Using Cisco Collaboration Single Sign-On with Cisco Unity Connection Messaging Interface

The ‘Cisco Unity Connection Messaging Interface’ (CUMI) provides a client-side interface allowing end-users to read and update Unity Connection messaging information and settings specific to their mailbox and account. For more information on CUMI, please see the CUMI DevCenter

Starting with version 10.5, several Cisco UC APIs, including CUMI, support authentication via the Cisco UC Single Sign-On mechanism. This has several advantages, allowing users to sign in to CUC once and re-use their session across multiple UC web applications and API interfaces.

This document provides a browser-based example showing how to use a SSO token to access a CUMI API. Note that a pre-requisite to using a SSO API like CUMI, is that the application must first interact with Cisco UC SSO to authenticate the user and obtain a SSO token. For further background on Cisco UC SSO and an example showing how to obtain a SSO token via browser app, please see the Cisco Unified Communications Single Sign-On Tutorial.

Once you have an SSO access token, you are ready to use it with CUMI.

Standard Basic Authorization

//Basic Auth Example
        GET HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Authorization: Basic dXNlcjE6Y2lzY28hMTIz
        Connection: keep-alive

By default, CUMI authenticates users via the HTTP ‘Basic Authorization’ mechanism. This requires that the HTTP request to CUMI include an ‘Authorization’ header, with value of ‘Basic’ plus a base64-encoded username:password, e.g: Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

SSO Bearer Authorization

//Bearer Auth Example
        GET HTTP/1.1
        User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20100101 Firefox/32.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Accept-Encoding: gzip, deflate
        Authorization: Bearer MjpkMTI2NDgyOS1mMDg1LTRhY2UtOGM3Yy1hMmY0ZjQ0ODUxNGQ
        Connection: keep-alive

In order to use SSO, the same ‘Authorization’ header is used, but the auth type becomes ‘Bearer’ plus the SSO token (NOT base64-encoded), e.g.: Authorization: Bearer Mjo1NTU5ZmFkYS02MjYwLTQ0YTktOTRhNS1iY2RmNzcwZWQzZDE

Cross-Origin Resource Sharing

For security reasons, web browsers by default prevent Javascript served by one 'origin' from accessing data served by another origin (an origin is a combination of scheme - e.g. 'HTTPS' - hostname, and port.) For example Javascript on a page served from cannot access data retrieved via XMLHttpRequest from (e.g. to make a CUMI request.)

To allow these types of requests securely, the Cross-Origin Resource Sharing standard was developed (supported in all modern browsers:)

CORS involves the use of special HTTP request headers and ‘pre-flight’ OPTIONS requests, and is generally handled transparently by browsers. However, it is necessary to configure the web server (in this case Cisco UCM) to allow Cross-Origin requests, on an origin-by-origin basis.

CUC supports configuration of CORS applications via the Cross-Origin Resource Sharing (CORS) menu:

CORS config

For each browser-based application that will be using CUC SSO APIs, configure a CORS entry: include the protocol scheme (i.e. ‘https://’) domain and port (if not default :80 or :443), e.g.

Preparing Your Environment

Successfully accessing UC SSO APIs from an application assumes that some general system services and configurations are in place:

  • HTTPS - All connections involved with SSO and CUMI are secured with HTTPS. Applications and browsers must be configured with the correct certificates in order to connect securely. (For lab testing, you may be able to temporarily accept certificates in the browser).
  • DNS - HTTPS certificates and the URLs involved in the SSO API sequence typically use hostnames (vs. IP addresses). The UC and application hosts should be configured in DNS. (For lab/testing, you may be able to use your PC’s ‘hosts’ file to map hostnames to IPs locally)
  • UC SSO - SSO should be fully configured and working with CUC, e.g. end-users can access CUC web apps like ‘Inbox’ using their SSO credentials.

Example Browser-based CUMI REST Request

The example HTML/javascript covered in this document gathers a CUC host name and SSO token (previously obtained, as above) from browser input fields, and makes a CUMI API ‘GET’ request to the Inbox resource, gathering some information about the users voicemail inbox. The CUMI XML response is shown in the browser upon success.

Get Ready...

Note: in order for this sample to work, the following setup steps should be completed:

1) Confirm that SSO is available and running in your environment. Take note of the CUC host name.

2) Make sure the CUC host and your web server host can be resolved via DNS (manual entries in your PC’s ‘hosts’ file can help during testing).

3) Obtain a valid set of SSO login credentials that will work with your SSO Identity Provider (IdP). With this set of credentials, obtain a UC SSO access token, e.g. using the sample application found in the Common SSO Tutorial[link].

4) Confirm that you have a web server capable of serving HTTPS requests for files you supply. Copy ssocumi.html to the correct directory for your web server’s HTTPS site.

6) Verify that CORS has been enabled on CUC for your web server’s origin/domain.

7) Verify that SSL certificates for CUC and your web server have been imported/enabled in your web browser.

Sample Code Walk-Through

Creating the XMLHttpRequest Object

var xmlhttp=new XMLHttpRequest();  //Create XML request object'GET','https://'+cucHost+'/vmrest/mailbox/folders/inbox/messages');  //CUC REST API to retrieve mailbox info

After retrieving the UCM host SSO token from the HTML input fields, the Javascript code creates the XMLHttpRequest object used to make the CUMI request.

Adding the Accept Header


The next step adds the Accept: application/xml header to the HTTP request, to indicate to CUMI that the application expects an XML response.

Adding the Authorization: Bearer Header

xmlhttp.setRequestHeader("Authorization","Bearer "+ssoToken); //Add 'Authorization' header with 'Bearer' and token

Next, the code adds the Authorization header, including the Bearer type and the SSO token to authenticate the CUC user.

Handling the XMLHttpRequest Completion Event

xmlhttp.onreadystatechange=function() {  //Handle completion event of the XML request
            if (xmlhttp.readyState==4) {         //State is complete
                if (xmlhttp.status==200) {       //Status is 200 OK
                    var xml=new XMLSerializer().serializeToString(xmlhttp.responseXML); //Extract the XML string from the response
                document.getElementsByName("response")[0].value=xml; //Display the XML in the text area

This block of code sets an event handler for the XMLHttpRequest objects’s completion event. If the event is called with state=4 (complete) and status=200 (200 OK), then the code extracts the XML response and displays it in the web page text area.

Launching the XMLHttpRequest

xmlhttp.send(); //Launch the XML request

Once the XMLHttpRequest has been prepared, and the event handler is in place, the actual request is launched as the final step.

Sample REST Response

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
        <Messages total="1">


If everything went well, CUMI should respond to the request with a 200 OK status and include some XML info about the user’s inbox. For full details about the contents of the CUMI inbox resource response, see the CUMI API Reference