Single Sign-on Administration

Cisco Identity Service For Single Sign-on Administration

Set up the System Inventory for Cisco IdS Single Sign-On

Set up the System Inventory before configuring the Cisco Identity Service (Cisco IdS) and the components for single sign-on. By default, the System Inventory displays a list of all AWs, Routers, and Peripheral Gateways in the deployment.

The Principal AW (Admin Workstation) is responsible for managing background tasks that run periodically to sync configuration with other solution components, such as SSO management and Smart Licensing.

Select the Principal AW that manages registering the components with the Cisco IdS and enabling them for SSO. Then add the remaining SSO-capable machines to the System Inventory and select the default Cisco IdS for each of them.

Procedure


Step 1

In Unified CCE Administration, navigate to System > IDS Single Sign-On.

Step 2

Set the Principal AW:

  1. Click the AW that you want to be the Principal AW.

    The Edit AW popup window opens.

    Note

    If the AW is coresident with the Router, you can set the Principal AW on the Router.

    You can only specify one Principal AW for each Unified CCE system.

  2. Check the Principal AW check box on the General tab.

  3. Enter the Unified CCE Diagnostic Framework Service domain, username, and password.

    These credentials must be for a domain user who is a member of the Config security group for the instance, and they must be valid on all CCE components in your deployment (Routers, PGs, AWs, and so on). Because every component accepts this one account, treat it as a privileged service account and protect its password accordingly.

  4. Click Save.

Step 3

Add the SSO-capable machines to the System Inventory:

  1. Click New.

    The Add Machine popup window opens.
  2. From the Type drop-down, select one of the following types of machines:

    • Finesse Primary

    • CUIC, LD, IdS Publisher, for the coresident Unified Intelligence Center, Live Data, and Cisco IdS machine available in the 2000 agent or Progger (Lab only) reference design

    • Unified Intelligence Center Publisher, if you're using a standalone Unified Intelligence Center

    • Identity Service Primary, if you're using a standalone Cisco IdS

  3. In the Hostname field, enter the FQDN, IP address, or hostname of the machine.

    Note

    If you don't enter the FQDN, the system converts the value you enter to an FQDN.

  4. Enter the machine's Administration credentials.

  5. Click Save.

    The machine and its related Subscriber or Secondary machine are added to the System Inventory.
  6. Repeat this procedure to add all of the SSO-capable machines in the deployment.

Step 4

Select the default Identity Service for each of the following machines:

  • All Unified CCE AW servers

  • Finesse Primary and Secondary

  • Unified Intelligence Center Publisher and Subscriber

Note

If you're using a coresident CUIC, LD, IdS Publisher and Subscriber, you don't need to set the default Cisco IdS for those machines.

In a standalone deployment, select the Cisco IdS that's deployed on the same Data Center Side (A or B) as the machine that you're configuring. For example, in the Reference Deployment:

  • Select the Identity Service Publisher (IdS A) for AW-HDS-DDS 1, AW-HDS 3, Finesse 1 Pub, Finesse 2 Pub, CUIC Pub, and CUIC Sub 1.

  • Select the Identity Service Subscriber (IdS B) for AW-HDS-DDS 2, AW-HDS 4, Finesse 1 Sub, Finesse 2 Sub, CUIC Sub 2, and CUIC Sub 3.

For details on the Reference Deployment, see Solution Design Guide for Cisco Unified Contact Center Enterprise at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-implementation-design-guides-list.html.

  1. Click a machine to open the Edit Machine popup window.

  2. Click the Search icon next to Default Identity Service to open the Select Identity Service popup window.

  3. Enter the machine name for the Cisco IdS in the Search field and choose the Cisco IdS from the list.

  4. Click Save.


What to do next

Be sure to update the System Inventory if you change your deployment:

  • If you add or remove contact center solution components from your deployment, make the corresponding changes in the System Inventory.

  • If you add or remove Cisco Identity Service machines or coresident CUIC-LD-IdS machines, update the System Inventory appropriately and reconfigure the Cisco IdS. Reassociate the components with a default Cisco IdS.

Configure the Cisco Identity Service

The Cisco Identity Service (Cisco IdS) sits between the Identity Provider (IdP) and the contact center applications: it authenticates users against the IdP over SAML and issues the tokens that the applications accept for authorization.

When you configure the Cisco IdS, you set up a metadata exchange between the Cisco IdS and the IdP. This exchange establishes a trust relationship that then allows applications to use the Cisco IdS for single sign-on. You establish the trust relationship by downloading a metadata file from the Cisco IdS and uploading it to the IdP. You can then select settings related to security, identify clients of the Cisco IdS service, and set log levels and, if desired, enable Syslog format.


Note


  • If you are working with a Cisco IdS cluster, perform these steps on the Cisco IdS primary publisher node.

  • Be sure that the Principal AW is configured and functional before using the System > IDS Single Sign-On tool in Unified CCE Administration.


Procedure


Step 1

Log in to the Cisco IdS primary publisher node using the URL: https://<ids-fqdn>:8553/idsadmin.

Step 2

Enter your user name, and then click Next.

Step 3

Enter your password, and then click Sign In.

The Cisco Identity Service Management page opens, showing the Nodes, Settings, and Clients icons in the left pane.

Step 4

Click Nodes.

The Nodes page opens to the overall Node level view and identifies which nodes are in service. The page also provides the SAML Certificate Expiry details for each node, indicating when the certificate is due to expire. The node Status options are Not Configured, In Service, Partial Service, and Out of Service. Click a status to see more information. The star to the right of one of the Node names identifies the node that is the primary publisher.

Step 5

Click Settings.

Step 6

Click IdS Trust.

Step 7

To begin the Cisco IdS trust relationship setup between the Cisco IdS and the IdP, click Download Metadata File to download the file from the Cisco IdS Server.

Step 8

Click Next.

Step 9

To upload the trusted metadata file from your IdP, browse to locate the file.

The Upload IdP Metadata page opens and includes the path to the IdP. When the file upload finishes, you receive a notification message. The metadata exchange is now complete, and the trust relationship is in place.

Step 10

Clear the browser cache.

Step 11

When the page redirects to the IdP, enter valid credentials.

Step 12

Click Next.

The Test SSO Setup page opens.

Step 13

Click Test SSO Setup.

A message appears telling you that the Cisco IdS configuration has succeeded.

Step 14

Click Settings.

Step 15

Click Security.

Step 16

Click Tokens.

Enter the duration for the following settings:

  • Refresh Token Expiry -- The default value is 10 hours. The minimum value is 2 hours. The maximum is 24 hours.

  • Authorization Code Expiry -- The default value is 1 minute, which is also the minimum. The maximum is 10 minutes.

  • Access Token Expiry -- The default value is 60 minutes. The minimum value is 5 minutes. The maximum is 120 minutes.

Shorter lifetimes narrow the window in which a leaked token or authorization code can be replayed; longer lifetimes reduce how often clients must refresh. Start from the defaults and shorten them only where your risk assessment calls for it.

Step 17

Set the Encrypt Token (optional); the default setting is On.

Step 18

Click Save.

Step 19

Click Keys and Certificates.

The Generate Keys and SAML Certificate page opens and allows you to:

  • Regenerate the Encryption/Signature key by clicking Regenerate. A message appears to say that the Token Registration is successful and advises you to restart the system to complete the configuration. Tokens signed with the previous key no longer validate after the restart, so plan this for a maintenance window.

  • Regenerate the SAML Certificate by clicking Regenerate. A message appears to say that the SAML certificate regeneration is successful. The SAML certificate is part of the metadata you exchanged in the IdS Trust step, so after regenerating it, download the metadata file again and upload it to the IdP; otherwise the IdP still trusts the old certificate and SSO sign-ins fail.

Step 20

Click Save.

Step 21

Click Clients.

The Clients page identifies the existing Cisco IdS clients, providing the client name, the client ID, and a redirect URL. To search for a particular client, click the Search icon above the list of names and type the client's name.

Step 22

To add a client:

  1. Click Add Client.

  2. Enter the client's name.

  3. Enter the Redirect URL. To add more than one URL, click the plus icon.

  4. Click Add (or click Clear and then click the X to close the page without adding the client).

Step 23

To edit or delete a client, highlight the client row and click the ellipsis under Actions. Then:

  • Click Edit to edit the client's name, ID, or redirect URL. On the Edit Client page, make changes and click Save (or click Clear and then click the X to close the page without saving edits).

  • Click Delete to delete the client.

Step 24

Click Settings.

Step 25

From the Settings page, click Troubleshooting to perform some optional troubleshooting.

Step 26

Set the local log level by choosing from Error, Warning, Info (the default), Debug, or Trace.

Step 27

To receive errors in Syslog format, enter the name of the Remote Syslog Server in the Host (Optional) field.

Step 28

Click Save.


You can now:
  • Register components with the Cisco IdS.

  • Enable (or disable) SSO for the entire deployment.
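The Nodes page (Step 4) reports when each node's SAML certificate expires, and the metadata file you download in the IdS Trust step (Step 7) carries that same certificate. The following POSIX shell script is an added example and is not part of the Cisco documentation or of the Cisco IdS product: it pulls the X509Certificate element out of a SAML metadata file and reports whether the certificate stays valid for a chosen number of days, so the check can run from a monitoring host before the expiry catches you. It assumes that openssl is installed, that grep supports -o, and that the certificate is carried in the standard SAML metadata KeyDescriptor/KeyInfo/X509Data/X509Certificate element. The metadata it checks here is constructed inside the script from a throw-away self-signed certificate; the hostname ids.example.com and the 7-day and 60-day thresholds are illustrative.

```shell
#!/bin/sh
# Added example, not from the Cisco documentation: check how long the SAML
# certificate embedded in an IdS metadata file remains valid.
# Assumptions: openssl is on the PATH; grep supports -o (GNU and BSD do);
# the certificate sits in a SAML 2.0 metadata <X509Certificate> element, as
# the SAML metadata schema specifies. The hostname, file names and day
# thresholds below are illustrative.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the downloaded metadata: a throw-away self-signed
# certificate (valid for $1 days) wrapped in a minimal SPSSODescriptor.
make_sample_metadata() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
    -subj "/CN=ids.example.com" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
  cert_b64=$(sed '/-----/d' "$WORK/cert.pem" | tr -d '\n')
  cat > "$WORK/sp-metadata.xml" <<EOF
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="ids.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>$cert_b64</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
EOF
  echo "$WORK/sp-metadata.xml"
}

# Print the first X509Certificate in metadata file $1 as PEM; fail if none.
# Whitespace is stripped first because real metadata wraps the base64 body
# over many lines.
extract_cert() {
  b64=$(tr -d '\n\r\t ' < "$1" \
        | grep -o '<[^/>]*X509Certificate>[^<]*' | head -n 1 | sed 's/^[^>]*>//')
  [ -n "$b64" ] || return 1
  printf '%s\n' '-----BEGIN CERTIFICATE-----'
  printf '%s\n' "$b64" | fold -w 64
  printf '%s\n' '-----END CERTIFICATE-----'
}

# Report subject and notAfter of the certificate in metadata file $1, and
# return 0 only if it stays valid for at least $2 more days.
check_saml_cert() {
  pem=$(extract_cert "$1") || { echo "no X509Certificate in $1" >&2; return 2; }
  printf '%s\n' "$pem" | openssl x509 -noout -subject -enddate
  printf '%s\n' "$pem" | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Stand-alone demo: a 30-day certificate passes a 7-day threshold and fails a
# 60-day one, which is the point at which you would regenerate it.
demo() {
  meta=$(make_sample_metadata 30)
  for days in 7 60; do
    if check_saml_cert "$meta" "$days"; then
      echo "OK: valid for at least $days more days"
    else
      echo "WARNING: expires within $days days"
    fi
  done
}
demo
```

Point check_saml_cert at the real downloaded metadata file to check the production certificate. When it reports an upcoming expiry, regenerate the SAML certificate (Step 19) and repeat the metadata exchange with the IdP so that the IdP trusts the new certificate.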

Register Components and Set Cisco IdS Single Sign-On Mode

If you add any SSO-compatible machines to the System Inventory after you register components with the Cisco IdS, those machines are registered automatically.

Before you begin

  • Configure the Cisco Identity Service (Cisco IdS).

  • Disable popup blockers so that all test results display correctly.

  • If you are using Internet Explorer, verify that:

    • It is not in the Compatibility Mode.

    • You are using the fully qualified domain name of AW to access the CCE Administration (for example, https://<FQDN>/cceadmin).

Procedure


Step 1

In the Unified CCE Administration, navigate to System > IDS Single Sign-On.

Step 2

Click the Register button to register all SSO-compatible components with the Cisco IdS.

The component status table displays the registration status of each component.

If a component fails to register, correct the error and click Retry.

Step 3

Click the Test button. When the new browser tab opens, you may be prompted to accept a certificate; the page does not load until you do, so confirm that the certificate belongs to the expected component before accepting it. Then, when presented with a log-in dialog, log in as a user with SSO credentials.

The test process verifies that each component is configured correctly to reach the Identity Provider, and that the Cisco IdS successfully generates access tokens. Each component that you are setting up for SSO is tested.

The component status table displays the status of testing each component.

If a test is unsuccessful, correct the error, and then click Test again.

Save the test results. If you refresh the page, run the test again before enabling SSO.

Step 4

Select the SSO mode for the system from the Set Mode drop-down menu:

  • Non-SSO: This mode disables SSO for all agents and supervisors. Users log in with the existing non-SSO authentication: agents against the local Admin Workstation configuration, and supervisors against Active Directory.

  • Hybrid: This mode allows you to enable agents and supervisors selectively for SSO.

  • SSO: This mode enables SSO for all agents and supervisors.

The component status table displays the status of setting the SSO mode on each component.

If the SSO mode fails to be set on a component, correct the error, and then select the mode again.


Webex Common Identity For Single Sign-On

Overview of Webex Common Identity For Single Sign-On

Webex Common Identity (Webex CI) for SSO centralizes the management of user profiles and access permissions across Unified CCE. It provides a single identity framework that consolidates user identities, authentication, and authorization, and it underpins many hybrid features for Unified CCE deployments, giving users simplified access and seamless collaboration across hybrid services.


Note

Webex CI is a Controlled Availability feature. To join Controlled Availability testing or enable this feature, email the Product Management team at cce-pm-team@cisco.com.


Prerequisites

Ensure that you consider the following requirements:

Note

Webex CI is enabled only for agents and supervisors, not for administrators.


Key features of Webex Common Identity

Some of the key features of Webex CI are as follows:

  • Single Sign-On (SSO)

    Users authenticate once to securely access all CCE applications, enhancing productivity and overall user experience.

  • Flexible Authentication

    • Supports both Cisco Identity Service (IdS) and Webex CI-based SSO.

    • Webex CI-enabled agents are redirected to CI-based SSO for authentication using OAuth flows when they sign in to the Unified CCE Administration console, Cisco Finesse, or Cisco Unified Intelligence Center.

  • Hybrid services

    Seamless integration with hybrid services, including on-premises deployments, simplifies identity management in CCE environments that use Webex CI.

  • Automated Agent Synchronization

    • Periodically synchronize agents from Webex Common Identity to CCE.

    • Supports synchronization of agents based on system generated groups, such as UCCE Users.

    • Migrate existing agents to Webex CI using a bulk migration process.

Webex Common Identity Taskflow

Consider the following taskflow of Webex Common Identity (Webex CI) for SSO:

Table 1. Taskflow for Webex Common Identity (each step is followed by its description)

Onboarding Users to Webex Common Identity

  • Place an order for Webex Common Identity on Cisco Commerce Workspace (CCW) to provision a new or existing Organization. See the Cisco Webex Contact Center Ordering Guide and the Cisco Collaboration Flex Plan Contact Center Ordering Guide at Cisco Collaboration Ordering Guides.

  • Onboard users from the Customer Active Directory to the Webex CI Control Hub using Cisco Directory Connector.

  • Add users to the system-generated group UCCE Users.

    Note

    Ensure that you do not rename or delete the UCCE Users group.

For more information, see the Onboarding users to Webex Common Identity section in the Webex Common Identity for Single Sign-On chapter of the Cisco Unified Contact Center Enterprise Features Guide at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-feature-guides-list.html

Synchronizing Webex Common Identity Contact Center Users to CCE

You can manually or periodically synchronize users from Webex CI to CCE.

For more information, see the Synchronizing Webex Common Identity Contact Center Users to CCE section in the Webex Common Identity for Single Sign-On chapter of the Cisco Unified Contact Center Enterprise Features Guide at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-feature-guides-list.html

Mapping Webex Common Identity Contact Center Users to CCE

Each Webex CI user is assigned a unique identifier, which is used to match the user to the corresponding CCE user and to drive periodic synchronization with CCE.

For more information, see the Mapping Webex Common Identity Contact Center Users to CCE section in the Webex Common Identity for Single Sign-On chapter of the Cisco Unified Contact Center Enterprise Features Guide at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-feature-guides-list.html

Enabling Webex Common Identity for Existing CCE Users

You can enable Webex Common Identity for existing CCE users using the bulk migration process.

For more information, see the Enabling Webex Common Identity for Existing CCE users section in the Webex Common Identity for Single Sign-On chapter of the Cisco Unified Contact Center Enterprise Features Guide at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-feature-guides-list.html

Removing Users from Webex Common Identity

From Control Hub, you can remove Webex CI users from the Contact Center-specific group, UCCE Users.

During the next periodic synchronization, the CCE updates the user details for the corresponding group accordingly.

Note

It takes 24 hours for the latest changes to be reflected in CCE.

For more information, see the Removing Users from Webex Common Identity section in the Webex Common Identity for Single Sign-On chapter of the Cisco Unified Contact Center Enterprise Features Guide at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-feature-guides-list.html

Licensing - Webex Common Identity

Users who belong to system-generated groups, such as UCCE Users, within their respective organizations are entitled as Webex CI users. If the Webex CI offer is canceled, suspended, expired, or removed, the users lose their roles and entitlements and become non-CI users in CCE. They remain available in Webex CI.

The Webex CI offer lifecycle affects users as follows:

  • Cancel: If the Webex CI offer is canceled, the user role and entitlement are removed for the Webex CI user and organization.

  • Suspend: If the Webex CI offer is suspended, the user role and entitlement are suspended for the Webex CI user and organization. You can resume the Webex CI license later.

  • Renew: If the Webex CI offer is renewed, the user role and entitlement are restored for the Webex CI user and organization.

  • Expire: If the Webex CI offer expires, the user role and entitlement expire for the Webex CI user and organization.