Table 39: Credential Management

| Password Types | Description |
| --- | --- |
| End User Passwords | If you are not using SAML SSO or LDAP authentication, end user passwords are managed locally in the End User Configuration window for individual end users. All passwords can be updated via the End User Configuration. End users can edit their own passwords via the Self-Care Portal. |
| End User PINs | Irrespective of whether you have SAML SSO or LDAP Authentication deployed, end user PINs are always managed in the End User Configuration window of Cisco Unified CM Administration. As administrator, you can edit existing end user PINs via the End User Configuration window. |
| Application User Passwords | Irrespective of whether you have SAML SSO or LDAP Authentication deployed, application user passwords are stored in the local database and are managed in the Application User Configuration window of Cisco Unified CM Administration. |

Note: All local passwords and PINs are stored in the database in an encrypted format.

OAuth Framework

The OAuth Authorization Framework is defined by IETF under RFC 6749. The OAuth 2.0 authorization protocol lets a resource owner (for example, Cisco Unified Communications Manager) authorize a third-party application to obtain limited access to an HTTP service. With Cisco Unified Communications Manager, the OAuth framework uses access tokens to provide access and refresh tokens to provide access to resources over the life of the token. OAuth eliminates the need for web sites to ask for passwords when you are attempting to access information. With OAuth, the resource owner authorizes a client to access resources on a server.

Cisco Jabber clients use OAuth Refresh Logins to obtain access to resources from Cisco Unified Communications Manager. After an initial login, OAuth access tokens and refresh tokens provide seamless access to resources over the life of the tokens.

OAuth Refresh Logins

With OAuth Refresh Logins, short-lived access tokens let Jabber authenticate, providing access for the life of the token (the default lifespan for an access token is 60 minutes). The longer-lived refresh tokens provide Jabber with new access tokens as the old access tokens expire. So long as the refresh token is valid (the default life is 60 days), the Jabber client can obtain new access tokens dynamically, thereby providing seamless access without the user having to reauthenticate. Each time the OAuth token reaches 75% of its lifespan, the end-user application requests a new access token, and CUCM provides a new access token to authorize the end user. If the refresh token reaches 100% of its lifespan, the user must reauthenticate before new access tokens can be generated.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs
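The refresh timing described above, modeled as an added example (not Cisco code and not taken from the guide). It assumes the 75% rule applies to the access token, that the refresh token keeps the expiry set at login and is not renewed on refresh, and that an already issued access token stays usable until its own expiry; `Session`, `next_action` and `simulate` are hypothetical names.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

ACCESS_LIFETIME = timedelta(minutes=60)   # default access-token life from the text
REFRESH_LIFETIME = timedelta(days=60)     # default refresh-token life from the text
REFRESH_THRESHOLD = 0.75                  # client asks for a new token at 75% of life


@dataclass
class Session:
    login_at: datetime           # user authenticated; refresh token issued here
    access_issued_at: datetime   # issue time of the current access token

    def refresh_expires_at(self) -> datetime:
        # Assumption: the refresh token is not renewed when it is used.
        return self.login_at + REFRESH_LIFETIME

    def access_expires_at(self) -> datetime:
        return self.access_issued_at + ACCESS_LIFETIME

    def refresh_due_at(self) -> datetime:
        return self.access_issued_at + ACCESS_LIFETIME * REFRESH_THRESHOLD


def next_action(s: Session, now: datetime) -> str:
    """What the client has to do at time `now`."""
    refresh_valid = now < s.refresh_expires_at()
    if now >= s.refresh_due_at() and refresh_valid:
        return "refresh"                 # includes clients that were offline past expiry
    if now < s.access_expires_at():
        return "use_access_token"        # may outlive the refresh token briefly
    return "reauthenticate"              # nothing valid is left


def simulate(login_at: datetime):
    """Always-online client: count refreshes until no new token can be issued.

    Returns (number_of_refreshes, time_at_which_the_user_must_log_in_again).
    """
    s = Session(login_at, login_at)
    refreshes = 0
    while s.refresh_due_at() < s.refresh_expires_at():
        s.access_issued_at = s.refresh_due_at()
        refreshes += 1
    return refreshes, s.access_expires_at()


if __name__ == "__main__":
    count, relogin = simulate(datetime(2024, 1, 1))   # constructed login time
    print(count, relogin)
```

Under these assumptions, a session stays usable for the full refresh-token lifetime after one login, so shortening either lifetime directly shortens how long a copied token remains useful.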