Single Sign On - SSO
Recent Notes
Quick Overview
- Download ADFS2.0
- Install on dedicated W2008R2 Server e.g. adfs.mydomain.com
- Create an additional A name to point to the same server, e.g. sso.mydomain.com (do NOT use a CNAME)
- Create a certificate on the ADFS server using the Certificate Manager MMC (not IIS) so you can request a Web Server certificate: right-click Personal and select All Tasks - Request New Certificate (this requires an enterprise CA)
- Run the ADFS configuration wizard and set the Federation Service name to the alternative name in your certificate (e.g. sso.mydomain.com), i.e. NOT the actual server name
- Test the connection between AD and ADFS: open the URL below (change the hostname) and log in with a domain account
https://sso.ucce9.lab.orourke.tv/adfs/ls/IdpInitiatedSignon.aspx
- Only if this works should you go on to set up and test Cisco CUCM SSO…
- After configuring CUCM for SSO, make sure users' PCs have the SSO ADFS URL in their trusted sites and that they are set to auto-login as per below:
Set up ADFS for Cisco
If the ADFS install wizard passed 100% and the basic ADFS SSO test login works (example URL below), THEN…
https://sso.ucce9.lab.orourke.tv/adfs/ls/IdpInitiatedSignon.aspx
- Right-click Relying Party Trusts and select 'Add Relying Party Trust…'
- Select 'Import data about the relying party from a file' and choose the CUCM file contained in the SPMetadata zip downloaded from the SAML Single Sign On config page; click Next, enter CUCM as the display name and click Finish
- Add Two Claims Rules.
- Rule 1 - Send LDAP Attributes as Claims
- Enter a rule name, set the attribute store, map the LDAP attribute to whatever you have mapped your CUCM user ID to (SAM-Account-Name, Email Address, Telephony-Number) and set Outgoing Claim Type to 'uid' (you have to type 'uid'; it's not in the dropdown)
- Rule 2 - Send Claims using a Custom Rule
- Enter a rule name and the code below (change the relevant entity IDs); see the example under 'Custom Rule for ADFS Relying Party Trust'
- Repeat for IM&P, but with the IM&P SPMetadata file and the IM&P attributes.
- Add Relying Party Trusts for Unity Connection & Prime Collab
Custom Rule for ADFS Relying Party Trust
Note: The ADFS entity ID (the namequalifier property in the rule) must match the "entityID" attribute in the AD FS FederationMetadata.xml file you uploaded to the Unified Communications application. Open the XML file with a text editor and search for "entityID" to locate the attribute.
The Cisco Unified Communications application entity ID (the spnamequalifier property) must match the "entityID" attribute in the SP metadata XML file for that particular Unified Communications application node. Open the XML file with a text editor and search for "entityID" to locate the attribute.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
   Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://sso.ucce9.lab.orourke.tv/adfs/services/trust",
   Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "CUCM10-5A.UCCE9.LAB.OROURKE.TV");
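The note above says to open both metadata files and eyeball the entityID values; an added script (my own, not from the Cisco or Microsoft docs) does that check mechanically: it reads the entityID from the IdP and SP metadata, renders the custom rule with the two qualifiers filled in, and flags a rule whose namequalifier or spnamequalifier does not match the metadata. The two metadata snippets are constructed samples cut down to the one attribute the check reads, and they assume the ADFS 2.0 default federation service identifier http://<service name>/adfs/services/trust.

```python
"""Check the ADFS custom claim rule against the entityIDs in both metadata files."""
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
CLAIMPROPS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/"

# Constructed sample metadata, trimmed to the one attribute this check reads.
ADFS_METADATA = ('<EntityDescriptor xmlns="%s" '
                 'entityID="http://sso.ucce9.lab.orourke.tv/adfs/services/trust"/>' % MD_NS)
CUCM_SP_METADATA = ('<EntityDescriptor xmlns="%s" '
                    'entityID="CUCM10-5A.UCCE9.LAB.OROURKE.TV"/>' % MD_NS)


def entity_id(metadata_xml: str) -> str:
    """Return the entityID of a SAML 2.0 metadata document (IdP or SP)."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    eid = root.get("entityID")
    if not eid:
        raise ValueError("entityID attribute missing")
    return eid


def build_custom_rule(idp_entity_id: str, sp_entity_id: str) -> str:
    """Render the transient NameID rule with both qualifiers taken from metadata."""
    return (
        'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]\n'
        ' => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",\n'
        '   Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,\n'
        '   Properties["%sformat"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",\n'
        '   Properties["%snamequalifier"] = "%s",\n'
        '   Properties["%sspnamequalifier"] = "%s");'
        % (CLAIMPROPS, CLAIMPROPS, idp_entity_id, CLAIMPROPS, sp_entity_id)
    )


def rule_properties(rule_text: str) -> dict:
    """Pull the Properties[...] = "..." pairs out of a rule, keyed by short property name."""
    pattern = r'Properties\["' + re.escape(CLAIMPROPS) + r'(\w+)"\]\s*=\s*"([^"]*)"'
    return dict(re.findall(pattern, rule_text))


def check_rule(rule_text: str, idp_xml: str, sp_xml: str) -> list:
    """Return mismatches between the rule and the metadata; an empty list means it is consistent."""
    expected = {"namequalifier": entity_id(idp_xml), "spnamequalifier": entity_id(sp_xml)}
    found = rule_properties(rule_text)
    return ["%s: rule has %r but metadata entityID is %r" % (k, found.get(k), v)
            for k, v in expected.items() if found.get(k) != v]


if __name__ == "__main__":
    rule = build_custom_rule(entity_id(ADFS_METADATA), entity_id(CUCM_SP_METADATA))
    print(rule)
    print(check_rule(rule, ADFS_METADATA, CUCM_SP_METADATA) or "OK: qualifiers match metadata")
```

Point the two constants at the real FederationMetadata.xml and SPMetadata file contents and run check_rule on the rule you pasted into ADFS; a typo such as a stray extra slash in the namequalifier shows up as a mismatch before any user hits a failed login.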
References
http://docwiki.cisco.com/wiki/SAML_SSO_Configure_Microsoft_Active_Directory_Federation_Services_Identity_Provider_on_Windows_Platform
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-version-105/118770-configure-cucm-00.html
https://supportforums.cisco.com/document/12159076/adfs-setup-saml-sso-uc-10x
http://blogs.msdn.com/b/mapo/archive/2015/07/07/adfs-and-quot-the-spn-required-for-this-federation-service-is-already-set-on-another-active-directory-account-quot-error.aspx
https://technet.microsoft.com/en-us/library/ff625722(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/ee649249(v=ws.10).aspx
Example XML file URL located on the Federation Server (I set up a CNAME of sso for the ADFS server)
https://sso.ucce9.lab.orourke.tv/FederationMetadata/2007-06/FederationMetadata.xml
Using Federation Metadata to establish a Relying Party Trust in AD FS 2.0
http://blogs.msdn.com/b/card/archive/2010/06/25/using-federation-metadata-to-establish-a-relying-party-trust-in-ad-fs-2-0.aspx
http://192.168.1.170/ssosp/pages/TestSSO.jsp
https://support.microsoft.com/en-us/kb/3044976