1. Upon receipt of the request from the browser, the service provider generates a SAML authentication request.

Note: The SAML request includes information indicating which service provider generated it. This later lets the IdP know which particular service provider initiated the request. The IdP must have the Assertion Consumer Service (ACS) URL to complete SAML authentication successfully; the ACS URL tells the IdP to post the final SAML response to a particular URL.

Note: Unified Communications Manager and VOS products use the Assertion Consumer Service Index URL, which is compliant with SAML 2.0 standards.

Note: The authentication request can be sent to the IdP, and the Assertion sent to the service provider, through either Redirect or POST binding. For example, Unified Communications Manager supports POST binding in either direction.

2. The service provider redirects the request to the browser.

Note: The IdP URL is preconfigured on the service provider as part of the SAML metadata exchange.

3. The browser follows the redirect and issues an HTTPS GET request to the IdP. The SAML request is carried as a query parameter of the GET request.

4. The IdP checks for a valid session. If none is available, it authenticates the user with the IdP's preferred authentication method, such as password-based, MFA-based, or certificate-based authentication.

5. In the absence of any existing cookie within the browser, the IdP generates a login request to the browser and authenticates the browser using whatever authentication mechanism is configured and enforced by the IdP.

Note: The authentication mechanism is determined by the customer's security and authentication requirements. It could be form-based authentication using username and password, Kerberos, PKI, and so on. This example assumes form-based authentication.

6. The user enters the required credentials in the login form and posts them back to the IdP.

Note: The authentication challenge for login takes place between the browser and the IdP. The service provider is not involved in user authentication.

7. The IdP in turn submits the credentials to the LDAP server.

8. The LDAP server checks the directory for the credentials and sends the validation status back to the IdP.

9. The IdP validates the credentials and generates a SAML response that includes a SAML Assertion.

Note: The Assertion is digitally signed by the IdP, and the user is allowed access to the service provider-protected resources. The IdP also sets its cookie here.

10. The IdP redirects the SAML response to the browser.

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 15 and SUs (SAML-Based SSO Solution, SAML SSO Call Flow)
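The following is an added example, not code from the guide or from any Cisco product, showing steps 1 through 3 of the flow above in working form: the service provider builds an AuthnRequest whose Issuer identifies it and whose AssertionConsumerServiceIndex (the index form the guide says Unified Communications Manager uses) tells the IdP where to post the response; the request is then encoded for the HTTP-Redirect binding as a query parameter; and the IdP side decodes it and resolves the issuer against the service-provider registry it holds from the metadata exchange. The entity IDs, URLs, the SP_REGISTRY contents and the check functions are constructed for the example. Request and assertion signing (XML Signature, or the detached SigAlg/Signature query parameters of the Redirect binding) is not shown; only Python's standard library is used.

```python
import base64
import secrets
import urllib.parse
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample data: what the IdP holds for each service provider after the
# SAML metadata exchange, keyed by the SP entityID that appears as <saml:Issuer>.
# The ACS index resolves to the URL the IdP must POST the final SAML response to.
SP_REGISTRY = {
    "https://cucm.example.com/ssosp": {
        "acs_by_index": {0: "https://cucm.example.com/ssosp/saml/SSO/alias/cucm"},
        "allowed_bindings": {HTTP_POST},
    }
}
# Constructed IdP single sign-on URL; on a real SP this comes from the IdP metadata.
IDP_SSO_URL = "https://idp.example.com/saml/sso"


def build_authn_request(issuer, acs_index, request_id=None):
    """Step 1, service provider side: build the AuthnRequest XML."""
    request_id = request_id or "_" + secrets.token_hex(16)
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": IDP_SSO_URL,
        "AssertionConsumerServiceIndex": str(acs_index),
        "ProtocolBinding": HTTP_POST,
    })
    # The Issuer is how the IdP later knows which SP initiated the request.
    ET.SubElement(root, f"{{{SAML}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def redirect_url(xml_text, relay_state="/"):
    """Steps 2-3: HTTP-Redirect binding encoding (raw DEFLATE, base64, URL-encode)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    query = urllib.parse.urlencode({
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,
    })
    return f"{IDP_SSO_URL}?{query}"


def idp_parse_request(url):
    """Step 3 onward, IdP side: decode the request and identify the originating SP."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    xml_text = zlib.decompress(deflated, -15).decode("utf-8")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    sp = SP_REGISTRY.get(issuer)
    if sp is None:
        # Only service providers known from the metadata exchange may start a flow.
        raise ValueError(f"unknown service provider: {issuer!r}")
    if root.get("Destination") != IDP_SSO_URL:
        raise ValueError("Destination does not match this IdP endpoint")
    binding = root.get("ProtocolBinding")
    if binding not in sp["allowed_bindings"]:
        raise ValueError(f"binding {binding!r} is not allowed for this SP")
    index = int(root.get("AssertionConsumerServiceIndex", "0"))
    acs_url = sp["acs_by_index"].get(index)
    if acs_url is None:
        # The ACS URL comes from the registry, never from the request itself.
        raise ValueError(f"no ACS endpoint registered for index {index}")
    return {
        "id": root.get("ID"),
        "issuer": issuer,
        "acs_url": acs_url,
        "relay_state": params.get("RelayState", [""])[0],
    }


if __name__ == "__main__":
    req = build_authn_request("https://cucm.example.com/ssosp", 0)
    url = redirect_url(req, "/ccmadmin")
    print(url)
    print(idp_parse_request(url))
```

The design point worth noticing is that the IdP never trusts an ACS URL carried in the request: it resolves the index against what it learned from the SP's metadata, so a request from an unregistered issuer, or one naming an index the SP never published, is rejected before any authentication happens.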