Single Sign-On in Cisco Unity Connection
Cisco Unity Connection 10.x supports single sign-on (OpenAM SSO), which allows end users to log in once and then access the following Cisco Unity Connection applications without signing in again:
- Cisco Personal Communications Assistant
- Web Inbox
- Cisco Unity Connection Administration
- Cisco Unity Connection Serviceability
- Cisco Unity Connection Rest APIs
Note: With Cisco Unity Connection 10.x, VmRest APIs are supported with the single sign-on feature.
For more information about the single sign-on feature, see the Cisco white paper, A complete guide for the installation, configuration and integration of Open Access Manager 9.0 with CUCM 8.5, 8.6 /CUC 8.6 and Active Directory for SSO at https://supportforums.cisco.com/docs/DOC-14462.
Configuration Checklist for Single Sign-On
This section provides a checklist for configuring the single sign-on feature in the network.
1. Ensure that your environment meets the requirements described in System Requirements for Single Sign-On.
2. Provision the OpenAM server in Active Directory, and then generate keytab files.
   Note: If your Windows version does not include the ktpass tool for generating keytab files, you must obtain it separately.
3. Import the OpenAM server certificate into the Cisco Unified Communications Manager tomcat-trust store.
4. Configure Windows single sign-on with Active Directory and OpenAM.
5. Enable single sign-on in Cisco Unified Communications Manager.
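The keytab step of the checklist (provisioning the OpenAM server in Active Directory and generating its keytab), as an added PowerShell example run on a domain controller. It is not from the Cisco guide or the white paper. The realm EXAMPLE.COM, the host openam.example.com, the account name svc-openam and the keytab path are placeholders; the script assumes the ActiveDirectory module and the setspn and ktpass tools are available, and it chooses AES256 keys, which is an assumption of this example rather than a requirement stated on this page.

```powershell
# Added example (not from the Cisco guide or the white paper): create the service
# account that represents the OpenAM server in Active Directory, register its HTTP
# SPN, and generate the keytab that OpenAM's Windows Desktop SSO module needs.
# All names below are placeholders; adjust them to your domain.

Import-Module ActiveDirectory

$Realm       = 'EXAMPLE.COM'          # Kerberos realm = AD domain name, upper case
$OpenAmFqdn  = 'openam.example.com'   # must resolve by name for CUC, clients and the DC
$AccountName = 'svc-openam'           # placeholder service account
$KeytabPath  = 'C:\openam\openam.keytab'
$Spn         = "HTTP/$OpenAmFqdn"     # the browser requests a ticket for this SPN

# 1. Service account with a non-expiring password (assumption: AES256-only keys).
$cred = Get-Credential -UserName $AccountName -Message 'Password for the OpenAM service account'
New-ADUser -Name $AccountName -SamAccountName $AccountName `
    -UserPrincipalName "$AccountName@$Realm" `
    -AccountPassword $cred.Password -Enabled $true `
    -PasswordNeverExpires $true -KerberosEncryptionType AES256

# 2. Register the HTTP SPN for the OpenAM host on that account.
#    -S refuses to add the SPN if it is already registered elsewhere in the forest,
#    which is the usual cause of "KRB_AP_ERR_MODIFIED" style failures later.
setspn -S $Spn $AccountName

# 3. Generate the keytab with ktpass. "/pass *" prompts for the password instead of
#    leaving it in the shell history; /mapuser maps the Kerberos principal to the account.
ktpass /princ "$Spn@$Realm" /mapuser "$AccountName@$Realm" /pass * `
       /out $KeytabPath /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1

# 4. Sanity check: list the SPNs now registered for the account.
setspn -L $AccountName
```

By default ktpass /mapuser also sets the mapped account's password to the value it is given, so supply the same password at both prompts. Copy the keytab to the OpenAM server over an authenticated, encrypted channel and restrict its file permissions to the OpenAM service user: anyone holding the keytab can impersonate the OpenAM service to the clients that trust it.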
System Requirements for Single Sign-On
The single sign-on feature in Cisco Unity Connection has the following system requirements.
The feature requires the following third-party applications:
- Microsoft Windows Server 2003 with SP1/SP2 or Microsoft Windows Server 2008 with SP2 for deploying Active Directory
- Microsoft Active Directory server (any version)
- ForgeRock Open Access Manager (OpenAM) version 9.0
- Apache Tomcat 7.0.0
The single sign-on feature uses Active Directory and OpenAM simultaneously to provide single sign-on access to client applications.
The third-party applications required for the single sign-on feature must meet the following configuration requirements:
- Active Directory must be deployed in a Windows domain-based network configuration, not just as an LDAP server.
- The OpenAM server must be accessible by name on the network to the Unity Connection server, all client systems, and the Active Directory server.
- The OpenAM server can be installed on a Microsoft Windows Server 2003 server or a Red Hat Enterprise Linux (RHEL) server.
- The Active Directory (Domain Controller) server, Windows clients, Cisco Unity Connection, and OpenAM must be in the same domain.
- DNS must be enabled in the domain.
- The clocks of all the entities participating in single sign-on must be synchronized.
See the third-party product documentation for more information about those products.
Configuring Single Sign-On
The complete set of instructions for configuring Unity Connection and the OpenAM server for single sign-on is given in the Cisco white paper, A complete guide for the installation, configuration and integration of Open Access Manager 9.0 with CUCM 8.5, 8.6 /CUC 8.6 and Active Directory for SSO at https://supportforums.cisco.com/docs/DOC-14462.
This section outlines the key steps that must be followed for the Unity Connection-specific configuration. If you are configuring single sign-on for the first time, it is strongly recommended that you follow the detailed instructions in the Cisco white paper.
Configuring OpenAM Server
To configure the OpenAM server, you must perform the following steps:
Step 1: Configure policies on OpenAM server
To configure policies on the OpenAM server, log in to OpenAM and select the Access Control tab. Click the Top Level Realm option, select the Policies tab, and then create a new policy. Follow the steps given in the Cisco white paper, https://supportforums.cisco.com/docs/DOC-14462, for creating a new policy. While following the instructions in the white paper, make sure to create the policies with the following Unity Connection-specific information:
– Each rule must be of the URL Policy Agent service type.
– Check the GET and POST check boxes for each rule.
– Create a rule for each of the following resources, where 'fqdn' is the fully qualified domain name of your Unity Connection server:
– Make sure that the Subject Type field is Authenticated Users.
– Do not check the Exclusive check box.
– Set the Condition type to Active Session Time.
– Configure the active session timeout as 120 minutes and select 'No' for the Terminate Session option.
Step 2: Configure a Windows Desktop SSO login module instance
Follow the instructions for configuring Windows Desktop as given in the Cisco white paper, https://supportforums.cisco.com/docs/DOC-14462.
Step 3: Configure a J2EE Agent Profile for Policy Agent 3.0
Follow the instructions for creating a new J2EE agent as given in the Cisco white paper, https://supportforums.cisco.com/docs/DOC-14462, with the following Unity Connection-specific settings:
- The agent profile name is the name that you enter on the Unity Connection server when enabling SSO, at the prompt "Enter the name of the profile configured for this policy agent".
- The agent password entered here is the password that you enter on the Unity Connection server at the prompt "Enter the password of the profile name".
- Make sure to add the following URIs to the Login Form URI section on the Application tab:
– /cuadmin/WEB-INF/pages/logon.jsp
– /cuservice/WEB-INF/pages/logon.jsp
– /ciscopca/WEB-INF/pages/logon.jsp
– /inbox/WEB-INF/pages/logon.jsp
– /ccmservice/WEB-INF/pages/logon.jsp
– /vmrest/WEB-INF/pages/logon.jsp
– /inbox/gadgets/msg/msg-gadget.xml
In addition to the Unity Connection-specific configuration above, ensure the following:
- Import users from LDAP into Unity Connection. Users must be assigned the appropriate roles to log in to Cisco Unity Connection Administration or Cisco Unity Connection Serviceability.
- Upload the OpenAM certificate into Unity Connection as described in the Configuring SSO on Cisco Unified Communications Manager 8.6 section of the Cisco white paper, https://supportforums.cisco.com/docs/DOC-14462.
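A way to check a policy and agent profile against the Unity Connection-specific settings from Step 1 (policy rules, subject, condition) and Step 3 (login form URIs), as an added PowerShell example that is not from the Cisco guide or the white paper. The hashtable layout it reads is a constructed representation for this script only, not OpenAM's own export format, so the values have to be transcribed from the OpenAM console; the sample data at the end is constructed and contains several deliberate deviations so that the checks are exercised.

```powershell
# Added example (not from the Cisco guide or the white paper): compare a transcribed
# OpenAM policy and J2EE agent profile with the Unity Connection-specific settings
# in Steps 1 and 3. The hashtable layout is constructed for this script only.

# Login form URIs that Step 3 requires on the agent profile's Application tab.
$RequiredLoginFormUris = @(
    '/cuadmin/WEB-INF/pages/logon.jsp',
    '/cuservice/WEB-INF/pages/logon.jsp',
    '/ciscopca/WEB-INF/pages/logon.jsp',
    '/inbox/WEB-INF/pages/logon.jsp',
    '/ccmservice/WEB-INF/pages/logon.jsp',
    '/vmrest/WEB-INF/pages/logon.jsp',
    '/inbox/gadgets/msg/msg-gadget.xml'
)

function Test-UnityConnectionSsoConfig {
    param(
        [Parameter(Mandatory)] [hashtable] $Policy,        # transcribed OpenAM policy (Step 1)
        [Parameter(Mandatory)] [hashtable] $AgentProfile   # transcribed J2EE agent profile (Step 3)
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Every rule must use the URL Policy Agent service type with GET and POST checked.
    foreach ($rule in $Policy.Rules) {
        if ($rule.ServiceType -ne 'URL Policy Agent') {
            $findings.Add("Rule '$($rule.Name)': service type '$($rule.ServiceType)', expected 'URL Policy Agent'")
        }
        foreach ($action in 'GET', 'POST') {
            if ($rule.Actions -notcontains $action) {
                $findings.Add("Rule '$($rule.Name)': $action is not checked")
            }
        }
    }

    # Subject type must be Authenticated Users; Exclusive must stay unchecked.
    if ($Policy.SubjectType -ne 'Authenticated Users') {
        $findings.Add("Subject type is '$($Policy.SubjectType)', expected 'Authenticated Users'")
    }
    if ($Policy.Exclusive) { $findings.Add('Exclusive check box is checked') }

    # Condition: Active Session Time, 120 minutes, Terminate Session = No.
    $cond = $Policy.Condition
    if ($cond.Type -ne 'Active Session Time') {
        $findings.Add("Condition type is '$($cond.Type)', expected 'Active Session Time'")
    } else {
        if ($cond.MaxSessionMinutes -ne 120) {
            $findings.Add("Active session timeout is $($cond.MaxSessionMinutes) minutes, expected 120")
        }
        if ($cond.TerminateSession) { $findings.Add("Terminate Session is 'Yes', expected 'No'") }
    }

    # Agent profile: every Unity Connection login form URI must be present.
    foreach ($uri in $RequiredLoginFormUris) {
        if ($AgentProfile.LoginFormUris -notcontains $uri) {
            $findings.Add("Agent profile: Login Form URI '$uri' is missing")
        }
    }
    return $findings
}

# Constructed sample: one rule without POST, a session timeout that is far too long,
# Terminate Session set to Yes, and one login form URI left out.
$SamplePolicy = @{
    Rules = @(
        @{ Name = 'cuadmin rule'; ServiceType = 'URL Policy Agent'; Actions = @('GET', 'POST') },
        @{ Name = 'inbox rule';   ServiceType = 'URL Policy Agent'; Actions = @('GET') }
    )
    SubjectType = 'Authenticated Users'
    Exclusive   = $false
    Condition   = @{ Type = 'Active Session Time'; MaxSessionMinutes = 480; TerminateSession = $true }
}
$SampleAgentProfile = @{
    LoginFormUris = $RequiredLoginFormUris | Where-Object { $_ -ne '/vmrest/WEB-INF/pages/logon.jsp' }
}

$result = Test-UnityConnectionSsoConfig -Policy $SamplePolicy -AgentProfile $SampleAgentProfile
if ($result.Count -eq 0) { 'Configuration matches the Unity Connection-specific settings.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

The session-time check matters for more than login convenience: the OpenAM session is what stands in for the user's credentials across every listed application, so a timeout longer than the 120 minutes the page specifies, or a rule that silently omits POST, changes what an unattended browser or a replayed request can do. Running a check like this after each change to the realm keeps the deployed policy from drifting away from the documented one.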
Running CLI Commands for Single Sign-On
The following CLI commands configure single sign-on.
For more information, see the Cisco white paper, https://supportforums.cisco.com/docs/DOC-14462.
When executed, this command returns an informational message that SSO cannot be enabled using this command.
enable - Enables SSO-based authentication. This command starts the single sign-on configuration wizard.
This command disables SSO-based authentication. It lists the web applications for which SSO is enabled; enter Yes when prompted to disable single sign-on for the specified application. You must run this command on all nodes in a cluster.
This command displays the status and configuration parameters of single sign-on.