Prime Service Catalog 12.0 SAML 2.0 Single Sign-On Support Did you know that starting with the release of Prime Service Catalog 12.0 you can now enable single sign-on using SAML 2.0 between Prime Service Catalog and other applications such as Cisco Cloud Center and Cisco UCS Director?

SAML 2.0 Support Prime Service Catalog 12.0 supports SAML 2.0 Other applications integrating with Prime Service Catalog can use SAML as a means to provide Authentication and import user profile information from IDP.

What is SAML? SAML - Security Assertion Markup Language Enables Single Sign-On (SSO) One set of credentials for users to enter So, what is SAML? The Security Assertion Markup Language (SAML) is an XML based open standard data format for exchanging authentication and authorization across domains and products.   SAML enables Single Sign-On between multiple applications or services. For our purposes, we are talking about Web Single Sign-On with Prime Service Catalog. An application with SAML enabled allows a user to sign in and be authenticated once and subsequently access other integrated applications without having to sign in to each application.

SAML Terms Client - The end-user’s browser-based client that is attempting to log in to a service provider. Service provider –An application or service that the client is trying to access. For example, Cisco Prime Service Catalog. Identity Provider (IdP) - The entity that authenticates end user credentials, and issues SAML Assertions. Here are a few key terms to understand: Client (the end user’s client) - The browser-based client that is attempting to log in to a service provider. Service provider –An application or service that the client is trying to access. For our purposes here, Cisco Prime Service Catalog. Identity Provider (IdP) - The entity that authenticates end user credentials, and issues SAML Assertions.

SAML and Prime Service Catalog You must enable SAML in PSC to use it Must disable LDAP Log in behavior – Handled outside of PSC Log out behavior Global (default) – Log out of all sites Local – Only of log out of one site User Management – Handled outside of PSC As a prerequisite to integrate with CloudCenter, UCS Director, or other service providers using SAML, you must enable and configure SAML SSO in Prime Service Catalog If you enable SAML, LDAP SSO log in must be manually disabled. Implementing single sign-on via SAML means that the sign in process and user authentication are handled entirely outside of Prime Service Catalog. With SAML implemented, Prime Service Catalog does not authenticate the user, but uses SAML as means of securely authenticating against an IdP, You can configure what happens when a user logs in or out of Prime Service Catalog Sign in process and user authentication are handled entirely outside of Prime Service Catalog. You can specify whether when a user logs out of an application if they automatically log out of all applications within the same browser session or just the specific application they logged out of. By default global logout is enabled. Global logout means when the user logs out of one instance of Prime Service Catalog the user is also logged out of other instance on the same browser. With global logout disabled, when the user logs out of Prime Service Catalog or other applications integrated with Prime Service Catalog, SAML logs the user out only from that particular application. This is called local logout. User management is handled outside PSC, but changes made outside of your Prime Service Catalog are immediately synced back to Prime Service Catalog.

SAML Sequence of Events SERVICE PROVIDERS Cloud Center Prime Service Catalog UCS Director END USERS IDENTITY PROVIDER 1. Request target resource 2. (Discover the IdP) 3. Redirect to SSO service 7. Request Assertion Consumer Service 8. Redirect to target resource 9. Request target resource 10. Respond with request resource 4. Request SSO Service 5. (Identify the user) 6. Respond with XHTML form Here is an example sequence of events when end users sign in to integrated Cisco One Cloud Suite components. With SAML implemented, when a user authenticates to Prime Service Catalog (PSC), any other application integrating with Prime Service Catalog (such as Cisco Cloud Center or UCS Director) (or vice-versa) can use this as a means to provide authentication and import user profile information from the IdP.

Benefits Platform neutrality – Moves security framework away from platform architectures and particular vendor implementations Loose coupling of directories – User information in one place Improved online experience for end users – Sign-in once Reduced administrative costs - Standardizes the log in interfaces between systems for faster, less expensive, and more reliable integration and user management Platform neutrality - SAML abstracts the security framework away from platform architectures and particular vendor implementations. Loose coupling of directories - SAML does not require user information to be maintained and synchronized between directories. Improved online experience for end users – Single Sign-On saves time by providing the ability to use a variety of Internet and Intranet resources without having to log in repeatedly. Reduced administrative costs for service providers - Standardizes the log in interfaces between systems for faster, less expensive, and more reliable integration and user management.

Next Steps Cisco Prime Service Catalog 12.0 Administration and Operation Guide Cisco Prime Service Catalog 12.0 Integration Guide For more information on enabling and configuring SAML 2.0 SSO in Prime Service Catalog, refer to the Cisco Prime Service Catalog 12.0 Administration and Operation Guide and Cisco Prime Service Catalog 12.0 Integration Guide

Go to www.cisco.com and keyword search Prime Service Catalog For more information Go to www.cisco.com and keyword search Prime Service Catalog Both guides and more information about Cisco Prime Service Catalog 12.0 are available at www.cisco.com, keyword search Prime Service Catalog