Having a functional SAML SSO product in place is important before attempting to connect any Cisco collaboration applications to it. I’m focusing on Microsoft ADFS because it seems to be the current go-to product for Microsoft centric organizations.
You need to collect and check your federation metadata file before starting any Unity Connection configuration. This file gives you the value you need to configure the custom claim rule on ADFS. You can download the file from https://adfs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml
Open this file and get your entityID and in my configuration this looks like https://adfs.domain.com/adfs/services/trust
Go ahead and collect the file from Unity Connection on the SAML SSO configuration page by clicking “Export All Metadata”. You’ll need this file available to your ADFS management application so copy it to your server.
Now we have everything we need and it’s time to configure ADFS and Unity Connection.
- Open the ADFS Management application
- Select Add Relying Party Trust.
- From Add Relying Party Trust Wizard Welcome page, click Start.
- From the Select Data Source screen, click the Import data about the relying party from a file radio button and browse to the Fedlet metadata XML file which you downloaded from the SAML Single Sign-on configuration pages. Click Next.
- From the Specify Display Name screen, enter a name in the Display name field. Click Next.
- From the Choose Issuance Authorization Rules screen, choose Permit All Users to access this relying party. Click Next.
- Review the settings on the Ready to Add trust screen. Click Next.
- To add the Claim Rules, from the Finish screen, check the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box. Click Close.
- From the Edit Claim Rules screen, click Add Rule.
- Select the default Claim Rule template Send LDAP Attributes as Claims. Click Next.
- From the Configure Claim Rule screen, enter a claim rule name (Example: “Send uid attribute”) in the Configure rule name field.
- From the Attribute store drop-down list, choose Active Directory.
- From the LDAP Attribute drop-down list, choose the attribute in the directory that the Cisco Unified Communications application end users are synchronized with (typically “sAMAccountName” or “userPrincipalName”).
- From the Outgoing Claim Type drop-down list, enter “uid”. Note: “uid” will not appear in the list of drop-down items, you must manually enter it.
- Click Finish.
- To add a second rule, click Add Rule.
- From the Claim rule template drop-down list, select Send Claims Using a Custom Rule.
- In Claim rule name field, enter a name (Example: “Send additional attributes”).
- See the next paragraph and code and after pasting click OK and Apply.
So now you can paste your custom claim rule to this ADFS text input box. There is a bit of an issue copy and pasting this correctly from the Cisco documentation and the fact it’s plain wrong in Cisco documentation. Note the two modifications below for entityID and FQDN for Unity Connection on the last line. You should be able to copy below, modify two lines and be able to paste into ADFS management.
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "https://adfs.domain.com/adfs/services/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "unityconnection.domain.com");
Now that all of this has been done you can configure Unity Connection by clicking Enable SAML SSO and following the dialogs. Once you enable SAML SSO obviously you’ll need LDAP users synchronized with administrative privileges on the Unity Connection server. The recovery URL will be available on the start web page just in case ADFS is not functioning.
If everything is working click “Run SSO Test…” and select your administrator account that is synchronized via LDAP. If the redirect works and your browser automatically signs into ADFS you’ll get the wonderful pop-up below.