the IdP where to post assertions. The ACS URL tells the IdP to post the final SAML response to a particular URL.
Note | All in-scope services requiring authentication use SAML 2.0 as the SSO mechanism. |
See the following figure.
The following operating system browsers support the SAML SSO solution:
Note | See the "SAML Single Sign-On" chapter in the Features and Services Guide for Cisco Unified Communications Manager, Release 10.0(1) for detailed information on configuring SAML SSO. |
Note | See the "Managing SAML SSO in Cisco Unity Connection" chapter in the System Administration Guide for Cisco Unity Connection Release 10.x for additional information on configuring the SAML SSO feature on the Cisco Unity Connection server. |
Note | See the "Single Sign-On for Prime Collaboration" section under "Managing Users" chapter in the Cisco Prime Collaboration 10.0 Assurance Guide - Advanced guide to get detailed information on the SAML SSO configuration steps on the Cisco Prime Collaboration server. |
The SAML SSO feature requires the following software components:
Identity Provider (IdP) is an authentication module that creates, maintains, and manages identity information for users, systems, or services and also provides authentication to other applications and service providers within a distributed network.
Note | You must be familiar with your IdP service, and ensure that it is currently installed and operational. |
Note | For detailed information regarding the individual IdP setup and configuration settings, refer to the IdP documentation. |
This section describes how the SAML SSO feature enables single sign-on for Unified Communications applications. This section also explains the relationship between the IdP and the service provider and helps identify the importance of the various configuration settings to enable single sign-on.
The following figure illustrates the SAML SSO call flow.
1. A browser-based client attempts to access a protected resource on a service provider.
2. Upon receipt of the request from the browser, the service provider generates a SAML authentication request.
3. The service provider redirects the request to the browser.
4. The browser follows the redirect and issues an HTTPS GET request to the IdP. The SAML request is maintained as a query parameter in the GET request.
5. The IdP checks for a valid session with the browser.
6. In the absence of any existing session with the browser, the IdP generates a login request to the browser and authenticates the browser using whatever authentication mechanism is configured and enforced by the IdP.
7. The user enters the required credentials in the login form and posts them back to the IdP.
8. The IdP in turn submits the credentials to the LDAP server.
9. The LDAP server checks the directory for credentials and sends the validation status back to the IdP.
10. The IdP validates the credentials and generates a SAML response which includes a SAML Assertion.
11. The IdP redirects the SAML response to the browser.
12. The browser follows the hidden form POST instruction and posts the Assertion to the ACS URL on the service provider.
13. The service provider extracts the Assertion and validates the digital signature.
14. The service provider then grants access to the protected resource and provides the resource content by replying 200 OK to the browser.
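The checks a service provider's ACS endpoint applies to the posted response in step 13, in addition to validating the digital signature, as an added Python example that is not part of the Cisco documentation or of any Cisco product's code. The entity IDs, ACS URL and the sample response are constructed, and the XML signature verification itself is assumed to be done beforehand with an XML-DSig library.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

# Constructed identifiers for illustration only (not from the page or a real deployment).
SP_ENTITY_ID = "https://cucm.example.com/ssosp"
ACS_URL = "https://cucm.example.com/ssosp/saml/SSO"
IDP_ENTITY_ID = "https://idp.example.com/saml2"      # learned from the IdP metadata (CoT)
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def sample_response(in_response_to, not_before, not_on_or_after,
                    audience=SP_ENTITY_ID, issuer=IDP_ENTITY_ID, destination=ACS_URL):
    """Constructed, unsigned SAML Response shaped like what the IdP posts to the ACS URL."""
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0" '
            f'InResponseTo="{in_response_to}" Destination="{destination}">'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{issuer}</saml:Issuer>'
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')

def _ts(value):  # parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(response_xml, outstanding_ids, now=None):
    """Checks the ACS applies in step 13 after the XML signature has been verified against
    the IdP certificate from metadata (that XML-DSig step needs a dedicated library and is
    not shown). `now` is a SAML UTC timestamp string, defaulting to the current time.
    Returns "ok" or the name of the first failing check."""
    now = _ts(now) if now else datetime.now(timezone.utc)
    resp = ET.fromstring(response_xml)
    if resp.get("Destination") != ACS_URL:
        return "destination mismatch"            # response meant for a different SP endpoint
    req_id = resp.get("InResponseTo")
    if req_id not in outstanding_ids:
        return "unknown InResponseTo"            # unsolicited or replayed response
    if resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value") != SUCCESS:
        return "status not Success"
    assertion = resp.find(f"{{{SAML}}}Assertion")
    if assertion.find(f"{{{SAML}}}Issuer").text != IDP_ENTITY_ID:
        return "issuer not the trusted IdP"      # outside the Circle of Trust
    cond = assertion.find(f"{{{SAML}}}Conditions")
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return "assertion outside validity window"
    if cond.find(f"{{{SAML}}}AudienceRestriction/{{{SAML}}}Audience").text != SP_ENTITY_ID:
        return "audience mismatch"               # assertion issued for another SP
    outstanding_ids.discard(req_id)              # each AuthnRequest ID is consumed once
    return "ok"
```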