.. _configure_single_sign-on_for_voss-4-uc:

.. rst-class:: chapter-with-expand

Configure Single Sign-On for VOSS-4-UC
--------------------------------------

**Before You Begin**

Create a self-signed or third-party-signed system certificate before you
configure self-service SSO. For more information, see
:ref:`sso-certificate-management`.

The clocks of the VOSS-4-UC server and the IdP (identity provider) server
must be synchronized.

Follow these steps to configure self-service Single Sign-On (SSO) for
VOSS-4-UC. The configuration applies to the customers and customer
administrators associated with the IdP.

.. note::

   SSO support for administrative users is defined as follows:

   * SSO is not supported for administrative users under
     **User Management > Local Admins**, because their passwords are stored
     locally and so are not available for SSO.
   * SSO is supported for administrative users under
     **User Management > Users**, except for users with the Role set to
     SelfService.

**Procedure**

1. Log in to VOSS-4-UC as entadmin.
#. Choose **Single Sign On > SSO SP Settings**.
#. Click **Add**.

   Note: Configure only one instance of SSO SP Settings.

#. On the **Base** tab, from the mandatory **System Certificate** drop-down,
   choose the System Certificate to use. To allow the SSO SP Setting to
   expire, enter a number of hours in the **Validity (Hours)** field.

   Note:

   * Specifying an unsigned third-party-signed certificate will result in an
     error.
   * To renew an expired certificate, follow the steps in
     :ref:`renew_single_sign-on-certificate_for_voss-4-uc`.

#. On the **SAML SP Settings** tab, enter the mandatory **FQDN of the
   Server**. Select the **Sign Authn Requests** and **Want Assertions
   Signed** check boxes as required by your security environment.

   Note that if a secure connection is required, with the secure attribute
   set on the cookies, the URL values for the End Point bindings must be
   specified with ``https``.

#. Click **Save**.
#. To view the location of the VOSS-4-UC SP metadata that you will upload to
   the IdP, choose **Single Sign On > SSO SP Metadata**. Point your browser
   to the URL shown here, and then save a copy of the SP metadata.
#. Upload the SP metadata to the IdP. Refer to your IdP documentation for
   details on configuring SSO on your IdP.

   Note: The IdP must release the UID and map it to an appropriate attribute.
   For example, an IdP that authenticates with Active Directory can map the
   ``uid`` SAML attribute to ``sAMAccountName`` in the Active Directory
   server.

#. Download the IdP metadata from the IdP server. Refer to your IdP
   documentation for details on downloading IdP metadata.

   Note: If an expired SSO certificate is being renewed and the IdP metadata
   has *not* changed, then downloading, configuring and uploading the IdP
   metadata is not required.

#. Log in as provider, reseller, or customer administrator, depending on
   your IdP configuration level.
#. Choose **Administration Tools > File Management** and upload the IdP
   metadata.
#. Choose **Single Sign On > SSO Identity Provider**.
#. Click **Add** to add the SSO Identity Provider configuration.

   Note: Only one instance of an SSO Identity Provider can be configured for
   a hierarchy node.

#. On the **SSO Identity Provider** screen, complete, at minimum, the
   mandatory **SSO Identity Provider** fields (see **SSO Identity Provider
   Fields**).
#. Click **Save** to save the SSO Identity Provider configuration and enable
   SSO if selected.
#. Choose **Single Sign On > SSO User** to display enabled SSO users.

Use this URL for your SSO login:
``https://<FQDN of the Server>/sso/<login_URI>/login``

Upon login, the IdP will redirect you to this FQDN.

SSO Identity Provider Fields
............................

.. tabularcolumns:: |p{3.5cm}|p{12cm}|

+---------------------+----------------------------------------------------------+
| Field               | Description                                              |
+=====================+==========================================================+
| Entity Id \*        | Entity ID of the IdP. This can be extracted from the IdP |
|                     | metadata file. This field is mandatory.                  |
+---------------------+----------------------------------------------------------+
| Login URI \*        | Login URI for the IdP. This is the URI that will be      |
|                     | embedded in SSO Login URL. It can contain only           |
|                     | alphanumeric characters and forward slashes. This field  |
|                     | is mandatory.                                            |
+---------------------+----------------------------------------------------------+
| Local Metadata      | Choose the IdP metadata file. This field is mandatory    |
| File \*             | and must be unique across the system.                    |
+---------------------+----------------------------------------------------------+
| SSO Enabled         | Select the check box to enable SSO for users synced in or|
|                     | created at the current hierarchy level. Clear this check |
|                     | box to disable SSO for the users associated with the     |
|                     | defined IdP.                                             |
+---------------------+----------------------------------------------------------+
| Note                | Reminder to upload the IdP metadata file.                |
+---------------------+----------------------------------------------------------+
| SSO Login URL       | Read-only field displays the SSO Login URL to use.       |
+---------------------+----------------------------------------------------------+
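The IdP metadata and Login URI steps above are easy to get wrong in ways that only show up at first login. As an added example (not VOSS-4-UC code), the script below reads a constructed IdP metadata file, extracts the Entity ID the **SSO Identity Provider** screen asks for, flags the settings a practitioner should check before uploading (whether the IdP demands signed AuthnRequests, whether a signing certificate is present, whether every SSO binding endpoint is ``https``), validates a Login URI against the alphanumerics-and-slashes rule, and assembles the resulting SSO Login URL. All host names, the entity ID and the certificate body are placeholders.

```python
# Added example (not VOSS-4-UC code): pre-flight checks on an IdP metadata
# file before filling in the SSO Identity Provider screen.
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample IdP metadata; entity ID, host names and certificate body are placeholders.
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Login URI rule from the field table: alphanumeric characters and forward slashes only.
LOGIN_URI_RE = re.compile(r"^[A-Za-z0-9/]+$")


def inspect_idp_metadata(xml_text):
    """Return (Entity ID, findings) for the IdP metadata about to be uploaded."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    findings = []
    # If the IdP insists on signed requests, 'Sign Authn Requests' must be selected on the SP side.
    if idp.get("WantAuthnRequestsSigned", "false").lower() == "true":
        findings.append("IdP requires signed AuthnRequests: select 'Sign Authn Requests'")
    # Without a signing key there is nothing to verify 'Want Assertions Signed' against.
    if idp.find("md:KeyDescriptor[@use='signing']", NS) is None:
        findings.append("no signing certificate in IdP metadata")
    # Secure cookies need every SSO binding endpoint to be https.
    for sso in idp.findall("md:SingleSignOnService", NS):
        if not sso.get("Location", "").startswith("https://"):
            findings.append("non-https binding: " + sso.get("Location", ""))
    return root.get("entityID"), findings

def sso_login_url(fqdn, login_uri):
    """Build https://<FQDN of the Server>/sso/<login_URI>/login from a validated Login URI."""
    if not LOGIN_URI_RE.match(login_uri):
        raise ValueError("Login URI may contain only alphanumeric characters and forward slashes")
    # Surrounding slashes are dropped to avoid a doubled '/' (an assumption, not documented behaviour).
    return "https://%s/sso/%s/login" % (fqdn, login_uri.strip("/"))
```

Run against a real IdP metadata export, the findings list tells you which of the **SAML SP Settings** check boxes and binding URLs need attention before you upload the file under **Administration Tools > File Management**.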