McDewey

Multi-vendor documentation library · semantic search · MCP endpoint at /mcp

Page 32

↗ View in doc context
page
32
source
cucm/v15/saml-sso/saml-sso.md
chunk_id
cucm::v15::saml-sso::saml-sso::28

server and receive IP addresses for other devices in the network, thereby facilitating communication between network devices. Unified Communications applications can use DNS to resolve fully qualified domain names to IP addresses. The service providers and the IdP must be resolvable by the browser. For example, when the administrator enters the service provider hostname (http://www.cucm.com/ccmadmin) in the browser, the browser must resolve the hostname. When the service provider redirects the browser to IdP (http://www.idp.com/saml) for SAML SSO, the browser must also resolve the IdP hostname. Moreover, when the IdP redirects back to the service provider ACS URL, the browser must resolve that as well. Directory Setup LDAP directory synchronization is a prerequisite and a mandatory step to enable SAML SSO across various Unified Communications applications. Synchronization of Unified Communications applications with an LDAP directory allows the administrator to provision users easily by mapping Unified Communications applications data fields to directory attributes. To enable SAML SSO, the LDAP server must be trusted by the IdP server and supported by Unified Communications applications. Note For more information, see the "Directory Integration and Identity Management" chapter of the Cisco Collaboration System Solution Reference Network Designs at: https://www.cisco.com/c/en/us/support/unified-communications/unified-communications-system/ products-implementation-design-guides-list.html Certificate Management and Validation Cisco strongly recommends that server certificates are signed for SAML SSO and that multiserver certificates are used where product support is available. Important • Common Names (CN) and Subject Alternative Names (SAN) are references to the IP address or Fully Qualified Domain Name (FQDN) of the address that is requested. For instance, if you enter https://www.cisco.com, then the CN or SAN must have “www.cisco.com” in the header. • If the Unified Communications Manager is already in Mixed/Secure Mode and there are changes made to the certificates, then the CTL certificate must be updated using the secure USB token. Otherwise the Cisco Jabber client will not be able to acquire telephony capability. The CTL token update requires a Unified Communications Manager restart. Note In SAML SSO, each entity participating in the SAML message exchange, including the user's web browser, must establish a seamless secure HTTPS connections to the required entities. Cisco strongly recommends that signed certificates issued by a trusted Certificate Authority be configured on each UC product participating in the SAML SSO deployment. SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 15 and SUs 22 SAML SSO Configuration Directory Setup