
Page 1: Otomo End User SSO - TOI     March 2014

© 2006 Cisco Systems, Inc. All rights reserved. Cisco ConfidentialPresentation_ID 1

Otomo End User SSO - TOI

March 2014

Otomo 10.5 – End User SSO Support

Presenter – Aastha Wal (aawal)


Table of Contents

Abbreviations

Added Functionality in current release

OAuth API/Endpoints

Jabber- CUC SSO Flow

Enterprise parameters

OAuth token expiry

Counters

CLI command to set trace Level

Collect Logs from RTMT

Troubleshooting tips


Abbreviations

CUC : Cisco Unity Connection

IDP : Identity Provider

OAuth : Authorization protocol / framework

SAML : Security Assertion Markup Language

SP : Service Provider

SSO : Single Sign On

SSOSP : CUC specific SP implementation

RTMT : Real Time Monitoring Tool


Added Functionality in current release

Oz 10.0

With SAML SSO, only single sign-on for web applications was possible:

CUC Admin

CUC Client Web Applications:

- CiscoPCA

- Web-Inbox

- Mini-inbox

Otomo 10.5

In addition to the features present in 10.0, this release has:

SAML enabled for CUC Serviceability

OAuth token-based access to services such as:

- VMRest (on Unity Connection)


OAuth API / Endpoints


Enterprise Parameters

There are two new enterprise-level parameters specific to OAuth:

1) Enterprise parameter to set the OAuth token expiry time in minutes.

2) Enterprise parameter to set a redirect URL for a third-party client (no default value).

Once the administrator changes the timer, the SSOSP web application picks up the new value instantly, without restarting Tomcat or the SSOSP web application.

Note: Clicking on an enterprise parameter shows the description of that parameter.


OAuth Token Expiry Settings in CUC


OAuth token expiry

The Authorization service /validate endpoint returns an HTTP 400 Bad Request for an expired token.


Counters

Two new counters are introduced to track the number of failed/invalid SAML requests and responses:

SAML_FAILED_REQUESTS

SAML_FAILED_RESPONSES

These counters are incremented on a failed SAML request or a failed response (for example, when a request or response is missing a mandatory field).

OAuth tokens are tracked by the following counters:

OAUTH_TOKENS_ISSUED

OAUTH_TOKENS_ACTIVE

OAUTH_TOKENS_VALIDATED

OAUTH_TOKENS_EXPIRED

OAUTH_TOKENS_REVOKED

CLI command to get counter values:

show perf query class "SAML SSO"
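The counters above are most useful as deltas between polls rather than as absolute values. The following is an added example (not Cisco code) that parses two constructed polls of the counter output and flags the conditions an operator would want to see: a rise in SAML_FAILED_REQUESTS or SAML_FAILED_RESPONSES, and OAUTH_TOKENS_ACTIVE dropping to zero while tokens are still being issued. The slide does not show the exact text layout of `show perf query class "SAML SSO"`, so the `<COUNTER> -> <value>` layout of the sample text, the parser written for it, and the "active fell to zero" heuristic are all assumptions.

```python
"""Delta monitor for the SAML SSO perf counters named on the slide.

Added example, not Cisco code. The SAMPLE_* strings are constructed in an
assumed "<COUNTER>  -> <value>" layout; the parser targets that layout only.
"""
import re

# Counter names as listed on the slide.
SAML_COUNTERS = ("SAML_FAILED_REQUESTS", "SAML_FAILED_RESPONSES")
OAUTH_COUNTERS = ("OAUTH_TOKENS_ISSUED", "OAUTH_TOKENS_ACTIVE",
                  "OAUTH_TOKENS_VALIDATED", "OAUTH_TOKENS_EXPIRED",
                  "OAUTH_TOKENS_REVOKED")

# Constructed sample output for two successive polls (assumed layout).
SAMPLE_T0 = """\
==>query class :
 - Perf class (SAML SSO) has instances and values:
    SAML_FAILED_REQUESTS     -> 2
    SAML_FAILED_RESPONSES    -> 0
    OAUTH_TOKENS_ISSUED      -> 120
    OAUTH_TOKENS_ACTIVE      -> 40
    OAUTH_TOKENS_VALIDATED   -> 900
    OAUTH_TOKENS_EXPIRED     -> 75
    OAUTH_TOKENS_REVOKED     -> 5
"""
SAMPLE_T1 = """\
==>query class :
 - Perf class (SAML SSO) has instances and values:
    SAML_FAILED_REQUESTS     -> 2
    SAML_FAILED_RESPONSES    -> 14
    OAUTH_TOKENS_ISSUED      -> 131
    OAUTH_TOKENS_ACTIVE      -> 0
    OAUTH_TOKENS_VALIDATED   -> 915
    OAUTH_TOKENS_EXPIRED     -> 80
    OAUTH_TOKENS_REVOKED     -> 5
"""

# One counter line in the assumed layout: NAME, arrow, integer value.
_LINE = re.compile(r"^\s*([A-Z_]+)\s*->\s*(\d+)\s*$")


def parse_counters(text: str) -> dict:
    """Return {counter_name: int} for every line matching the assumed layout."""
    values = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def counter_deltas(before: dict, after: dict) -> dict:
    """Per-counter change between two polls; a counter absent from one poll counts as 0."""
    names = set(before) | set(after)
    return {n: after.get(n, 0) - before.get(n, 0) for n in names}


def findings(before: dict, after: dict, failed_threshold: int = 1) -> list:
    """Operator-facing findings derived from a pair of polls."""
    d = counter_deltas(before, after)
    out = []
    for name in SAML_COUNTERS:
        if d.get(name, 0) >= failed_threshold:
            out.append(f"{name} rose by {d[name]}: check SAML request/response "
                       f"fields and the ssosp logs")
    # Assumed heuristic: ACTIVE falling to 0 while ISSUED keeps growing is
    # consistent with the slide's note that a Tomcat restart invalidates
    # every previously issued token, forcing clients to request new ones.
    if (before.get("OAUTH_TOKENS_ACTIVE", 0) > 0
            and after.get("OAUTH_TOKENS_ACTIVE", 0) == 0
            and d.get("OAUTH_TOKENS_ISSUED", 0) > 0):
        out.append("OAUTH_TOKENS_ACTIVE fell to 0 while tokens were still issued: "
                   "possible Tomcat restart, clients must re-request tokens")
    return out


if __name__ == "__main__":
    for line in findings(parse_counters(SAMPLE_T0), parse_counters(SAMPLE_T1)):
        print(line)
```

In practice the two polls would come from running the CLI command twice (for example from a scheduled job) and feeding the captured text to `parse_counters`; the threshold for the SAML counters is a tuning knob, since a single malformed response is noise but a steady rise usually points at an IdP or SP configuration change.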


CLI Command to Set Trace Level

The log level can be changed using the following CLI commands:

set samltrace level DEBUG

set samltrace level INFO (default)

set samltrace level WARNING

set samltrace level ERROR

set samltrace level FATAL

Note: These levels are used for troubleshooting; DEBUG mode is best for troubleshooting.


Collect Logs from RTMT

The following log files can be collected from RTMT:

• ssosp.log: ssospxxxxx.log

• security.log: securityxxxxx.log

• Tomcat access: localhost_access_log.txt

Below are the steps to follow in RTMT:

• Log in to RTMT

• Go to: System > Tools > Trace > Trace & Log Central

• For ssosp logs: click Collect Files > Next > select Cisco SSO > Finish

• For security logs: click Collect Files > Next > select Cisco Tomcat Security > Finish

• For Tomcat access logs: click Collect Files > Next > select Cisco Tomcat > Finish

The log files will be downloaded to <Path will be mentioned on the screen>


Troubleshooting tips

Logs Location

OAuth endpoint logs: On all the nodes in the cluster

/var/log/active/tomcat/logs/ssosp/log4j/ssosp*

IMS: On all the nodes in the cluster

/var/log/active/tomcat/logs/security/log4j/security*

CUC Tomcat access logs:

/var/log/active/tomcat/logs/localhost_access_log.txt


Troubleshooting tips for CUC (cont.)

Problem Description

1. The VMRest API returns an HTTP 401 response

Solution

1. Check whether the OAuth token has expired.

2. Check whether the OAuth token is no longer valid:

- If the Tomcat service is restarted, all previously issued tokens are no longer valid and clients have to request a new token.

- If the publisher server of the Unity Connection cluster goes down, tokens generated on the publisher become invalid, and clients have to request a new token from the subscriber.
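The client side of the token behaviour described on the token-expiry slide and in the troubleshooting tips above (a token that ages past the enterprise-parameter timer, a 400 from /validate for an expired token, a 401 from VMRest after a Tomcat restart, and failover to the subscriber when the publisher is down) is shown below as an added example; it is not Cisco or Unity Connection code. The cluster is simulated in-process so that the example runs offline, and the hostnames, the 60-minute expiry value, the resource path and the shape of the issue/validate/VMRest calls are all assumptions; the real endpoint URLs are not shown on these slides.

```python
"""OAuth token handling for a VMRest client, covering the failure modes on
the slides: expiry timer, 400 from /validate, 401 after Tomcat restart, and
publisher-down failover.  Added example, not Cisco code; the cluster below
is a simulation and every hostname, path and timer value is an assumption.
"""

EXPIRY_MINUTES = 60  # assumed value of the OAuth token expiry enterprise parameter
NODES = ["cuc-pub.example.test", "cuc-sub.example.test"]  # hypothetical publisher, subscriber


class NodeDown(Exception):
    """Raised by the simulated transport when a node cannot be reached."""


class FakeCluster:
    """In-process stand-in for the Authorization service and VMRest on each node."""

    def __init__(self, now):
        self.now = now        # injectable clock returning seconds
        self.down = set()     # nodes currently unreachable
        self.tokens = {}      # token -> (issuing node, issued_at)
        self._seq = 0

    def issue_token(self, node):
        if node in self.down:
            raise NodeDown(node)
        self._seq += 1
        tok = f"tok-{node}-{self._seq}"
        self.tokens[tok] = (node, self.now())
        return tok

    def _is_valid(self, node, token):
        if node in self.down:
            raise NodeDown(node)
        rec = self.tokens.get(token)
        if rec is None:
            return False      # invalidated by a restart, or never issued
        issuer, issued_at = rec
        if issuer in self.down:
            return False      # slide: publisher down -> tokens it issued are invalid
        return self.now() - issued_at < EXPIRY_MINUTES * 60

    def validate(self, node, token):
        """Mimics /validate: 200 for a live token, 400 Bad Request otherwise."""
        return 200 if self._is_valid(node, token) else 400

    def vmrest_get(self, node, token, path):
        """Mimics a VMRest call: 401 when the token is no longer accepted."""
        return 200 if self._is_valid(node, token) else 401

    def restart_tomcat(self, node):
        """Slide: a Tomcat restart invalidates every token that node issued."""
        self.tokens = {t: r for t, r in self.tokens.items() if r[0] != node}


class VmRestClient:
    def __init__(self, cluster, nodes=NODES):
        self.cluster, self.nodes = cluster, list(nodes)
        self.token = self.issued_at = self.node = None
        self.events = []      # recovery steps taken, for the operator

    def _locally_expired(self):
        """Cheap pre-check against the expiry timer, before any network call."""
        return self.issued_at is None or \
            self.cluster.now() - self.issued_at >= EXPIRY_MINUTES * 60

    def _new_token(self):
        """Ask the publisher first; fall back to the subscriber if it is down."""
        for node in self.nodes:
            try:
                self.token = self.cluster.issue_token(node)
            except NodeDown:
                self.events.append(f"node down: {node}")
                continue
            self.issued_at, self.node = self.cluster.now(), node
            self.events.append(f"token issued by {node}")
            return
        raise RuntimeError("no node could issue a token")

    def get(self, path):
        """One VMRest GET with the recovery steps from the slide applied."""
        if self.token is None or self._locally_expired():
            self.events.append("no token or expiry timer passed: requesting a new token")
            self._new_token()
        status = None
        for _attempt in (1, 2):
            try:
                status = self.cluster.vmrest_get(self.node, self.token, path)
            except NodeDown:
                self.events.append(f"{self.node} unreachable: requesting token from another node")
                self._new_token()
                continue
            if status != 401:
                break
            self.events.append("401 from VMRest: token no longer valid, re-requesting")
            self._new_token()
        return status


def run_scenarios():
    """Walk through the four situations on the slides and record each outcome."""
    clock = [0.0]
    cluster = FakeCluster(now=lambda: clock[0])
    client = VmRestClient(cluster)
    r = {}
    r["first"] = client.get("/vmrest/placeholder")          # token issued by the publisher
    clock[0] += EXPIRY_MINUTES * 60 + 1                     # past the enterprise-parameter timer
    r["validate_expired"] = cluster.validate(client.node, client.token)  # 400, as on the slide
    r["after_expiry"] = client.get("/vmrest/placeholder")   # refreshed locally before calling
    cluster.restart_tomcat(client.node)                     # all tokens from that node gone
    r["after_restart"] = client.get("/vmrest/placeholder")  # 401 -> new token -> 200
    cluster.down.add(NODES[0])                              # publisher goes down
    r["after_pub_down"] = client.get("/vmrest/placeholder") # fail over to the subscriber
    r["issuer"], r["events"] = client.node, client.events
    return r


if __name__ == "__main__":
    for k, v in run_scenarios().items():
        print(k, v)
```

The `events` list is the part worth keeping in a real client: logging which recovery branch fired (timer, 401, node down) makes the 401 described on this slide diagnosable from the client side without having to pull the ssosp and security logs first.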
