SAML SSO Configuration




Overview of Single Sign-On, page 1
Benefits of Single Sign-On, page 2
Overview of Setting Up SAML 2.0 Single Sign-On, page 3
SAML 2.0 Single Sign-On Differences Between Cloud-Based Meeting Services and Meetings Server, page 3

Overview of Single Sign-On

Federated single sign-on (SSO) standards such as SAML 2.0 provide secure mechanisms for passing credentials and related information between different web sites that have their own authorization and authentication systems. SAML 2.0 is an open standard developed by the OASIS Security Services Technical Committee. The SAML 2.0 protocol has seen significant success, gaining momentum in financial services, higher education, government, and other industry segments. SAML 2.0 support has been implemented by all major web-access management vendors. The U.S. General Services Administration (GSA) requires all vendors participating in the U.S. E-Authentication Identity Federation program to be SAML 2.0-compliant.

SAML 2.0-compliant web sites exchange user credential information using SAML assertions. A SAML assertion is an XML document that contains trusted statements about a subject, including, for example, a username and privileges. SAML assertions are usually digitally signed to ensure their authenticity.

Many large enterprises have deployed federated Identity and Access Management (IAM) and Identity Provider (IdP) systems, such as Ping Identity PingFederate, CA SiteMinder, OpenAM, and Windows ADFS 2.0, on their corporate intranets. These IAM and IdP systems handle the user authentication and SSO requirements for employees and partners. IAM and IdP systems use the SAML protocols to interoperate with partner web sites outside their firewalls. Customers can utilize their IAM and IdP systems to automatically authenticate their users to Cisco meeting services. This increases efficiency because users do not have to remember their usernames and passwords to start or join meetings on their Cisco sites.

Note: Cisco Meetings Server supports SAML 2.0 IdPs only. It does not support IdPs based on the older SAML 1.1 and WS-Federate standards. This restriction stands in contrast to the cloud-based Cisco meeting services, which continue to support SAML 1.1 and WS-Federate.

The following SAML 2.0 IdPs have been validated to work with Cisco Meetings Server:

Microsoft ADFS 2.0 (a free add-on to Microsoft Active Directory 2010)
Ping Identity PingFederate 6.6.0.17
ForgeRock OpenAM 10.0.0
CA SiteMinder 6.0 SP5

Because SAML 2.0 is an open standard, other SAML 2.0 IdPs might also operate with Cisco Meetings Server. However, other SAML 2.0 IdPs have not been tested by Cisco, so it is the user's responsibility to make any such integration operational.

Benefits of Single Sign-On

Single sign-on (SSO) can benefit you in the following ways:

Simplified user authentication. Out of the box, Cisco Meetings Server requires users to sign in using email addresses and passwords specific to the Meetings Server system. Users select their passwords upon activating their Meetings Server accounts. While this approach works well for most small and mid-sized organizations, larger organizations prefer user authentication using corporate credentials, that is, Active Directory, for enhanced security. You can accomplish this goal by using SAML 2.0 SSO.

Note: The added security benefit of SSO is that the corporate password is never actually sent to or stored in Cisco Meetings Server; only the result of a successful authentication at the IdP reaches the server.

Simplified user management. Large organizations with changing workforces due to normal attrition prefer to automate user management when integrating with Meetings Server. This means automating the following:

account creation when employees join the organization
account updates when employees take on different roles within the organization
account deactivation when employees leave the organization

You can achieve automation for these events by configuring Auto Account Creation and Auto Account Update in the SSO section of the Cisco Meetings Server Administration site. We recommend that you turn on these features if they are also supported by your SAML IdPs. User accounts are automatically created and updated "on demand" when users authenticate successfully, thereby eliminating the need to create users manually using the Administration site. Similarly, users can no longer sign in to their accounts after they leave the organization, because the SAML 2.0 IdP blocks those users from signing in once they are removed from the SAML 2.0 IdP user database, which is usually a proxy for the underlying corporate directory.

Overview of Setting Up SAML 2.0 Single Sign-On

Important: Unless you or someone in your organization has experience with SAML 2.0 single sign-on (SSO), we recommend that you engage the services of a qualified Cisco AUC partner or Cisco Advanced Services. We make this recommendation because SAML SSO configuration can be fairly complicated.

Review these general steps for setting up SAML 2.0 SSO:

1 Ensure that your SAML 2.0 SSO infrastructure is in place and is integrated with your corporate directory. This implies setting up SAML 2.0 IdP software and the SSO authentication web site. The authentication web site is a portal where users enter their corporate credentials.

2 Ensure that users can access the SSO authentication web site. This step is important because, as part of the sign-in process, Cisco Meetings Server redirects users to this authentication web site.

Note: If your Cisco Meetings Server system is enabled for public access, allowing users to sign in and join meetings from the Internet, then it is critical to ensure that the SSO authentication web site is also accessible from the Internet. This usually implies deploying the SAML 2.0 IdP in your DMZ. Without this extra step, users will see "404 site not found" errors when signing in to Cisco Meetings Server from the Internet.

3 Connect Meetings Server to the SAML 2.0 IdP using both of these methods:

Select Settings > Security > Federated SSO on your Cisco Meetings Server Administration site.
Follow the instructions in your SAML 2.0 IdP documentation. Note that these instructions vary from vendor to vendor and might even change from version to version of the SAML 2.0 IdP. This is another reason to ensure that you contact a qualified Cisco AUC partner or Cisco Advanced Services to help you implement the solution.

Note: Do not use the instructions found on the Cisco Developer Network to set up SAML 2.0 IdPs, because those instructions are intended for cloud-based Cisco meeting services and therefore do not work optimally with Cisco Meetings Server.

SAML 2.0 Single Sign-On Differences Between Cloud-Based Meeting Services and Meetings Server

While the cloud-based Cisco meeting services employ unique user IDs when creating user accounts, Cisco Meetings Server uses email addresses as the basis for creating user accounts. This has the following important implications for SAML 2.0 single sign-on (SSO):

It is mandatory for the SAML assertion to carry the email address in the NameID field. Without this, user authentication and account creation fail, because Cisco Meetings Server does not permit the creation of user accounts without an associated email address.

The cloud-based Cisco meeting services permit removal of the email domain, such as "@cisco.com," from the UPN (User Principal Name) when auto account creation is turned on. This results in the creation of a user account that resembles a user ID. Because Meetings Server uses a complete email address to create user accounts, you cannot remove the email domain from the UPN.

In practice, you can initially deploy Cisco Meetings Server without SAML 2.0 SSO and turn on SSO later. Doing so has the following important effects on the user authentication, auto account creation, and auto account update features:

Scenario 1: You have not turned on SSO. User accounts were created in the system.
Result: Users sign in using their email addresses and passwords.

Scenario 2: Next you turn on SSO. Users with existing accounts sign in to their site, Productivity Tools, or the Cisco Meetings app on their mobile devices.
Result: Users are redirected to the SAML 2.0 IdP authentication web site and asked to sign in using their corporate credentials instead of email addresses and passwords. The users sign in successfully because they are recognized by the SAML 2.0 IdP as valid users. If they are not valid users, they will be informed by the SAML 2.0 IdP that they cannot use Meetings Server or that they are invalid users.

Scenario 3: SSO is turned on, with auto account creation on. Users do not have existing accounts in the system.
Result: Same as the previous scenario. User accounts in Cisco Meetings Server are created "on demand" after users sign in. Prerequisite: the SAML assertion contains a valid email address in the NameID field.

Scenario 4: SSO is turned on, with auto account creation off. Users do not have existing accounts in the system.
Result: They can sign in but will not be able to use Cisco Meetings Server. The easiest way to remedy this situation is to do one of the following:

Leave Auto Account Creation (AAC) on.
Before users sign in, manually create user accounts using "CSV File Import" or "Create user" from the Cisco Meetings Server Administration site.

Scenario 5: SSO is turned on. Users previously signed in using SSO and are now signing in again.
Result: Same as the second scenario. Existing user accounts are automatically updated with any changes to the user credentials (usually first name or last name) as long as the NameID remains unchanged.

Scenario 6: Subsequently you turn off SSO. Users previously signed in using SSO and are now signing in again. This is an uncommon scenario because customers tend to leave SSO on after turning it on.
Result: If users enter their corporate credentials, they cannot sign in, because Meetings Server expects them to enter their email addresses and passwords. In this situation, educate the users about resetting the passwords in their accounts and allow them enough time to act before you turn off SSO. After resetting their passwords, users can sign in using their email addresses and passwords.

Special case: A user is also a system administrator. Such a user can sign in in two ways:

A: The user signs in to the site. In each of the scenarios above, the results are the same as for the corresponding scenario.

B: The user signs in to the Cisco Meetings Server Administration site. In contrast to the behavior on a site, when the user signs in to the Administration site, he or she is always prompted to enter the email address and password. In other words, SSO has no effect when you sign in to the Administration site. This is a security measure built into the product, because of the need to ensure that system administrators can always sign in to the Administration site. If the Administration site also supported SSO, then malfunctions in the SAML 2.0 IdP or a loss of network connectivity between Cisco Meetings Server and the SAML 2.0 IdP might result in a situation in which system administrators can no longer sign in and manage the product. This is the reason why SSO is not supported for the Administration site.
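The NameID prerequisite and the auto account creation and update behavior from the scenarios above, as an added Python example that is not Cisco's code: it pulls the NameID out of a constructed SAML 2.0 assertion, rejects a NameID that is not a complete email address (such as a domain-stripped UPN), and applies the SSO, AAC and AAU decision to an in-memory account store. The assertion, the account store and the function names are assumptions; checking only that a Signature element is present stands in for real signature verification against the IdP certificate.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Meetings Server keys accounts on the complete address, so a bare user ID must fail.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample assertion (not a real IdP response); the signature is a placeholder.
SIGNED_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed-1" Version="2.0">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""
UNSIGNED_ASSERTION = SIGNED_ASSERTION.replace(
    "<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>", "")


def assertion_name_id(assertion_xml):
    """Return the Subject/NameID text of a SAML 2.0 assertion, or None if absent.

    Only the presence of ds:Signature is checked here; a real service provider must
    verify the XML signature against the IdP's certificate before trusting anything.
    """
    root = ET.fromstring(assertion_xml)
    if root.find("ds:Signature", NS) is None:
        raise ValueError("unsigned assertion rejected")
    node = root.find("saml:Subject/saml:NameID", NS)
    return node.text.strip() if node is not None and node.text else None


def sign_in_outcome(sso_on, aac_on, aau_on, accounts, name_id, first, last):
    """Apply the scenario table. accounts maps email -> {"first", "last"} and is
    mutated when Auto Account Creation (aac_on) or Auto Account Update (aau_on) fires."""
    if not sso_on:                              # scenarios 1 and 6: local credentials
        return "local-password-login"
    if name_id is None or not EMAIL_RE.match(name_id):
        return "rejected: NameID must carry a complete email address"
    email = name_id.lower()
    if email in accounts:                       # scenarios 2 and 5
        if aau_on and accounts[email] != {"first": first, "last": last}:
            accounts[email] = {"first": first, "last": last}
            return "signed-in: account updated"
        return "signed-in"
    if aac_on:                                  # scenario 3
        accounts[email] = {"first": first, "last": last}
        return "signed-in: account created on demand"
    return "authenticated but no account: create it via CSV File Import or Create user"


if __name__ == "__main__":
    store = {}
    email = assertion_name_id(SIGNED_ASSERTION)
    print(sign_in_outcome(True, True, True, store, email, "Alice", "Smith"))
    print(sign_in_outcome(True, True, True, store, email, "Alice", "Jones"))
    print(sign_in_outcome(True, True, True, {}, "alice", "Alice", "Smith"))
```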