Single Sign-On (SSO) Considerations
The Single Sign-on (SSO) feature authenticates and authorizes agent and supervisor access to the contact center solution applications and services. The authentication process validates the identity of a user: "you are who you say you are." The authorization process confirms that an authenticated user is permitted to perform the requested action: "you can do what you are asking to do." When you enable SSO in the contact center solution, users only sign in once to gain access to all their Cisco browser-based applications and services. Access to Cisco administrator applications is not available through SSO.
SSO requires the following:
- A third-party Identity Provider (IdP)
- A Cisco Identity Service (Cisco IdS) cluster
The SSO feature requires an IdP that complies with the Security Assertion Markup Language 2.0 (SAML v2) Oasis standard. The IdP stores user profiles and provides authentication services to support SSO sign-ins. For a current list of supported Identity Provider products and versions, see the Compatibility Matrix for your solution at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-device-support-tables-list.html.
The Cisco IdS cluster manages authentication for the contact center solution. The individual SSO-enabled applications and services manage authorization. The Cisco IdS cluster is a redundant pair with a publisher and subscriber. You can only perform most administration tasks on the publisher, but either node can issue or refresh access tokens. The cluster replicates configuration and authorization codes between all nodes.
When an SSO-enabled user signs in, the Cisco IdS interacts first with your IdP to authenticate the user. When the user is authenticated, the Cisco IdS checks with the accessed Cisco services to confirm that the user is authorized for the requested role. When the user is both authenticated and authorized, the Cisco IdS issues an access token that allows the user to access the application. The access token enables the user to switch between the authorized contact center applications for that session without presenting credentials again.
Note: The user credentials are only presented to the IdP. The contact center solution applications and services only exchange tokens; they do not see the users' information.
SSO Message Flow
The Cisco IdS issues an SSO user's access token so that the corresponding applications can validate the user. Once the user is validated, each application performs authorization locally. Cisco IdS supports the Authorization Code Grant flow as defined in OAuth 2.0 and, in turn, uses SAML v2.0 to authenticate the user before issuing the authorization code.
When a user browses to a web page for an SSO-enabled service, the authentication request is redirected to the Cisco Identity Service. Cisco Identity Service generates a SAML authentication request and directs it to the Identity Provider. The IdP presents a sign-in page to the user at the browser to collect the user's credentials. After the IdP authenticates the user, the IdP issues a SAML assertion to the Cisco IdS. The assertion contains trusted statements about the user, for example, username and privileges.
The assertions must carry attributes. The Cisco IdS extracts the uid and user principal from the assertion, generates an authorization code, and delivers it to the SSO-enabled application. On receiving the authorization code, the application requests Access and Refresh Tokens from the Cisco IdS.
Applications use Access Tokens to validate user information and use Refresh Tokens to request new Access Tokens. Each token has its own validity period.
Note: A new Access Token and Refresh Token pair can be obtained only before the authorization code expires. An Access Token can be refreshed only when both the current Access Token and the Refresh Token are valid and not expired. If the Refresh Token expires, you cannot refresh the Access Token; the user must authenticate again and a new authorization code must be requested.
Together SAML and OAuth make it possible for a user to authenticate while only exposing user credentials to the authentication provider. The username and password are only presented to the IdP. The contact center solution applications and services do not see the user information. Only the SAML assertion and the OAuth token are exchanged.
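The token rules above (single-use authorization code with an expiry, refresh only while both tokens are valid, otherwise sign in again) as an added illustration; this is not Cisco code, and the `IdentityService` class, the lifetimes and the clock passed as `now` are constructed for the example:

```python
import secrets
from dataclasses import dataclass

# Constructed lifetimes in seconds; a real deployment configures its own.
AUTH_CODE_TTL = 60
ACCESS_TOKEN_TTL = 300
REFRESH_TOKEN_TTL = 3600

@dataclass
class Token:
    value: str
    expires_at: float

    def valid(self, now: float) -> bool:
        return now < self.expires_at

class IdentityService:
    """Hypothetical stand-in for the Cisco IdS token endpoints."""

    def __init__(self) -> None:
        self._codes = {}     # auth code -> expiry time
        self._refresh = {}   # refresh-token value -> Token

    def issue_auth_code(self, now: float) -> str:
        # Called once the IdP's SAML assertion has been verified (not modelled).
        code = secrets.token_urlsafe(16)
        self._codes[code] = now + AUTH_CODE_TTL
        return code

    def exchange_code(self, code: str, now: float):
        """Trade the auth code for an access/refresh token pair, or None."""
        expiry = self._codes.pop(code, None)   # single use: gone after first call
        if expiry is None or now >= expiry:
            return None                        # unknown, reused or expired code
        return self._mint(now)

    def refresh(self, access: Token, refresh: Token, now: float):
        """New pair only while BOTH current tokens are valid; else sign in again."""
        if not (access.valid(now) and refresh.valid(now)):
            return None
        if self._refresh.pop(refresh.value, None) is None:
            return None                        # not issued here, or already rotated
        return self._mint(now)

    def _mint(self, now: float):
        access = Token(secrets.token_urlsafe(32), now + ACCESS_TOKEN_TTL)
        refresh = Token(secrets.token_urlsafe(32), now + REFRESH_TOKEN_TTL)
        self._refresh[refresh.value] = refresh
        return access, refresh
```

A `None` result from either endpoint is the signal that the application must send the user back through the IdP for a fresh SAML authentication and a new authorization code.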
Single Sign-On High Availability Considerations
You deploy the Cisco Identity Service (Cisco IdS) as a cluster. The cluster contains a publisher and a subscriber. The cluster nodes automatically replicate configuration data and authorization codes across the cluster. When a node reconnects, the cluster determines the most recent configuration and authorization code data and replicates that across the cluster.
A contact center application can authenticate and authorize an agent or supervisor if it can reach any node. The contact center applications query their local Cisco IdS node by default. If that node is unavailable, the applications query any configured remote node. When the local node reconnects to the cluster, the applications return to querying the local node.
If the packet loss on your network exceeds 5 percent, a node might not obtain an access token using an authorization code that the other node issued. In this case, the user has to sign in again. If the packet loss becomes too great or the connection is lost, the Cisco IdS functions as a solo node. The cluster automatically reforms when network connectivity improves.
Single Sign-On Design Impacts
This section details some of the design impacts of the Single Sign-On (SSO) feature. The implementation requires you to use only the HTTPS protocol to access all the web applications. HTTP access to web applications is not supported when SSO is enabled.
Authentication Modes in Unified CCX
- SSO - Enable all agents, supervisors, and administrators (administrators of the Cisco Unified CCX Administration or Cisco Unified CCX Serviceability application) in the deployment for SSO.
- Non-SSO - Use existing Unified CM-based or local authentication.
Applications in SSO Mode
- Cisco Unified Intelligence Center (CUIC)
- Cisco Finesse
- Cisco Finesse-hosted gadgets
- Cisco Unified CCX Administration
- Cisco Unified CCX Serviceability
Note: The Cisco Finesse IP Phone Agent is not supported in SSO-enabled mode. Single Sign-On functions independently on Unified CM and Unified CCX; the two are not interdependent.
Applications not SSO Enabled
- Cisco Finesse Administration
- Cisco Identity Service Administration
- Disaster Recovery System
- Cisco Unified OS Administration
- Cisco Unified Serviceability
- Standalone Cisco Unified Intelligence Center
- Cisco Unified CCX Editor
- Real Time Monitoring Tool
- Cisco SocialMiner
- Cisco MediaSense
- Cisco Workforce Optimization
- Any third-party application