ravi.kumar1
Beginner

UCCX 11.6 SSO with Azure as IDP

I've been testing UCCX 11.6 SSO with Azure as IDP. There is no real document available which gives the steps to perform on the Azure side. I found a document for CuCM, which worked with CuCM at the first attempt, and I thought to replicate it for UCCX, taking the below points into consideration from the SRND:

The following are the expectations from SAML Response:

• The entire SAML response (message and assertion) is signed or only the message is signed but not the SAML assertion alone is signed.
• SAML Assertion must not be encrypted.
• SAML response must be signed using SHA-128.
• NameIDFormat in SAML response must be urn:oasis:names:tc:SAML:2.0:named-format:transient.
• uid and user_principal attributes should be present in SAML assertion in the AttributeStatement section. The "uid" attribute value must be the user Id using which users log in to Cisco contact centre applications that are SSO enabled and the "user_principal" attribute value must be in uid@domain format.

My SSO test on UCCX has been successful, then no problem when I enable it from the UCCX admin page. I am also able to get into the GUI using SSO, CuIC as well, but not on Finesse. On Cisco Finesse I keep getting the below error:

[Image: sso.JPG]

Below is my SAML signing config from the Azure side:

[Image: saml.JPG]

Not sure if it is a bug. While setting up SSO I faced this bug, which I found on Google for UCCE, then I asked TAC to perform the workaround: https://quickview.cloudapps.cisco.com/quickview/bug/CSCvm57749

1 ACCEPTED SOLUTION

ravi.kumar1
Beginner

The issue was of case-sensitivity. As soon as I matched it with Azure, it fixed the issue.

4 REPLIES 4

Hi Ravi,

Can you tell me what certificate you are using and what kind of user claim you are using?

I have tried signing response with configuration as per your screenshot, and user claim below

default = user.onpremiseprinciple

uid = user.onpremisesamaccount

user_principle = user.onpremiseprinciple

Still not able to pass the SSO test.

Thanks,

Have your claims defined the way mentioned below:

uid  ->  user.onpremisessamaccountname
user_principal  -> user.userprincipalname
Unique User Identifier  -> user.onpremisessamaccountname

Also, if your Azure redirects to ADFS for authentication and between them there is WS-Fed defined, SSO won't work on 11.6.

Let me know if you have such a setup; I can help you isolate the problem. If you don't, the above attributes and claims would be enough to make the SSO test successful.

Thanks Ravi,

I will try the user claim by your suggestion below:

uid  ->  user.onpremisessamaccountname
user_principal  -> user.userprincipalname
Unique User Identifier  -> user.onpremisessamaccountname
And the Azure is not redirecting to ADFS for authentication.
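
Added example, not part of the thread and not Cisco or Azure tooling: a Python check that runs the SRND expectations quoted in the first post against a decoded SAML response and flags a missing message signature, an encrypted assertion, and `uid`/`user_principal` claims whose name or value differs only in case. The function name, the `expected_uid` parameter (the login ID as configured in UCCX) and the sample response are assumptions constructed for illustration; the thread does not say which field had the case mismatch, so both names and values are checked.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_saml_response(xml_text, expected_uid):
    """Return findings for a decoded SAML response (str); an empty list means none."""
    if "<!DOCTYPE" in xml_text:  # never process DTDs/entities in IdP-supplied XML
        return ["DOCTYPE present, refusing to parse"]
    root = ET.fromstring(xml_text)
    findings = []
    # A message-level signature is a direct child of <samlp:Response>.
    # Presence check only: this does not validate the signature.
    if root.find("ds:Signature", NS) is None:
        findings.append("response message is not signed")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("assertion is encrypted")
    attrs = {}
    for attr in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name", "")] = (value.text or "").strip() if value is not None else ""
    for name in ("uid", "user_principal"):
        if name not in attrs:  # claim names are compared case-sensitively
            near = [n for n in attrs if n.lower() == name]
            findings.append(f"attribute {name} sent as {near[0]}" if near
                            else f"attribute {name} is missing")
    uid = attrs.get("uid")
    if uid is not None and uid != expected_uid:
        kind = "differs only in case from" if uid.lower() == expected_uid.lower() else "does not match"
        findings.append(f"uid value {uid} {kind} {expected_uid}")
    upn = attrs.get("user_principal")
    if upn is not None:
        local, sep, domain = upn.partition("@")
        if not (local and sep and domain):
            findings.append("user_principal is not in uid@domain format")
    return findings

# Constructed sample (not from the thread): the claim name "UID" uses the wrong case.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature/>
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="UID"><saml:AttributeValue>JDoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user_principal"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE, "jdoe"))
```

Feed it the base64-decoded `SAMLResponse` captured from a test login in your own tenant; it reports configuration mismatches only and is not a substitute for signature validation.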
 