Cisco Unified MeetingPlace, Release 7.0 -- How to Configure Trust External Authentication
Trust External Authentication represents a broad range of enterprise security software that provides functions like authentication, resource access authorization, Single Sign On (SSO), and intrusion detection. Typically, this software protects your Web Server by installing a DLL plug-in into the Web Server service, for example IIS. This DLL plug-in, also called an ISAPI filter, intercepts user login credentials and passes them to a corporate authentication and authorization server. The software must be able to output user IDs in the HTTP header so that they can be passed to Cisco Unified MeetingPlace for authentication.
Note: Users cannot log in to Cisco Unified MeetingPlace as guests after you have configured this authentication mode.
Terms for Single Sign On Software Integration
Customer Premise Equipment (CPE) customers who implement SSO software integrations on their Cisco Unified MeetingPlace Web Servers do so at their own risk and are responsible for understanding the technical implementations and feasibility of SSO integrations on their systems.
By allowing SSO software integrations, we do not claim support for any SSO software packages or vendors.
Using SSO software integrations requires proper configuration of Cisco Unified MeetingPlace Web Conferencing systems through the Admin pages. If your SSO software integration requires a change in the Web Conferencing product source code, your SSO integration becomes an SSO customization, and we do not support customizations by either customers or any other parties.
Any CPE customers who want to integrate SSO packages can contact Cisco Managed Services to obtain a Service Request to implement SSO. This service is offered as a convenience and does not change the scope of the SSO integration: this service is an integration and configuration of the Web Conferencing product, not a customization of the product code.
Customers must first implement SSO software integrations on test or lab servers and verify that the integrated systems work, including Web Conferencing features and operations.
Customers are responsible for ensuring stability of integrated Web Conferencing-SSO systems, including communicating with SSO software vendors for the following reasons:
- To obtain necessary fixes and support
- To troubleshoot functional problems and technical problems, including crashes triggered by the SSO package
Many SSO software products include a web-server extension, called the IIS ISAPI extension or filter. Web Conferencing installs and uses four IIS extensions. Any incompatibility between an SSO software extension and the Web Conferencing extensions can make IIS non-functional or unstable. Any crash of the SSO IIS extension can cause IIS to crash and can generate a full Web Conferencing outage, resulting in a full system restart, ending of in-progress meetings, and disconnecting of Web Conferencing users. Any memory leak in the SSO package or module can make IIS or the whole server unstable, as well.
NOTE: When you restart the Web Server, all manual changes made to the registry are lost.
Although SSO software integration is productized for the Web Conferencing system, any changes in overall configuration, including Web Conferencing upgrades and SSO package upgrades, can potentially break integrated Web Conferencing-SSO systems.
Terms of Support for Single Sign On Software Integration
Customers must inform Cisco TAC that their Cisco Unified MeetingPlace Web Servers have third-party SSO packages installed and configured with Web Conferencing when opening a service request for Web Conferencing, Cisco Unified MeetingPlace for Microsoft Outlook, or Cisco Unified MeetingPlace for IBM Lotus Notes.
Customers must be able to provide SSO integration details upon request. Inability to provide details can result in Cisco TAC not being able to proceed with service requests.
If a service request is about troubleshooting the SSO integration, Cisco TAC can review the logs and identify whether the problem is on the SSO side or the Web Conferencing side. If the problem is on the SSO side, information will be provided to customers, so they can further troubleshoot with their SSO vendors.
If the service request is about troubleshooting a Web Conferencing problem that does not seem to be connected to the SSO integration, Cisco TAC will proceed per the normal support process. If TAC discovers that the SSO integration plays a role in the problem, information will be provided to customers, so they can further troubleshoot with their SSO vendors.
If Cisco TAC believes the problem is triggered by an SSO package, Cisco TAC can require customers to disable the SSO package to troubleshoot further.
The Microsoft Debug Diagnostic tool, also called DebugDiag, may be required for troubleshooting IIS crashes and memory leaks to determine whether these problems are produced by the SSO package.
Restrictions for Configuring Trust External Authentication
When configuring Trust External authentication, make sure that the /mpweb/scripts/public/ directory is not protected by SSO. Protecting this directory will prevent web conferencing from functioning properly.
To use SSO, you must enable SSL on the Application Server. If you have a failover system, with active and standby servers, ensure that SSL is installed and configured on the standby server as well as on the active server. This way, SSO will continue to work if the system has to move to the standby server for any reason.
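The directory restriction above can be checked against an SSO path policy before it is deployed. The following is an added example, not Cisco or SSO-vendor code: it assumes the policy can be reduced to URL prefixes marked protected or excluded, with the longest matching prefix winning, and that URL paths are case-insensitive as on IIS. The function names and sample policies are constructed for illustration.

```python
from posixpath import normpath

# Directory the page says must stay outside SSO protection.
PUBLIC_DIR = "/mpweb/scripts/public/"


def norm(path):
    """Canonical form: dot segments collapsed, lower-cased (assumes
    case-insensitive URL paths), trailing slash so that prefixes match
    whole path segments only."""
    p = normpath("/" + path.strip().lstrip("/")).lower()
    return p if p.endswith("/") else p + "/"


def effective_rule(rules, path):
    """Longest-prefix match. `rules` maps URL prefix -> True (SSO-protected)
    or False (explicitly excluded). Returns (prefix, protected) or None."""
    target, best = norm(path), None
    for prefix, protected in rules.items():
        p = norm(prefix)
        if target.startswith(p) and (best is None or len(p) > len(best[0])):
            best = (p, protected)
    return best


def public_dir_findings(rules):
    """Return a list of problems with how `rules` treat PUBLIC_DIR."""
    findings = []
    hit = effective_rule(rules, PUBLIC_DIR)
    if hit and hit[1]:
        findings.append(f"{PUBLIC_DIR} is covered by protected prefix {hit[0]}")
    public = norm(PUBLIC_DIR)
    for prefix, protected in rules.items():
        p = norm(prefix)
        if protected and p != public and p.startswith(public):
            findings.append(f"protected prefix {p} lies inside {PUBLIC_DIR}")
    return findings


# Constructed sample policies (not taken from any real SSO product export).
WHOLE_SITE = {"/": True}
NEAR_MISS = {"/mpweb/": True, "/mpweb/scripts/publicity/": False}
EXCLUDED = {"/mpweb/": True, "/MPWeb/Scripts/Public": False}
NESTED = {"/mpweb/": True, "/mpweb/scripts/public/": False,
          "/mpweb/scripts/public/help/": True}

if __name__ == "__main__":
    for name, policy in [("WHOLE_SITE", WHOLE_SITE), ("NEAR_MISS", NEAR_MISS),
                         ("EXCLUDED", EXCLUDED), ("NESTED", NESTED)]:
        print(name, public_dir_findings(policy) or "ok")
```

Only the EXCLUDED policy passes: the others protect the public directory through a site-wide rule, a similarly named exclusion that does not actually cover it, or a protected subdirectory inside it.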
Configuring Trust External Authentication
Before You Begin
- Sign in to the end-user web interface.
- Click Admin.
- Click Web Server.
- Click the name of the Web Server that you want to configure in the "View" section of the page.
- Scroll down to the Web Authentication section.
- Select Trust External Authentication for "Step 1: Directory."
- Enter an appropriate value for an external service for "HTTP Header Containing Username."
  - Example: Enter HTTP_SM_USER for SiteMinder
- Select how you want user names transformed for "Username Conversion Function."
  - Selecting None applies no transformation to the original user ID string.
- Click Submit and wait five minutes for the new configuration to take effect.
What to Do Next
(Optional) Proceed to Verifying the Trust External Authentication Configuration.
Verifying the Trust External Authentication Configuration
Use a Cisco Unified MeetingPlace end-user profile when completing this procedure.
Before You Begin
- Open your web browser and navigate to the Cisco Unified MeetingPlace home page.
- Verify the following end-user behaviors:
  - Using a SiteMinder environment, you are immediately authenticated to MeetingPlace with your SiteMinder user ID and password.
  - If you have a Cisco Unified MeetingPlace profile, you can log in with your SiteMinder password and schedule meetings.