Introduction

This document describes the configuration of Microsoft Azure as the Identity Provider (IdP) for Single Sign-On (SSO) in Unified Contact Center Enterprise (UCCE) with Security Assertion Markup Language (SAML) and Cisco Identity Service (IDS).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• SAML 2.0 
• Cisco UCCE and Packaged Contact Center Enterprise (PCCE)
• SSO
• IDS
• IdP

Components Used

The information in this document is based on these software and hardware versions:

• Azure IdP
• UCCE 12.0.1, 12.5.1, 12.5.2, ,12.6.1 and 12.6.2
• Cisco IdS 12.0.1, 12.5.1,12.52, ,12.6.1 and 12.6.2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Configure

1. Export UCCE Metadata Files

The Cisco IDS provides authorization between the IdP and applications.

When Cisco IDS is configured, a metadata exchange is set up between the Cisco IDS and the IdP. This exchange establishes a trust relationship that allows applications to use the Cisco IDS for SSO. The trust relationship is established when a metadata file is downloaded from the Cisco IDS and uploaded to the IdP.

1.1.  Procedure

• In Unified CCE Administration, navigate to  Features > Single Sign-On .
• Click  Identity Service Management  and the Cisco Identity Service Management window opens
• Enter the  User Name , and then click  Next.
• Enter the  password , and then click  Sign In.
  • The Cisco Identity Service Management page opens, and it shows the Nodes, Settings, and Clients icons in the left pane.
• Click  Nodes.
  • The Nodes page opens to the overall Node level view and identifies which nodes are in service. The page also provides the SAML Certificate Expiry details for each node, that indicate when the certificate is due to expire. The node Status options are Not Configured, In Service, Partial Service, and Out of Service. Click a status to see more information. The star to the right of one of the Node names identifies the node that is the primary publisher.
• Click  Settings.
• Click  IdS Trust.
• To begin the Cisco IdS trust relationship, set up between the Cisco IdS and the IdP, click Download Metadata File to download the file from the Cisco IdS Server.

2. Generate Certificate Signing for Azure Responses

If you have OpenSSL installed, generate a certificate for Azure and provision it on the Azure application. Azure includes this certificate in its IdP metadata export and uses it to sign the SAML assertions that it sends to UCCE.

If you do not have OpenSSL, use your enterprise CA to generate a certificate.

2.1  Procedure (OpenSSL)

Here is the procedure to create a certificate via OpenSSL

• Create a certificate and a private key:

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 1095 -out certificate.pem

• Combine the certificate and the key into a password-protected PFX file, which is required by Azure. Ensure to take note of the password.

openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in certificate.pem 

• Generate a single certificate for UCCE.
• Upload the certificate to the Azure IdP.

3. Configure Azure Custom Application

Before you configure Azure, you must export UCCE metadata from UCCE IDS Publisher. You can have both the UCCE metadata XML file and a certificate for the IdP connection before you start these steps on Azure.

3.1. Procedure

• In Microsoft Azure, navigate to  Enterprise Applications  and then select  All Applications.
• To add a new application, select New application .

• In the Add an Application window, proceed with these steps:
  1. Click  Create your own application  (Non-gallery).
  2. Enter the Name of your new application (for example, UCCE) and click  Create.
  3. In the left navigation bar for the new application, click  Single sign-on .
  4. Click  SAML .
  5. The  Set up Single Sign-On with SAML  window appears.
• Click Upload metadata file and then browse to the UCCE metadata XML file.
• After you select and open the file, click  Add .
  • The Basic SAML Configuration populates with Identifier (EntityID) and Reply URL (Assertion consumer service URL) for the UCCE server.
  • Click  Save .
• In the User Attributes & Claims section, click Edit :
  • Under Required Claim, click on Unique User Identifier (Name ID).
  • For the name identifier format, select  Default.
  • For the Source attribute, select  user.onpremisessamaccountname .
  • Click  Save.
  • Under Additional claims, delete all the claims that exist. For each claim, click (…) and select Delete. Click OK to confirm.
  • Click Add new claim to add the  uid claim
  • For Name, enter  uid.
  • Leave the Namespace field blank.
  • For Source, check the Attribute radio button.
  • From the Source attribute drop-down, select user.givenname (or  user.onpremisessamaccountname).           
  • Click  Save.
  • Add a new claim to add the user_principal claim.
  • For Name, enter  user_principal.
  • Leave the Namespace field blank.
  • For Source, check the Attribute radio button.
  • From the Source attribute drop-down, select user.userprincipalname.
  • Click  Save.
    

Snapshot for reference to be configured: 

• 
• Click SAML-based Sign-on to return to the SAML summary.
• In the SAML Signing Certificate section, click  Edit:
  • Set the Signing Option to  Sign SAML Response and Assertion.  
  • Set the Signing Algorithm to the appropriate SHA algorithm. For example, SHA-256.
• Click  Import Certificate.
• In the  Certificate  field, browse to and open the certificate.pfx file that was created earlier.
• Enter the password for the certificate and click  Add .

This must be the only certificate in the list and must be active.

• If this certificate is not active, click the adjacent dots (…), select Make certificate active and then click Yes.
• If there are other certificates in the list, click the adjacent dots (…) for those certificates, select Delete Certificate and click Yes to delete those certificates.

• Click  Save.
• Download the  Federation Metadata XML  file.
• Enable the Application in Azure and Assign Users:

Azure provides you with the ability to assign individual users for SSO with Azure, or all users. Assume that SSO is enabled for all users by DU.

• In the left navigation bar, navigate to  Enterprise Applications > UCCE  (or the application name as given by you).
• Select  Manage > Properties .
• Set Enabled for users to sign in? to  Yes.
• Set Visible to users? to  No.
• Click  Save.

As a final check, check the IdP metadata file and ensure that the certificate that you created previously is present in the <X509Certificate> field as the signing certificate in the IdP metadata file. The format is as follows:

<KeyDescriptor use="signing">
<KeyInfo>
<X509Data>
<X509Certificate>
--actual X.509 certificate--
</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>

4.  Upload Azure Metadata File in UCCE

Before you go to UCCE IDS again, you must have the Federation Metadata XML file downloaded from Azure.

4.1  Procedure

• In Unified CCE Administration, navigate to  Features > Single Sign-On.
• Click  Identity Service Management  and the Cisco Identity Service Management window opens
• Enter the  user name, and then click  Next .
• Enter the  password , and then click  Sign In .
  • The Cisco Identity Service Management page opens and shows the Nodes, Settings, and Clients icons in the left pane.
• Click  Nodes .
  • The Nodes page opens to the overall Node level view and identifies which nodes are in service. The page also provides the SAML Certificate Expiry details for each node, that indicate when the certificate is due to expire. The node Status options are Not Configured, In Service, Partial Service, and Out of Service. Click a status to see more information. The star to the right of one of the Node names identifies the node that is the primary publisher.
• To upload the  Federation Metadata XML  from Azure, browse to locate the file.
• Browse to the Upload IdP Metadata page and upload the Federation Metadata XML file.
  • When the file upload finishes, a notification message is received. The metadata exchange is now complete, and the trust relationship is in place.
• Clear browser cache.
• Enter valid credentials when the page is redirected to IdP.
• Click  Next.
  • The  Test SSO Setup page opens.
• Click  Test SSO Setup .
  • A message appears that tells you that the Cisco IdS configuration has succeeded.
• Click  Settings .
• Click  Security.
• Click  Tokens.
• Enter the duration for these settings:
  • Refresh Token Expiry - The default value is 10 hours. The minimum value is 2 hours. The maximum is 24 hours.
  • Authorization Code Expiry - The default value is 1 minute, which is also the minimum. The maximum is 10 minutes.
  • Access Token Expiry - The default value is 60 minutes. The minimum value is 5 minutes. The maximum is 120 minutes.
• Set the  Encrypt Token  (optional); the default setting is On.
• Click  Save .
• Click  Keys and Certificates .
• The Generate Keys and SAML Certificate page opens. It allows to:
  • Click Regenerate and regenerate the Encryption/Signature key. A message appears to say that the Token Registration is successful and advises you to restart the system to complete the configuration.
  • Click  Regenerate  and regenerate the SAML Certificate. A message appears to say that the SAML certificate regeneration is successful.
• Click  Save .
• Click  Clients.
  • This page identifies the Cisco IdS clients that already exist, and provide the client name, the client ID, and a redirect URL. In order to search for a particular client, click the  Search  icon at the top of the list of names and type the name of the client.
• To add a client:
  • Click  New .
  • Enter the name of the client.
  • Enter the Redirect URL. In order to add more than one URL, click the plus icon.
  • Click  Add  (or click  Clear  and then click  X   to close the page and not add the client).
  • To edit or delete a client, highlight the client row and click the ellipses under Actions.
  • Then:
    • Click  Edit  to edit the name of the client, ID, or redirect URL. On the Edit Client page, make changes and click  Save  (or click Clear and then click the X  to close the page and do not save edits).
    • Click  Delete  to delete the client.

Note: The certificate must be with SHA-256 Secure Hash Algorithm.