Have to get educated on SAML SSO Cluster Wide on CUCM 11.5.1

RAustin70
Level 1

I'm running an 11.5.1 Call Manager system with ~1500 users and we are running LDAP Sync on the UCM and Unity.  Bossman recently decreed we are going to change things up and go with LDAP Authentication / Single Sign On, so now I am scrambling to get educated quick on SAML SSO.  Our AD is not run by us so I am coordinating with another engineer to get the IdP and CoT set up.  The AD Team set a requirement to go cluster wide instead of per node, so I had to get a Multi Server SAN Tomcat Cert.  I found and followed - https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/118731-configure-san-00.html

All goes well until step 5: "Once you obtain the certificate, you must upload the CA certificate as tomcat-trust and then upload the CA-signed certificate as tomcat."  I submit the received certificate from our CA as tomcat-trust and that goes fine.  Then I try to submit it again as just Tomcat, I cannot modify the description, and I get the error "CSR SAN and Certificate SAN does not match".  I feel like I am missing something.

I can't move forward until I get this ironed out.  Are there any other guides available for Cluster Wide Certs, SAML SSO cluster wide in 11.5.1, or people who have lived through this with stories to tell?

Rob.

4 Replies

Jonathan Schulenberg
Hall of Fame
The Common Name and Subject Alternate Name attributes in the CSR must exactly match the certificate issued by your CA. Decode both using OpenSSL and compare the before and after values; if they don't match you must work with the CA to get them to exactly match; CUCM won't accept the certificate if they don't.

Thank you for your input!  I finally got a chance to decode the CSR and CER today, this is what came out (FQDN changed to protect the innocent):


CSR Information:
Common Name: ULDF-VLSC-UCMP1V.joe.blow.com
Subject Alternative Names: ULDF-AS-TFTP2V.joe.blow.com, uldf-as-imp2v.joe.blow.com, ULDF-VLSC-UCMS1V.joe.blow.com, joe.blow.com, ULDF-VLSC-UCMP1V.joe.blow.com, ULDF-AS-TFTP1V.joe.blow.com, ULDF-VLSC-UCMS2V.joe.blow.com, uldf-as-imp1v.joe.blow.com
Organization: U.S. Government
Organization Unit: AFRL
Locality: Rome
State: NY
Country: US


Certificate Information:
Common Name: ULDF-VLSC-UCMP1V.joe.blow.com
Subject Alternative Names: ULDF-VLSC-UCMP1V.joe.blow.com, ULDF-AS-TFTP1V.joe.blow.com, ULDF-AS-TFTP2V.joe.blow.com, ULDF-VLSC-UCMS1V.joe.blow.com, ULDF-VLSC-UCMS2V.joe.blow.com, uldf-as-imp1v.joe.blow.com, uldf-as-imp2v.joe.blow.com
Organization: U.S. Government
Organization Unit: DoD
Country: US
Valid From: March 26, 2018
Valid To: March 26, 2021
Issuer: CA-38, Uncle Sam
Serial Number: 217116 (0x3501c)


Could it be that they are not in the same order?!?

Rob

The CSR has a SAN of your Parent Domain "joe.blow.com" but this was removed from the issued certificate. The order doesn't matter.
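Jonathan's advice to decode both files with OpenSSL and compare them, together with the accepted answer's point that SAN order does not matter, as an added example (not code from the thread or from Cisco): a Python script that parses the text output of `openssl req -noout -text -in <csr>` and `openssl x509 -noout -text -in <cer>`, compares the subject CN and the DNS SAN sets case-insensitively, and reports which names the CA dropped or added. The embedded sample text is constructed from the hostnames Rob posted; the `CSR_TEXT`/`CERT_TEXT` names and the file layout are assumptions.

```python
import re

# Constructed samples shaped like `openssl req -noout -text -in cucm.csr` and
# `openssl x509 -noout -text -in cucm.cer`, trimmed to the relevant fields and
# built from the hostnames posted in the thread (not real decoder output).
CSR_TEXT = """Certificate Request:
    Data:
        Subject: C = US, ST = NY, L = Rome, O = U.S. Government, OU = AFRL, CN = ULDF-VLSC-UCMP1V.joe.blow.com
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:ULDF-AS-TFTP2V.joe.blow.com, DNS:uldf-as-imp2v.joe.blow.com, DNS:ULDF-VLSC-UCMS1V.joe.blow.com, DNS:joe.blow.com, DNS:ULDF-VLSC-UCMP1V.joe.blow.com, DNS:ULDF-AS-TFTP1V.joe.blow.com, DNS:ULDF-VLSC-UCMS2V.joe.blow.com, DNS:uldf-as-imp1v.joe.blow.com
"""
CERT_TEXT = """Certificate:
    Data:
        Issuer: O = Uncle Sam, CN = CA-38
        Subject: C = US, O = U.S. Government, OU = DoD, CN = ULDF-VLSC-UCMP1V.joe.blow.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ULDF-VLSC-UCMP1V.joe.blow.com, DNS:ULDF-AS-TFTP1V.joe.blow.com, DNS:ULDF-AS-TFTP2V.joe.blow.com, DNS:ULDF-VLSC-UCMS1V.joe.blow.com, DNS:ULDF-VLSC-UCMS2V.joe.blow.com, DNS:uldf-as-imp1v.joe.blow.com, DNS:uldf-as-imp2v.joe.blow.com
"""

SUBJECT_RE = re.compile(r"^\s*Subject:\s*(.+)$", re.MULTILINE)   # skips the Issuer line
CN_RE = re.compile(r"\bCN\s*=\s*([^,/]+)")                         # "CN = x" or "CN=x"
SAN_RE = re.compile(r"X509v3 Subject Alternative Name:[^\n]*\n\s*(.+)")

def parse_names(text):
    """Return (subject CN, set of DNS SANs) from openssl -text output.
    DNS names are case-insensitive, so everything is lower-cased."""
    subject = SUBJECT_RE.search(text)
    cn = CN_RE.search(subject.group(1)) if subject else None
    san = SAN_RE.search(text)
    sans = set()
    if san:
        for entry in san.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                sans.add(entry[4:].strip().lower())
    return (cn.group(1).strip().lower() if cn else None), sans

def compare(csr_text, cert_text):
    """Order-insensitive comparison; CUCM only accepts the tomcat upload when
    the CN matches and both difference lists are empty."""
    csr_cn, csr_sans = parse_names(csr_text)
    cert_cn, cert_sans = parse_names(cert_text)
    return {
        "cn_matches": csr_cn == cert_cn,
        "missing_from_cert": sorted(csr_sans - cert_sans),  # names the CA dropped
        "added_by_ca": sorted(cert_sans - csr_sans),        # names the CA added
    }

if __name__ == "__main__":
    print(compare(CSR_TEXT, CERT_TEXT))  # reports joe.blow.com as missing
```

Run against real files by reading the two `openssl ... -noout -text` outputs into strings and passing them to `compare()`; the same mismatch CUCM rejects shows up under `missing_from_cert` regardless of the order the CA listed the names in.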