Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

ADFS setup for SAML SSO for UC 10.x

This document outlines the basic steps required for configuring the Idp(ADFS) to enable SAML SSO on Cisco UC products like Communications Manager , Unity connection ,IM&Presence server  10.x.

Version history
Revision #:
1 of 1
Last update:
‎03-31-2014 12:08 AM
Updated by:
 
Labels (1)
Comments
New Member

What is the purpose of the Custom Claims rule ?

Per your instructions, you state to replace sections of the custom rule with the ADFS and the CUCM FQDN.   What is there are more than one CUCM node in the cluster?  How does this redundancy work ?    You mention to repeat steps 1 - 16 for Unity Connection, but I am wondering if steps 1 - 16 need to be performed for each CUCM / UCXN node in the cluster?

Cisco Employee

Custom Claim rule is required to send claims from ADFS to CUCM/UCXN based on values that are extracted from a Lightweight Directory Access Protocol (LDAP) attribute store using a custom LDAP filter. Here are select "uid" for outgoing claim in step 11.

Regarding the redundancy,  You need to create a Relying party trust entry in ADFS for each CUCM and UCXN servers. Ex: if you have 4 CUCM and 2 UCXN , you need to create all 6 Relying party trust in ADFS with steps 1-16 .

New Member

I know this topic is a few months old but hopefully someone is still monitoring it.  My question is related to the statement about creating multiple relying party trusts.  I am using a SAN certificate signed by my enterprise CA and the certificates are working properly on all servers.  I can create the first relying party trust and it works properly.  The problem is that since the cert is the same across the cluster it will not let me add a second rule, it tells me the signing certificate of the relying party trust is not unique.  If I can have all hostnames in the claim rule this would fix the issue.  I have tried different certificates on each server but I would like to use something other than the hostname to access the server and using a single cert does not let me do this.  Do you know a way to add multiple hostnames to the claim rule to make it work?

Thanks,

Erik

Cisco Employee

I guess your are using MULTISERVER certificate in CUCM and ADFS is throwing  error
 

If my understanding is correct , it’s a limitation on ADFS 2.0 and Check http://blog.msresource.net/2013/03/05/msis7613-the-signing-certificate-of-the-relying-party-trust-is-not-unique-across-all-relying-party-trusts-in-ad-fs-2-0-configuration/ It states the resolution is to upgrade to ADFS issue # 3 as previous version has a restriction where it expects and requires that each RP application utilize a unique token signing certificate. And in Issue #3 this restriction is waived

New Member

I have the same issue in my environment.  We are using CUCM with a multi-SAN certificate.  I am finding the same issue with ADFS not letting me add multiple relay trusts with the same certificate (error:  "MSIS7613: The signing certificate of the relying party trust is not unique across all relying party trusts in AD FS configuration").   However we are running ADFS 2.1 on Windows 2012.   The ADFS 2.0 Update Rollup #3 (http://support.microsoft.com/?id=2790338) only applies to Windows 2008, and not Windows 2012.  

I have searched for a while to find an appropriate update for Windows 2012 and haven't found anything.  I have found a solution on a blog that will work for Windows 2012.  The author mentioned that there is no update for Windows 2012 yet.  His solution is basically to install this update on a 2008 server and copy/edit the powershell scripts to run on 2012. 

Here is the blog: https://emnavarro02.wordpress.com/2014/01/28/windows-server-2012-adfs-2-1-erro-msis7613the-signing-certificate-of-the-relying-party-trust-is-not-unique-across-all-relying-party-trusts-in-ad-fs-2-0-configuration/

 

I have tested this in my environment.  When I ran the .\PostReleaseSchemaChanges.ps1 script, I had 1 error about copying the DLL and cer file to a directory that didn't exist (error on line 42 of the script).   Even though I had this error, ADFS works correctly for me now. I can add multiple relay trusts for CUCM with the same cert.