Microsoft Azure-based SAML SSO configuration for Cisco Unified Communications Manager (CUCM)

Captions
So the first step in this configuration is exporting the UC metadata from the Cisco Unified Communications Manager. That means we will be activating the SAML SSO on Cisco Unified Communications Manager, and then we'll be going ahead and, probably first, exporting the UC metadata and then going further with the next three steps that are involved to activate the SAML SSO on the Cisco Unified Communications Manager. So I'm now logged in to the Cisco Unified Communications Manager Administration page. I'll go to System and then I will click on SAML Single Sign-On; that's the feature that we want to activate on our Cisco Unified Communications Manager. And then there are two options for the SSO, as you see here: one is the cluster-wide, which needs just one metadata file per cluster, per CUCM cluster, and the other one is per node, one metadata file per node. So the Azure integration supports the per-node metadata file. That means for each Cisco Unified Communications Manager node we need to generate the metadata. So in our case we have two: one subscriber and one publisher, so we'll be generating two metadata files. And then here it says "use system-generated self-signed certificate" or "use the Tomcat certificate." So we'll be using the system-generated self-signed certificate, because we have a single Tomcat certificate on each subscriber and publisher for now; that's why we'll be using the ideal recovery certificate. And then we'll go ahead and say "export all metadata," and then we'll go ahead and save this file, the SP metadata file. That's a zip file, because we have two files inside it, one for the publisher and one for the subscriber. We'll go ahead and check, and there should be two files inside this. Indeed, three. Yeah, so we have it for the CUCM publisher, the CUCM subscriber and IM and Presence. So we'll forget for now the IM and Presence; we will concentrate on the CUCM publisher and CUCM subscriber.

Now, as we have our metadata files available, what we have to do is some configuration on the Azure side of things, so that we can upload this UC metadata file onto the Azure server and then export the metadata from Azure and then import it onto the Unified Communications Manager. Okay, so the next step would be to go on to Azure and complete the Azure side of things. So on the Azure AD side of things, what we would need is, first of all, a certificate for Azure. And why would we need this certificate on Azure? Because Azure will include this certificate in its IdP metadata export file. So once we are exporting the metadata from Azure, it will include this certificate, and it will use this certificate to sign the SAML assertions that it sends to the Cisco Unified Communications Manager, or IM and Presence, or Expressway, or Unity Connection, or, I will say in short, the UC applications. And then what Azure needs is the same certificate to be used for all the nodes in the cluster. So what I have done is, I'm using the enterprise CA and I have generated a certificate and saved it; basically I have generated the .pfx file, and this .pfx file is, I would say, saved with a password. This is what Azure will need: Azure will need a .pfx file, and then Azure will need the password for this .pfx file. So in this .pfx file there is a certificate for Azure. So I'll show you. If you see here, basically here you will see that I have exported this .pfx file, and then this .pfx file will be uploaded to Azure, and it is a password-protected file. So once we put that password in, then we will be able to export a metadata file, and this metadata file on Azure will have this certificate as well, and then this certificate will probably be used to sign the SAML assertions. Okay, so let's go ahead quickly and create it. So basically what I have done in my enterprise CA is, I went in here and, to generate this .pfx file, what I did was I clicked on All Tasks, I went to Back up CA, and then I just clicked on Next, and then I selected Private key and CA certificate, and then I just clicked Next, Next, Next and then just saved it. If you need the complete information you can visit my blog website, and there I have provided all the steps of how I did it and how I see this .pfx file that's needed for the Azure Active Directory to generate the metadata.

All right, so let's go quickly and start with the Azure setup. So the first thing that we would need is basically to create the enterprise application. So I'll go ahead here: I have logged in to the Azure AD portal, and that's why you guys are able to see some things here, okay. And I'll say Create a new application, and I don't want to use the gallery application, that's why I will say Create your own application, and I will say the name of my application is HQ CUCM Publisher application. So for each node you need to create an application in the Azure Active Directory, okay? So that's the requirement for SAML, that you create an application for each node in your UC cluster. Okay, and I'll just click on Create. Okay, the application is now created. I close this and I'll try to find my application, so I'll go to HQ CUCM Publisher and then I'll say Single sign-on here. Okay, and then you will see here SAML, so you need to select this option, SAML, because we are going to do the SAML-based single sign-on. And then I will click on Upload metadata file. So that's the metadata that you obtained from the CUCM; you exported the metadata from the CUCM and these are the three XML files. So what we are going to do is, we are going to do them one by one. So I'm first going to upload the metadata for the CUCM publisher. I'll click on Add. So I'm creating the agreement first of all for this CUCM publisher, and then I'll see some basic details about it: the default identifier, and then the entity ID, and then the reply URL, that's the Assertion Consumer Service URL, which is hqcucmp01.traincolab.com:8443/ssosp/saml/SSO and further on. Okay, so these are the default things that are created; you just click on Save, you don't need to change anything here. Okay, it's saved successfully. Then I'll go on; no, I'll test later, I don't want to test it now.

And I'll go on to point two, which is User Attributes & Claims, and then click on Edit. And in the claim name, in the Unique User Identifier under the required claim, you will see this, and I'll select the name identifier format as Default, and then for the source attribute I will choose the user SAM account name, so that should be user.onpremisessamaccountname. Okay, that's the one that I will select, and then I'll click on Save. So now it's trying to save my SSO SAML user claims. And these are the additional claims that it has generated; we don't need these additional claims, so we can easily delete them one by one. So I'm just going to delete them very easily, one by one. We don't need that; we have one claim and then we are going to add another claim, and for this additional claim I will name this claim uid. It's exactly the same thing that we do for ADFS-based single sign-on. And in the namespace I will leave it blank, in the source I will keep Attribute, and in the source attribute I will use user.onpremisessamaccountname. Okay, that's it, and then you can click on Save, and then it's complete, if you see here on the right.

So what I'll do is click on SAML-based single sign-on, and I will go to the third step, which is the SAML Signing Certificate, and then I'll say Edit and then I will click on Import Certificate. And that's the certificate, that's the .pfx file that we created. So we'll go ahead and... I think it should accept .p12, I don't know, let's try it. And let's see, that's the CA certificate that was generated. So we'll go ahead and add the password that I used to save this file. I'll click on Add, and now it's trying to upload the certificate, and it says that the certificate has successfully been uploaded to your application. Okay, and you see that it's for the signing option "Sign SAML assertion" and the signing algorithm is SHA-256. Okay, as you see now, the new certificate that I have uploaded is in the inactive status. So what I have to do is, I will click on these three dots, the three menu options, and I'll say Make certificate active. Okay, and then I'll just remove the inactive certificate that I don't need. Perfect, I have it. And then that's it. Now as we have completed our basic SAML configuration, we have edited our user attributes and claims, and we have added the SAML signing certificate that would be used for signing the SAML assertions, what we'll go ahead and do is export the metadata file from Azure and then upload it on the Cisco Unified Communications Manager publisher. So in step three there is this Federation Metadata XML file; that's what you are going to download, and I'll save this as hqcucmpublisher.xml. I'm going to save it.

And I'm going to do the same steps again for the CUCM subscriber now. So once again we go to Enterprise applications, click on New application, and then say Create your own application. This time I will say HQ CUCM Subscriber01. So now I'm going to create the application for the CUCM subscriber. Click on Create, and it's adding the application, and the application should be created shortly. Okay, the application is now added. So what's the next step? The next step is to go to the Single sign-on option. So I'll go to Enterprise applications, I'll try to find the second application that I created, HQ CUCM Subscriber; maybe I'll refresh it again. And now I am able to see HQ CUCM Subscriber. On the left pane of this, inside this CUCM subscriber, I'll click on Single sign-on, and inside the single sign-on I'm going to click on SAML. Okay, and inside this SAML there are four steps. The first step is to configure the basic SAML configuration, the second is to set up the user attributes and the claims, the third is to do the SAML signing certificate, and the fourth one is the setup of HQ CUCM Subscriber01. Okay, so let's go ahead with step one, basic SAML configuration. And there has to be an identifier that needs to be set up here. Yeah, so we'll go ahead first of all and upload the metadata file. I'll click on Upload metadata file and then I will select a file; now I would select the CUCM subscriber, and then I will click on Add here. The SAML file was successfully uploaded, and then here you will see the basic SAML configuration information, for example the reply URL, which is the Assertion Consumer Service URL, and then the FQDN of the CUCM subscriber. I'll click on Save. Okay, so the single sign-on configuration is saved. I'll click on Close; I'll test later. And I'll go on to the next step, which is User Attributes & Claims, and then I will say that the claim name is Unique User Identifier, and for that claim name I will choose Default for the name identifier format, and the source is Attribute, and the source attribute name would be user.onpremisessamaccountname as the source attribute. Okay, and the rest of the things are the same. I'll click on Save, and I'll just delete the rest of the claim names, because we don't need those claims, we don't have those claims, they won't work for us. So I just remove those claim names and the values, and then we'll add a new claim: click on Add new claim and name it uid, exactly the same way that we do it in the legacy ADFS on-prem integration. And then we'll leave the namespace blank, the source as Attribute, of course with the radio button checked, and then the source attribute would be user.onpremisessamaccountname again. Okay, once this is checked, click on Save, and there you go, the SSO SAML user claims have been saved now. And I'll go back to the page SAML-based single sign-on so that I go to the next step now. So the first two steps have been completed, and then I'll go to the next step, which is the SAML Signing Certificate. I'll click on Edit and then I'll click on Import Certificate, and I'll click on the same certificate that I downloaded, okay, that I used for the publisher and that I got from my Windows enterprise CA, okay, that's the .pfx file, or .p12 format file, that's also accepted. And then I'll add the password for this .pfx file, I'll click on Add, and you see that the certificate has successfully been added to the application. Okay, then we activate this certificate: I'll say Make certificate active, and I'll delete the other certificates because I don't need them. Okay, so I just have one certificate now, and then that certificate is deleted as well. Now all my steps have been completed here. I don't need to download this federation metadata, but I'll still download it, and I'll say hqcucmsubscriber01.xml, but it would be the same; you just need one SAML file and you can use it. So it's just for my backup that I used it, but I'll use the same publisher XML file to be imported into the CUCM steps.

Okay, so once you have that done, we'll go to the next step. So the next step here is to assign the users for this application. Usually you will do it for all the users, or you can do it one by one, assigning users one by one for single sign-on. But if you have a lot of users in your company, it doesn't make sense that you do the user assignment one by one; it would be that you assign all the users to the applications in one go. To enable the users, what you have to do is click on All services, Enterprise applications, and then click on Properties. So after you are in your application, for example my application is HQ CUCM Publisher, I'll click on Properties. So basically, "Enabled for users to sign in?" I have said Yes, and then "Visible to users?" I would say No. And then, yeah, it's already saved, so it's the default configuration; I didn't change anything here. I'll click on Save. All right, my application properties have been updated. I'll go back, I'll go back to my other application, which is HQ CUCM Subscriber01, I'll click on Properties and then I'll click on Visible to users: No. I don't know why I can't do it directly, but I have to go in again and then click on Properties and then click on No, and then I'm able to save it. All right, I have to do it twice; I don't know why, maybe it's some bug or something, but my application properties are updated. That's it. So if you have Unity Connection, IM and Presence, Expressway, you have to do the same things for the rest of the applications as well. Okay, and I just have the publisher and subscriber for the Unified Communications Manager; that's why I did it only for the publisher and subscriber.

So let's go ahead and do the CUCM side of things and enable the SAML SSO on the Cisco Unified Communications Manager. So for this we need to go to System. So I am logged in to the Cisco Unified Communications Manager Administration page and I clicked on System, SAML Single Sign-On. We'll do the same things that we did for the on-prem based ADFS, so we'll click on Enable Single Sign-On, and that's the pop-up that we get, and I'll click on Continue, because we have already done step one: we have exported all the metadata, imported it into Azure by creating the application, and then now we are doing the third part, where we'll be importing. Okay, so I click on Next, and then I need to import the IdP metadata trust file, that means the SAML file that we downloaded from Azure step three; we need to import it here. Okay, click on Browse and then that's the SAML XML file from the Azure IdP, and I'll say Import. I believe you guys are not able to see it, just keep... okay, so you can click on Import IdP Metadata. As you see, the import of the file was successful for all the servers. That's the SAML that we downloaded from Azure, and the import is successful, and then we click on just Next, and it says that the IdP metadata has been imported to the servers in the cluster. And then I'll just click on Next, because I have already downloaded the metadata trust file and manually installed it onto the IdP server. Then I click on Next, and now it's going to bring up the test SSO page, where we'll be testing our single sign-on setup, whatever we have done. And if you see, the valid administrator username that it found was hq2, so I'll go and select it and I'll say Run SSO Test, and it's trying to clear the previous test status, and let's see what happens with this test. Okay, so it did fail two times, and then I'll try again for the third time; let's see what happens. I'll do Run SSO Test again, I'll allow it. Okay, it failed again; it says the SSO metadata test failed. Let's give it another try, I'll say Run SSO Test. Now it's using the other user, I don't want to use this; maybe I'll have to clear the cache and do it. It's the fifth try now, let's see. I'll say the user hq2@traincollab.com and click on Next, and the sign-in should be successful this time. Let's see what happens, I'm keeping my fingers crossed... and there you go, the SSO test was successful, finally. I know my problem and I can tell you guys what my issue was. And I'll click on Finish, and then it says the SAML SSO enablement process has been initiated on all servers and maybe there would be a short delay, and I'll have to go on each server and check the status of each server on the SSO configuration page. Let's do it quickly.

So before I do that, I'll tell you what my problem was. So my issue was, for example, I was inside this enterprise application, and then I was inside HQ CUCM Publisher, and then inside this publisher I didn't assign the users to this application. So I have to assign either individual users, as I said, like I did it for now. For example, if I have to assign the individual users, I click on Add user/group, I will say Select users, and then after clicking on Select users I can select, for example, hq3, and then I'll say Select, and then the role will be User, and I'll then say Assign. And now this user is assigned to this application, and that's why Azure AD will now be able to authenticate this user and say, "Hey, everything's fine, you are authenticated, I am sending the SAML assertion to this CUCM," and then CUCM will grant the authorization for this application to you. That's what my problem was: I didn't assign this user. If you don't want to assign this user individually, then you can go to HQ CUCM Publisher; yes, this is my trial account that I'm using right now, that's why I used a single user. In your case what you could do is probably create a group and then assign a group to this application. Or you can go to the CUCM publisher and then click on Properties, and then inside these properties there is an option that says "User assignment required?" Yes or No, and I was selecting Yes; that's why I need to assign the user. If I said No, then I don't need to assign the single user, and it will be for the entire domain, traincollab.com for example; all the users will be able to have access to this application via the SSO. So I said Yes, and that's why I need to either assign a user or a group. So in my case I do not have any group in my on-prem Active Directory, I just have the users, and that's why I have to assign the users individually. And to assign the users individually, I have to click on Users and groups at the bottom, and then I have to click on Add user/group, and that's why you see here that it says groups are not available. And if I select Users, then I will be getting the options to select the users, for example hq4, and I'll say Select, Assign, and then this user hq1 will have access to this application. In the same way, I'll go ahead and say, hey, HQ CUCM Subscriber, for example, the application: assign users and groups. I will say Add user/group, and I'll select the user and I'll say hq2, and I'll say Select, and I'll say Assign. So hq2 is now also assigned for the subscriber application. In this way you can assign the individual users to each application, or for each application you can select the user assignment value to be No. For example, you can go here and go into your enterprise application, go on to your subscriber, let's say, and then select the properties, and then here you can say User assignment required: No. Then all the users in your organization can have single sign-on SAML access to this application.

And now let's go ahead and see; the document says you also need to restart the Tomcat service. So we'll go ahead and restart Tomcat on the publisher and the subscriber. So for the publisher: utils service restart Cisco Tomcat, and the Tomcat service will restart. Let's go ahead and connect to the subscriber. All right, so the publisher Tomcat service is stopping, and then we'll go on to the subscriber, on to this CUCM subscriber as well. I will say utils service restart Cisco Tomcat and it will restart the service. So once the services are restarted and the web page is available, I will start the video again. So that's the SSO test for the subscriber, as you see, and that was successful as well. Let's see the status now in a while. I don't know if that's a cosmetic mistake here, because I have done the SSO test and that was successful. So for example, if you run it again, Run SSO Test, I select this; I wanted to check if the subscriber is working also with single sign-on or not, and I'll say Options, Allow pop-ups, and I'll say Skip. That's my trial account for hq2 on the Azure AD, and there you go, and then you see that the HQ CUCM Sub01 SSO test was successful. Okay, let's see what it says now. Okay, so I had to run this test twice, I don't know why, or maybe accidentally I clicked on the publisher last time and did a Run SSO Test and that's why it ran that test. But for now, if you see, the SSO test for the subscriber is also successful, and the Azure IdP works really great without any problems. But you have a lot of tasks to do if you have a lot of clusters, because for each cluster you need to import the certificates, you need to create the application inside Azure, you need to assign the users to each application, and that's going to be a lot of tasks. So I don't know how much it makes sense. In case you want to have an IdP and you have Azure Active Directory already, then it might be that your organization is looking forward to having such kind of IdP integrations.

And for further questions, do not forget to write us an email at info@traincolab.com, or in case you would like to have some trainings related to Cisco Collaboration, basic, intermediate, expert level training; if you want to have such kind of configuration hands-on, if you want to have lab rentals to practice such scenarios, which are the updated actual scenarios that are available on the latest Cisco Call Manager / Unified Communications versions, feel free to get in touch with us and we'll be happy to assist you with the labs wherein you can practice such scenarios, such configurations, that would be helpful in your organizations. And then please do not forget to subscribe to my channel if you think this has helped you with some more understanding, and do not forget to like this video, share it with your colleagues in your company, with your bosses, just to let them know how the IdP integration is working with the CUCM for the SAML single sign-on. For any questions, mention it in my comment box, and I'll be glad to help you guys with the answers if I can. Thank you very much and have a great day, stay safe, bye.
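The procedure above exchanges two metadata documents: the per-node SP metadata exported from CUCM and the Federation Metadata XML downloaded from each Azure enterprise application. The script below is an added example, not code from the video or from Cisco or Microsoft. It parses both documents, prints the SHA-256 fingerprint of the IdP signing certificate (so you can confirm the same certificate was activated on every node's application before importing), and lists the problems a practitioner would want to catch before clicking Import IdP Metadata: no signing certificate in the IdP file, no HTTP-POST Assertion Consumer Service, a non-https ACS, or no usable SingleSignOnService binding. All XML, the node FQDN cucm-pub01.example.test, the tenant ID and the "certificate" bytes are constructed placeholders; the check that the SP entityID equals the ACS host is an assumption about this constructed sample, not a statement about every CUCM export.

```python
"""Pre-import checks for a CUCM SAML SSO setup against Azure AD.

Added example, not code from the video or from Cisco/Microsoft. The XML below is
constructed; the node FQDN, tenant ID and "certificate" bytes are placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID

# Placeholder for the base64 DER certificate Azure embeds; not a real X.509 blob.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()

# Constructed CUCM per-node SP metadata: entityID is the node FQDN and the ACS is
# https://<fqdn>:8443/ssosp/saml/SSO over HTTP-POST (shape as shown in the video).
SP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="cucm-pub01.example.test">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true" Binding="{HTTP_POST}"
        Location="https://cucm-pub01.example.test:8443/ssosp/saml/SSO"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Azure AD federation metadata carrying one signing certificate.
IDP_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data><X509Certificate>{FAKE_CERT_B64}</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed negative case: the same document with the KeyDescriptor removed.
_s = IDP_METADATA.index("<KeyDescriptor")
_e = IDP_METADATA.index("</KeyDescriptor>") + len("</KeyDescriptor>")
IDP_METADATA_NO_CERT = IDP_METADATA[:_s] + IDP_METADATA[_e:]


def parse_sp(xml_text):
    """Entity ID, ACS endpoints and the WantAssertionsSigned flag of an SP metadata file."""
    root = ET.fromstring(xml_text)
    desc = root.find("md:SPSSODescriptor", NS)
    acs = [(a.get("Binding"), a.get("Location"))
           for a in desc.findall("md:AssertionConsumerService", NS)]
    return {"entity_id": root.get("entityID"), "acs": acs,
            "want_signed": desc.get("WantAssertionsSigned") == "true"}


def parse_idp(xml_text):
    """Entity ID, DER signing certificates and SSO endpoints of an IdP metadata file."""
    root = ET.fromstring(xml_text)
    desc = root.find("md:IDPSSODescriptor", NS)
    certs = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append(base64.b64decode("".join(c.text.split())))
    sso = [(s.get("Binding"), s.get("Location"))
           for s in desc.findall("md:SingleSignOnService", NS)]
    return {"entity_id": root.get("entityID"), "signing_certs": certs, "sso": sso}


def fingerprint(der):
    """SHA-256 fingerprint in colon form, for comparing certificates across applications."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def cross_check(sp, idp):
    """Return a list of problems; an empty list means the pair looks ready to import."""
    problems = []
    if not idp["signing_certs"]:
        problems.append("IdP metadata carries no signing certificate; assertions cannot be verified")
    if not any(b == HTTP_POST for b, _ in sp["acs"]):
        problems.append("SP metadata has no HTTP-POST AssertionConsumerService")
    for _, loc in sp["acs"]:
        u = urlparse(loc)
        if u.scheme != "https":
            problems.append(f"ACS {loc} is not https")
        if u.hostname != sp["entity_id"]:  # assumption for this sample: entityID is the node FQDN
            problems.append(f"ACS host {u.hostname} does not match entityID {sp['entity_id']}")
    if not any(b in (HTTP_POST, HTTP_REDIRECT) for b, _ in idp["sso"]):
        problems.append("IdP metadata has no usable SingleSignOnService binding")
    if not sp["want_signed"]:
        problems.append("SP does not require signed assertions")
    return problems


def same_signing_cert(*idp_docs):
    """True if every IdP metadata file (one per node's application) carries the same certificate."""
    fps = {fingerprint(c) for d in idp_docs for c in d["signing_certs"]}
    return len(fps) == 1


if __name__ == "__main__":
    sp, idp = parse_sp(SP_METADATA), parse_idp(IDP_METADATA)
    print("IdP signing cert:", fingerprint(idp["signing_certs"][0]))
    print("problems:", cross_check(sp, idp) or "none")
    print("problems without cert:", cross_check(sp, parse_idp(IDP_METADATA_NO_CERT)))
```

Run it once per node with the real files in place of the constructed constants; `same_signing_cert` over the publisher and subscriber downloads confirms the point made in the video that one activated certificate must serve every node's application, and the fingerprint it prints is what to compare against the certificate shown as active in the Azure portal.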
Info
Channel: TrainCollab
Views: 2,443
Keywords: Cisco Collaboration, Train Collab, Training, Basics, Learning, CUCM, CMS, VOIP, Azure, Microsoft, SSO, SingleSignOn, SAML
Id: 03Fmt9augMU
Length: 39min 19sec (2359 seconds)
Published: Tue Feb 16 2021