The Single Sign-on (SSO) feature authenticates and authorizes agent and supervisor access to the contact center solution applications and services. The authentication process validates the identity of a user: "you are who you say you are." The authorization process confirms that an authenticated user is permitted to perform the requested action: "you can do what you are asking to do." When you enable SSO in the contact center solution, users only sign in once to gain access to all of their Cisco browser-based applications and services. Access to Cisco administrator applications is not available through SSO.
The Cisco Identity Service (Cisco IdS) cluster manages authentication for the contact center solution. The individual SSO-enabled applications and services manage authorization. The Cisco IdS cluster is a redundant pair with a publisher and a subscriber. You can perform most administration tasks only on the publisher, but either node can issue or refresh access tokens. The cluster replicates configuration and authorization codes between all nodes.
When an SSO-enabled user signs in, the Cisco IdS first interacts with your IdP to authenticate the user. When the user is authenticated, the Cisco IdS checks with the accessed Cisco services to confirm that the user is authorized for the requested role. When the user is both authenticated and authorized, the Cisco IdS issues an access token that allows the user to access the application. The access token enables the user to switch between the authorized contact center applications for that session without presenting credentials again.
The user's credentials are only presented to the IdP. The contact center solution applications and services only exchange tokens; they do not see the users' credentials.
An SSO user's access token is issued by the Cisco IdS to validate the user to the applications that the user accesses. When the user is found valid, each application performs authorization locally. The Cisco IdS supports the Authorization Code Grant flow as defined in OAuth 2.0 and in turn uses SAML v2.0 to authenticate users before issuing the authorization code.
When a user browses to a web page for an SSO-enabled service, the
authentication request is redirected to the Cisco Identity Service. Cisco
Identity Service generates a SAML authentication request and directs it to the
Identity Provider. The IdP presents a sign-in page to the user at the browser
to collect the user's credentials. After the IdP authenticates the user, the
IdP issues a SAML assertion to the Cisco IdS. The assertion contains trusted
statements about the user, for example, username and privileges.
The assertion must carry user attributes. The Cisco IdS extracts the user principal from the assertion, then generates an authorization code and delivers it to the SSO-enabled application. On receiving the authorization code, the application requests access and refresh tokens from the Cisco IdS. Applications use access tokens to validate user information, and use refresh tokens to request new access tokens. Each token has its own validity period.
A new access token and refresh token pair can be obtained only before the authorization code expires.
An access token can be refreshed only while both the current access token and the refresh token are valid and not expired.
If the refresh token expires, you cannot refresh the access token. The user must authenticate again and a new authorization code must be requested.
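The token lifecycle rules above (code exchanged for a token pair only before the code expires; refresh allowed only while both tokens are valid; otherwise re-authentication) modelled as a small state machine. This is an added illustration, not Cisco IdS code: the lifetimes are constructed values, and the single-use check on the authorization code follows the OAuth 2.0 specification rather than this page.

```python
import secrets
from dataclasses import dataclass

# Lifetimes in seconds. Constructed illustrative values, not Cisco IdS defaults.
AUTH_CODE_TTL = 60
ACCESS_TOKEN_TTL = 3600
REFRESH_TOKEN_TTL = 36000


class TokenError(Exception):
    """Raised when a token operation is not permitted by the lifecycle rules."""


@dataclass
class AuthCode:
    code: str
    issued_at: float
    redeemed: bool = False  # OAuth 2.0 (RFC 6749) requires codes to be single use


@dataclass
class TokenPair:
    access_token: str
    refresh_token: str
    access_expires: float
    refresh_expires: float


def issue_auth_code(now: float) -> AuthCode:
    """Model the IdS issuing an auth code after the IdP returns a valid SAML assertion."""
    return AuthCode(code=secrets.token_urlsafe(32), issued_at=now)


def redeem_auth_code(auth: AuthCode, now: float) -> TokenPair:
    """Exchange the code for an access/refresh pair; only allowed before the code expires."""
    if auth.redeemed:
        raise TokenError("auth code already redeemed")
    if now >= auth.issued_at + AUTH_CODE_TTL:
        raise TokenError("auth code expired: the user must sign in again")
    auth.redeemed = True
    return TokenPair(secrets.token_urlsafe(32), secrets.token_urlsafe(32),
                     now + ACCESS_TOKEN_TTL, now + REFRESH_TOKEN_TTL)


def refresh_access_token(pair: TokenPair, now: float) -> TokenPair:
    """Refresh only while BOTH the access token and the refresh token are still valid."""
    if now >= pair.refresh_expires:
        raise TokenError("refresh token expired: a new auth code is required")
    if now >= pair.access_expires:
        raise TokenError("access token already expired: cannot refresh, sign in again")
    # The refresh token is kept; only a new access token with a fresh lifetime is issued.
    return TokenPair(secrets.token_urlsafe(32), pair.refresh_token,
                     now + ACCESS_TOKEN_TTL, pair.refresh_expires)
```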
Together SAML and OAuth make it possible for a user to authenticate
while only exposing user credentials to the authentication provider. The
username and password are only presented to the IdP. The contact center
solution applications and services do not see the user information. Only the
SAML assertion and the OAuth token are exchanged.
Single Sign-On High Availability Considerations
You deploy the Cisco Identity Service (Cisco IdS) as a cluster. The cluster contains a publisher and a subscriber. The cluster nodes automatically replicate configuration data and authorization codes across the cluster. When a node reconnects, the cluster determines the most recent configuration and authorization code data and replicates that across the cluster.
A contact center application can authenticate and authorize an agent or supervisor if it can reach any node. The contact center applications query their local Cisco IdS node by default. If that node is unavailable, the applications query any configured remote node. When the local node reconnects to the cluster, the applications return to querying the local node.
If the packet loss on your network exceeds 5 percent, a node might not obtain an access token using an authorization code that the other node issued. In this case, the user has to sign in again. If the packet loss becomes too great or the connection is lost, the Cisco IdS functions as a solo node. The cluster automatically reforms when network connectivity improves.
This section details a few of the design impacts of the Single Sign-On (SSO) feature. The implementation requires you to use only the HTTPS protocol to access all the web applications. HTTP access to the web applications is not supported when SSO is enabled.
Authentication Modes in Unified CCX
You can choose from two different authentication modes when deciding about implementing SSO:
SSO - Enable agents, supervisors, and administrators (administrators of the Cisco Unified CCX Administration or Cisco Unified CCX Serviceability application) in the deployment for SSO.
Non-SSO - Use existing Unified CM-based or local authentication.
Applications Supported in SSO Mode
Unified Intelligence Center (CUIC)
Unified CCX Administration
Unified CCX Serviceability.
Finesse IP Phone Agent is not supported in SSO enabled mode.
Single Sign-On can function independently on Unified CM and Unified CCX; the two are not interdependent.
Applications not SSO Enabled
The following applications are not Single Sign-On enabled: