Single Sign On. Configuration Checklist for Single Sign On (Chapter 39)




CHAPTER 39 Single Sign On

The single sign on feature allows end users to log into a Windows client machine on a Windows domain, then use certain Cisco Unified Communications Manager applications without signing on again. For more information about the single sign on feature, refer to the Cisco white paper A complete guide for installation, configuration and integration of CUCM 8.5 with Open Access Manager and Active Directory for SSO.

This chapter, which provides information on the single sign on feature for Cisco Unified Communications Manager, contains the following topics:

Configuration Checklist for Single Sign On, page 39-1
Introducing Single Sign On for Cisco Unified Communications Manager, page 39-2
System Requirements for Single Sign On, page 39-2
Installing and Activating Single Sign On, page 39-3
Configuring Single Sign On, page 39-3
Related Topics, page 39-7

Configuration Checklist for Single Sign On

The single sign on feature allows end users to log into a Windows client machine, then use certain Cisco Unified Communications Manager applications without signing on again.

Table 39-1 provides a checklist for configuring single sign on in your network. Use Table 39-1 in conjunction with the Related Topics section on page 39-7. For information about configuring single sign on with Cisco Unified Communication interface for Microsoft Office Communicator, refer to the Cisco Unified Communication interface for Microsoft Office Communicator documentation.

Table 39-1 Single Sign On Configuration Checklist

Step 1  Ensure that your environment meets the requirements described in the System Requirements for Single Sign On section on page 39-2.

Step 2  Provision the OpenAM server in Active Directory, then generate keytab files.
        Note: If your Windows version does not include the ktpass tool for generating keytab files, then you must obtain it separately.
        Related topics and documentation: Microsoft Active Directory documentation.

Step 3  Import the OpenAM server certificate into the Cisco Unified Communications Manager tomcat-trust store.
        Related topics and documentation: Importing the OpenAM Certificate into Cisco Unified Communications Manager section on page 39-4.

Step 4  Configure Windows single sign on with Active Directory and OpenAM.
        Related topics and documentation: Configuring Windows Single Sign On with Active Directory and OpenAM section on page 39-4.

Step 5  Configure client browsers for single sign on.
        Related topics and documentation: Configuring Client Browsers for Single Sign On section on page 39-4.

Step 6  Enable single sign on in Cisco Unified Communications Manager.
        Related topics and documentation: Running CLI Commands for Single Sign On section on page 39-5.

Introducing Single Sign On for Cisco Unified Communications Manager

The single sign on feature allows end users to log into Windows, then use the following Cisco Unified Communications Manager applications without signing on again:

User Options Pages
Cisco Unified Communication interface for Microsoft Office Communicator

System Requirements for Single Sign On

The following single sign on system requirements exist for Cisco Unified Communications Manager:

Cisco Unified Communications Manager release 8.5(1) on each server in the cluster

The feature requires the following third-party applications:

Microsoft Windows Server 2003 or Microsoft Windows Server 2008
Microsoft Active Directory

ForgeRock Open Access Manager (OpenAM) version 9.0

The single sign on feature uses Active Directory and OpenAM in combination to provide single sign on access to client applications. These third-party products must meet the following configuration requirements:

Active Directory must be deployed in a Windows domain-based network configuration, not just as an LDAP server.
The OpenAM server must be accessible on the network to all client systems and the Active Directory server.
The Active Directory (Domain Controller) server, Windows clients, Cisco Unified Communications Manager, and OpenAM must be in the same domain.
DNS must be enabled in the domain.
No third-party products may be installed on the Cisco Unified Communications Manager server.
The clocks of all the entities participating in SSO must be synchronized.

See the third-party product documentation for more information about those products.

Installing and Activating Single Sign On

After you install Cisco Unified Communications Manager 8.5(1), your network can support single sign on if you perform the necessary configuration tasks. For information on the configuration tasks that you must perform, see the Configuration Checklist for Single Sign On section on page 39-1.

Configuring Single Sign On

This section contains information on the following topics:

Configuring OpenAM, page 39-3
Configuring Windows Single Sign On with Active Directory and OpenAM, page 39-4
Configuring Client Browsers for Single Sign On, page 39-4
Running CLI Commands for Single Sign On, page 39-5

Tip: Before you configure single sign on, review the Configuration Checklist for Single Sign On section on page 39-1.

Configuring OpenAM

Perform the following tasks using OpenAM:

Configure policies in OpenAM for the following:
    CUCM User and UDS web application
    Query Parameters
Configure a J2EE Agent Profile for Policy Agent 3.0.
Configure a Windows Desktop SSO login module instance.

Configure the Login Form URI and the OpenAM Login URL for the policy agent (PA).
Disable local user profiles.

Importing the OpenAM Certificate into Cisco Unified Communications Manager

Because communication between Cisco Unified Communications Manager and OpenAM is secured, you must obtain the OpenAM security certificate and import it into the Cisco Unified Communications Manager tomcat-trust store. Configure the OpenAM certificate to be valid for 5 years. For information about importing certificates, see the Cisco Unified Communications Operating System Administration Guide.

Configuring Windows Single Sign On with Active Directory and OpenAM

This section describes how to configure Windows single sign on with Active Directory and OpenAM. This procedure allows Cisco Unified Communications Manager to authenticate with Active Directory.

Procedure

Step 1  In Active Directory, create a new user with the OpenAM Enterprise host name (without the domain name) as the User ID (login name).

Step 2  Create keytab files on the Active Directory server.

Step 3  Export the keytab files to the OpenAM system.

Step 4  In OpenAM, create a new authentication module instance with the following configuration:
        The type is Windows Desktop SSO.
        The realm attributes are determined as follows:
            Service Principal: Enter the principal name that you used to create the keytab file.
            Keytab File Name: Enter the path where you imported the keytab file.
            Kerberos Realm: Enter the domain name.
            Kerberos Server Name: Enter the FQDN of the Active Directory server.
            Authentication level: Enter 22.

Configuring Client Browsers for Single Sign On

To use single sign on for a browser-based client application, you must configure the web browser. The following sections describe how to configure client browsers to use single sign on:

Configuring Internet Explorer for Single Sign On, page 39-5
Configuring Firefox for Single Sign On, page 39-5
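Before a keytab exported in the Active Directory procedure above is wired into the Windows Desktop SSO module, it is worth confirming that it really contains the principal, realm and key version the module's Service Principal and Kerberos Realm attributes will name, since a mismatch only surfaces later as a failed Kerberos login. The parser below is an added example, not code from this chapter, Cisco or ForgeRock: it reads the version 2 (0x0502) keytab format that ktpass produces and lists each entry so it can be compared with the module configuration. The principal HTTP/openam.example.com@EXAMPLE.COM, the realm and the key bytes are constructed sample values.

```python
import struct

def _octets(data, pos):
    # counted_octet_string: uint16 big-endian length followed by the bytes
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data):
    """Parse a version-2 (0x0502) keytab, the format ktpass produces."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _octets(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _octets(data, pos)
            comps.append(comp.decode())
        pos += 4                          # name_type, not needed for this check
        _ts, vno8 = struct.unpack_from(">IB", data, pos)
        (etype,) = struct.unpack_from(">H", data, pos + 5)
        key, pos = _octets(data, pos + 7)
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit key version extension
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": etype, "keylen": len(key)})
        pos = end
    return entries

def matching_entries(data, service_principal):
    """Entries whose principal equals the Service Principal set in the OpenAM module."""
    return [e for e in parse_keytab(data) if e["principal"] == service_principal]

# Constructed sample keytab (not real): two keys for one principal, with a deleted slot between them.
def _entry(principal, realm, kvno, etype, key):
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, etype)   # name_type, timestamp, vno8, enctype
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("HTTP/openam.example.com", "EXAMPLE.COM", 3, 23, b"\x11" * 16)
                 + struct.pack(">i", -4) + bytes(4)
                 + _entry("HTTP/openam.example.com", "EXAMPLE.COM", 3, 18, b"\x22" * 32))
```

To check a real export, pass open(path, "rb").read() to matching_entries with the principal given to ktpass; an empty result means the module cannot decrypt the SPNEGO tokens clients will present.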

Configuring Internet Explorer for Single Sign On

The single sign on feature supports Windows clients running Internet Explorer version 6.0 and higher. Do the following tasks to configure Internet Explorer to use single sign on:

Select the Integrated Windows Authentication option.
Create a custom security level configured as follows:
    Select the Automatic Logon Only in Intranet Zone option.
    Select all of the options for sites.
Add OpenAM to the local zone, if it is not already added.

Do the following tasks for Internet Explorer 8.0 running on Windows 7:

Disable Protected Mode.
Under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\, add the DWORD value SuppressExtendedProtection with the data 0x02.

Configuring Firefox for Single Sign On

The single sign on feature supports Windows clients running Firefox version 3.0 and higher. To configure Firefox to use single sign on, enter the trusted domains and URLs that are permitted to engage in SPNEGO authentication with the browser into the network.negotiate-auth.trusted-uris preference.

Running CLI Commands for Single Sign On

The following sections describe the CLI commands that configure single sign on:

utils sso enable, page 39-5
utils sso disable, page 39-6
utils sso status, page 39-7

utils sso enable

This command enables and configures single sign on.

Command Syntax

utils sso enable

Usage Guidelines

This command starts a single sign on configuration wizard. You are prompted for the information described in Table 39-2. Answer each prompt, then press Enter to continue.

Caution: Enabling single sign on restarts the Cisco Unified Communications Manager web server (Tomcat). You must run this command on all nodes in a cluster.

Table 39-2 Configuration Wizard Prompts

Information that the prompt requests: URL of the Open Access Manager (OpenAM) server
Description: The URL that you configured for the OpenAM server.

Information that the prompt requests: Relative path where the policy agent should be deployed
Description: Enter the path on the Cisco Unified Communications Manager where the policy agent will get deployed. This path is relative to the agentapp directory. This path must match the path that you configured for the J2EE Agent Profile for Policy Agent 3.0.

Information that the prompt requests: Name of the profile configured for this policy agent
Description: The name of the profile that you created for this policy agent in OpenAM.

Information that the prompt requests: Password of the profile

Information that the prompt requests: Login module instance name configured for Windows Desktop SSO
Description: The name of the login module instance for Windows Desktop SSO that you configured in OpenAM.

Example

admin:utils sso enable
***** W A R N I N G *****
This command will restart Tomcat for successful completion.
This command needs to be executed on all the nodes in the cluster.
Do you want to continue (yes/no): yes
Enter URL of the Open Access Manager (OpenAM) server: https://ssoserver.cisco.com:8443/opensso
Enter the relative path where the policy agent should be deployed: agentapp
Enter the name of the profile configured for this policy agent: CUCMUser
Enter the password of the profile name: ********
Enter the login module instance name configured for Windows Desktop SSO: CUCMUser
Validating connectivity and profile with AM Server: https://ssoserver.cisco.com:8443/opensso
Valid profile
Enabling SSO... This will take upto 5 minutes
SSO Enable Success
Please make sure to execute this command on all the nodes in the cluster.

utils sso disable

This command disables single sign on.

Command Syntax

utils sso disable

Usage Guidelines

Caution: Disabling single sign on restarts the Cisco Unified Communications Manager web server (Tomcat). You must run this command on all nodes in a cluster.

utils sso status

This command displays the status and configuration parameters of single sign on.

Command Syntax

utils sso status

Related Topics

Configuration Checklist for Single Sign On, page 39-1
Introducing Single Sign On for Cisco Unified Communications Manager, page 39-2
System Requirements for Single Sign On, page 39-2
Installing and Activating Single Sign On, page 39-3
Configuring Single Sign On, page 39-3
