1 / 16

Otomo End User SSO - TOI March 2014

Otomo End User SSO - TOI March 2014. Otomo 10.5 – End User SSO Support. Presenter – Aastha Wal (aawal). Table of Contents. Abbreviations Added Functionality in current release OAuth API/Endpoints Jabber- CUC SSO Flow Enterprise parameters OAuth token expiry Counters

kanan
Download Presentation

Otomo End User SSO - TOI March 2014

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. OtomoEnd User SSO - TOI March 2014 Otomo 10.5 – End User SSO Support Presenter – Aastha Wal (aawal)

  2. Table of Contents • Abbreviations • Added Functionality in current release • OAuth API/Endpoints • Jabber- CUC SSO Flow • Enterprise parameters • OAuth token expiry • Counters • CLI command to set trace Level • Collect Logs from RTMT • Troubleshooting tips

  3. Abbreviations • CUC : Cisco Unity Connection • IDP : Identity Provider • OAuth : Authorization protocol / framework • SAML : Security Assertion Markup Language • SP : Service Provider • SSO : Single Sign On • SSOSP : CUC specific SP implementation • RTMT : Real Time Monitoring Tool

  4. Added Functionality in current release Oz 10.0 Otomo 10.5 In addition to features present in 10.0, this release has: SAML enabled for CUC Serviceability OAuth token based access to services like: - VMRest (on Unity Connection) • SAML SSO, only Web Applications single sign on was possible. • CUC Admin • CUC Client Web Applications: - CiscoPCA - Web-Inbox - Mini-inbox

  5. OAuth API / Endpoints

  6. Enterprise Parameters • There would be two new Enterprise level parameters specific to OAuth. 1)Enterprise parameter to set OAuth token expiry time in minutes. 2)Enterprise parameter to set a redirect URL for third party client. (no default value) • Once the administrator changes the timer, SSOSP web application pick up the new value instantaneously without having to restart Tomcat or SSOSP web application Note: Clicking on Enterprise parameter gives the description about the parameter.

  7. OAuth Token Expiry Settings in CUC

  8. OAuth token expiry • The Authorization service /validate endpoint will return a HTTP 400 Bad Request for an expired token

  9. Counters • Two new counters introduced to track the number of failed/invalid SAML Requests/Responses • SAML_FAILED_REQUESTS • SAML_FAILED_RESPONSES • In case of a failed SAML request or a failed response counters will be incremented (like if request/response has some mandatory field missing etc. ) • OAuth tokens are tracked by the following counters: • OAUTH_TOKENS_ISSUED • OAUTH_TOKENS_ACTIVE • OAUTH_TOKENS_VALIDATED • OAUTH_TOKENS_EXPIRED • OAUTH_TOKENS_REVOKED • CLI command to get counter values: show perf query class "SAML SSO"

  10. Counters

  11. CLI Command to Set Trace Level Log level can be changed using the following CLI commands: • set samltrace level DEBUG • set samltrace level INFO (default) • set samltrace level WARNING • set samltrace level ERROR • set samltrace level FATAL  Note: They are used for troubleshooting, DEBUG mode is best for troubleshooting

  12. Collect Logs from RTMT Following log files can be collected from RTMT: • ssosp.log: ssospxxxxx.log • security.log: securityxxxxx.log • Tomcat access: localhost_access_log.txt • Below are the steps to follow on RTMT • Login to RTMT • Goto: System  Tools  Trace  Trace & Log Central • For ssosp logs: Click on Collect files  click next  select Cisco SSO  finish • For security logs: Click on collect files  click next  select Cisco Tomcat Security  finish • For Tomcat access logs: Click on collect files  click next  select Cisco Tomcat  finish • Log files will be downloaded <Path will be mentioned on the screen>

  13. Troubleshooting tips Logs Location • OAuth endpoint logs: On all the nodes in the cluster • /var/log/active/tomcat/logs/ssosp/log4j/ssosp* • IMS: On all the nodes in the cluster • /var/log/active/tomcat/logs/security/log4j/security* • CUC Tomcat access logs: • /var/log/active/tomcat/logs/localhost_access_log.txt

  14. Troubleshooting tips for CUC cont.. • Problem Description • VMRest API throws 401 response error • Solution • Check if OAuth Token has expired • Check if OAuth Token is no longer valid -If the Tomcat service is restarted then all previous tokens are no longer valid and the client have to request for a new token. - If the publisher server of Unity Connection cluster went down then the token generated on the publisher server becomes invalid, and clients have to request the subscriber to generate a new token.

More Related