6.
7.
am doing which has killed my SSO session. There is a small handful of web apps with a higher confidentiality rating that
require login every time, but most of Cisco workforce are not accessing these, including myself.
It is in the active roadmap to eliminate SSO username/password with a valid Kerberos certificate tied to laptop login
and Cisco on-prem status (VPN, blizzard or hardwire). There are factors and dependencies getting worked through
to implement this successfully.
Logins to desktop apps are separate and do prompt me for additional SSO logins. But for the main Cisco desktop apps
(Webex Teams, Jabber, Productivity Tools), these have long-lived sessions and do not prompt me for login unless I
explicitly sign out (which I don’t do).
Per 10 hour work day –
Laptop login at start of day and any time I need to lock
1 SSO login per browser window
Plus SSO login per desktop app (which is rarely required in my experience)
More detailed list of reasons why you may be prompted for a new SSO login:
a) Cookies are disabled in your browser.
The existence and validity of SSO sessions are tracked via browser cookies. If you have disabled the creation or storying of
cookies in your browser, then you will be prompted for credentials on every attempt to access an SSO-protected resource.
b) Brand new browser window
Best to keep your browser window open for your whole work day if possible. Closing and re-opening your browser window will
require a new authentication.
c) Different browser (i.e. switching from Chrome to Firefox)
Each new browser window will require a login.
d) New Desktop Application login
When desktop applications (e.g. Webex Teams, Desktop Webex Meetings, Jabber, etc.) prompt for login inside an embedded
browser frame inside the application, this browser frame does not have access to create/use saved cookies similar to full browser
windows.
Unfortunately, no workaround to this. However, these applications should also require login very infrequently. Unless a user
explicitly signs out or "resets" the application.
e) No SSO activity on domain for 10 hours or more (new: recently extended from 4 to 10 hours to cover a standard work cisco.com
day)
Please note: Continuous activity on certain popular websites like WebEx, Jive, Smartsheet and Box will not count as SSO activity
because they are not hosted on . cisco.com
Initial login to these sites uses the common login page and communicates with Cisco SSO server. However, once login is
complete, continued activity on the site no longer communicates with Cisco SSO servers.
f) After using 'Logout' button on Cisco websites and applications which have implemented a global logout action, i.e. logout that kills
your SSO session.
Note: This varies between application.
Logout from CEC, , Oracle EBS (iProc), applications kills your SSO session. www.cisco.com
Logout from Box does not kill your SSO session.
g) Also, note that some applications are not integrated with centralized SSO. These may require CEC credentials to log in, but these
handle login and/or validity of login sessions independently.
For example, , , and others.eman.cisco.com onramp.cisco.com cdanalytics.cisco.com
If you don't find SSO is working for you as described above, please open a case via and our support team can help At Your Service
investigate and resolve problems if required.
Can I reduce the number of times I need to enter username/password or do Duo MFA?
If you log in once at the start of your day and use that same browser window for the rest of the day, you should not be prompted to
log in again for 10 hours. Browser can be minimized if working on other things. But as long as window stays open and you just close
/open new tabs, SSO session stays valid. Please see above FAQ #6 for reasons why SSO session could be killed despite browser
window staying open.
Username/Password - It is on our short-term roadmap to enable Kerberos validation as part of the Web SSO login flow. Kerberos
validation is a combination of validating a certificate on your device and location on Cisco network.
If Kerberos validation is successful, Web SSO login will not require username/password entry.
Duo MFA - Make sure to check the 'Remember me' checkbox on Duo MFA prompt screen.
You may need to cancel the automatic push notification in order to see/check this box. But you should only need to do
Please note:
this once at the start of your day, per browser.
'Remember me' capability also requires the use of browser cookies. So if cookies are disabled, or deleted for whatever reason, or
you are switching between different browsers (e.g. chrome vs. firefox), you will be prompted again for Duo MFA.