May 05, 2018


ADFS Setup for SAML SSO for UC 10.x

Introduction

=============

This document covers the installation and configuration of the software components that are essential for achieving a Single Sign-On (SSO) solution with Cisco Unified Communications Manager/Unity Connection 10.0 and above.

Author

======

A.M. Mahesh Babu

TAC Engineer –Unified Communications

Cisco Systems

Pre-requisites

=============

Windows 2008 R2 Server is installed, added to the domain and configured for networking and other basic services

References

=========

http://technet.microsoft.com/library/cc772128%28WS.10%29.aspx

1. Installing an SSL in Windows Server 2008

2. Click Start -> All Programs -> Administrative Tools -> Server Manager.

3. In the Server Manager window, scroll down to Roles Summary, and then click Add Roles. The Add Roles Wizard will start with a Before You Begin page.

4. Select Web Server (IIS) on the Select Server Roles page. An introductory page will open with links for further information.

Note: When you use the Add Roles Wizard to install IIS, you get the default installation, which has a minimum set of role services. If you need additional IIS role services, such as Application Development or Health and Diagnostics, make sure to select the check boxes associated with those features in the Select Role Services page of the wizard.

5. Select the IIS services to be installed on the Select Role Services page. Add only the modules necessary. In this case, ASP.NET is selected, and a description of ASP.NET appears in the right pane. Once desired modules are added, click Next.

6. Add any required role services

7. IIS is now installed with a default configuration for hosting ASP.NET on Windows Server. Click Close to complete the process.

2. Installing a self-signed SSL Certificate in Windows Server 2008 R2 (IIS 7.0)

1. Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.

2. Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.

3. In the Actions column on the right, click on Create Self-Signed Certificate...

4. Enter a name and then click OK.

5. You will now have an IIS self-signed certificate under Server Certificates. The certificate common name (Issued To) is the server name. Now we just need to bind the self-signed certificate to the IIS site.

Binding the Self Signed Certificate

1. In the Connections column on the left, expand the sites folder and click on the website that you want to bind the certificate to. Click on Bindings... in the right column.

2. Click on the Add... button.

3. Change the Type to https and then select the SSL certificate that you just installed. Click OK.

4. You will now see the binding for port 443 listed. Click Close.

ADFS Installation

1. Download the ADFS 2.0 from:

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=118c3588-9070-426a-b655-6cec0a92c10b&displaylang=en

2. When you launch the install program, click Next.

3. Accept the license and click Next.

4. On the Server Role screen, choose Federation Server and click Next.

5. The wizard will automatically install the required prerequisites. Click Next to begin the installation.

1. When the installation is complete, click the Finish button

2. ADFS configuration

1. To launch the AD FS configuration wizard, go into Administrative Tools and click on AD FS 2.0 Management.

2. When the AD FS Management Console opens, click the AD FS 2.0 Federation Server Configuration Wizard link.

3. Select the option to Create a new Federation Service

4. On the next screen select New federation server farm. Choose this option unless you are absolutely sure you’ll never be installing a second AD FS server. It gives you more options down the road if you want to add redundancy.

5. On the Federation Service name screen, the SSL certificate and Federation Service name are taken from the self-signed certificate created above [Section need to add here]. Then click Next.

6. You must then specify a Service Account in Active Directory that will be used by AD FS.

7. Click on Browse Button

8. Click on Advanced Button, then click on Find Now button

9. Select Administrator, then click on OK button

10. In Specify Service Account, enter the password, then click on Next button

11. Click on Next button

12. On the Summary screen, review the changes that will be made and click Next to begin the configuration

13. When the installation is complete, click Close.

3. SAML SSO configuration and Adding Relying Party Trust

1. Launch ADFS 2.0 from menu Programs

2. Select Add Relying Party Trust

3. Click on Start button

4. Select option “Import data about the relying party from a file” and choose the “sp” metadata file from desktop which you downloaded from Call Manager. Then, click on Next…

Note: You need to download the SP metadata from Call Manager, from the System -> Single Sign On page. You can download it while enabling SAML SSO.

5. Enter Display name and Click on Next…

6. Choose “Permit All Users to access this relying party” then click on Next….

7. Review the setting and click on Next…

8. Click on Close, and ensure the check box to add the claim rules is enabled.

9. Click on Add Rule…

10. Click on Next button with default Claim Rule template “Send LDAP Attributes as Claims”

11. In Configure Rule, enter the Claim Rule name, select Attribute store as “Active Directory” and then configure LDAP Attribute and Outgoing Claim Types. Click on Finish …

Note: “uid” should be in lowercase letters.

12. Click on Add Rule to create one custom rule

13. Click on Next

Copy this custom rule and modify the ADFS and CUCM details (highlighted values)

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer,
          OriginalIssuer = c.OriginalIssuer,
          Value = c.Value,
          ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http:///adfs.lab.in/com/adfs/services/trust",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "CUCM-PUB-10.lab.in");

14. Click on Finish button

15. Click on Apply followed by OK….

16. Restart the ADFS 2.0 service from Services.

(Steps 1 to 16 have to be followed again if you are adding Unity Connection for SAML SSO)

1. To download the IdP metadata, open the link below in a browser on the ADFS server

https://<localhost IP>/FederationMetadata/2007-06/FederationMetadata.xml

2. To verify the connection between AD and ADFS, open the link below

https://<fqdn>/adfs/ls/IdpInitiatedSignon.aspx
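
Before the downloaded IdP metadata is imported, it is worth checking it offline together with the SP metadata and the custom claim rule. The following is an added example, not part of the original document or of Cisco or Microsoft tooling: it lists the endpoints and the SHA-256 fingerprint of each signing certificate in a metadata file, and flags non-HTTPS endpoints and an spnamequalifier that differs from the SP entityID. The function names, host names and sample inputs are hypothetical and constructed, and the rule that spnamequalifier must equal the SP entityID (case included) is an assumption.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
QUAL_RE = re.compile(r'claimproperties/(namequalifier|spnamequalifier)"\]\s*=\s*"([^"]*)"')

def inspect_metadata(xml_text):
    """Summarise a SAML 2.0 metadata file (IdP or SP) for manual review."""
    if "<!DOCTYPE" in xml_text:  # metadata needs no DTD; refuse entity tricks
        raise ValueError("DOCTYPE not allowed in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    info = {"entity_id": root.get("entityID"), "endpoints": [], "signing_sha256": []}
    for role, service in (("IDPSSODescriptor", "SingleSignOnService"),
                          ("SPSSODescriptor", "AssertionConsumerService")):
        for desc in root.findall(MD + role):
            info["endpoints"] += [e.get("Location") for e in desc.findall(MD + service)]
            for kd in desc.findall(MD + "KeyDescriptor"):
                if kd.get("use") in (None, "signing"):  # no "use" means any purpose
                    for cert in kd.iter(DS + "X509Certificate"):
                        der = base64.b64decode("".join(cert.text.split()))
                        info["signing_sha256"].append(hashlib.sha256(der).hexdigest())
    return info

def review(idp_xml, sp_xml, rule_text):
    """Return findings to resolve before importing the metadata."""
    idp, sp = inspect_metadata(idp_xml), inspect_metadata(sp_xml)
    quals = dict(QUAL_RE.findall(rule_text))
    findings = [f"non-HTTPS endpoint: {u}" for u in idp["endpoints"] + sp["endpoints"]
                if not u.lower().startswith("https://")]
    # Assumption: spnamequalifier must equal the SP entityID, case included.
    if quals.get("spnamequalifier") != sp["entity_id"]:
        findings.append("spnamequalifier %r != SP entityID %r" % (quals.get("spnamequalifier"), sp["entity_id"]))
    return findings

# Constructed sample inputs: hypothetical hosts, placeholder bytes instead of a real certificate.
CERT = base64.b64encode(b"constructed placeholder").decode()
IDP_XML = ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
           'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://adfs.example.test/adfs/services/trust">'
           '<IDPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
           + CERT + '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>'
           '<SingleSignOnService Location="https://adfs.example.test/adfs/ls/"/></IDPSSODescriptor></EntityDescriptor>')
SP_XML = ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="cucm-pub.example.test">'
          '<SPSSODescriptor><AssertionConsumerService Location="https://cucm-pub.example.test/acs"/>'
          '</SPSSODescriptor></EntityDescriptor>')
RULE = ('Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/'
        'spnamequalifier"] = "CUCM-PUB.example.test"')
```

Compare the reported fingerprint with the thumbprint of the token-signing certificate shown on the ADFS server itself, over a channel other than the one the metadata arrived on.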