Otomo End User SSO - TOI March 2014

© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1

OtomoEnd User SSO - TOI

March 2014

Otomo 10.5 – End User SSO Support

Presenter – Aastha Wal (aawal)

© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 2

Table of Contents

Abbreviations

Added Functionality in current release

OAuth API/Endpoints

Jabber- CUC SSO Flow

Enterprise parameters

OAuth token expiry

Counters

CLI command to set trace Level

Collect Logs from RTMT

Troubleshooting tips

© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 3

Abbreviations

CUC : Cisco Unity Connection

IDP : Identity Provider

OAuth : Authorization protocol / framework

SAML : Security Assertion Markup Language

SP : Service Provider

SSO : Single Sign On

SSOSP : CUC specific SP implementation

RTMT : Real Time Monitoring Tool

© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 4

Added Functionality in current release

Oz 10.0

SAML SSO, only Web Applications single sign on was possible.

CUC Admin

CUC Client Web Applications: - CiscoPCA

- Web-Inbox

- Mini-inbox

Otomo 10.5

In addition to features present in 10.0, this release has:

SAML enabled for CUC Serviceability

OAuth token based access to services like:

- VMRest (on Unity Connection)

© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 5

OAuth API / Endpoints

© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 6

© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 7

Enterprise Parameters

There would be two new Enterprise level parameters specific to OAuth.

1)Enterprise parameter to set OAuth token expiry time in minutes.

2)Enterprise parameter to set a redirect URL for third party client. (no default value)

Once the administrator changes the timer, SSOSP web application pick up the new value instantaneously without having to restart Tomcat or SSOSP web application

Note: Clicking on Enterprise parameter gives the description about the parameter.

© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 8

OAuth Token Expiry Settings in CUC

© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 9

OAuth token expiry

The Authorization service /validate endpoint will return a HTTP 400 Bad Request for an expired token

© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 10

Counters

Two new counters introduced to track the number of failed/invalid SAML Requests/Responses

SAML_FAILED_REQUESTS

SAML_FAILED_RESPONSES

In case of a failed SAML request or a failed response counters will be incremented (like if request/response has some mandatory field missing etc. )

OAuth tokens are tracked by the following counters:

OAUTH_TOKENS_ISSUED

OAUTH_TOKENS_ACTIVE

OAUTH_TOKENS_VALIDATED

OAUTH_TOKENS_EXPIRED

OAUTH_TOKENS_REVOKED CLI command to get counter values:

show perf query class "SAML SSO"

© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 11

Counters

© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 12

CLI Command to Set Trace Level

Log level can be changed using the following CLI commands:

set samltrace level DEBUG

set samltrace level INFO (default)

set samltrace level WARNING

set samltrace level ERROR

set samltrace level FATAL 

Note: They are used for troubleshooting, DEBUG mode is best for troubleshooting

© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 13© 2005, Cisco Systems, Inc. Company Confidential© 2005, Cisco Systems, Inc. Company Confidential

Collect Logs from RTMT

Following log files can be collected from RTMT:

• ssosp.log: ssospxxxxx.log

• security.log: securityxxxxx.log

• Tomcat access: localhost_access_log.txt

Below are the steps to follow on RTMT

• Login to RTMT

• Goto: System Tools Trace Trace & Log Central

• For ssosp logs: Click on Collect files click next select Cisco SSO finish

• For security logs: Click on collect files click next select Cisco Tomcat Security finish

• For Tomcat access logs: Click on collect files click next select Cisco Tomcat finish

Log files will be downloaded <Path will be mentioned on the screen>

© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 14

Troubleshooting tips

Logs Location

OAuth endpoint logs: On all the nodes in the cluster

/var/log/active/tomcat/logs/ssosp/log4j/ssosp*

IMS: On all the nodes in the cluster

/var/log/active/tomcat/logs/security/log4j/security*

CUC Tomcat access logs:

/var/log/active/tomcat/logs/localhost_access_log.txt

© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 15

Troubleshooting tips for CUC cont..

Problem Description

1. VMRest API throws 401 response error

Solution

1. Check if OAuth Token has expired

2. Check if OAuth Token is no longer valid

-If the Tomcat service is restarted then all previous tokens are no longer valid and the client have to request for a new token.

- If the publisher server of Unity Connection cluster went down then the token generated on the publisher server becomes invalid, and clients have to request the subscriber to generate a new token.

© 2008 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 16