directories services and single sign-on for the cisco...

Directories Services and Single Sign-On for the Cisco Collaboration Solution

Paulo Jorge Correia

BRKUCC-2444

• Identity Challenges and Market Analysis

• SSO Technologies and protocol Deep Dive

• SAML Protocol

• SAMLv2 requirements to interwork with Cisco Collaboration Products

• OAuth Protocol

• SSO in the Servers

• SSO in the Clients

• Cisco Cloud Identity

• System Architecture

• Conclusions and Key Takeaways

Agenda

Identity Challenges and Market Analysis

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 5BRKUCC-2444

Identity is a Growing Concern

Viruses1990–2000

Worms2000–2005

Spyware and Rootkits2005–Today

APTs, Botnets, Advanced MalwareToday +

20001990 1995 2005 2010 2015 2020

“2013 – Year of the MegaBreach”2014 Symantec Internet Security Report


Top 10 breaches

Source

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public

Username and passwords are no match for today’s sophisticated hackers

Solution is easy to deploy and easy to use… ensuring user adoption

Strong Authentication strengthens identity and access security by combining two

or more identifiable elements

Need For Strong Authentication Additional identification steps significantly increases security

Something you

HAVE Something you

KNOW Something you

ARE

BRKUCC-2444 7

http://www.google.com/url?sa=i&rct=j&q=password&source=images&cd=&cad=rja&docid=pp5_YrBJeL8QCM&tbnid=B7hrcPlfccPlVM:&ved=0CAUQjRw&url=http://www.atg.wa.gov/BlogPost.aspx?id=30725&ei=knylUa6MGInVPJeVgYAO&bvm=bv.47008514,d.ZGU&psig=AFQjCNHXbYS0uyTXkk4Euw81p9qslEEqqQ&ust=1369886212327072

http://www.google.com/url?sa=i&rct=j&q=password&source=images&cd=&cad=rja&docid=pp5_YrBJeL8QCM&tbnid=B7hrcPlfccPlVM:&ved=0CAUQjRw&url=http://www.atg.wa.gov/BlogPost.aspx?id=30725&ei=knylUa6MGInVPJeVgYAO&bvm=bv.47008514,d.ZGU&psig=AFQjCNHXbYS0uyTXkk4Euw81p9qslEEqqQ&ust=1369886212327072

http://www.google.com/url?sa=i&rct=j&q=biometric&source=images&cd=&cad=rja&docid=Su9wO3p0A5FCMM&tbnid=lYbJv5p7xC0DbM:&ved=0CAUQjRw&url=http://emeraldogzz.wordpress.com/tag/biometric/&ei=73ylUfiVM4GnO4jTgNgI&bvm=bv.47008514,d.ZGU&psig=AFQjCNFm_B3jWceeUuz8WKoKXt5R2x6Ndg&ust=1369886307015326

http://www.google.com/url?sa=i&rct=j&q=biometric&source=images&cd=&cad=rja&docid=Su9wO3p0A5FCMM&tbnid=lYbJv5p7xC0DbM:&ved=0CAUQjRw&url=http://emeraldogzz.wordpress.com/tag/biometric/&ei=73ylUfiVM4GnO4jTgNgI&bvm=bv.47008514,d.ZGU&psig=AFQjCNFm_B3jWceeUuz8WKoKXt5R2x6Ndg&ust=1369886307015326


Authentication for mobile devices

Mobile devices because of their restricted input methods present a

challenge to the user authentication

Mobile devices specially those ones that aren’t fully managed by the

IT organization of a company, require stronger authentication

mechanism

Mobile device run operating systems that have bigger limitation than

the normal laptop/desktops OS’s

BRKUCC-2444 8

SSO Technologies and protocol Deep Dive


IdP – Identity

ProviderRP – Relying

Party

Users

Explicit Initial Trust

Agreement

Identity Framework

BRKUCC-2444 10


Single Sign-On DefinitionSingle Sign-On (SSO) is a session/user authentication process that permits a user to provide credentials only once in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session.

With SSO the barriers for deploying stronger authentication is much lower.

BRKUCC-2444 11


Role of Identity Providers (IdP)

Validate who you are?

• Review personally identifying information to prove you are who you say you are (identity proofing), such as drivers license, passport, or biometric data

• Assign attributes [(name, role, email address] in the identity management system.

Validate and transact authentication requests?

• Verifying that the person seeking access toa resource is the one previously identified and approved by utilizing some form of authentication system, often a username and password.

BRKUCC-2444 12


Which IdP Does Cisco Supports ?

Cisco supports any IdP vendor that is compliant with the SAMLv2 Oasis Standard.

Internally in our development test cycles, we test our products against selected authentication methods of the follow IdP’s : Microsoft Active Directory Federation Services (ADFS) 2.0

Open Access Manager (OpenAM) 11.0

PingFederate 6.10.0.4

BRKUCC-2444 13

SAMLv2 Protocol


Firefox is your friend!Firefox allow you to have an add-on that can decode SAML called SAML tracer

It allow you to get the flow of your SSO interaction and also decodes SAML

BRKUCC-2444 15


SAML 2.0 FlowTrust Agreement

RP Relying Party

Ex: WebEx

IdP Identity

Provider

Metadata Exchange

BRKUCC-2444 16


SAML 2.0 FlowResource Request

RP Relying Party

Ex: CUCM

IdP Identity

Provider

1. Resource Request

1

BRKUCC-2444 17


SAML 2.0 FlowRedirect with Authentication Request

RP Relying Party

Ex: CUCM

IdP Identity

Provider

2. Redirect with SAML

authentication request

3.GET with SAML


3

2

BRKUCC-2444 18


SAML 2.0 FlowRedirect with Authentication Request

3

BRKUCC-2444 19


SAML 2.0 FlowIdentify the User

RP Relying Party

Ex: CUCM

IdP Identity

Provider5. Provide credentials

4. Challenge the client for

credentials

• The mechanism for challenge the users is something broader than just collaboration, it should comply to the security policy for the application in the organisation

• Any authentication mechanism, single or multi factor, supported by the IdP will be supported by the collaboration applications

4 5

BRKUCC-2444 20


SAML 2.0 FlowPost a Signed Response

RP Relying Party

Ex: CUCM

IdP Identity

Provider

7. POST signed response

6. Signed response in hiden HTML form

( this includes any attributes that are contracted )

7

BRKUCC-2444 21


SAML Cookies to Prevent Re-authentication

RP Relying Party

Ex: CUCM

IdP Identity

Provider

BRKUCC-2444 22


SAML Cookies to Prevent Re-authentication

IdP Cookie -> our recommendation for the Session Timer is 48 hours

But most of the IdP’s issue session base cookies

Service Cookie -> Our recommendation for the Session Timer is 30 minutes


SAML 2.0 Cookies to Prevent Re-authentication

RP Relying Party

Ex: CUCM

IdP Identity

Provider

2. Redirect with SAML


7. POST signed response

3.GET with SAML


with IdP Cookie

24

6. Signed response in hiden HTML form

( this includes any attributes that are contracted )

8. Supply resource

with new cookie

1. Resource Request with

Service Cookie

Cookie checked but

timer already expired

Cookie checked and

timer still valid

BRKUCC-2444 24

SAMLv2 Requirements to Interwork with Cisco Collaboration Products


SAML requirements SAML SP Initiated flow

We only support SP initiated flow in our products on premises and new generation cloud product behind Common Identity ( CI )

WebEx Messenger and MC also support IdP initiated but we always recommend SP Initiated.

BRKUCC-2444 26


SAML requirementsNameId-format

All the on premises products use transient, the IdP need to be able to deliver it,

which means that the attribute provided in the NameID will be ignored

WebEx Messenger and MC supports multiple NameID-format, but we recommend the usage of

unspecified, who will need to provide the WebEx UserID in the nameID

Common Identity for Spark uses both NameID-format unspecified or transient, customers can

pick which one they want

BRKUCC-2444 27


SAML requirements Binding mechanism

For all our products we need HTTP-POST and HTTP-redirect configured in the IdP for the SSO exchange to work.

Most of the IdP don’t give options to specify which binding mechanisms are allowed, they allow all.

Some IdP’s, like PingFederate, the administrator has an option to configure which ones to pick, and both need to be selected.

BRKUCC-2444 28


SAML requirements Certificates for the SAML assertion

We need that the IdP provides the certificates used for the SAML exchange in the metadata

• Signing

• Encryption ( if requested by the IdP )

BRKUCC-2444 29


SAML requirements Certificate requirements for CI

There are two possible ways of validating the metadata from the Customer IdP

• Customer IdP provides a signature in the metadata that is sign by a Public Certificate ( we support 45 public IdP’s )

• Customer IdP doesn’t provide signature for their metadata ( less secure )

BRKUCC-2444 30


SAML requirements Audience restriction for CI

For Cisco Cloud Common Identity, we need to make sure that the POST back message to CI has the correct Audience Restriction, where you should have the Org ID after the URL of CI

BRKUCC-2444 31


SAML requirementsAttributes for CI

For Cisco Cloud Common Identity, we need to receive two attributes ( uid and mail ) in the assertion

BRKUCC-2444 32


SAML requirements Attributes for on premises products

For on premises products, we need to receive uid attribute in the assertion, and that attribute needs to match the user UserID in the on premises products.

Since the IdP should get the user attributes from the same source as the on premises products we mandate that the users are LDAP Synchronized

BRKUCC-2444 33


SAML requirements Attributes for JIT for WebEx Messenger and MC

SAML protocol allows for provision if the users don’t exist yet in the SP user database.

To achieve that extra attributes needs to be provided in the assertion ( email, firstname, lastname, uid, updateTimeStamp )

BRKUCC-2444 34


SAML requirements Multiple ACS URL’s

For Single cluster agreement in the on premises products after version 11.5.

To allow a single agreement in the IdP for each CUCM and IM&P cluster we improve our SAML support and provide multiple Assertion Consumer URL to point to each node of a cluster.

This requires that the IdP support multiple ACS URL’s

BRKUCC-2444 35

OAuth Protocol


OAuth 2.0

• The OAuth 2.0 authorization protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

• It is an Authorization protocol

• Valet key concept

• Eliminate the need for web sites to ask for passwords when you are accessing to your information.

• The resource owner authorise a client to access to resources in a server

• Client can be web app, desktop/phone app, JS in browser

BRKUCC-2444 37


Why we need OAuth in Cisco collaboration products?

Jabber clients need to access to non-HTML services and Avoid overloading the IdP with SAML requests

• CUCM UDS

• CUCM CTI

• CUCM SIP

• IM&P SOAP

• IM&P XMPP

• UCxN VMRest

BRKUCC-2444 38


OAuth Tokens

OAuth Access Token: A token that authorizes a bearer to access a protected resource. An Access Token is issued by the Authorization service to an OAuth Client.

Access Tokens are typically issued to a particular user with a particular scope and with a specific expiry time.

OAuth Refresh Token: A token that an OAuth Client can use to request a new Access Token on expiry of an existing Access Token.

BRKUCC-2444 39


What an OAuth token might look like

{“clientType”:”Confidential”,

"redirectionURIs":["http://yourserver/oauth2client/authorizationcodeflow.do","http://yourserver/oauth2client/implicitflow.do","http://yourserver/oauth2client/token.do"],"name":“Jabark","description":“Jabark Client 20.0","scopes":[“IMP:readwrite",“CTI:read",“UDS:list"]"token_type":"Bearer","expires_in":5559,"access_token":"fd723a8e-c89f-4f6d-b8cf-e36dd6c87094““refresh_token":“d3456cda-4e2a-12b5-3356-23aefd36798a"}

BRKUCC-2444 40

http://yourserver/oauth2sampleclient/authorizationcodeflow.do

http://yourserver/oauth2sampleclient/implicitflow.do

http://yourserver/oauth2sampleclient/token.do

SSO in the Servers


Download SP Metadata

Go to IdP : Upload SP Metadata .

Configure IdP

Enable SSOBrowse and Upload IdPMetadata

Download cluster metadata

files

(if needed)

Test

What Needs to be Configured to enable SSO in our collaboration products

BRKUCC-2444 42


Single Cluster Agreement

Before 11.5 11.5 and after

CUCM & IM&P cluster

CUCM & IM&P cluster

CUCM & IM&P cluster

IdP

IdP

IdP

Cluster Wide

Mode

Per Node

ModePer Node

Mode


Single cluster agreement

To be able to choose the cluster wide mode, tomcat certificate need to be Multi-Server SAN

We need to have a single cert to be share with all the nodes for the SAML assertion

BRKUCC-2444 44



Depending on which option you choose you will get different files to retrieves the Cisco SAML metadata information.

BRKUCC-2444 45

Single Cluster Agreement

Per Node Agreement



When using Single cluster agreement the metadata will have the entityID of the CUCM publisher and will have multiple ACS URL’s.

Two index ACS per each node in the cluster, including each IM&P nodes.

SSO in the Clients


SAML & OAuth flow for achievingSSOwhen inside the corporate network

AuthzSSO

IdP

GET /sso/singleSignOn

Unified CMCisco Jabber

JabberHeadEmbedded

Browser

200 OK enable=“true” uri=‘<cucm fqdn>/authorise’

GET /sso/oauthcb

GET /authorise?.........

AuthZ needs to SAML Authenticate the User

302 Location <idp fqdn>/sso?samlrequest=…..

SAML GET

Authentication request

Authentication Provided

SAML POST with uid and IdP cookie

POST SAML Assertion

AuthZ Redirects with the access_token

302 Location <cucm fqdn>/sso/oauthcb#access_token and authz_cookie

UDS

200 OK with Javascript for token access

Access_token

GET /cucm-uds/api Provides OAuth Token

Validate Token

200 OK

200 OK UDS content

Client must pass OAuth ‘client_id’ and ‘response_type’

Authorise URL

BRKUCC-2444 48


Jabber Mobile

In the Mobile device we use the WebKit to do the Authentication for Jabber when SSO is enabled

Android http://developer.android.com/reference/android/webkit/WebView.html

iOS https://developer.apple.com/library/ios/documentation/Cocoa/Reference/WebKit/ObjC_classic/

BRKUCC-2444 49

http://developer.android.com/reference/android/webkit/WebView.html

https://developer.apple.com/library/ios/documentation/Cocoa/Reference/WebKit/ObjC_classic/


Jabber Mobile in iOSChallenge

• When the user is not actively using your Jabber, the system moves it to the background state.

• When the application is in the background, iOS may kill the application, to optimize the OS.

• Jabber use the keepalive timer from iOS to make sure that the app is restarted and doesn’t stop working.

Restart the Jabber, means that the IdP SAML cookie is lost ( session is lost ), and re-authentication needs to happen again.

BRKUCC-2444 50


Jabber Mobile in iOSSolution

To provide secure authN without user interaction with Jabber 11.5 we cache the IdP cookie.

Cached cookies are encrypted by a special key which generated each time jabber is installed.

After initial SSO authentication the user will not be prompt again for authentication, while the IdP cookie is valid.

BRKUCC-2444 51


Jabber Mobile in iOSChallenge

Customer would like to have some kind of device base authentication, this could be achieve by certificates or other authN mechanism that doesn’t involve user interaction.

• Apple does not allow WebKit to access the OS certificate store, so certificate base authentication will not work.

• Some MDM’s vendors allow to bundle a certificate with a specific apps, creating a wrapper around the app and the certificate, this is something that Cisco didn’t test and needs to be validated by the MDM vendor.

• There are some IdP that provide strong authentication that validates devices

BRKUCC-2444 52


Jabber Mobile in iOSSolution

Safari is an Apple application and has access to the has access certificate store.

iOS 9 introduced the SFSafariViewController, which greatly improved the user experience by allowing applications to embed Safari functions (instead of having to launch the full browser).

In Jabber 11.7 we allow the Safari cross launch, instead of using iOS webKit, but required Administrator “opt-in”

NOTE : Communications from Safari can be hijacked by rogue applications, posing a security risk (e.g., a rogue application can “steal” the Jabber protocol handler).

BRKUCC-2444 53


Jabber Mobile in AndroidSolution

In Android after version 5.0 ( Lollipop ), WebKit can access to the certificate store.

Any application in the mobile device that uses the WebKit has access to the certificate private key of the user, which means that any rogue app can impersonate the user to the servers.

There needs to be a protection in the device where only few enterprise applications has access to the user certificate ( usually deliver with an MDM )

BRKUCC-2444 54


Jabber Mobile in AndroidSolution

With version 11.5 of Jabber for android we cache the IdP cookie.

Jabber in Android application isn’t killed by the OS.

This means that after initial login ( installation time ) the user will not be prompt again for credentials.

BRKUCC-2444 55

SSO for Contact Center


SSO support for CCIncluded in 11.5

• CCE

• PCCE (Supervisor re-skill gadget)

• CCX (Agent and supervisor interfaces)

• Finesse(Agent and supervisor interfaces).

• Cisco Unified Intelligence Center – CUIC (Agent and

supervisor interfaces)

• SM(UQ interface)

• MediaSense (Search and Play gadget)

• OEMs (EIM/WIM, CCMP supervisor re-skill gadget)


IdS

A

P

I

Config

CIS

Proxy

SAML

SP

Oauth ServerDatastore

58BRKUCC-2444

Functional View

Server Libs

SSO

Valve/

Realm

IdS

A

P

I

Config

SAML SP

Oauth ServerDatastore

IdS

CC Servers


Server Hybrid Authentication

SSO

Valve/Realm

Local

authentication

CC Servers

User DB

Application

Authorization

Process

IdS

SSO process initiated or Local Authentication

Verifies credentials

In the same CC application server we

can have users that are SSO

enable and users that are

local authenticated withthe exception of CCX


How to deploy

CCX

IdS will be embedded in the server

HA for CCX

or PCCE

SSO valve in CCX/PCCE will know the location of the two IdS collocated with in CCX or CUIC/LD

UCCE

SSO valve will only know the address 2 IdS nodes

CCX

CCX

CUIC/LD or

Standalone

CUIC/LD or

StandalonePCCE

IdS

IdS

IdS

IdS

IdS

IdS


Cisco Contact Center Identity solution in 11.5Identity Server acts as the SP application

Directory

IdP

Corporate

Network

Finesse

LDAP

Oauth

SAML

Contact Center

Applications

IdS

SAML +

Oauth

BRKUCC-2444 61


SAML & OAuth flow for achievingSSO inFinesse with IdS

IdS Customer IdP

Access Service

Finesse

ServerFinesse User

Interface

Browser

Redirect to ids/oauth/v1/authorize?....

Get Finesse Service with OAuth Token

GET ids/oauth/v1/authorize?...

Redirect to ids/saml/login?...

SAML GET




POST SAML Assertion

Redirect Finess Service

OK with token Info

Give access to Resource

GET ids/saml/login?...

Redirect to idp/sso?SAMLRequest=XXXX..

Validates Assertion and create the SAML SP cookie, and OAuth token

Validates Token

BRKUCC-2444 62

Cisco Cloud Identity


WebEx SSO authentication for attendees

With WBS31 we can have SSO authentication even if the participant is not a WebEx host user, this will allow the conference attendees to know if the participants are you they say they are

If the SAML assertion provides

the attribute isattendeerole, and

depending if it is yes or no, the

user will be an host or an

attendee.

Attendees that successfully

provide SSO will showed as

validated


Common Identity Overview

Externalize authentication, authorization and identity access from individual applications and services

• RESTful APIs for Identities : User, Group, Machine, Organization

• Role based access control

• Service management and entitlement

• Centralized authentication for all sort of clients

• Standard based authorization using OAuth 2

• Standard based authentication using SAMLv2 or local credentials

Tight, simple & standardized integration with customer IdP

Single identity definition + service extensions

Directory synchronization from AD

BRKUCC-2444 65


Identity Stack

Identity Provisioning

Access

Management

Identity Store

SCIM : user, group, organization, machine

Directory Synchronization

JIT (*)

CSV import

Authentication

SSO

SAMLv2

Access Control

Service Entitlements

OAUTH 2.0

Storage

Identity Partition

Replication

* Future BRKUCC-2444 66


Cloud Identity Architecture

Cloud Services

HTTPS

Spark Message

WebEx Online

WebEx Train

CCA Portal

Spark Call

Messenger

Cisco

Cloud Services

Authorization (OAuth2)

Identity Store

RESTful API’s

Authentication (Local/SAMLv2)

Connector Service

EnterpriseCisco Cloud Common Identity

Directory

IdP

HTTPS / SCIM

OAuth

HTTPS / SAML *

* Legacy services Like WebExBRKUCC-2444 67


Directory Synchronization to cloud

Cisco Cloud

Products

Corporate

Network

DMZ Internet

Customer

Directory

IdP ProxyIdP

Directory Sync

Cisco

Collaboration

Applications

ExpressWay

Common

Identity

BRKUCC-2444 68


SAML & OAuth flow for achievingSSOwith Cisco Spark

OAuth

Spark

ServiceCustomer IdP

Access Service

Common IdentityCisco Spark

Spark

Thick Client

Embedded

Browser

Redirect to Authorization Service’

Provides SAML cookie and UID to OAuth Service

AuthZ URL

Redirect to the AuthN

SAML GET




POST SAML Assertion

Redirect to the Oauth Service with SAML cookie and UID of the user

Identity Broker

Send back OAuth Token

Access_token

Access to the Spark Service

Authz URL

AuthN Request

Provide IdP URL for SAML Exchange

Validates Assertion and create the SAML SP cookie

Verifies Entitlement and Scope for the user and generate OAuth Token

BRKUCC-2444 69

Conclusions and Key Takeways


Conclusions and key takeaways

With so many ways of deploying and consuming applications, your customer should understand that following standards is the only way to deliver identity services, inside and outside the organization and for any kind of device.

The need for security and compliance rules is a must today, and a consolidated identity solution for all the apps in their IT deployment, is the base to achieve that goal.

The easiest way of adopting cloud services is to have a consolidated Identity strategy.


Complete Your Online Session Evaluation

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.

• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.

72Presentation ID

CiscoLive.com/Online

http://ciscolive.com/Online

http://ciscolive.com/Online

http://ciscolive.com/us

http://ciscolive.com/us


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

73Presentation ID

Thank you

directories services and single sign-on for the cisco...

Documents