Updated: May 17, 2021
This document describes the basics of enabling Single Sign-On (SSO) on vManage and how to check and verify on vManage that the feature is enabled. Starting with release 18.3.0, vManage supports SSO. SSO allows a user to log in to vManage by authenticating against an external Identity Provider (IdP). The feature supports the SAML 2.0 specification for SSO.
Contributed by Shankar Vemulapalli, Cisco TAC Engineer.
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. As its name implies, SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).
An Identity Provider (IdP) is a trusted provider that lets you use single sign-on (SSO) to access other websites. SSO reduces password fatigue and improves usability. It also reduces the attack surface, because credentials are held and verified in one place instead of in every application.
Service Provider (SP): the system entity that receives and accepts authentication assertions in conjunction with a SAML SSO profile. In this setup, vManage is the SP.
What are feature capabilities?
Only SAML 2.0 is supported.
Supported deployments: single tenant (standalone and cluster) and multi-tenant (at both the provider level and the tenant level). Multi-tenant deployments are clustered by default. Provider-as-tenant is not applicable.
Each tenant can have its own identity provider, as long as that IdP follows the SAML 2.0 specification.
IdP metadata can be configured by file upload or by pasting it as plain text, and the vManage metadata can be downloaded.
Only browser-based SSO is supported.
The certificate used for the vManage metadata is not configurable in this release. It is a self-signed certificate, created the first time you enable SSO, with the following parameters:
CN = <TenantName>, or DefaultTenant
OU = <Org Name>
O = <SP Org Name>
L = "San Jose"
ST = "CA"
C = "USA"
Validity: 5 years
Certificate signing algorithm: SHA256WithRSA
Key pair generation algorithm: RSA
Single Login: SP-initiated and IdP-initiated are both supported.
Single Logout: SP-initiated only.
How to Enable it on vManage?
To enable single sign-on (SSO) for the vManage NMS so that users are authenticated by an external identity provider:
Ensure that NTP is enabled on the vManage NMS. SAML assertions carry time-bounded validity conditions, so clock skew between vManage and the IdP causes logins to fail.
Connect to the vManage GUI using the URL that is configured on the IdP (for example, vmanage-112233.viptela.net). Do not use the IP address, because the URL you connect with is embedded in the vManage SAML metadata.
Navigate to Administration > Settings and click the Edit button to the right of the Identity Provider Settings bar.
In the Enable Identity Provider field, click Enabled.
Copy and paste the identity provider metadata into the Upload Identity Provider Metadata box, or click Select a File to upload the identity provider metadata file.
What is the workflow?
The administrator enables SSO on the Administration > Settings page by uploading the identity provider metadata.
The administrator then downloads the corresponding vManage tenant metadata and uploads it to the identity provider. This must be done at least once, because the vManage metadata (and the self-signed certificate it contains) is generated when SSO is first enabled.
The metadata can be updated, or SSO disabled, at any time.
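Before pasting IdP metadata into vManage it is worth checking that the document is actually IdP metadata for a browser-based SAML 2.0 profile. The check below is an added example written for this article, not vManage code: the page does not document vManage's own validation, so it tests the generic properties a browser SSO login needs (an entityID, an IDPSSODescriptor for the SAML 2.0 protocol, a SingleSignOnService with an HTTP-Redirect or HTTP-POST binding, and a signing certificate). The sample metadata is constructed, with a placeholder hostname and certificate bytes.

```python
"""Pre-upload check of SAML 2.0 IdP metadata (added example, not vManage code)."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
# Bindings a browser profile can use; vManage supports browser SSO only.
BROWSER_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}


def check_idp_metadata(xml_text):
    """Return (ok, findings). ok is True only when findings is empty."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return False, [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return False, ["root element is not md:EntityDescriptor"]
    if not root.get("entityID"):
        findings.append("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # A common mistake is uploading SP metadata (SPSSODescriptor) here.
        return False, ["no IDPSSODescriptor; is this IdP metadata and not SP metadata?"]

    if SAML2_PROTOCOL not in idp.get("protocolSupportEnumeration", "").split():
        findings.append("IDPSSODescriptor does not list the SAML 2.0 protocol")

    endpoints = [(e.get("Binding"), e.get("Location", ""))
                 for e in idp.findall("md:SingleSignOnService", NS)]
    if not any(b in BROWSER_BINDINGS for b, _ in endpoints):
        findings.append("no SingleSignOnService with HTTP-Redirect or HTTP-POST binding")
    for binding, location in endpoints:
        if not location.startswith("https://"):
            findings.append(f"SingleSignOnService ({binding}) is not https: {location!r}")

    # A KeyDescriptor without a 'use' attribute may be used for signing and encryption.
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    if not certs:
        findings.append("no signing X509Certificate; assertion signatures cannot be verified")
    for c in certs:
        try:
            base64.b64decode(c, validate=True)
        except ValueError:
            findings.append("signing X509Certificate is not valid base64")

    return not findings, findings


# Constructed sample: placeholder hostname and certificate bytes, not a real IdP.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBsampleCertBytes0AAAA</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample with two mistakes the check should catch: no signing
# certificate and a plain-http SSO endpoint.
SAMPLE_BAD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for name, doc in (("good", SAMPLE_IDP_METADATA), ("bad", SAMPLE_BAD_METADATA)):
        ok, findings = check_idp_metadata(doc)
        print(name, "OK" if ok else "REJECT", findings)
```

Run it against the file you are about to upload by reading the file into `check_idp_metadata`; a REJECT with "no IDPSSODescriptor" usually means the SP metadata was exported from the IdP by mistake instead of the IdP's own metadata.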
Sample vManage Meta
Does vManage support Two-Factor Authentication, and how is it different from SSO?
Two-Factor Authentication (2FA) is a type, or subset, of multi-factor authentication (MFA). It confirms a user's claimed identity with two different factors out of: 1) something they know, 2) something they have, 3) something they are.
Example: Google Gmail (password plus a One-Time Password (OTP)).
2FA is provided by the SSO server (the IdP), not by vManage. It is similar to how we log in to internal Cisco websites:
vManage redirects you to Cisco SSO, where you are prompted for PingID / Duo 2FA.
Note: Please check the latest Cisco documentation for the latest IdPs supported by vManage
How to indicate user group membership in the SAML assertion?
Problem: vManage is front-ended by a SAML IdP. When the user is successfully authenticated, the only thing the user can access is the dashboard.
Is there a way to give the user more access (via user group RBAC) when the user is authenticated via SAML?
This problem is caused by improper configuration of the IdP. The attribute statement the IdP sends during authentication must contain attributes named "Username" and "Groups". If other attribute names are used in place of "Groups", the user group defaults to "Basic", and "Basic" users only have access to the basic dashboard.
Make sure the IdP sends "Username" and "Groups", not "UserId" and "role", to vManage.
Below is an example as seen in the /var/log/nms/vmanage-server.log file:
Here "UserId/role" is sent by the IdP and the user is mapped to the basic group.
SSO feature debug logging can be enabled as follows:
1. Navigate to https://<vManage_ip_addr>:<port>/logsettings.html
2. Select SSO logging and enable it.
3. Once enabled, click the Submit button.
SSO-related logs are now written to the vManage log file /var/log/nms/vmanage-server.log. Of particular interest is the "Groups" value used for IdP authorization: if it matches no vManage user group, the user defaults to the "Basic" group, which has read-only access.
To debug an access-privilege issue, search the log file for the string "SamlUserGroups". What follows it should be a list of group names, one of which must match a user group configured on vManage. If no match is found, the user has defaulted to the "Basic" group.
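The two checks above (which attribute names the IdP sends, and what follows "SamlUserGroups" in the log) can be scripted. The code below is an added example written for this article, not vManage code. It models the rule the page states: vManage reads the "Username" and "Groups" attributes from the assertion, a Groups value that matches a configured vManage user group is used, and otherwise the user lands in "Basic". The two assertions, the set of configured groups and the log line are constructed; the exact layout of the log line around "SamlUserGroups" is an assumption, since the page only says that a list of group names follows it.

```python
"""Resolve the vManage user group from a SAML assertion or a log line (added example, not vManage code)."""
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
DEFAULT_GROUP = "Basic"
# Example set; use the groups listed under Administration > Manage Users > User Groups.
VMANAGE_GROUPS = {"Basic", "netadmin", "operator"}


def assertion_attributes(assertion_xml):
    """Map attribute Name -> list of AttributeValue texts from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip()
                                   for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def resolve_vmanage_groups(attrs, configured_groups=VMANAGE_GROUPS):
    """
    Return (username, groups, findings). groups is [DEFAULT_GROUP] whenever no
    "Groups" value matches a configured vManage group, which is the
    dashboard-only symptom described above.
    """
    findings = []
    username = (attrs.get("Username") or [None])[0]
    if username is None:
        findings.append(f'no "Username" attribute; IdP sent {sorted(attrs)}')

    sent = attrs.get("Groups", [])
    if not sent:
        findings.append(f'no "Groups" attribute; IdP sent {sorted(attrs)}')
    matched = [g for g in sent if g in configured_groups]
    if sent and not matched:
        findings.append(f"Groups {sent} match none of {sorted(configured_groups)}")
    return username, (matched or [DEFAULT_GROUP]), findings


# Assumed log layout: the token "SamlUserGroups" followed by a bracketed, comma-separated list.
LOG_GROUPS = re.compile(r"SamlUserGroups\s*[:=]?\s*\[([^\]]*)\]")


def groups_from_log_line(line):
    """Group names that follow SamlUserGroups in a log line, or None if the token is absent."""
    m = LOG_GROUPS.search(line)
    if m is None:
        return None
    return [g.strip().strip("'\"") for g in m.group(1).split(",") if g.strip()]


def _assertion(attribute_pairs):
    """Build a minimal constructed assertion carrying the given (Name, value) attributes."""
    body = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
        for name, value in attribute_pairs)
    return (f'<saml:Assertion xmlns:saml="{SAML}" ID="_example" Version="2.0">'
            f'<saml:Subject><saml:NameID>{attribute_pairs[0][1]}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>')


# Constructed samples: the attribute names the page wants, and the wrong ones it warns about.
GOOD_ASSERTION = _assertion([("Username", "alice"), ("Groups", "netadmin")])
BAD_ASSERTION = _assertion([("UserId", "alice"), ("role", "netadmin")])
SAMPLE_LOG_LINE = "2021-05-17 10:42:01 INFO  SSO login for alice SamlUserGroups: [netadmin, operator]"

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, resolve_vmanage_groups(assertion_attributes(doc)))
    print("log:", groups_from_log_line(SAMPLE_LOG_LINE))
```

With the good assertion the user resolves to netadmin with no findings; with the "UserId/role" assertion both attributes are reported missing and the user falls back to Basic, which is exactly the dashboard-only behaviour in the problem statement.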
A browser extension that shows the SAML and WS-Federation messages exchanged through the browser during single sign-on and single logout is the quickest way to confirm which attribute names and values the IdP actually sends.
SSO is only for browser login. You can manually direct vManage to the traditional login page and bypass SSO in order to log in with only a local username and password: https://<vmanage>:8443/login.html. Because this page remains reachable while SSO is enabled, local accounts are still a valid authentication path; keep their passwords strong and limit them to the accounts you need.
What signing algorithm is used?
Currently vManage signs the SAML metadata file with SHA-1, and the IdP needs to accept a SHA-1 signature. SHA-1 here is the hash algorithm of the XML signature, not an encryption algorithm; the self-signed SP certificate itself is SHA256WithRSA, as listed under feature capabilities. Support for SHA-256 signatures is planned for a future release and is not available at the time of writing.
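If an IdP refuses the vManage metadata upload, the signature algorithm is the first thing to check. The script below is an added example written for this article, not vManage code: it reads the SignatureMethod and DigestMethod URIs from the first ds:Signature in a SAML document and flags SHA-1. The signed SP metadata is constructed (hostname from this article, placeholder path, certificate and signature values); the signature is not cryptographically valid and is not verified, only its algorithm identifiers, which are the standard XML-DSig URIs, are inspected.

```python
"""Report the XML signature algorithms of a signed SAML document (added example, not vManage code)."""
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA1_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
}


def signature_algorithms(xml_text):
    """Algorithms of the first ds:Signature as {'signature': uri, 'digests': [uri, ...]}, or None if unsigned."""
    root = ET.fromstring(xml_text)
    sig = root.find(f".//{DS}Signature")
    if sig is None:
        return None
    method = sig.find(f"{DS}SignedInfo/{DS}SignatureMethod")
    digests = sig.findall(f"{DS}SignedInfo/{DS}Reference/{DS}DigestMethod")
    return {
        "signature": method.get("Algorithm") if method is not None else None,
        "digests": [d.get("Algorithm") for d in digests],
    }


def uses_sha1(algs):
    """True when the signature method or any reference digest is SHA-1 based."""
    if algs is None:
        return False
    return algs["signature"] in SHA1_URIS or any(d in SHA1_URIS for d in algs["digests"])


# Constructed signed SP metadata: the ACS path, certificate and signature values are placeholders.
SIGNED_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://vmanage-112233.viptela.net" ID="_sp1">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_sp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>placeholder=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBplaceholder0</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://vmanage-112233.viptela.net/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    algs = signature_algorithms(SIGNED_SP_METADATA)
    print(algs)
    print("IdP must accept SHA-1 signatures:", uses_sha1(algs))
```

Point it at the metadata file downloaded from Administration > Settings; when it reports SHA-1, the IdP has to be configured to accept SHA-1-signed SP metadata, since vManage cannot be switched to SHA-256 in this release.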