Introduction

Cisco Unified Communication (UC) Single Sign-On (SSO) integration allows application users to login to an enterprise SSO solution for access to Cisco Unified Communication products and related APIs.

Utilizing the UC SSO API generally involves two main steps:

  • Obtaining an ‘access token’ from the SSO system via user interaction with a web browser window.
  • Using the access token with a specific UC API to make a request.

This document focuses on obtaining a SSO access token from the UC/SSO system, and provides a walk-through via a simple browser-based application example.

For details on accessing specific UC APIs once an SSO token is obtained, see API-specific SSO Calls .

The following Cisco UC products/APIs support SSO:

  • Cisco Unified Communications Manager v10.5+

    • User Data Services (UDS)

  • Cisco Unity Connection v10.5+

    • Cisco Unity Connection Messaging Interface (CUMI)

SSO Overview

  • Single Sign On (SSO) simplifies the login process for Users and Administrators in Cisco Unified Communications products (Unified Communications Manager and Unity Connection releases 10).
  • SSO offers an easier, more consistent way for users and administrators to authenticate access to secured resources.
  • Instead of each interface requiring a separate user name and password login, a single credential allows access to all enabled product interfaces.
  • Think of SSO as supplying the "skeleton key" to every enabled, authorized service and API in the UC environment.

What Are the Advantages of Using SSO?

There are a number of advantages to using SSO:

  • Only one password to remember
  • Simplifies access for Users & Administrators by acting as a central clearing house for all credential validation
  • Centralizes Credential Management - less likely for logins to fall out-of-sync
  • Eliminates password resets - credentials are tied to an abstracted identity, not hard-coded to ‘username/password’ combinations
  • Secure - supports X509 certificates, HTTPS, and layered security mechanisms

Which SSO Identity Providers are Supported?

Cisco currently supports the following Identity Provider products for use with Cisco Unified Communications Manager and Cisco Unity Connection releases v10.5(1) and higher:

  • OpenAM
  • Microsoft Active Directory Federation Services
  • Ping Identity
  • Oracle Identity Manager

Additional SAMLv2 providers may be supported in future releases.

How Does Cisco UC SSO Support Different Account Types?

Applications can authenticate with UC APIs by providing a username/password, or, if SSO is enabled, they may be able to provide a valid SSO token in place of a username/password combination after successfully logging in to the Identity Provider (IdP).

The possible credential types that can be used with a particular API depend on the type of user account ( Application User or End User on UC Manager, User/Service on Unity Connection), and the system SSO status ( enabled or disabled .)

UCM Application User

API SSO Enabled SSO Disabled
UDS User/Pass User/Pass


UCM End User

API SSO Enabled SSO Disabled
UDS User/Pass or Token User/Pass


Unity Connection User/Service

API SSO Enabled SSO Disabled
CUMI User/Pass or Token User/Pass

Learning More About SSO

This document only covers how to use SSO with Cisco Unified Communication; it does not cover SSO fundamentals or concepts. The Cisco implementation of SSO is straightforward and easy to quickly setup and use without you having to understand the fundamentals of SSO. However, if you would like to learn more about the fundamentals of SSO, we recommend that you research the following topics:

  • Security Assertion Markup Language (SAML)
  • Identity Provider (IdP)
  • Assertion Consumer Service (ACS)
  • Open Authentication (OAuth)
  • Lightweight Directory Address Protocol (LDAP)

An Example SSO Application

To run a real SSO example application, you will do the following:

  • Prepare your environment
  • Understand redirects and same-origin issues
  • Run the example application

Preparing Your Environment

Successfully accessing UC SSO APIs from an application assumes that some general system services and configurations are in place:

  • HTTPS - All connections involved with SSO are secured with HTTPS. Applications and browsers must be configured with the correct certificates in order to connect securely. (For lab/testing, you may be able to temporarily accept certificates in the browser).
  • DNS - HTTPS certificates and the URLs involved in the SSO sequence use hostnames (vs. IP addresses). The UC, IdP and application hosts must be configured in DNS. (For lab/testing, you may be able to use your PC’s ‘hosts’ file to map hostnames to IPs locally)
  • UC SSO - SSO should be fully configured and working with UC, e.g. end users can access UC web apps like the ‘Self Care Portal’ using their SSO credentials.

Understanding Redirects and Same-Origin Issues

For security reasons, web browsers prevent Javascript served by one ‘origin’ from accessing data served by another origin (an origin is a combination of scheme - such as, ‘HTTPS’ - hostname, and port.) For example Javascript on a page served from https://app.example.com cannot access the DOM of a popup window served from https://ucmanager.example.com (for example, to retrieve a token.)

The complete UC service SAML/OAuth SSO request sequence normally involves several HTTP interactions (302/Found redirects, Basic Auth challenge/response, scripted POST of a hidden HTLM form, etc.) which involve requests served from different ‘origins’ (for example, the UC server and the Identity Provider.) By default, the final HTTP location (and token info) is served from the UC service host (this normally prevents Javascript access to the token from other browser windows).

In order to facilitate this process, UCM and CUC allow the administrator to configure one or more 3rd party ‘redirect URLs’ to which the SSO sequence can be redirected after successful login. The application provides this redirect URL as a parameter when it initiates the SSO login sequence. The redirect URL should point to a web page hosted on the application web server, which will typically include some Javascript which extracts the SSO ‘access_token’ data and provides it back to a parent browser window.

The application redirect URL is configured in either UCM or CUC in the Enterprise Parameters area, via the Redirect URIs for Third Party SSO Client parameter (multiple comma-separated URLs are allowed).

SSO Configuration

Note: the CUCM /singleSignOn resource - which provides the SSO enablement status and SSO request URL - supports CORS requests only in CUCM v11.0(1)+ (see CSCuq68311)

Example - Get Ready, Go!

Let's prepare and then run the example app.

Get Ready...

1) Confirm that SSO is available and running in your environment. Take note of the SSO service URL (we refer to this instance of Unified Communications Manager as "UCMserver").

2) Make sure the UC service host, SSO Identity Provider host, and application server host can be resolved via DNS (manual entries in the ‘hosts’ file can help during testing).

3) Get a valid SSO login that will work with your Identity Provider (IdP). This will be referred to as your "Username/password".

4) Confirm that you have a web server capable of serving HTTPS requests for files you supply. We refer to this webserver as "Myappserver".

5) Copy ssocb.html (this is your default "child web page" file name, referred to here as "childWebPage") to the correct directory under your "Myappserver" instance. We refer to the full URL of your ssocb.html location as the "redirectURL" because this is the file that will be served by your webserver when the SSO redirection call is made during successful execution of the login procedure (more on this later).

6) The SSO redirect URL pointing to "childWebPage" (default is ssocb.html) must be configured in UC Manager (or Unity Connection) via Enterprise Parameters->Redirect URIs for Third Party SSO Client.

7) Copy ssopu.html (this is your default "parent web page" file name, referred to here as "parentWebPage") to the correct directory under your "Myappserver" instance.

8) Turn off pop-up blocking in your browser.

Go!

You are now ready to run the SSO example application in your browser, and retrieve a valid SSO access token in 3 simple steps!

  1. Load the example app page

Navigate to https://<Myappserver>/<parentWebPage> , for example:

https://myappserver.mydomain.com/ssopu.html

  1. Fill in parameters

Now you will enter the name of your UCM server and the URL of your redirection target:

Fill in Parameters

After you have correctly filled in these fields, click Submit .

  1. Log in

Log In

Provide the User Name and Password when prompted.

  1. Access the SSO token

Access the SSO Token

The popup window should close, and the access token value will be displayed in the parent page.

Example Application Details

The example project demonstrates the basic concepts that can used in retrieving a UC SSO token using a HTML/Javascript browser-based application. The four main steps involved are:

  1. Check the CUCM SSO enablement status and retrieve the base SSO request URL
  2. Build the the complete SSO request URL with the required parameters.
  3. Launch a new browser window and set the location to the SSO request URL (the user interacts with this window to login).
  4. When the SSO sequence is complete, pass the SSO token from the child window back to the parent browser window.

Step 1: Check SSO Status and Retrieve the SSO Request URL 

// Read variable values from the HTML fields
ucHost=document.getElementsByName("ucHost")[0].value;
redirectUrl=document.getElementsByName("redirectUrl")[0].value;
// Check if SSO is enabled
var xmlhttp=new XMLHttpRequest();  //Create XML request object
xmlhttp.open("GET","https://"+ucHost+"/ssosp/ws/public/singleSignOn");  // Prepare a GET request to the SSO status URL

The application retrieves the current enablement status of SSO, by retrieving the well-known URL: /ssosp/ws/public/singleSignOn 

if (xmlhttp.status==200){  // HTTP status code is 200 (OK)
  var xml=xmlhttp.responseXML; //Extract the XML from the response
  var ssoStatus=xml.getElementsByTagName("Status")[0].getAttribute("enabled"); // Get the value of the 'enabled' attribute from the <Status> element
  document.getElementsByName("ssoEnabled")[0].value=ssoStatus; // Display the SSO enabled status
  if (ssoStatus == "true"){
    ssoUri=xml.getElementsByTagName("Uri")[0].textContent; // Get the value of the Oauth launch base URL
    launchOauth(); // If SSO enabled, call the popup window oauth launch function
  }
}

This request returns some XML, which includes a Status element, with an enabled attribute ( true or false ). Assuming SSO is enabled and Status = true , then the Uri element will contain the URL to which SSO requests should be sent (this could be on another CUCM node, though the URL itself should always be at: :8443/ssosp/oauth/authorize )

The app stores the SSO URL in a variable and launches Step #2 via: launchOauth()

Step 2: Build the SSO Request URL 

//Build the request URL
var requestUrl = ssoUri + "?" + //Base URL
  "scope=UnifiedCommunications:readwrite&" +
  "response_type=token&" +
  "redirect_uri=" + encodeURIComponent(redirectUrl)+"&" + //App's redirect URL
  "client_id=C69908c4f345729af0a23cdfff1d255272de942193e7d39171ddd307bc488d7a1"; //3rd party app client_id

The SSO request URL is used to initiate the SSO login sequence. In this example, the URL is launched in a popup window, where the user interactively logs in to the SSO system.

The base SSO URL is retrieved in the previous step, but there are several additional URL parameters that need to be appended to complete the request URL. The first four parameters are always the same for all applications:

Static Parameters:

  • response_type=token
  • token_type=Bearer
  • scope=“UnifiedCommunications:readwrite”
  • client_id= C69908c4f345729af0a23cdfff1d255272de942193e7d39171ddd307bc488d7a1 (third party SSO client ID)

The final parameter is the application's Redirect URL. See the section Understanding Redirects and Same-Origin Issues for details.

Final request URL 

https://<returnedSSOserver>:8443/ssosp/oauth/authorize?response_type=token&client_id=C69908c4f345729af0a23cdfff1d255272de942193e7d39171ddd307bc488d7a1&token_type=Bearer

Your final request URL will look like something like the final request URL sample in the right hand panel.

Step 3: Obtain the Token via WebView/Browser 

//Open a child window for user interaction
      var popup = (window.open('','','height=500,width=500,scrollbars=1'));
      popup.document.write('Authorizing...');
      //Start the SSO login sequence using the request URL
      popup.location = requestUrl;
  • Submit the request
  • Any necessary redirection to the IdP happens automatically through the ssosp/OAuth/authorize API.
  • The IdP prompts the user for a valid username/password
  • Correct username/password are entered, and an access token is returned.

Obtain the Token via WebView/Browser

Step 4: Retrieve the Token via callback

Retrieve the Token via callback 

<html>
      <head>
      <title>Authorization Complete</title>
      </head>
      <body></body>
      <script type="text/javascript">
      //As soon as the page loads, make the callback to the parent window
              window.onload = function(e) {
        //The SSO token information is available in a URL fragment of the location
                  window.opener.parentCallback(location.hash);
        window.close() };
      </script>
      </html>

Once the child window has completed the SSO sequence it will have loaded the HTML page from the Redirect URL. The Javascript on this page extracts the SSO token (and other SSO details, see below) from the page’s browser URL fragment ( location.hash ) and calls a Javascript function inside the parent window, which displays the token in a textbox.

SSO Token Parameters:

  • access_token - Returned token used when issuing API requests that utilize SSO credentials.
  • token_type - Always "Bearer".
  • expires_in - Number of seconds the returned token is valid.

Retrieve the access_token 

//Called from the child window by a script in the final redirect URL page
      function parentCallback(hash) {
      //Parse the access_token value from the URL fragment string
          var start,end;
      start = hash.indexOf('#access_token')+14;
      end = hash.indexOf('&');
      //Update the input box with the token value
          document.getElementsByName('Token')[0].value=hash.substring(start,end);
      }

This code fragment gets the access_token from the returned URL.

API-specific SSO Calls

Now that you know how to get a valid access token from your IdP, you can allow your users to use SSO on any of the following APIs:

Follow the instructions in the API specific documents to learn how to apply the token.