Jabber, Expressway & SSO

Gordon Ross (Level 9)

I think I've followed the instructions at https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/216948-configure-saml-sso-on-cisco-unified-comm.html to set up SSO for CUCM & Expressway.

CUCM is working fine, as is Jabber when on-site.

But when I use Jabber remotely, it still uses CUCM authentication.

What am I likely to have missed / be doing wrong?

Please rate all helpful posts.

Can you please share your configuration from your MRA C for this?


I think you might have posted the wrong screenshot.

Doh! Fixed.


Looks correct from what I can tell. What is the log in C saying? Could you also verify that the Enterprise Parameters for SSO are set per the recommendation?

Gordon Ross (Level 9)

I opened a support case. It seems we were hitting BugID CSCux56434 (SAML Response has more than one signing certificate and Expressway can't cope with it).

The workaround section is "minimal" to say the least: either remove the excess certs from the IdP and then re-import the metadata, or manually edit the metadata file to remove the references to the other certificates (and re-import).

We're using ADFS, so these are the basic steps we did:

  • Get your friendly AD/ADFS administrator to run the command "Get-AdfsCertificate -CertificateType Token-Signing" and note which is the primary certificate and which is the secondary.
  • You then need to edit the FederationMetadata.xml file you previously downloaded from the ADFS server.
  • Get yourself an XML editor.
    • Search for "<KeyDescriptor use="signing">". In our metadata file there were six entries (each certificate mentioned in three places).
    • Find a website which will decode the <X509Certificate> data and work out which PEM string is your primary and which is your secondary.
      • Look for the certificate serial numbers in both the Get-AdfsCertificate output and the certificate decode.
      • You may need to manually wrap the PEM string in "-----BEGIN CERTIFICATE-----" & "-----END CERTIFICATE-----" when trying to decode it.
    • Delete the <KeyDescriptor use="signing"> sections/tags for the certificate you don't want (again, my metadata had the certificate listed three times).
  • Save this new version of the metadata file and upload it to Expressway.

Once we did this, users started being able to log in. Some required Jabber to be reset, others required Jabber's cache to be cleared.

It's a shame Cisco haven't fixed this yet. It's quite an old bug and ADFS isn't exactly an unusual IdP for SAML. (CUCM copes with ADFS' SAML metadata file fine.)

I hope this helps others.

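The manual metadata edit in the post above can be scripted. The following is an added example, not code from the original post or from Cisco: it walks a SAML metadata document, decodes every <X509Certificate> under a <KeyDescriptor use="signing">, reads the certificate serial number straight from the DER (the same field the post matches against the Get-AdfsCertificate output), and drops every signing descriptor whose serial is not the primary one, so only one signing certificate reaches Expressway. The metadata, entityID and serial numbers are constructed for the demo; the embedded "certificates" are minimal DER stubs carrying only a version and serial number, enough for the parser but not real X.509 certificates. For a real FederationMetadata.xml, pass the file contents and the primary serial shown by Get-AdfsCertificate.

```python
"""Keep only the primary token-signing certificate in ADFS FederationMetadata.xml.

Added example (not from the original post). Assumptions: the metadata uses the
standard SAML 2.0 metadata and XML-DSig namespaces, and the primary serial is
the one reported by 'Get-AdfsCertificate -CertificateType Token-Signing'.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ET.register_namespace("", NS["md"])
ET.register_namespace("ds", NS["ds"])


def _der_read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def der_cert_serial(der):
    """Serial number (upper-case hex, Windows style) of a DER X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... } - only the leading fields are parsed.
    """
    tag, start, _ = _der_read_tlv(der, 0)            # Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, start, _ = _der_read_tlv(der, start)        # tbsCertificate SEQUENCE
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    tag, vstart, vend = _der_read_tlv(der, start)    # [0] EXPLICIT version, optional
    if tag == 0xA0:
        tag, vstart, vend = _der_read_tlv(der, vend)
    assert tag == 0x02, "serialNumber must be an INTEGER"
    raw = der[vstart:vend]
    # DER prefixes a 0x00 byte when the high bit is set; Windows omits it in the UI.
    if len(raw) > 1 and raw[0] == 0:
        raw = raw[1:]
    return raw.hex().upper()


def normalize_serial(serial):
    """'4f 1a 2b 3c' (as pasted from PowerShell output) -> '4F1A2B3C'."""
    return "".join(serial.split()).upper()


def filter_signing_descriptors(metadata_xml, primary_serial):
    """Remove every <KeyDescriptor use="signing"> whose cert serial is not primary.

    Returns (new_xml, kept, removed). Descriptors without a certificate are left alone.
    """
    root = ET.fromstring(metadata_xml)
    want = normalize_serial(primary_serial)
    kept = removed = 0
    for parent in list(root.iter()):  # snapshot: we mutate children while walking
        for kd in list(parent.findall("md:KeyDescriptor", NS)):
            if kd.get("use") != "signing":
                continue
            cert = kd.find(".//ds:X509Certificate", NS)
            if cert is None or not cert.text:
                continue
            der = base64.b64decode("".join(cert.text.split()))
            if der_cert_serial(der) == want:
                kept += 1
            else:
                parent.remove(kd)
                removed += 1
    return ET.tostring(root, encoding="unicode"), kept, removed


def count_signing_descriptors(metadata_xml):
    """Number of <KeyDescriptor use="signing"> elements anywhere in the document."""
    root = ET.fromstring(metadata_xml)
    return sum(1 for kd in root.iter("{%s}KeyDescriptor" % NS["md"]) if kd.get("use") == "signing")


# ---- constructed sample data (not real certificates or real ADFS metadata) ----
def _stub_cert(serial_bytes):
    """Minimal DER stub: SEQUENCE { SEQUENCE { [0] { INTEGER 2 }, INTEGER serial } }."""
    version = b"\xa0\x03\x02\x01\x02"
    serial = b"\x02" + bytes([len(serial_bytes)]) + serial_bytes
    tbs = version + serial
    tbs = b"\x30" + bytes([len(tbs)]) + tbs
    return b"\x30" + bytes([len(tbs)]) + tbs


PRIMARY_B64 = base64.b64encode(_stub_cert(b"\x4f\x1a\x2b\x3c")).decode()
SECONDARY_B64 = base64.b64encode(_stub_cert(b"\x00\xa1\xb2\xc3\xd4")).decode()


def _kd(b64):
    return ('<KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">'
            '<X509Data><X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>' % b64)


# Like ADFS, the sample lists both token-signing certs under more than one role descriptor.
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'entityID="http://adfs.example.test/adfs/services/trust">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _kd(PRIMARY_B64) + _kd(SECONDARY_B64) + '</IDPSSODescriptor>'
    '<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _kd(PRIMARY_B64) + _kd(SECONDARY_B64) + '</SPSSODescriptor>'
    '</EntityDescriptor>'
)

if __name__ == "__main__":
    new_xml, kept, removed = filter_signing_descriptors(SAMPLE_METADATA, "4f 1a 2b 3c")
    print("kept %d, removed %d, signing descriptors left: %d"
          % (kept, removed, count_signing_descriptors(new_xml)))
```

Run it against a real download by reading FederationMetadata.xml and passing the serial of the certificate marked IsPrimary in the Get-AdfsCertificate output; write the returned XML to a new file and upload that to Expressway. Note that the edit also invalidates the <Signature> ADFS places on the metadata document, which is fine for Expressway's import but means the file is no longer a signed copy of what ADFS publishes, so keep the unmodified original alongside it.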

Jes80 (Level 1)

Hi Gord,

After enabling SSO for Jabber on-site, how is the login behaviour? Is it just the IdP and then straight to the Jabber menu, or do you have to go to the Jabber login again?

Thanks,

J

As your question is off topic to the OP, it is recommended that you open your own post to ask your question.