McDewey

Multi-vendor documentation library · semantic search · MCP endpoint at /mcp

Page 33

↗ View in doc context
page
33
source
cucm/v15/saml-sso/saml-sso.md
chunk_id
cucm::v15::saml-sso::saml-sso::30

Unified Communications applications use certificate validation to establish secure connections with servers. Certificates are used between end points to build a trust/authentication and encryption of data. This confirms that the endpoints communicate with the intended device and have the option to encrypt the data between the two endpoints. When attempting to establish secure connections, servers present Unified Communications clients with certificates. If the client cannot validate a certificate, it prompts the user to confirm if they want to accept the certificate. Certificates Signed by a Certificate Authority Cisco recommends using server certificates that are signed by one of the following types of Certificate Authority (CA): • Public CA - A third-party company verifies the server identity and issues a trusted certificate. • Private CA - You create and manage a local CA and issue trusted certificates. The signing process varies for each product and can vary between server versions. It is beyond the scope of this document to provide detailed steps for every version of each server. Refer the appropriate server documentation for detailed instructions on how to get certificates signed by a CA. However, the following steps provide a high-level overview of the procedure: Procedure Step 1 Generate a Certificate Signing Request (CSR) on each product that can present a certificate to the client. Step 2 Submit each CSR to the CA. Step 3 Upload the certificates that the CA issues to each server. Every server certificate should have an associated root certificate present in the trust store on client computers. Cisco UC applications validate the certificates that servers present against the root certificates in the trust store. If you get server certificates signed by a public CA, the public CA should already have a root certificate present in the trust store on the client computer. In this case, you do not need to import root certificates on the client computers. You should import root certificates if the certificates are signed by a CA that does not already exist in the trust store, such as a private CA. In SAML SSO, the IdP and service providers must have CA signed certificates with the correct domains in the CN or SAN. If the correct CA certificates are not validated, the browser issues a pop up warning. For example, when the administrator points the browser to https://www.cucm.com/ccmadmin; the Unified Communications Manager portal presents a CA certificate to the browser. When the browser is redirected to https://www.idp.com/saml , the IdP presents a CA certificate. The browser will check that the certificate presented by the servers contains CN or SAN fields for that domain, and that the certificate is signed by a trusted CA. Alternatively, if the customer has their own private CA, then that CA must be installed as a root trust anchor on the computers that the administrator is launching their browser from. SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 15 and SUs 23 SAML SSO Configuration Certificates Signed by a Certificate Authority