Enabling Single Sign- On for Common Identity using F5

Similar documents
Cisco Unified Communications Self Care Portal User Guide, Release 10.5(1)

Cisco Collaboration with Microsoft Interoperability

Cisco UCS Director Payment Gateway Integration Guide, Release 4.1

Sample Configuration: Cisco UCS, LDAP and Active Directory

Ports Reference Guide for Cisco Virtualization Experience Media Engine for SUSE Linux Release 9.0

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

TelePresence Migrating TelePresence Management Suite (TMS) to a New Server

Cisco TelePresence VCR Converter 1.0(1.8)

Cisco Jabber for Windows 10.5 Advanced Features Guide

Cisco TelePresence Management Suite Extension for Microsoft Exchange Version 4.0

Cisco Expressway IP Port Usage for Firewall Traversal. Cisco Expressway X8.1 D December 2013

Cisco TelePresence Video Communication Server (Cisco VCS) IP Port Usage for Firewall Traversal. Cisco VCS X8.5 December 2014

Cisco TelePresence Management Suite Extension for Microsoft Exchange Version 4.0.1

QoS: CBQoS Management Policy-to- Interface Mapping Support Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)

Cisco TelePresence VCR MSE 8220

FireSIGHT User Agent Configuration Guide

Troubleshooting Procedures for Cisco TelePresence Video Communication Server

Dell One Identity Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

CA Nimsoft Service Desk

Accessibility Guidelines for Cisco Unified Contact Center Management Portal

Cisco Unified Communications Manager SIP Line Messaging Guide (Standard)

Cisco WebEx Meetings Server Administration Guide

Single Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1

Replacing MCU Software with TelePresence Server Software on Cisco TelePresence MCU 5300 Series. Last Updated: February 2016

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

Active Directory Federation Services

Cisco WebEx Meetings Server System Requirements

Cisco Prime Central Managing Certificates

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

Cisco Registered Envelope Recipient Guide

Cisco TelePresence MCU Accessing Conferences

Connected Data. Connected Data requirements for SSO

SAM Context-Based Authentication Using Juniper SA Integration Guide

Cisco Unified Workforce Optimization

Configuring Single Sign-on from the VMware Identity Manager Service to WebEx

OneLogin Integration User Guide

Cisco TelePresence Management Suite Extension for Microsoft Exchange Version 4.0.3

Security Assertion Markup Language (SAML) Site Manager Setup

Cisco DNS-AS Troubleshooting

CISCO TELEPRESENCE MANAGEMENT SUITE EXTENSION

Cisco TelePresence Management Suite 15.0

Cisco Unified Workforce Optimization

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

CA NetQoS Performance Center

Cisco TelePresence Management Suite Provisioning

Single Sign On for ShareFile with NetScaler. Deployment Guide

VMware Identity Manager Administration

Microsoft Office 365 Using SAML Integration Guide

Dell One Identity Cloud Access Manager How to Configure Microsoft Office 365

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

An overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)

Cisco IOS Flexible NetFlow Command Reference

Secure Web Service - Hybrid. Policy Server Setup. Release Manual Version 1.01

Single Sign-on to Salesforce.com with CA Federation Manager

HP Software as a Service

CA Performance Center

Egnyte Single Sign-On (SSO) Installation for OneLogin

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

Disaster Recovery Configuration Guide for CiscoWorks Network Compliance Manager 1.8

SAML 2.0 SSO Deployment with Okta

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

Google Apps Deployment Guide

DualShield SAML & SSO. Integration Guide. Copyright 2011 Deepnet Security Limited. Copyright 2011, Deepnet Security. All Rights Reserved.

Using SAML for Single Sign-On in the SOA Software Platform

HP Software as a Service. Federated SSO Guide

Cloud Single Sign-On and On-Premise Identity Federation with SAP NetWeaver Cloud White Paper

Integrating CAD with Thin Client and Virtual Desktop Environments

Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta

SAP NetWeaver AS Java

VMware Identity Manager Administration

VOIP-500 Series Phone CUCM 8.0.3a Integration Guide

Sage HRMS 2014 Sage Employee Self Service Tech Installation Guide for Windows 2003, 2008, and October 2013

SAP NetWeaver Fiori. For more information, see "Creating and enabling a trusted provider for Centrify" on page

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Tableau Server

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

Single Sign-On between SAP Portal and SuccessFactors

User Guide for the Cisco Unity Connection Phone Interface (Release 8.x)

Azure Multi-Factor Authentication. KEMP LoadMaster and Azure Multi- Factor Authentication. Technical Note

ADFS Integration Guidelines

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

How To Integrate An Ipm With Airwatch With Big Ip On A Server With A Network (F5) On A Network With A Pb (Fiv) On An Ip Server On A Cloud (Fv) On Your Computer Or Ip

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Salesforce

GTA SSO Auth. Single Sign-On Service. Tel: Fax Web:

Getting Started. Cisco Desktop Product Suite 4.5 (ICD)

PingFederate. IWA Integration Kit. User Guide. Version 2.6

formerly Help Desk Authority HDAccess Administrator Guide

Cisco Unified SIP Phone 3905 User Guide for Cisco Unified Communications Manager 8.6

OpenLDAP Oracle Enterprise Gateway Integration Guide

CA Spectrum and CA Embedded Entitlements Manager

Cisco Process Orchestrator Installation Guide

To set up Egnyte so employees can log in using SSO, follow the steps below to configure VMware Horizon and Egnyte to work with each other.

Cisco TelePresence MCU 5300 Series

Cisco Registered Envelope Recipient Guide

Cisco Registered Envelope Service 4.4 Recipient Guide

INTEGRATION GUIDE. DIGIPASS Authentication for VMware Horizon Workspace

Configuring the Cisco ISA500 for Active Directory/LDAP and RADIUS Authentication

Configuring Parature Self-Service Portal

Set Up Certificate Validation

Transcription:

Enabling Single Sign- On for Common Identity using F5

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: http:// www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) 2015 Cisco Systems, Inc. All rights reserved.

Table of Contents Introduction... 1 Introduction... 1 Enabling SSO for WebEx Messenger... 3 Configure Federated Web SSO... 3 Create a New Virtual Server... 3 Create New SAML Service Provider... 4 Create New IdP Service... 4 Bind the Service Provider with the Identity Provider... 5 Import SAML Metadata in WebEx Messenger... 10 Troubleshooting... 11 Migration from WebEx Messenger to Common Identity SSO Authentication... 13 Request to Add Domain to Common Identity... 13 Create a Password in CI... 13 Configure SSO in Cloud Collaboration Management... 13 Create New SAML Service Provider in CI... 14 Create New IdP Service in CI... 14 Bind the Service Provider with the Identity Provider in CI... 15 Complete SSO Configuration in Cloud Collaboration Management... 17 i

Redirect Authentication... 18 Verification of Cisco Jabber Authentication in CI... 19 ii

Chapter 1 1 Introduction Introduction This document covers the configuration of the required software components essential for achieving a Single Sign-on (SSO) solution with WebEx Messenger using F5. 1

Chapter 2 2 Enabling SSO for WebEx Messenger Configure Federated Web SSO 1. Log into http://www.webex.com/go/connectadmin with your administration credentials. 2. Select the Configuration tab > System Settings > Security Settings. 3. Select Federated Web SSO Configuration. 4. In the WebEx SAML Issuer (SP ID) field, enter the name for the SAML agreement. Note: You can use the fully qualified domain name (FQDN) of your organization. 5. Complete all the required fields. 6. Select Export to export the metadata to a location on your computer. You will import this file next. Create a New Virtual Server 1. Login to the BIG-IP F5 administration interface. 2. Select Local Traffic > Virtual Servers. 3. Select Create. 3

Chapter 2: Enabling SSO for WebEx Messenger 4. In the Destination address field, enter the IP address. 5. In the Service Port field and drop-down, enter 443 and select HTTPS. 6. For the SSO Profile (Client), select clientssl. 7. For the SSO Profile (Server), select apm-default-serverssl. 8. Select Finish. Create New SAML Service Provider 1. Select Access Policy > SAML > BIG-IP as IdP. 2. Select the External SP Connectors tab. 3. From the Create drop-down, select From Metadata. 4. Browse to and select the metadata file you previously download from Cisco WebEx Messenger. 5. In the Service Provider Name field, enter the same SP name as specified in the WebEx SAML issuer Cisco WebEx Messenger Administration Tool. 6. Select OK. 7. Select Security Settings. 8. Select the Response must be signed and the Assertion must be signed check boxes. 9. Select OK. Create New IdP Service 1. Select Access Policy > SAML > BIG-IP as IdP. 2. Select the Local IdP Service tab. 3. From the Create. 4. In the IdP Service Name field, enter the name. 5. In the IdP Entity ID field, enter the the fully qualified domain name (FQDN) of bigip box. For example, https://bigip0a.uc8sevtlab13.com/messngercas. 6. Select OK. 7. Select Assertion Settings. 4

Chapter 2: Enabling SSO for WebEx Messenger 8. From the Assertion Subject Type drop-down, select Unspecified. 9. From the Assertion Subject Value drop-down, select %{session.ad.last.attr.mail}. 10. Select the SAML Attributes tab to add the following attributes for Just in Time (JIT) provision: email with the value %{session.ad.last.attr.mail} firstname with the value %{session.ad.last.attr.givenname} lastname with the value %{session.ad.last.attr.sn} uid with the value %{session.ad.last.attr.mail} updatedtime with the value %{session.ad.last.attr.whenchanged} 11. Select the Security Settings tab. 12. From the drop-downs, select the correct certificate for signing the assertion. 13. Select OK. Bind the Service Provider with the Identity Provider 1. Select Access Policy > Access Profiles > SAML > BGP-IP as IdP. 2. Select the checkbox adjacent to the local IdP service you created in Cisco Messenger. 3. Select Bind/Unbind SP Connectors. 4. Select the service provider you created earlier as shown below. 5

Chapter 2: Enabling SSO for WebEx Messenger 5. Select Access Policy > Access Profiles > Webtops > Webtops List. 6. Select Create to create a Webtops for the Cisco Collaboration applications with a type Full as shown below. 7. Select Access Policy > Access Profiles > SAML > SAML Resources. 8. Select Create to create a SAML Resource for the IDP created previously as shown below. 6

Chapter 2: Enabling SSO for WebEx Messenger 9. Select Access Policy > Access Profiles to create a new profile for all the Cisco Collaboration applications sharing SAML cookies. For example, CiscoCollab. 10. Select All from the Profile Type drop-down. 11. In the Language Settings section, assign a language. 12. Select Finished. 13. Select Access Policy > Access Profiles > Access Profiles List. 14. Select Edit to edit the access policy. 15. Select Done. 16. In the Logon tab, select Add Item to add a new item called logon page. Leave all the default values as is. 7

Chapter 2: Enabling SSO for WebEx Messenger 17. In the Authentication tab, select Add Item to add a new item called AD Auth. Specify your Active Directory as the server. 18. In the Authentication tab, select Add Item to add a new item called AD Query. Integrate it with your Active Directory and add the attributes whenchanged, sn, givenname and mail. 8

Chapter 2: Enabling SSO for WebEx Messenger 19. In the Branch Rules tab from the Active directory query has drop-down, select Passed. 20. In the Assignment tab, select Add Item to add a new item called Advanced Resource Assign. 21. In the Properties tab, select Add/Delete to add two resources SAML and the Webtop as previously created. 22. In the Select Ending section, select the Allow radio button. 23. Your application should look like this: 9

Chapter 2: Enabling SSO for WebEx Messenger 24. Select Local Traffic > Virtual Servers and associate the access profile with the virtual server you created previously. 25. Select Save. 26. Export the metadata by doing the following: Select Access Policy > Access Profiles > SAML > BGP-IP as IdP. Select the checkbox adjacent to the local IdP service you created in Cisco Messenger. Select Export Metadata to browse to and save the metadata. Import SAML Metadata in WebEx Messenger 1. Log into http://www.webex.com/go/connectadmin with your administration credentials. 2. Select the Configuration tab > System Settings > Security Settings. 3. Select Federated Web SSO Configuration. 4. Select Import SAML Metadata to import the metadata file you downloaded. 5. In the AuthContextClassRef field, enter urn:federation:authentication:windows;urn:oasis:names:tc:saml:2.0:ac:cla sses:passwordprotectedtransport. 10

Chapter 2: Enabling SSO for WebEx Messenger This string ensures that F5 BigIP can deliver Kerberos and Form based authentication. The configuration should look like this: Important: For Cisco Jabber to work with Cisco WebEx Messenger Instant Messenger and Presence and deliver on-premise Cisco Unified Call Manager (CUCM) and Unity connection, you must provide the UC details for CUCM and connections in the Webex Messenger administrator portal. To use SSO in Cisco WebEx Messenger and Cisco WebEx Meeting Center, ensure loose integration is enabled for both. See Cisco Unified Communications Integration with Cisco WebEx and Provision Loosely Coupled Integration in the Cisco WebEx Messenger Administration Guide. Troubleshooting If SSO fails with BigIP 11.6 and you see the error canonization input failed in the BigIP log, you must apply at the least hotfix 4. See https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15157.html 11

Migration from WebEx Messenger to Common Identity SSO Authentication Request to Add Domain to Common Identity Contact your Customer Success Manager (CSM) or Universal Agent (UA) to submit an ops request to add the domain to CI or email: ci-messengersync@cisco.com Create a Password in CI As none of the users migrated from Cisco WebEx Messenger have a password, you must create a password for an existing administrator now. 1. Connect to Https://web.ciscospark.com and enter the email address of the administrator. 2. Select Next. 3. Select Can t access your account?. An email is automatically sent to that user asking them to reset their password. Configure SSO in Cloud Collaboration Management 1. Connect to https://admin.ciscospark.com using the email address and password that you previously reset. 2. Select Users in the left navigation bar to display all the users from the Cisco WebEx Messenger organization. 3. From the top navigation bar, select Service Setup > Enterprise Settings to download the CI metadata. 13

4. In the Enterprise Settings window, select Integrate a 3rd-party identity provider (Advanced). 5. Select Next. 6. Select Download Metadata File to browse to and save the metadata file. Create New SAML Service Provider in CI 1. Select Access Policy > SAML > BIG-IP as IdP. 2. Select the External SP Connectors tab. 3. From the Create drop-down, select From Metadata. 4. Browse to and select the metadata file you previously download from Cisco WebEx Messenger. 5. In the Service Provider Name field, enter the name. For example, uc8sevtlab13.ciscospark.com. 6. Select OK. 7. Select Security Settings. 8. Select the Response must be signed and the Assertion must be signed check boxes. 9. Select OK. Create New IdP Service in CI 1. Select Access Policy > SAML > BIG-IP as IdP. 2. Select the Local IdP Service tab. 3. From the Create. 4. In the IdP Service Name field, enter the name. For example, https://bigip0a.uc8sevtlab13.com/ci. 5. Select OK. 6. Select Assertion Settings. 7. From the Assertion Subject Type drop-down, select Transient Identifier. 8. From the Assertion Subject Value drop-down, select %{session.ad.last.attr.mail}. 14

9. Select the SAML Attributes tab to add the following attributes for Just in Time (JIT) provision: mail with the value %{session.ad.last.attr.mail} uid with the value %{session.ad.last.attr.mail} 10. Select the Security Settings tab. 11. From the drop-downs, select the correct certificate for signing the assertion. 12. Select OK. Bind the Service Provider with the Identity Provider in CI 1. Select Access Policy > Access Profiles > SAML > BGP-IP as IdP. 2. Select the checkbox adjacent to the local IdP service you created in Cisco Messenger. 3. Select Bind/Unbind SP Connectors. 4. Select the service provider you created earlier as shown below. 5. Select OK. 15

6. Select the checkbox adjacent to the local IdP service you created in the CI. 7. Select Export Metadata to browse to and save the metadata. 8. Select Access Policy > Access Profiles > SAML > SAML Resources. 9. Select Create to create a SAML Resource for the IDP created previously as shown below. 10. Select Access Policy > Access Profiles and select Edit adjacent to the access policy for the Cisco WebEx Messenger CAS. 16

11. Select the Advanced Resource Assign link. 12. Select Add/Delete to add the new SAML Resource. 13. Select Save. 14. Close the Access Policy windows and select Apply Access Policy. Complete SSO Configuration in Cloud Collaboration Management 1. Connect to https://admin.ciscospark.com using the email address and password that you previously reset. 2. From the top navigation bar, select Service Setup > Enterprise Settings to download the CI metadata. 3. In the Enterprise Settings window, select Integrate a 3rd-party identity provider (Advanced). 4. Select Next. 5. Select Import to browse to and import the metatadata file. A success message is displayed when the import of the metadata file is complete. 6. If the IdP is not signed by a public CA, select the Allow self-signed certification in Metadata (less secure) to allow CI to support a IdP that has self-signed certificate. 7. Select Next. 8. Select Test SSO Configuration. 9. Sign in with the administrator details. 17

Redirect Authentication Before you can verify the Jabber authentication in CI, authentication must be redirected from the WebEx Messenger platform to the CI platform, To do this contact the CSM to update the existing ops request or submit a new ops request or email: ci-messenger-sync@cisco.com. 18

Chapter 3 Verification of Cisco Jabber Authentication in CI 1. Start Cisco Jabber. 2. Verify that all the on-premise are still using SSO. 3. Verify that WebEx Meeting Center is enabled for loose Integration. 19

20 4. Finally, verify that Cisco Jabber logs contain the string idbroker.webex.com, indicating that it is connecting to CI.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information