Single Sign-On

Single Sign-On (SSO) is a mechanism that authenticates users across software systems using a common LDAP identity. The common authentication service issues a JSON Web Token (JWT), which multiple preconfigured applications can then use to authenticate the user.

Single Sign-On Components

The following are the SSO components:

Identity Provider (IdP)
  • IdP is an application that creates, maintains, and manages identity information for users.

  • IdP offers user authentication as a service. Third-party applications (for example, web applications) outsource the user authentication mechanism to a trusted IdP that is configured within the organization, for example, Active Directory Windows Server.

Cisco Identity Service (IdS)
  • Cisco IdS is the common API endpoint that relays requests to the IdP, generates the authentication token, and validates it.

  • Cisco IdS implements an authorization endpoint and token endpoint as part of its OAuth (Open Authorization) server implementation.

Token Types

The following are the token types:

  • Access Token—It is used to access protected resources. Clients are issued an access token that contains identity information for the user; this information is encrypted by default.

    Note

    For an SSO enabled user, use the access token in the authorization header of the Finesse REST APIs.

    Authorization: Bearer <access token>

  • Refresh Token—It is used to obtain a new access token before the current access token expires. The IdS generates the refresh token.

The refresh token and the access token are generated as a pair. When the access token is refreshed, the pair of tokens provides an extra layer of security.

You can configure the expiry time of the refresh token and access token in the IdS administration. When the refresh token expires, you cannot refresh the access token.
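The token handling described above, as an added example that is not part of the original page or of Cisco's own software: a small Python client that sends the access token in the Authorization header as a Bearer token, refreshes it through the IdS token endpoint before it expires, and stops once the refresh token itself has expired. The token endpoint URL, the refresh request form and the response field names are assumptions modelled on the standard OAuth 2.0 refresh_token grant, and the HTTP call is injected so the example runs offline.

```python
import time
from dataclasses import dataclass


@dataclass
class TokenPair:
    """Access/refresh token pair issued by the IdS, with expiry as epoch seconds."""
    access_token: str
    refresh_token: str
    access_expires_at: float
    refresh_expires_at: float


class SsoClient:
    """Holds the IdS token pair for one SSO user and keeps the access token fresh."""

    # Endpoint path and form fields are ASSUMED (standard OAuth 2.0 refresh grant),
    # not taken from Cisco documentation.
    def __init__(self, tokens, post, token_endpoint="https://ids.example.invalid/oauth/token",
                 skew=60, now=time.time):
        self.tokens = tokens
        self.post = post                  # callable(url, form) -> dict, injected for offline use
        self.token_endpoint = token_endpoint
        self.skew = skew                  # refresh this many seconds before the access token expires
        self.now = now

    def access_token_valid(self):
        return self.now() < self.tokens.access_expires_at - self.skew

    def refresh(self):
        """Exchange the refresh token for a new access/refresh pair."""
        if self.now() >= self.tokens.refresh_expires_at:
            # Once the refresh token has expired the access token cannot be refreshed;
            # the user has to authenticate again through the IdP.
            raise PermissionError("refresh token expired; re-authenticate with the IdP")
        resp = self.post(self.token_endpoint, {"grant_type": "refresh_token",
                                               "refresh_token": self.tokens.refresh_token})
        issued = self.now()
        self.tokens = TokenPair(resp["access_token"], resp["refresh_token"],
                                issued + resp["expires_in"],
                                issued + resp["refresh_expires_in"])  # assumed field name
        return self.tokens

    def auth_header(self):
        """Header for a Finesse REST API call, refreshing the access token first if needed."""
        if not self.access_token_valid():
            self.refresh()
        return {"Authorization": f"Bearer {self.tokens.access_token}"}
```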

Cisco Contact Center Components

The following are the Cisco Contact Center components that support SSO:

  • Cisco Finesse

  • Cisco Unified Intelligence Center