cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
24722
Views
31
Helpful
32
Replies

SSO with CUCM 10.5 and ADFS 3.0

mbaker33
Level 1
Level 1

Hello,

 

We recently updated our CUCM/CUPS/CUC system to 10.5 in order to take advantage of the SSO capabilities that are now built in.  All of the documentation points to ADFS 2.0, and we have an ADFS 3.0 implementation.  I am trying to figure out if this is an issue with the Claims Rule code, or if CUCM simply doesn't support ADFS 3.0.  

 

We have gone through the following links:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration/guide/10xcucsagx/10xcucsag112.html#32035

https://supportforums.cisco.com/video/12155556/cucm-10x-samlsso-adfs20

 

But we are having trouble configuring the Custom Claims Rule, we get the attached error.

 

The rule we are applying is as follows, but with actual server names:

"c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, Originallssuer = c.Originallssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:3.0:nameid-format: transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://adfsserver.domain.com/adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "phoneservername.domain.com");"

 

32 Replies 32

Hi,

i have exactly same issue. I cant enable the SAML Single Sign-On as i came not across the "Run SSO Test" .

First time i test i got a prompt for login and than after some time i have also "Error while processing SAML Response." and the SSO Test timed out in the background.

@Mark
Could you make it run ?

Any idea someone?

No, mine seems to fail almost immediately.  I have had a TAC case open, and it finally got escalated yesterday afternoon.  I have a WebEx scheduled for noon EST today and will relay anything we find out.

 

My hunch is, it is something to do with certificates, or some silly misconfiguration on our end in CUCM.

I fixed the Problem.

For me it was a time issue. The ADFS Server was 10 minutes in the future and the CUCM was correct. :-) Thats because i tried this in LAB with no really time Server :-)

In RTMT traces (SSO_log4j) we saw this one:

2015-01-07 15:28:17,924 ERROR [http-bio-443-exec-180] authentication.SAMLAuthenticator - Error while processing saml responseInvalid SAML Response. SAMLResponse is outside the validity window.
com.sun.identity.saml2.common.SAML2Exception: Invalid SAML Response. SAMLResponse is outside the validity window.
 
Check your time on CUCM and ADFS Server, maybe ist the same.

Our servers are within a second of each other, since we use NTP.  We are getting the following error in our logs.  

 

2015-01-06 16:01:37,805 ERROR [http-bio-443-exec-276] authentication.SAMLAuthenticator - Error while processing saml responseInvalid Status code in Response.

When you're on the SAML SSO configuration page are your servers listed by IP address or FQDN? I'm curious if this has to do with your "System -> Server" setting. There might be a correlation between the two.

The very first SAML SSO page shows them with the FQDN, which seems like that would be right.  I was kind of thinking the same thing as you, but changing that settings has so many more ramifications that I won't be trying it unless TAC is on the line.  :)

Indeed. That does impact a few other things. The primary thing is to make sure all your endpoints have DNS servers and a DNS suffix search. Once the callmanager process is operating via FQDN everything needs to be able to resolve the CUCM nodes. Obviously changing it requires service restarts.

That shouldn't be directly related to what is happening between Tomcat and the browser so I was going out on a limb.

TAC basically suggested I use OpenAM, which isn't really an option.

 

The one thing they did point out is in the documentation (which is specific to OpenAM) it has a series of steps for creating a circle of trust.  It was my understanding that the circle of trust was created when you go through the process of enabling SSO.  Did I skip a step?  Also, was there anything specific I needed to do with the CA signed certs to "enable them for SSO"?  I don't think so, but that was another thing that was mentioned.

 

Thanks again,

 

Mark

WOW! That is a terrible suggestion since the documentation covers ADFS.

http://docwiki.cisco.com/wiki/SAML_SSO_Configure_Microsoft_Active_Directory_Federation_Services_Identity_Provider_on_Windows_Platform

Also the related links at the bottom cover ADFS configuration

 

 

Holy crap, apparently, I must have had something off in my claim rule despite it being accepted successfully.  I copied the one from that document, and now it's working!!!  THANK YOU!!!

Awesome!
 

Hi,

I've got the same behavior, what was the exact solution?

Thanks!

 

 

Our issue was with the claims rule.  I followed this document, copied the claim rule and it worked perfectly.

 

http://docwiki.cisco.com/wiki/SAML_SSO_Configure_Microsoft_Active_Directory_Federation_Services_Identity_Provider_on_Windows_Platform

 

I have exactly the same issue, my sso is working for selfcare portal but for acess cucm administration page it asks always for credentials. Cucm is 11.0 and adfs3.0 . It Looks more certificate issue than sso issue. I dont see sso errors. Can someone help?

 

Dear All,

 

We are integrating CUCM 10.5 with ADFS 3.0 for SSO, while running SSO test from CUCM we are getting following error and ADFS event log attached.

 

Please suggest your view on this.... thanks in advance.

 

 When we test the ADFS SSO using - https://<ADFS FQDN>/adfs/ls/IdpInitiatedSignon.aspx is working fine.

 

We have followed below url configuration procedure:

http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118771-configure-samlsso-00.html 

http://docwiki.cisco.com/wiki/SAML_SSO_Configure_Microsoft_Active_Directory_Federation_Services_Identity_Provider_on_Windows_Platform#sthash.rlonShgn.dpuf

 

 

 

"

Description:
The SAML authentication request had a NameID Policy that could not be satisfied. 
Requestor: ISIN2022.Domain.COM.SG 
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient 
SPNameQualifier: ISIN2022.Domain.COM.SG 
Exception details: 
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. 
Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: ISIN2022.Domain.COM.SG. Actual NameID properties: Format: urn:oasis:names:tc:SAML:2.0:nameid−format:transientoasis:names:tc:SAML:2.0:nameid−format:transient, NameQualifier: http://adfs.Domain.com.sg/adfs/com/adfs/services/trust SPNameQualifier: ISIN2022.Domain.COM.SG, SPProvidedId: . 

This request failed. "

best regards,

Naveen

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: