Single Sign-On
Single sign-on (SSO) is an authentication and authorization process. (Authentication proves that you are the user you say that you are, and authorization verifies that you are allowed to do what you want to do.) SSO allows you to sign in to one application and then securely access other authorized applications without a prompt to resupply user credentials. SSO permits Cisco supervisors or agents to sign on only once with a username and password. Supervisors and agents gain access to all of their Cisco browser-based applications and services within a single browser instance. By using SSO, Cisco administrators can manage all users from a common user directory and enforce password policies for all users consistently.
Note: Before enabling SSO in Unified CCE, sign in to the Cisco Unified Intelligence Center OAMP interface and perform the Unified CCE User Integration operation (Cluster Configuration > UCCE User Integration) once manually to import the Supervisors with the required roles.
SSO is an optional feature whose implementation requires you to enable the HTTPS protocol across the enterprise solution.
You can implement single sign-on in one of these modes:
- SSO - Enable all agents and supervisors in the deployment for SSO.
- Hybrid - Enable agents and supervisors selectively in the deployment for SSO. Hybrid mode allows you to phase in the migration of agents from a non-SSO deployment to an SSO deployment and enable SSO for local PGs. Hybrid mode is useful if you have third-party applications that don't support SSO, and some agents and supervisors must be SSO-disabled to sign in to those applications.
- Non-SSO - Continue to use existing Active Directory-based and local authentication, without SSO.
SSO uses Security Assertion Markup Language (SAML) to exchange authentication and authorization details between an identity provider (IdP) and an identity service (IdS). The IdP authenticates based on user credentials, and the IdS provides authorization between the IdP and applications. The IdP issues SAML assertions, which are packages of security information transferred from the IdP to the service provider for user authentication. Each assertion is an XML document that contains trusted statements about a subject including, for example, username and privileges. SAML assertions are digitally signed to ensure their authenticity.
The IdS generates an authentication request (also known as a SAML request) and directs it to the IdP. SAML does not specify the method of authentication at the IdP. It may use a username and password or other form of authentication, including multi-factor authentication. A directory service such as LDAP or AD that allows you to sign in with a username and a password is a typical source of authentication tokens at an IdP.
Prerequisites
The Identity Provider must support Security Assertion Markup Language (SAML) 2.0. See the Compatibility Matrix for your solution at https://www.cisco.com/c/en/us/support/customer-collaboration/packaged-contact-center-enterprise/products-device-support-tables-list.html or https://www.cisco.com/c/en/us/support/customer-collaboration/unified-contact-center-enterprise/products-device-support-tables-list.html for details.
Contact Center Enterprise Reference Design Support for Single Sign-On
Unified CCE supports single sign-on for these reference designs:
- 2000 Agents
- 4000 Agents
- 12000 Agents
- 24000 Agents
- Contact Director (maximum of 24000 agents; each target system must include a dedicated Cisco IdS deployment)
Coresidency of Cisco Identity Service by Reference Design
| Reference Design | Unified CCE |
|---|---|
| 2000 Agent | Cisco IdS is coresident with Unified Intelligence Center and Live Data on a single VM. |
| 4000 Agent | Standalone Cisco IdS VM |
| 12000 Agent | Standalone Cisco IdS VM |
| 24000 Agent | Standalone Cisco IdS VM |
Single Sign-On Support and Limitations
Note the following points that are related to SSO support:
- To support SSO, enable the HTTPS protocol across the enterprise solution.
- SSO supports agents and supervisors only. SSO support is not available for administrators in this release.
- SSO supports multiple domains with federated trusts.
- SSO supports only contact center enterprise peripherals.
- SSO support is available for Agents and Supervisors that are registered to a remote or main site PG in global deployments.
Note the following limitations that are related to SSO support:
- SSO support is not available for third-party Automatic Call Distributors (ACDs).
- The SSO feature does not support Cisco Finesse IP Phone Agent (FIPPA).
- The SSO feature does not support Cisco Finesse Desktop Chat.
- In Hybrid mode:
  - When an agent in SSO mode tries to log in to CUIC and the agent does not exist in CUIC, the agent cannot log in to CUIC.
  - When a Supervisor in SSO mode tries to log in to CUIC and the Supervisor user does not exist in CUIC, the Supervisor cannot log in to CUIC. For the Supervisor to log in to CUIC, perform Unified CCE User Integration. For more information on Unified CCE User Integration, see Administration Console User Guide for Cisco Unified Intelligence Center at https://www.cisco.com/c/en/us/support/customer-collaboration/unified-intelligence-center/products-maintenance-guides-list.html.