CHAPTER 4

SAML SSO Configuration

• SAML-Based SSO Prerequisites, on page 21
• SAML SSO Configuration Task Flow, on page 25
• SAML SSO Additional Tasks, on page 30
• SAML SSO Deployment Interactions and Restrictions, on page 35

SAML-Based SSO Prerequisites

The following system setup is required for SAML-Based SSO configuration:

• NTP Setup
• DNS Setup
• Directory Setup

NTP Setup

In SAML SSO, Network Time Protocol (NTP) enables clock synchronization between the Unified Communications applications and IdP. SAML is a time sensitive protocol and the IdP determines the time-based validity of a SAML assertion. If the IdP and the Unified Communications applications clocks are not synchronized, the assertion becomes invalid and stops the SAML SSO feature. The maximum allowed time difference between the IdP and the Unified Communications applications is 3 seconds.

For SAML SSO to work, you must install the correct NTP setup and make sure that the time difference between the IdP and the Unified Communications applications does not exceed 3 seconds.

Note: For information on adding an NTP server in order to synchronize clocks, see the "Core Settings for Device Pools" chapter of the System Configuration Guide for Cisco Unified Communications Manager.

DNS Setup

Domain Name System (DNS) enables the mapping of host names and network services to IP addresses within a network or networks. DNS server(s) deployed within a network provide a database that maps network services to hostnames and, in turn, hostnames to IP addresses. Devices on the network can query the DNS

SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 15 and SUs 21
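The NTP Setup requirement above comes down to whether the receiving application's clock falls inside the validity window the IdP writes into the assertion. The following Python example is added here and is not Cisco's code or part of the guide: it evaluates the Conditions window of a constructed assertion against a skewed clock, and it assumes the guide's 3-second limit is applied as a tolerance on NotBefore/NotOnOrAfter. The function names and the sample assertion are hypothetical.

```python
"""Added example: SAML assertion time-window check under clock skew."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# 3 s is the limit stated in the guide; using it as a tolerance is an assumption.
MAX_SKEW = timedelta(seconds=3)

# Constructed sample assertion (not captured from a real IdP), valid for 5 minutes.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z"
                   NotOnOrAfter="2024-01-01T12:05:00Z"/>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML xs:dateTime in UTC ('Z' suffix, optional fractional seconds)."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, sp_now, tolerance=MAX_SKEW):
    """Return (ok, reason) for the Conditions window as seen by the receiver's clock.
    A real receiver verifies the assertion signature before trusting these values."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element"
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_before and sp_now + tolerance < parse_instant(not_before):
        return False, "not yet valid (local clock behind IdP)"
    if not_on_or_after and sp_now - tolerance >= parse_instant(not_on_or_after):
        return False, "expired (local clock ahead of IdP or stale assertion)"
    return True, "within validity window"


def simulate(sp_offset_seconds):
    """IdP issues at 12:00:00; the receiver's clock is off by sp_offset_seconds."""
    idp_now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    return check_conditions(SAMPLE_ASSERTION, idp_now + timedelta(seconds=sp_offset_seconds))


if __name__ == "__main__":
    for offset in (0, -3, -10, 302, 310):
        print(f"local clock offset {offset:+d}s ->", simulate(offset))
```

A receiver whose clock runs behind the IdP by more than the tolerance rejects a freshly issued assertion as not yet valid, which is the failure the NTP requirement prevents.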
