09-08-2020 05:43 AM
Hi Community,
I am trying to establish an SSO configuration with ADFS on Microsoft Server 2019.
I used this documentation:
When I click the "Test SSO Connection" button, I am redirected to our ADFS site as expected. But when I enter my credentials, I get an error: Invalid Status code in Response.
In the event log on the ADFS server I do not get any errors or warnings.
In the Claim Issuance Policy of the Relying Party Trust I have two rules, as described in the documentation:
1. The Attributes Rule: LDAP Attribute --> uid
2. The Custom Role:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://myfqdn/adfs/services/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "https://idbroker-.....");
Does anyone know what to do for troubleshooting?
If you need more information, please let me know.
Thank you and kind regards,
BS
09-08-2020 05:55 AM
The certificate revocation list is provided by the IdP. Since you are using SSO with ADFS, this is something that needs to be checked by your ADFS team. In case it is enabled, you will need to turn it off using the following command:
09-08-2020 07:10 AM
Hello & thanks for your response,
Which command did you mean?
Is it necessary to set the SigningCertificateRevocationCheck and EncryptionCertificateRevocationCheck of the Relying Party Trust to None?
02-01-2023 08:37 PM
Hello @IT-Sauer,
Did you get it fixed? As per the problem description, it seems to be an issue with the relying party trust's encryption certificate being invalid and having been revoked. You should see the attempt in the Event Viewer log on your ADFS server.
Something similar to "An error occurred during an attempt to build the certificate chain..." Run the following PowerShell commands to disable the relying party certificate CRL check:
Set-AdfsRelyingPartyTrust -TargetName "Cisco WebEx" -EncryptionCertificateRevocationCheck None
Set-AdfsRelyingPartyTrust -TargetName "Cisco WebEx" -SigningCertificateRevocationCheck None
Just change the TargetName and use your own Relying Party Trust name.
Please rate if it's “Helpful”.
If this answered your question please click “Accept as Solution”.
11-27-2024 05:54 PM
Hi, I have the same problem. How did you resolve it?
12-01-2024 05:31 PM
@collinks2 see my previous post on 02-01-2023, it's an ADFS Cert revocation issue. Use the PowerShell commands provided to fix it.
12-02-2024 04:17 AM
I have done it, but still the same error.
12-02-2024 09:35 AM
@collinks2 based on your specific TrackingID, you have a time mismatch in your ADFS server. This is the error based on the screenshot provided:
com.sun.identity.saml2.common.SAML2Exception: Time is not valid in Conditions of Assertion.
Please follow this:
Ensure that your ADFS server's system clock is synchronized to a reliable Internet time source that uses the Network Time Protocol (NTP). Use the following PowerShell command to skew the clock for the Webex Relying Party Trust relationship only.
Set-ADFSRelyingPartyTrust -TargetIdentifier "https://idbroker.webex.com/$ENTITY_ID_HEX_VALUE" -NotBeforeSkew 3
The hexadecimal value is unique for your environment. Please replace the value from the SP EntityDescriptor ID value in the Webex metadata file.
Please rate if it's “Helpful”.
If this answered your question please click “Accept as Solution”.
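As an added example that is not part of this thread and not Cisco's or Microsoft's own code: a read-only PowerShell diagnostic that shows the current state of the relying party trust discussed in the 02-01-2023 post (the two revocation-check settings) and the 12-02-2024 post (NotBeforeSkew and clock synchronisation) before anything is changed. It assumes it runs in an elevated session on the ADFS server with the ADFS module available, and uses the trust name "Cisco WebEx" from the thread; the function name Test-RpCertificateChain is my own. The chain test builds each trust certificate's chain with online revocation checking, so an ADFS server that simply cannot reach the CRL distribution point (RevocationStatusUnknown / OfflineRevocation) can be told apart from a certificate that is actually revoked, which is the distinction worth knowing before revocation checking is switched to None.

```powershell
# Added diagnostic, not from the thread. Reads a relying party trust's settings and
# certificate chain status; it changes nothing. Assumes the ADFS PowerShell module.
param(
    # Trust name as used in the thread; replace with your own Relying Party Trust name.
    [string]$TrustName = "Cisco WebEx"
)

Import-Module ADFS -ErrorAction Stop

$rp = Get-AdfsRelyingPartyTrust -Name $TrustName
if (-not $rp) { throw "Relying party trust '$TrustName' not found." }

"Identifier(s):                        $($rp.Identifier -join ', ')"
"EncryptionCertificateRevocationCheck: $($rp.EncryptionCertificateRevocationCheck)"
"SigningCertificateRevocationCheck:    $($rp.SigningCertificateRevocationCheck)"
"NotBeforeSkew:                        $($rp.NotBeforeSkew)"
"Issuance transform rules:"
$rp.IssuanceTransformRules

# Hypothetical helper (my own name): build the chain with online revocation checking and
# report each chain status element, so 'CRL unreachable' and 'revoked' are distinguishable.
function Test-RpCertificateChain {
    param(
        [string]$Label,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    if (-not $Cert) { "$Label : (none configured)"; return }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot

    $ok = $chain.Build($Cert)
    "$Label : $($Cert.Subject) (expires $($Cert.NotAfter.ToString('u')))"
    if ($ok) {
        "  chain OK, revocation verified online"
    } else {
        # Typical values: RevocationStatusUnknown / OfflineRevocation (CRL not fetched),
        # Revoked (really revoked), NotTimeValid (expired), PartialChain (issuer missing).
        foreach ($s in $chain.ChainStatus) {
            "  $($s.Status): $($s.StatusInformation.Trim())"
        }
    }
}

Test-RpCertificateChain -Label "Encryption certificate" -Cert $rp.EncryptionCertificate
foreach ($c in $rp.RequestSigningCertificate) {
    Test-RpCertificateChain -Label "Request signing certificate" -Cert $c
}

# Clock check for the 'Time is not valid in Conditions of Assertion' case: shows the
# configured time source and the last successful synchronisation.
w32tm /query /status
```

If the chain output shows RevocationStatusUnknown or OfflineRevocation, the underlying cause is that the ADFS server cannot download the CRL (commonly a proxy or egress firewall rule), and fixing that keeps revocation checking in place; the Set-AdfsRelyingPartyTrust commands in the thread are the workaround when that is not possible. If w32tm reports no recent successful sync, correct the time source first and keep NotBeforeSkew as small as the environment allows, since the skew widens the window in which an assertion is accepted.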
12-03-2024 02:21 AM
12-04-2024 06:50 AM
@collinks2 CUCM is not my area of expertise, but take a look at this guide; it seems you are missing a step:
@IT-Sauer do you mind confirming if the PowerShell commands provided solved the initial issue reported?
Please rate if it's “Helpful”.
If this answered your question please click “Accept as Solution”.
12-04-2024 08:25 AM
Yes, the PowerShell command resolved the initial issue reported. I stated it in my response: "Yes, that command has fixed the issue."