SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 15 and SUs

SAML SSO Requirements for Identity Providers

• Certificates—You must exchange metadata files between your Cisco Collaboration deployment and the Identity Provider. The metadata contains the certificates that are required to create a trust relationship between your Collaboration deployment and the Identity Provider. You can use either a tomcat certificate or a system-generated self-signed certificate to establish trust.

SAML Agreement Types

Cisco Unified Communications Manager supports two types of SAML metadata agreements:

• Cluster Wide—With this deployment, you configure a single metadata agreement that covers the entire cluster.
• Per Node—With this deployment, you must configure multiple metadata agreements, with a separate agreement for each cluster node. Each cluster node has a separate metadata exchange with the Identity Provider.

Figure 2: Two types of SAML metadata agreements in Cisco Unified Communications Manager

The following image illustrates the contents of a metadata zip file that was generated on Cisco Unified Communications Manager using a per node agreement. In this example, the IM and Presence Service is deployed using a Standard Deployment (non-centralized), so the zip file contains separate metadata xml files for each Unified Communications Manager and IM and Presence Service cluster node.

Figure 3: UC Metadata File Downloaded from Cisco Unified Communications Manager

Note: If you have a Centralized Deployment for the IM and Presence Service, your IM and Presence deployment is in a separate cluster from your telephony cluster. With Cluster Wide agreements, you must generate metadata separately for your telephony cluster, and for your IM and Presence cluster.
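Before you import a per node metadata zip file into the Identity Provider, it helps to list what trust material each file carries and to confirm that every cluster node is represented. The following Python sketch is an added example, not code from the Cisco guide. The function names, file names, host names and placeholder certificate bytes are constructed, and it assumes that each file has an EntityDescriptor root whose entityID contains the node name.

```python
import base64, hashlib, io, zipfile
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inventory(zip_bytes):
    """One record per metadata XML file: entityID plus SHA-256 of each certificate."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in sorted(n for n in zf.namelist() if n.lower().endswith(".xml")):
            root = ET.fromstring(zf.read(name))
            certs = {}
            for kd in root.iterfind(".//md:KeyDescriptor", NS):
                b64 = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
                der = base64.b64decode("".join(b64.split()))  # strip line wrapping
                certs[kd.get("use", "unspecified")] = hashlib.sha256(der).hexdigest()
            records.append({"file": name, "entity_id": root.get("entityID"),
                            "certs": certs})
    return records

def missing_nodes(records, expected_nodes):
    """Per node agreement: expected nodes that no metadata file names (assumption:
    the node name appears inside the entityID)."""
    ids = [r["entity_id"] or "" for r in records]
    return [n for n in expected_nodes if not any(n in i for i in ids)]

def build_sample_zip():
    """Constructed sample: two per node files; 'certificates' are placeholder bytes."""
    tmpl = ('<md:EntityDescriptor xmlns:md="{md}" xmlns:ds="{ds}" entityID="{eid}">'
            '<md:SPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol"><md:KeyDescriptor use="signing">'
            '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor>'
            '</md:EntityDescriptor>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for host in ("cucm1.example.com", "imp1.example.com"):
            cert = base64.b64encode(("constructed-cert-" + host).encode()).decode()
            zf.writestr(host + ".xml", tmpl.format(eid=host, cert=cert, **NS))
    return buf.getvalue()

if __name__ == "__main__":
    recs = inventory(build_sample_zip())
    for r in recs:
        print(r["file"], r["entity_id"], r["certs"])
    print("missing:", missing_nodes(recs, ["cucm1.example.com", "cucm2.example.com"]))
```

Compare the printed fingerprints with the certificate details the Identity Provider shows after import; a node listed as missing has no metadata file in the zip.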

