Cisco SSO Login Experience

Cisco Single Sign-On Integration

IoT Operations Dashboard (OD) is integrated with Cisco Customer Identity (CCI) for an improved and seamless login experience. CCI is an identity provider managed and used by Cisco. Most users are already familiar with CCI and use it to log in to Cisco.com. This integration of IoT OD with CCI provides enhanced secure authentication and lets users navigate across multiple Cisco applications and websites with one set of login credentials. However, to set up login credentials and access IoT OD, you must follow the process as specified. For details, see Add Users in Add and manage user access.

Note: Currently, CCI supports only authentication. It does not support authorization, which is what allows roles and permissions to be assigned to users.

  • If the email used to log in to the IoT Operations Dashboard is associated with the Cisco Customer Identity (CCI) account, users will be redirected to CCI for authentication. Upon successful authentication, users will be taken back to IoT OD.
  • If the email used to log in to the IoT Operations Dashboard is not associated with the Cisco Customer Identity (CCI) account, nothing changes. Users will continue to get authenticated by the IoT Operations Dashboard, as before.

IoT OD User Login Process

The diagram below depicts the authentication process for Cisco SSO Integration with IoT Operations Dashboard users.

Authorization Process

Note: This functionality applies to all the existing users who have the same email credentials on both IoT OD and CCI accounts. If you are logging in for the first time into IoT OD, you will receive emails to activate and log in. See Log in to the IoT Dashboard for more details.

  1. Enter your email ID on the IoT OD Dashboard Login page and click Next. You will be redirected to the Cisco Customer Identity (CCI) page.

    IoT OD Login Page

  2. On the CCI login page, provide your email ID and click Next. You will be redirected to the Duo security login page. Follow the instructions on that page.

    CCI Login Page1

    CCI Login Page2

    Note: For details on resetting the password or managing your CCI account, see https://www.cisco.com/c/en/us/about/help/login-account-help.html.

  3. Upon successful verification, you will be automatically directed to the IoT OD login page with a message, as displayed in the figure below.

    You will be notified by email to link your CCI account with your IoT OD account. This is a one-time activity.

    Redirect to IoT OD Login Page

  4. In your email, click Link to confirm account linking. Do this within the 10-minute time frame, before the link expires.

    Email Notification

  5. After validating the password, a new browser page will load, displaying the IoT Operations Dashboard.

    Note: For more details on CCI login, see Cisco Customer Identity (CCI) User Login Process.

Using the Feature

With the single sign-on feature, users will be able to sign in to the platform/application using existing login credentials from Cisco CCI (i.e., if you already have an account on id.cisco.com) or your IoT OD login credentials.

Follow these steps:

If you have an IoT Operations Dashboard account and a Cisco SSO account with the same email address:

  1. Go to us.ciscoiot.com or eu.ciscoiot.com (based on the geographic region).

  2. Type in the email address associated with your IoT Operations Dashboard account and click Next.

  3. You will see a pop-up message notifying you that you are being redirected to Cisco CCI for authentication.

  4. Use your existing Cisco CCI credentials.

  5. Upon successful authentication, users will be redirected back to the IoT Operations Dashboard and signed in automatically.

The next time you type in your email address on us.ciscoiot.com or eu.ciscoiot.com and click Next, you will be automatically redirected to Cisco CCI for authentication. Use your Cisco CCI credentials. Upon successful login, you will be redirected back to the IoT Operations Dashboard.

If you have an IoT Operations Dashboard account but do not have a Cisco SSO account with the same email address, you have two options:

Option 1: Keep it as is.

Option 2: If you want CCI authentication, delete and create the user again. For new users, see Add and manage user access for details.

Password Reset / Forgot Password

For IoT OD Local Account Users

These steps apply to local IoT OD account users who do not have a CCI account.

  1. Go to us.ciscoiot.com or eu.ciscoiot.com (based on the geographic region).

  2. Type in the email address associated with your IoT Operations Dashboard account and click Next.
    IoT OD Login Page

  3. Click I forgot my password.
    IoT OD Login Page

  4. Enter your email and click Submit.
    IoT OD Login Page

  5. You will receive an email with instructions to reset the password.
    IoT OD Login Page

For IoT OD and CCI Account Users

This section applies to users that have both IoT OD and CCI accounts.

For details on resetting the password or managing your CCI account, see Log in to the IoT Dashboard.

For Vendor IdP Users

This applies to customers using a vendor IdP to authenticate user accounts.

For details on resetting the password or managing your IdP account, check your IdP system.

Cisco Customer Identity (CCI) Account Deletion

To delete your CCI account, you need to ensure that your email is removed from the id.cisco.com domain.

To do so, send an email to support at web-help@cisco.com and request CCI account profile deletion.

You will receive an email asking you to confirm your account deletion. Follow the instructions in the email.

Once your account has been deleted successfully, you will receive an email notification to confirm the same.

Note: For local IoT OD users: after deleting the CCI account, manually remove the user from your organization by deleting them from the IoT OD user account. This action can be performed by the Tenant Admin only.

Customer IDP Integration

Overview

Single sign-on (SSO) allows users to log in using their corporate account credentials. When a user enters their Email ID, they are redirected to your organization's Identity Provider (IdP) authentication page. After authentication, they are redirected back to the IoT Operations Dashboard (IoT OD) and logged in.

Note:

  • Cisco IoT OD is the service provider (SP) and your organization's identity server is the Identity Provider (IdP).
  • Your organization's identity provider must be compliant with the SAML 2.0 protocol.

Options for authentication only, or authentication and authorization

Single sign-on can be configured in IoT OD for 2 use cases:

  • Authentication only: Your organization's IdP authenticates the user, which logs them into IoT OD. But authorization, which provides access privileges to specific functions, is applied by Cisco IoT OD.
  • Authentication and Authorization: Your organization's IdP authenticates and authorizes the user.

Authentication only procedure

For authentication, integrate your IdP into CCI. To start the process, contact iotod-account-request@cisco.com or use the email ID provided.

Authentication and authorization procedure

Complete the following procedure if your organization's IDP will authenticate the user's credentials, and authorize their access permissions.

Prerequisites

  1. The customer must export and share the IDP Metadata with Cisco.
  2. The Cisco super admin user must import this and then share the SP metadata.
  3. The customer must import the SP metadata into their identity server.
  4. The Tenant Admin role must map a role to an organization before a specified user logs in to IoT Operations Dashboard.
  5. The customer must provide the SAML attribute that will contain the user's email ID, for example NameID/Email ID.
  6. The customer must send the roles in the SAML response; these are used for authorization.
  7. If a user has multiple roles assigned in the IdP, all of those roles need to be sent in comma (,) separated format in the SAML response.

To enable SSO for Cisco IoT Operations Dashboard:

  1. Ask your Cisco representative to integrate the Operations Dashboard with your corporate identity provider.

  2. Update the SAML response to send the roles to IoT OD. If a user has multiple roles, all the roles need to be sent in separate key-value pairs, not as comma-separated values under one key.

  3. The Cisco support team will contact you to start the integration process. As part of this:

    • You will need to provide the identity provider's SAML metadata and the email domain(s) that will use SSO.

    • You will need to provide the keys in the SAML response that will contain the following values for the user.

      1. Email SAML Attribute (Mandatory)
      2. Role SAML Attribute (Mandatory)
      3. First Name SAML Attribute (Optional)
      4. Last Name SAML Attribute (Optional)
      5. Phone Number SAML Attribute (Optional)
    • Cisco will provide the required metadata for your identity provider.

  4. Wait for Cisco and your identity provider to complete the SSO setup.

  5. After SSO setup is complete, the Tenant Admin role for your organization needs to go to the Access Control page and do the mapping with the IdP's roles.

      Roles

    • Multiple IdP roles can be mapped to one IoT OD role, but an IdP role that has already been mapped cannot be mapped to any other IoT OD role.

    • If there are subtenants, the mapping is not inherited to the lower level. The Tenant Admin needs to do the mapping for subtenants.

    • The Tenant Admin needs to enter the role in the same format as the one available in IdP.

    Role Mapping

    • After the mapping is done, a user will be able to log in to the application once authenticated and authorized by the IdP.
    • Roles and permissions to access the IoT OD application are assigned to the user based on the role mapping done by the Tenant Admin.
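
As an added illustration (not Cisco's code and not part of the original page), the following Python example checks a test SAML assertion from your own IdP against the requirements above: mandatory email and role attributes, at most one IoT OD role per IdP role, and role names entered in the same format as in the IdP. The attribute keys, role names, sample assertion, and the treatment of "same format" as an exact string comparison are assumptions made for the example; role values containing a comma are flagged so the encoding can be checked against what was agreed during integration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed test assertion. Attribute names "email" and "role" are assumptions:
# the real keys are whatever you agree with Cisco during integration.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="email">
   <saml:AttributeValue>ana@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="role">
   <saml:AttributeValue>plant-operators</saml:AttributeValue>
   <saml:AttributeValue>Net-Admins</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical Tenant Admin mapping rows: (IdP role, IoT OD role). Names are invented.
ROLE_MAP = [("plant-operators", "Operator"), ("contractors", "Operator"),
            ("net-admins", "Device Admin")]

def read_attributes(xml_text):
    """Collect {attribute name: [values]}. Inspection only: no signature check."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def preflight(xml_text, role_map, email_key="email", role_key="role"):
    """Return (IoT OD roles the mapping would grant, list of findings)."""
    attrs, findings, mapping = read_attributes(xml_text), [], {}
    for key in (email_key, role_key):          # both are mandatory on this page
        if not any(attrs.get(key, [])):
            findings.append(f"missing mandatory attribute: {key}")
    for idp_role, od_role in role_map:         # an IdP role maps to one IoT OD role only
        if mapping.setdefault(idp_role, od_role) != od_role:
            findings.append(f"IdP role mapped twice: {idp_role}")
    granted = []
    for role in attrs.get(role_key, []):
        if "," in role:
            findings.append(f"role value contains a comma: {role}")
        if role in mapping:                    # exact match, same format as in the IdP
            granted.append(mapping[role])
        elif role:
            findings.append(f"IdP role has no mapping: {role}")
    return granted, findings
```

Calling preflight(SAMPLE, ROLE_MAP) grants only Operator and reports Net-Admins as unmapped, because the mapping row was entered as net-admins rather than in the IdP's own format.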