directories services and single sign-on for the cisco...
TRANSCRIPT
Directories Services and Single Sign-On for the Cisco Collaboration Solution
Paulo Jorge Correia
BRKUCC-2444
• Identity Challenges and Market Analysis
• SSO Technologies and protocol Deep Dive
• SAML Protocol
• SAMLv2 requirements to interwork with Cisco Collaboration Products
• OAuth Protocol
• SSO in the Servers
• SSO in the Clients
• Cisco Cloud Identity
• System Architecture
• Conclusions and Key Takeaways
Agenda
Identity Challenges and Market Analysis
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 5BRKUCC-2444
Identity is a Growing Concern
Viruses1990–2000
Worms2000–2005
Spyware and Rootkits2005–Today
APTs, Botnets, Advanced MalwareToday +
20001990 1995 2005 2010 2015 2020
“2013 – Year of the MegaBreach”2014 Symantec Internet Security Report
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 6BRKUCC-2444
Top 10 breaches
Source
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Username and passwords are no match for today’s sophisticated hackers
Solution is easy to deploy and easy to use… ensuring user adoption
Strong Authentication strengthens identity and access security by combining two
or more identifiable elements
Need For Strong Authentication Additional identification steps significantly increases security
Something you
HAVE Something you
KNOW Something you
ARE
BRKUCC-2444 7
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Authentication for mobile devices
Mobile devices because of their restricted input methods present a
challenge to the user authentication
Mobile devices specially those ones that aren’t fully managed by the
IT organization of a company, require stronger authentication
mechanism
Mobile device run operating systems that have bigger limitation than
the normal laptop/desktops OS’s
BRKUCC-2444 8
SSO Technologies and protocol Deep Dive
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IdP – Identity
ProviderRP – Relying
Party
Users
Explicit Initial Trust
Agreement
Identity Framework
BRKUCC-2444 10
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Single Sign-On DefinitionSingle Sign-On (SSO) is a session/user authentication process that permits a user to provide credentials only once in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications during a particular session.
With SSO the barriers for deploying stronger authentication is much lower.
BRKUCC-2444 11
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Role of Identity Providers (IdP)
Validate who you are?
• Review personally identifying information to prove you are who you say you are (identity proofing), such as drivers license, passport, or biometric data
• Assign attributes [(name, role, email address] in the identity management system.
Validate and transact authentication requests?
• Verifying that the person seeking access toa resource is the one previously identified and approved by utilizing some form of authentication system, often a username and password.
BRKUCC-2444 12
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Which IdP Does Cisco Supports ?
Cisco supports any IdP vendor that is compliant with the SAMLv2 Oasis Standard.
Internally in our development test cycles, we test our products against selected authentication methods of the follow IdP’s : Microsoft Active Directory Federation Services (ADFS) 2.0
Open Access Manager (OpenAM) 11.0
PingFederate 6.10.0.4
BRKUCC-2444 13
SAMLv2 Protocol
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Firefox is your friend!Firefox allow you to have an add-on that can decode SAML called SAML tracer
It allow you to get the flow of your SSO interaction and also decodes SAML
BRKUCC-2444 15
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML 2.0 FlowTrust Agreement
RP Relying Party
Ex: WebEx
IdP Identity
Provider
Metadata Exchange
BRKUCC-2444 16
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML 2.0 FlowResource Request
RP Relying Party
Ex: CUCM
IdP Identity
Provider
1. Resource Request
1
BRKUCC-2444 17
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML 2.0 FlowRedirect with Authentication Request
RP Relying Party
Ex: CUCM
IdP Identity
Provider
2. Redirect with SAML
authentication request
3.GET with SAML
authentication request
3
2
BRKUCC-2444 18
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML 2.0 FlowRedirect with Authentication Request
3
BRKUCC-2444 19
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML 2.0 FlowIdentify the User
RP Relying Party
Ex: CUCM
IdP Identity
Provider5. Provide credentials
4. Challenge the client for
credentials
• The mechanism for challenge the users is something broader than just collaboration, it should comply to the security policy for the application in the organisation
• Any authentication mechanism, single or multi factor, supported by the IdP will be supported by the collaboration applications
4 5
BRKUCC-2444 20
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML 2.0 FlowPost a Signed Response
RP Relying Party
Ex: CUCM
IdP Identity
Provider
7. POST signed response
6. Signed response in hiden HTML form
( this includes any attributes that are contracted )
7
BRKUCC-2444 21
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML Cookies to Prevent Re-authentication
RP Relying Party
Ex: CUCM
IdP Identity
Provider
BRKUCC-2444 22
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 23BRKUCC-2444
SAML Cookies to Prevent Re-authentication
IdP Cookie -> our recommendation for the Session Timer is 48 hours
But most of the IdP’s issue session base cookies
Service Cookie -> Our recommendation for the Session Timer is 30 minutes
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML 2.0 Cookies to Prevent Re-authentication
RP Relying Party
Ex: CUCM
IdP Identity
Provider
2. Redirect with SAML
authentication request
7. POST signed response
3.GET with SAML
authentication request
with IdP Cookie
24
6. Signed response in hiden HTML form
( this includes any attributes that are contracted )
8. Supply resource
with new cookie
1. Resource Request with
Service Cookie
Cookie checked but
timer already expired
Cookie checked and
timer still valid
BRKUCC-2444 24
SAMLv2 Requirements to Interwork with Cisco Collaboration Products
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML requirements SAML SP Initiated flow
We only support SP initiated flow in our products on premises and new generation cloud product behind Common Identity ( CI )
WebEx Messenger and MC also support IdP initiated but we always recommend SP Initiated.
BRKUCC-2444 26
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML requirementsNameId-format
All the on premises products use transient, the IdP need to be able to deliver it,
which means that the attribute provided in the NameID will be ignored
WebEx Messenger and MC supports multiple NameID-format, but we recommend the usage of
unspecified, who will need to provide the WebEx UserID in the nameID
Common Identity for Spark uses both NameID-format unspecified or transient, customers can
pick which one they want
BRKUCC-2444 27
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML requirements Binding mechanism
For all our products we need HTTP-POST and HTTP-redirect configured in the IdP for the SSO exchange to work.
Most of the IdP don’t give options to specify which binding mechanisms are allowed, they allow all.
Some IdP’s, like PingFederate, the administrator has an option to configure which ones to pick, and both need to be selected.
BRKUCC-2444 28
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML requirements Certificates for the SAML assertion
We need that the IdP provides the certificates used for the SAML exchange in the metadata
• Signing
• Encryption ( if requested by the IdP )
BRKUCC-2444 29
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML requirements Certificate requirements for CI
There are two possible ways of validating the metadata from the Customer IdP
• Customer IdP provides a signature in the metadata that is sign by a Public Certificate ( we support 45 public IdP’s )
• Customer IdP doesn’t provide signature for their metadata ( less secure )
BRKUCC-2444 30
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML requirements Audience restriction for CI
For Cisco Cloud Common Identity, we need to make sure that the POST back message to CI has the correct Audience Restriction, where you should have the Org ID after the URL of CI
BRKUCC-2444 31
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML requirementsAttributes for CI
For Cisco Cloud Common Identity, we need to receive two attributes ( uid and mail ) in the assertion
BRKUCC-2444 32
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML requirements Attributes for on premises products
For on premises products, we need to receive uid attribute in the assertion, and that attribute needs to match the user UserID in the on premises products.
Since the IdP should get the user attributes from the same source as the on premises products we mandate that the users are LDAP Synchronized
BRKUCC-2444 33
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML requirements Attributes for JIT for WebEx Messenger and MC
SAML protocol allows for provision if the users don’t exist yet in the SP user database.
To achieve that extra attributes needs to be provided in the assertion ( email, firstname, lastname, uid, updateTimeStamp )
BRKUCC-2444 34
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML requirements Multiple ACS URL’s
For Single cluster agreement in the on premises products after version 11.5.
To allow a single agreement in the IdP for each CUCM and IM&P cluster we improve our SAML support and provide multiple Assertion Consumer URL to point to each node of a cluster.
This requires that the IdP support multiple ACS URL’s
BRKUCC-2444 35
OAuth Protocol
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
OAuth 2.0
• The OAuth 2.0 authorization protocol enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
• It is an Authorization protocol
• Valet key concept
• Eliminate the need for web sites to ask for passwords when you are accessing to your information.
• The resource owner authorise a client to access to resources in a server
• Client can be web app, desktop/phone app, JS in browser
BRKUCC-2444 37
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Why we need OAuth in Cisco collaboration products?
Jabber clients need to access to non-HTML services and Avoid overloading the IdP with SAML requests
• CUCM UDS
• CUCM CTI
• CUCM SIP
• IM&P SOAP
• IM&P XMPP
• UCxN VMRest
BRKUCC-2444 38
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
OAuth Tokens
OAuth Access Token: A token that authorizes a bearer to access a protected resource. An Access Token is issued by the Authorization service to an OAuth Client.
Access Tokens are typically issued to a particular user with a particular scope and with a specific expiry time.
OAuth Refresh Token: A token that an OAuth Client can use to request a new Access Token on expiry of an existing Access Token.
BRKUCC-2444 39
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
What an OAuth token might look like
{“clientType”:”Confidential”,
"redirectionURIs":["http://yourserver/oauth2client/authorizationcodeflow.do","http://yourserver/oauth2client/implicitflow.do","http://yourserver/oauth2client/token.do"],"name":“Jabark","description":“Jabark Client 20.0","scopes":[“IMP:readwrite",“CTI:read",“UDS:list"]"token_type":"Bearer","expires_in":5559,"access_token":"fd723a8e-c89f-4f6d-b8cf-e36dd6c87094““refresh_token":“d3456cda-4e2a-12b5-3356-23aefd36798a"}
BRKUCC-2444 40
SSO in the Servers
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Download SP Metadata
Go to IdP : Upload SP Metadata .
Configure IdP
Enable SSOBrowse and Upload IdPMetadata
Download cluster metadata
files
(if needed)
Test
What Needs to be Configured to enable SSO in our collaboration products
BRKUCC-2444 42
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 43BRKUCC-2444
Single Cluster Agreement
Before 11.5 11.5 and after
CUCM & IM&P cluster
CUCM & IM&P cluster
CUCM & IM&P cluster
IdP
IdP
IdP
Cluster Wide
Mode
Per Node
ModePer Node
Mode
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Single cluster agreement
To be able to choose the cluster wide mode, tomcat certificate need to be Multi-Server SAN
We need to have a single cert to be share with all the nodes for the SAML assertion
BRKUCC-2444 44
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Single cluster agreement
Depending on which option you choose you will get different files to retrieves the Cisco SAML metadata information.
BRKUCC-2444 45
Single Cluster Agreement
Per Node Agreement
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 46BRKUCC-2444
Single cluster agreement
When using Single cluster agreement the metadata will have the entityID of the CUCM publisher and will have multiple ACS URL’s.
Two index ACS per each node in the cluster, including each IM&P nodes.
SSO in the Clients
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML & OAuth flow for achievingSSOwhen inside the corporate network
AuthzSSO
IdP
GET /sso/singleSignOn
Unified CMCisco Jabber
JabberHeadEmbedded
Browser
200 OK enable=“true” uri=‘<cucm fqdn>/authorise’
GET /sso/oauthcb
GET /authorise?.........
AuthZ needs to SAML Authenticate the User
302 Location <idp fqdn>/sso?samlrequest=…..
SAML GET
Authentication request
Authentication Provided
SAML POST with uid and IdP cookie
POST SAML Assertion
AuthZ Redirects with the access_token
302 Location <cucm fqdn>/sso/oauthcb#access_token and authz_cookie
UDS
200 OK with Javascript for token access
Access_token
GET /cucm-uds/api Provides OAuth Token
Validate Token
200 OK
200 OK UDS content
Client must pass OAuth ‘client_id’ and ‘response_type’
Authorise URL
BRKUCC-2444 48
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Jabber Mobile
In the Mobile device we use the WebKit to do the Authentication for Jabber when SSO is enabled
Android http://developer.android.com/reference/android/webkit/WebView.html
iOS https://developer.apple.com/library/ios/documentation/Cocoa/Reference/WebKit/ObjC_classic/
BRKUCC-2444 49
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Jabber Mobile in iOSChallenge
• When the user is not actively using your Jabber, the system moves it to the background state.
• When the application is in the background, iOS may kill the application, to optimize the OS.
• Jabber use the keepalive timer from iOS to make sure that the app is restarted and doesn’t stop working.
Restart the Jabber, means that the IdP SAML cookie is lost ( session is lost ), and re-authentication needs to happen again.
BRKUCC-2444 50
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Jabber Mobile in iOSSolution
To provide secure authN without user interaction with Jabber 11.5 we cache the IdP cookie.
Cached cookies are encrypted by a special key which generated each time jabber is installed.
After initial SSO authentication the user will not be prompt again for authentication, while the IdP cookie is valid.
BRKUCC-2444 51
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Jabber Mobile in iOSChallenge
Customer would like to have some kind of device base authentication, this could be achieve by certificates or other authN mechanism that doesn’t involve user interaction.
• Apple does not allow WebKit to access the OS certificate store, so certificate base authentication will not work.
• Some MDM’s vendors allow to bundle a certificate with a specific apps, creating a wrapper around the app and the certificate, this is something that Cisco didn’t test and needs to be validated by the MDM vendor.
• There are some IdP that provide strong authentication that validates devices
BRKUCC-2444 52
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Jabber Mobile in iOSSolution
Safari is an Apple application and has access to the has access certificate store.
iOS 9 introduced the SFSafariViewController, which greatly improved the user experience by allowing applications to embed Safari functions (instead of having to launch the full browser).
In Jabber 11.7 we allow the Safari cross launch, instead of using iOS webKit, but required Administrator “opt-in”
NOTE : Communications from Safari can be hijacked by rogue applications, posing a security risk (e.g., a rogue application can “steal” the Jabber protocol handler).
BRKUCC-2444 53
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Jabber Mobile in AndroidSolution
In Android after version 5.0 ( Lollipop ), WebKit can access to the certificate store.
Any application in the mobile device that uses the WebKit has access to the certificate private key of the user, which means that any rogue app can impersonate the user to the servers.
There needs to be a protection in the device where only few enterprise applications has access to the user certificate ( usually deliver with an MDM )
BRKUCC-2444 54
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Jabber Mobile in AndroidSolution
With version 11.5 of Jabber for android we cache the IdP cookie.
Jabber in Android application isn’t killed by the OS.
This means that after initial login ( installation time ) the user will not be prompt again for credentials.
BRKUCC-2444 55
SSO for Contact Center
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 57BRKUCC-2444
SSO support for CCIncluded in 11.5
• CCE
• PCCE (Supervisor re-skill gadget)
• CCX (Agent and supervisor interfaces)
• Finesse(Agent and supervisor interfaces).
• Cisco Unified Intelligence Center – CUIC (Agent and
supervisor interfaces)
• SM(UQ interface)
• MediaSense (Search and Play gadget)
• OEMs (EIM/WIM, CCMP supervisor re-skill gadget)
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
IdS
A
P
I
Config
CIS
Proxy
SAML
SP
Oauth ServerDatastore
58BRKUCC-2444
Functional View
Server Libs
SSO
Valve/
Realm
IdS
A
P
I
Config
SAML SP
Oauth ServerDatastore
IdS
CC Servers
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 59BRKUCC-2444
Server Hybrid Authentication
SSO
Valve/Realm
Local
authentication
CC Servers
User DB
Application
Authorization
Process
IdS
SSO process initiated or Local Authentication
Verifies credentials
In the same CC application server we
can have users that are SSO
enable and users that are
local authenticated withthe exception of CCX
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 60BRKUCC-2444
How to deploy
CCX
IdS will be embedded in the server
HA for CCX
or PCCE
SSO valve in CCX/PCCE will know the location of the two IdS collocated with in CCX or CUIC/LD
UCCE
SSO valve will only know the address 2 IdS nodes
CCX
CCX
CUIC/LD or
Standalone
CUIC/LD or
StandalonePCCE
IdS
IdS
IdS
IdS
IdS
IdS
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Contact Center Identity solution in 11.5Identity Server acts as the SP application
Directory
IdP
Corporate
Network
Finesse
LDAP
Oauth
SAML
Contact Center
Applications
IdS
SAML +
Oauth
BRKUCC-2444 61
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML & OAuth flow for achievingSSO inFinesse with IdS
IdS Customer IdP
Access Service
Finesse
ServerFinesse User
Interface
Browser
Redirect to ids/oauth/v1/authorize?....
Get Finesse Service with OAuth Token
GET ids/oauth/v1/authorize?...
Redirect to ids/saml/login?...
SAML GET
Authentication request
Authentication Provided
SAML POST with uid and IdP cookie
POST SAML Assertion
Redirect Finess Service
OK with token Info
Give access to Resource
GET ids/saml/login?...
Redirect to idp/sso?SAMLRequest=XXXX..
Validates Assertion and create the SAML SP cookie, and OAuth token
Validates Token
BRKUCC-2444 62
Cisco Cloud Identity
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
WebEx SSO authentication for attendees
With WBS31 we can have SSO authentication even if the participant is not a WebEx host user, this will allow the conference attendees to know if the participants are you they say they are
If the SAML assertion provides
the attribute isattendeerole, and
depending if it is yes or no, the
user will be an host or an
attendee.
Attendees that successfully
provide SSO will showed as
validated
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Common Identity Overview
Externalize authentication, authorization and identity access from individual applications and services
• RESTful APIs for Identities : User, Group, Machine, Organization
• Role based access control
• Service management and entitlement
• Centralized authentication for all sort of clients
• Standard based authorization using OAuth 2
• Standard based authentication using SAMLv2 or local credentials
Tight, simple & standardized integration with customer IdP
Single identity definition + service extensions
Directory synchronization from AD
BRKUCC-2444 65
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Identity Stack
Identity Provisioning
Access
Management
Identity Store
SCIM : user, group, organization, machine
Directory Synchronization
JIT (*)
CSV import
Authentication
SSO
SAMLv2
Access Control
Service Entitlements
OAUTH 2.0
Storage
Identity Partition
Replication
* Future BRKUCC-2444 66
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cloud Identity Architecture
Cloud Services
HTTPS
Spark Message
WebEx Online
WebEx Train
CCA Portal
Spark Call
Messenger
Cisco
Cloud Services
Authorization (OAuth2)
Identity Store
RESTful API’s
Authentication (Local/SAMLv2)
Connector Service
EnterpriseCisco Cloud Common Identity
Directory
IdP
HTTPS / SCIM
OAuth
HTTPS / SAML *
* Legacy services Like WebExBRKUCC-2444 67
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Directory Synchronization to cloud
Cisco Cloud
Products
Corporate
Network
DMZ Internet
Customer
Directory
IdP ProxyIdP
Directory Sync
Cisco
Collaboration
Applications
ExpressWay
Common
Identity
BRKUCC-2444 68
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
SAML & OAuth flow for achievingSSOwith Cisco Spark
OAuth
Spark
ServiceCustomer IdP
Access Service
Common IdentityCisco Spark
Spark
Thick Client
Embedded
Browser
Redirect to Authorization Service’
Provides SAML cookie and UID to OAuth Service
AuthZ URL
Redirect to the AuthN
SAML GET
Authentication request
Authentication Provided
SAML POST with uid and IdP cookie
POST SAML Assertion
Redirect to the Oauth Service with SAML cookie and UID of the user
Identity Broker
Send back OAuth Token
Access_token
Access to the Spark Service
Authz URL
AuthN Request
Provide IdP URL for SAML Exchange
Validates Assertion and create the SAML SP cookie
Verifies Entitlement and Scope for the user and generate OAuth Token
BRKUCC-2444 69
Conclusions and Key Takeways
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public 71BRKUCC-2444
Conclusions and key takeaways
With so many ways of deploying and consuming applications, your customer should understand that following standards is the only way to deliver identity services, inside and outside the organization and for any kind of device.
The need for security and compliance rules is a must today, and a consolidated identity solution for all the apps in their IT deployment, is the base to achieve that goal.
The easiest way of adopting cloud services is to have a consolidated Identity strategy.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys through the Cisco Live mobile app or from the Session Catalog on CiscoLive.com/us.
72Presentation ID
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Public
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Lunch & Learn
• Meet the Engineer 1:1 meetings
• Related sessions
73Presentation ID
Thank you