Webex SSO with ADFS 2019

IT-Sauer
Level 1

Hi Community,

 

I am trying to establish an SSO configuration with ADFS on Microsoft Server 2019.

 

I used this documentation:

 

https://help.webex.com/en-us/nyx7kubb/Configure-Single-Sign-On-in-Cisco-Webex-Control-Hub-With-Active-Directory-Federation-Services

 

When I click the "Test SSO Connection" button, I am getting redirected to our ADFS site as expected. But when I insert my credentials, I get an error: Invalid Status code in Response.

In the Eventlog on the ADFS server I do not get any errors or warnings.

 

In the Claim Issuance Policy of the Relying Party Trust I have two rules, as described in the documentation:

1. The Attributes Rule: LDAP Attribute --> uid

2. The Custom Role:

 

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer,
          OriginalIssuer = c.OriginalIssuer,
          Value = c.Value,
          ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://myfqdn/adfs/services/trust",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://idbroker-.....");

 

Does anyone know what to do for troubleshooting?

If you need more Information please let me know.

 

Thank you and kind regards,

 

BS

3 Replies

maqsood ahmed
Level 1

 

The certificate revocation list is provided by the IdP. Since you are using SSO with ADFS, this is something that needs to be checked by your ADFS team. In case it is enabled, you will need to turn it off using the following command:

Hello & thanks for your response,

 

Which command did you mean?

 

Is it necessary to set the SigningCertificateRevocationCheck and EncryptionCertificateRevocationCheck of the Party trust to none?

josviz
Cisco Employee

Hello @IT-Sauer,

Did you get it fixed? As per the problem description, it seems to be an issue with the relying party trust’s encryption certificate being invalid and having been revoked. You should see the attempt in the Event Viewer log on your ADFS server.

Something similar to "An error occurred during an attempt to build the certificate chain...". Run the following PowerShell commands to disable the CRL check for the Relying Party certificates:
Set-AdfsRelyingPartyTrust -TargetName "Cisco WebEx" -EncryptionCertificateRevocationCheck None
Set-AdfsRelyingPartyTrust -TargetName "Cisco WebEx" -SigningCertificateRevocationCheck none
Just change the TargetName and use your own Relying Party Trust name.

Please rate if it's “Helpful”.
If this answered your question please click “Accept as Solution”.
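
The replies above suggest setting both revocation checks on the trust to None. As an added example (not part of the original thread), this read-only PowerShell sketch shows how to confirm first whether revocation checking is what fails and why. It assumes an elevated session on the AD FS server and the trust name "Cisco WebEx" used in the reply; the helper name Test-CertRevocation is hypothetical.

```powershell
# Added example: read-only diagnostics, changes nothing on the AD FS server.
# Assumption: $TrustName is the display name of your own relying party trust.
$TrustName = 'Cisco WebEx'

# 1. Current revocation settings on the trust.
$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $rp) { throw "No relying party trust named '$TrustName'" }
$rp | Format-List Name, Identifier, SigningCertificateRevocationCheck,
                  EncryptionCertificateRevocationCheck

# 2. Build each certificate's chain with online revocation checking and
#    report the failure reason instead of a bare pass/fail.
function Test-CertRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        Subject  = $Cert.Subject
        NotAfter = $Cert.NotAfter
        ChainOk  = $ok
        Status   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# The trust holds one encryption certificate and zero or more signing certificates.
$certs = @($rp.EncryptionCertificate) + @($rp.RequestSigningCertificate) |
    Where-Object { $_ }
$certs | ForEach-Object { Test-CertRevocation $_ } | Format-List

# 3. Recent AD FS Admin events that mention chain building or revocation.
Get-WinEvent -FilterHashtable @{
        LogName   = 'AD FS/Admin'
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'certificate chain|revocation' } |
    Select-Object -First 5 TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# Reading the Status column:
#   RevocationStatusUnknown / OfflineRevocation -> CRL or OCSP endpoint not
#       reachable from this server (often blocked outbound HTTP).
#   Revoked / NotTimeValid -> the certificate stored in the trust is the problem.
```

The chain is built in the context of the logged-on administrator, so proxy or firewall rules that apply only to the AD FS service account can give a different result. With both checks set to None, AD FS no longer notices if the relying party's certificate is later revoked.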