McDewey

page: 25
source: cucm/v15/saml-sso/saml-sso.md
chunk_id: cucm::v15::saml-sso::saml-sso::21

Metadata Exchange

As a part of the process for setting up SAML SSO, you must exchange metadata files between your UC deployment and the Identity Provider.

Figure 4: SAML Metadata Exchange

Following is an example of a UC metadata file that was generated from the Service Provider (Cisco Unified Communications Manager).

Metadata File from Service Provider (Cisco Unified Communications Manager)

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--With Single Cluster agreement the entityID is always the publisher FQDN-->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="cucm0a.identitylab20.ciscolabs.com" entityID="cucm0a.identitylab20.ciscolabs.com">
  <!--We don't require AuthN or signed Assertions but comply to what the IdP requests-->
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDzzCCA........</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!--Certificate for Signing and/or Encryption-->
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDzzCCA........</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!--We only support name-id format transient-->
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <!--ACS URL for the Client to POST the answer from the IdP, two per node in the cluster-->
```

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 15 and SUs 15 SAML SSO Requirements for Identity Providers Metadata Exchange
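An added example (not from the Cisco guide): a Python check that reads a Service Provider metadata file before it is imported into the IdP and reports the settings this kind of file carries, namely the two signing flags, a SHA-256 fingerprint per key use for out-of-band comparison, the NameID format and the ACS endpoints. The sample document, its host name, ACS path and certificate bytes are constructed placeholders, and `review_sp_metadata` is a hypothetical helper name.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
NOTES = {
    "AuthnRequestsSigned": "the SP does not declare that it signs AuthnRequests",
    "WantAssertionsSigned": "the SP does not ask for signed assertions; require signing in IdP policy",
}
# Constructed sample: placeholder host, ACS path and certificate bytes (not a real export).
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="sp.example.test">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://sp.example.test/acs-placeholder"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def review_sp_metadata(xml_text):
    """Return (summary, findings) for one SP metadata document given as str."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not SP metadata")
    keys = {}  # key use -> SHA-256 of the DER certificate, to compare out of band
    for kd in sp.findall("md:KeyDescriptor", NS):
        b64 = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))
        keys[kd.get("use", "signing+encryption")] = hashlib.sha256(der).hexdigest()
    acs = [e.get("Location", "") for e in sp.findall("md:AssertionConsumerService", NS)]
    summary = {"entityID": root.get("entityID"), "key_sha256": keys, "acs": acs,
               "nameid": [(e.text or "").strip() for e in sp.findall("md:NameIDFormat", NS)]}
    # Flags that are absent default to false in SAML metadata.
    findings = [f"{attr} is not true: {note}" for attr, note in NOTES.items()
                if sp.get(attr, "false").lower() not in ("true", "1")]
    findings += [f"ACS endpoint is not HTTPS: {u}" for u in acs
                 if not u.lower().startswith("https://")]
    if not acs:
        findings.append("no AssertionConsumerService endpoints (truncated file?)")
    return summary, findings
```

The fingerprints only mean something when they are compared against the certificate read from the node through a separate channel; metadata received from another party should also go through a hardened XML parser before this check.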
