
Error when enabling SSO with UCCX 12.5

In my UCCX lab, I am trying to configure SSO.

UCCX: 12.5 &

Windows Server 2012 (AD + DNS + CA + ADFS), all in one box

I followed the steps mentioned in the link below:

Configure the Identity Provider for Cisco Identity Service to enable SSO

When I try to execute the last step in the document:

"Enable Signed SAML Assertions for the Relying Party Trust (Cisco Identity Service)"

I am getting the below error message on my Windows AD server:


I tried to search Microsoft-related websites, but I couldn't understand everything listed there.

On my UCCX, when I try to test SSO from the IdS side,

I get the below:


VIP Mentor

This isn't the solution to your problem, but did you see that 12.5(1)ES1 came out and addresses some SSO changes?


Updated Features

In SSO mode the access token and refresh tokens are changed to 'httponly' mode cookies for security reasons.

Cisco Finesse REST APIs are enhanced to get the access token and refresh tokens in the response body.
Third-party clients who were relying on the SSO cookie values must change their JavaScript APIs to use the enhanced Finesse REST APIs.
Fetch Access Token API endpoint ( has a new optional parameter return_refresh_token=true|false to get the refresh token in the response body. Note: When you use the return_refresh_token=true query parameter in Single Sign-On—Fetch Access Token API, access token and refresh token cookies are not added to the response. All information is provided as part of the response body, which can be directly used by the third-party clients.
Use this query parameter when third-party clients use Cisco Finesse SSO APIs alongside Finesse desktop in the same browser. Using this query parameter prevents agent logging out from Finesse desktop due to the override of the desktop cookie due to third-party client activity.
On Refreshing existing access token, use the new optional parameter refreshtoken=<refresh token value> along with the existing token in the query parameter. Note: If the token was initially fetched with the return_refresh_token=true query parameter, then the refresh token in request payload is mandatory.


Hi Anthony,

"Enable Signed SAML Assertions for the Relying Party Trust (Cisco Identity Service)"
was the last step in the SSO configuration, and I couldn't execute it on the Windows AD server,
and faced the mentioned error message in Windows PowerShell.

Hi eslam rizk,

Skip that Step 2 and move to the next step, i.e. Step 3, as the cmdlet is already enabled on Windows 2012 & 2016.