Cisco Support Community

CUCM 10.x SAML/SSO with ADFS2.0

Cisco Employee

 

Introduction

 

Cisco provides many services in different forms. As an end user, I want to sign on once for all of my Cisco services. I want to find and manage my contacts from any of my Cisco applications and devices, leveraging all possible sources (Corporate Directory, Outlook, mobile contacts, Facebook, LinkedIn, history) and have them rendered in a common and consistent way that gives me the information I need to know their availability and how best to contact them.

Single Sign On using SAML targets exactly this requirement. Through SAML/SSO we provide the ability to log into multiple devices through a common account and a common authentication authority called the IDP (Identity Provider).

 

The overall objective of this work is to provide a scalable, standards-based Single Sign On mechanism for our Unified Communications products. Single Sign On gives a better user experience, as the user needs to enter their authentication credentials only once to access the different UC services.
To build such a solution, a common identity infrastructure is needed, and it was agreed to take this up. As an outcome, the Common Identity Stack Architecture (CIS) was proposed with the following functionalities:
o Common Identity/Directory Source
o SAML-based authentication
o SSO via SAML
o OAuth-based authorization

Here is how the flow works when using SAML/SSO with CUCM 10.x and ADFS 2.0:

  1. We create a SAML integration between CUCM 10.x and ADFS.
  2. When you try to log on to the CUCM admin page or user page, the request is redirected to the IDP (ADFS).
  3. The IDP then prompts you to enter the credentials for login.
  4. Once the credentials are authorized, the IDP redirects us back to CUCM.
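To make step 2 concrete, the following Python example (added here, not part of the original document or of Cisco's code) builds the SAML AuthnRequest a service provider such as CUCM sends, encodes it with the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoded query string), then decodes it the way a browser SAML tracer would and checks that the Destination, AssertionConsumerServiceURL and Issuer match the endpoints the SP expects. The host names, the SP entity ID and the ACS URL are placeholders I chose for the example, not values from the page.

```python
"""SP-initiated SAML redirect (step 2 of the flow above), constructed example."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints; placeholder host names, not values from the page.
SP_ENTITY_ID = "cucm10pub.example.internal"
ACS_URL = "https://cucm10pub.example.internal/ssosp/saml/SSO/alias/cucm10pub.example.internal"
IDP_SSO_URL = "https://adfs.example.internal/adfs/ls/"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def build_authn_request(request_id=None, issue_instant=None):
    """Build the AuthnRequest the SP hands to the browser for delivery to the IdP."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        '<samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" '
        'AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def encode_redirect(xml_text, relay_state):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    params = {
        "SAMLRequest": base64.b64encode(deflated).decode("ascii"),
        "RelayState": relay_state,
    }
    return IDP_SSO_URL + "?" + urlencode(params)


def decode_redirect(url):
    """Reverse the binding, as a browser SAML tracer does; returns (xml, relay_state)."""
    query = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml_text = zlib.decompress(deflated, -15).decode("utf-8")
    return xml_text, query.get("RelayState", [None])[0]


def check_authn_request(xml_text):
    """Return a list of mismatches between the request and the expected SP/IdP endpoints."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != f"{{{NS['samlp']}}}AuthnRequest":
        return ["not an AuthnRequest"]
    if root.get("Destination") != IDP_SSO_URL:
        problems.append("Destination does not match the IdP SSO endpoint")
    if root.get("AssertionConsumerServiceURL") != ACS_URL:
        problems.append("AssertionConsumerServiceURL does not match the SP's ACS")
    issuer = root.find("saml:Issuer", NS)
    if issuer is None or issuer.text != SP_ENTITY_ID:
        problems.append("Issuer is not the SP entity ID")
    return problems


if __name__ == "__main__":
    req = build_authn_request()
    url = encode_redirect(req, "/ccmadmin/")
    decoded, relay = decode_redirect(url)
    print("round trip ok:", decoded == req, "relay:", relay)
    print("problems:", check_authn_request(decoded))
```

When troubleshooting a redirect loop, paste the SAMLRequest value captured by a browser tracer into decode_redirect and compare Destination against the ADFS /adfs/ls/ endpoint and AssertionConsumerServiceURL against the CUCM node's ACS; a mismatch there means the browser is being sent to the wrong party before credentials are ever involved.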
 

 

 

Prerequisites

 

In order to configure SAML/SSO with CUCM 10.x and ADFS 2.0 as the IDP, the prerequisites are the following:

 

  1. DNS server and DNS enabled in the network.
  2. LDAP integration of CUCM with an Active Directory server.
  3. An Active Directory server running Active Directory Federation Service version 2.0 (adfs2.0).

 

Components Used

 

  1. Windows 2008R2 server with Active Directory and domain controller roles.
  2. Active Directory Federation service version 2.0 on one of the Active Directories within the domain.
  3. CUCM version 10.x.
  4. DNS server.

 

Configure

 

  1. Attached to this document is a video that walks through configuring SAML/SSO with CUCM 10.x and ADFS 2.0. The first video covers the installation of ADFS on a Windows 2008 R2 server with AD. The second video contains the integration steps. The ADFS 2.0 installation video can be found at the following URL: https://supportforums.cisco.com/video/12155571/cucm-10x-samlsso-adfs20-installation
  2. Also attached is a small troubleshooting guide to help you find the Claim Rules.
  3. A configuration guide PDF is attached as well.
  4. The Call Manager image used in the video is CUCM 10.0.0.98000-309.
17 Comments
New Member

That unity connection document has some serious problems with the text formatting for the claim rule. I managed to get things working with the following custom claim rule in addition to the NameID:uid rule

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://ad.org.internal/adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "pub.org.internal");

Hope this helps someone else along the way
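The custom claim rule in the comment above issues a NameID with a transient format, a NameQualifier naming the ADFS federation service and an SPNameQualifier naming the CUCM publisher. The following Python example (added here; not the commenter's code and not Cisco's) shows what those properties look like once they land in the SAML Response, and runs the consistency checks a service provider applies to them: status, issuer, NameID format and qualifiers, audience, and the validity window. The entity IDs, the sample response and the uid attribute value are all constructed placeholders, not values from the page. Signature verification is deliberately left out; a real SP verifies the signature before anything else.

```python
"""Consistency checks on a SAML Response, focused on the NameID properties the
custom claim rule above sets. Constructed example with placeholder identifiers."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical identifiers: the ADFS federation service identifier and the CUCM publisher.
IDP_ENTITY_ID = "http://adfs.example.internal/adfs/services/trust"
SP_ENTITY_ID = "cucm10pub.example.internal"

# Constructed sample response, shaped like the assertion the claim rule would yield.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2014-06-01T10:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-06-01T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{TRANSIENT}" NameQualifier="{IDP_ENTITY_ID}"
          SPNameQualifier="{SP_ENTITY_ID}">_t9f2c1</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-06-01T09:59:00Z" NotOnOrAfter="2014-06-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, now):
    """Return the list of mismatches; an empty list means the response fits this SP."""
    root = ET.fromstring(xml_text)
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in response"]
    issuer = assertion.find("saml:Issuer", NS)
    if issuer is None or issuer.text != IDP_ENTITY_ID:
        problems.append("Issuer is not the expected IdP")
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        problems.append("no NameID in Subject")
    else:
        if nameid.get("Format") != TRANSIENT:
            problems.append("NameID Format is not transient")
        if nameid.get("NameQualifier") != IDP_ENTITY_ID:
            problems.append("NameQualifier does not match the IdP entity ID")
        if nameid.get("SPNameQualifier") != SP_ENTITY_ID:
            problems.append("SPNameQualifier does not match the SP entity ID")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
            problems.append("outside the NotBefore/NotOnOrAfter window")
        audience = cond.find("saml:AudienceRestriction/saml:Audience", NS)
        if audience is None or audience.text != SP_ENTITY_ID:
            problems.append("Audience does not match the SP entity ID")
    return problems


def extract_attribute(xml_text, name):
    """Return the first value of the named attribute statement (e.g. uid), or None."""
    root = ET.fromstring(xml_text)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == name:
            value = attr.find("saml:AttributeValue", NS)
            return value.text if value is not None else None
    return None


if __name__ == "__main__":
    now = datetime(2014, 6, 1, 10, 1, tzinfo=timezone.utc)
    print("problems:", check_response(SAMPLE_RESPONSE, now))
    print("uid:", extract_attribute(SAMPLE_RESPONSE, "uid"))
```

Feeding a response captured with a browser SAML tracer into check_response pinpoints the usual claim-rule mistakes: a persistent or unspecified NameID format, an SPNameQualifier that names the wrong host, or a validity window that the SP's clock has already left because of clock skew between CUCM and the ADFS server.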

Cisco Employee

There was a doc defect created, and the document has now been updated with the correct syntax for the Claim Rule;

here is the link;

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration/guide/10xcucsagx/10xcucsag112.html#32035

New Member

Thanks for the nice video on SSO configuration.

What is the user account limit in ADFS? If we assign multiple users admin rights, can they also log into the system?

 

Would this work for CUC, UCCX, and IMP?

Cisco Employee

Hi Amit

 

There is no limit to the number of admin accounts. You can have all your AD-imported users as admins if you wish to.

Yes, it is very much possible for IMP and CUC. You have to follow the same steps for them.

Unfortunately for UCCX this is not yet available.

New Member

Hello,

 

I am also getting an error when uploading the claim file...

How can I fix it the correct way?

"c:[Type=="http://schemas.microsoft.com/ws/2008/06/identity/claims/windows account name"]=> issue(Type= "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer= c.Issuer, Originallssuer= c.Originallssuer, Value= c.Value, ValueType=c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"]="urn:oasis:names:tc:SAML:2.0:nameid-format: transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"]="http://TP-ADSV.cgc-lab.com/adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"]="cucm10pub.cgc-lab.com");"

New Member

I tried the claim rule from this link, but it is still showing that the claim rule is not correct...

New Member

Hello Team,

 

Thanks for the nice video session on SSO...

I am getting this error when trying on CUCM....

New Member

getting error:"

 

Cisco Employee

Hi Amit

 

Sorry for the delayed response. If you are still running into it, just copy your claim rule to Textpad, remove all the ; and replace them with ".

this should get you going.

thanks

sarthak

New Member

Hi Sarthak,

 

Do we need to add AD as an account store in AD FS, or is it taken care of as part of the ADFS federation server configuration wizard? How does AD FS know about the AD server to redirect to?

When I run the SSO test it prompts me for credentials, but it doesn't get beyond that and keeps prompting. I followed everything as per the doc.

 

Thanks

Sriram

Cisco Employee

HI Sriram

 

You do not need to add AD as an account store; that should happen when you run the federation wizard.

Have you ensured that the user that you are using is a CCM Admin and a CCM Super User as well?

 

Thanks

Sarthak

New Member

Hi Sarthak,

 

Yes, the user is a superuser and hence it's showing up in the SSO test page also. Any other checks?

I am not able to open your AD FS installation URL either; it says not authorized.

Regards

Sriram

Cisco Employee

Can you send a normal authentication POST query to the AD from a PC and check if that works?

I just checked; it seems like the URL got disabled. You can view the installation videos here:

https://techzone.cisco.com/t5/Other-CUCM-Applications/CUCM-10-x-SAML-SSO-with-ADFS2-0/ta-p/466577

 

thanks

sarthak

New Member

Hi Sarthak,

 

Can you elaborate on how to do that? If you are asking whether AD authentication works for the user I am using: yes, it works, as auth is enabled in CUCM and I am able to open the Self Care portal for the user.

 

Regards

Sriram

 

Cisco Employee

Ok. In that case we will need to have a look at the SAML/SSO logs and the Mozilla packet traces to check at which point it is failing.

If you are using Mozilla, can you quickly download a plugin called SAML tracer and then run the test again with SAML tracer enabled? This will tell us exactly where the request bounces from.

Regards

Sarthak

New Member

Hi Sarthak,

 

I am using Chrome to do this, but I can try Firefox and see if I can get something. For the SAML/SSO logs, is it from CUCM that we can collect and analyse them?

 

Regards

Sriram

 

Cisco Employee

Yes.

Here are the locations:

 

• Configuration logs:

  ccmadmin: only on the node where the admin configures SSO.

      /var/log/active/tomcat/logs/ccmadmin/log4j/ccmadmin*.log

  Backend: on all the nodes in the cluster.

      /var/log/active/platform/logs/ssoApp*.log

• SAML Request/Response processing:

      /var/log/active/tomcat/logs/ssosp/log4j/ssosp*

 

Thanks

Sarthak
