
SSO on Expressway with ADFS

Bill
Level 1

I am trying to configure SSO on Expressway-C (version X15.0.2) using ADFS on Server 2019.
I am following this guide.
https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X15-0/mra/exwy_b_mra-deployment-guide-x150.pdf

I am having trouble at the section where it says to do this:
Set-ADFSRelyingPartyTrust -TargetName "<Name>" -SAMLResponseSignature MessageAndAssertion
where <Name> must be a display name for the Relying Party Trust of Expressway-E as set in ADFS.

In the XML file exported from Exp-C, I see the Exp-E name in there.
But I cannot get ADFS to accept the command.
It returns this: PS0132: No RelyingPartyTrust found with name 'exp14-e.mydomain.com'.

Next, instead of the Exp-E name, I used the entityID of the Trust.
I get a different error: Set-AdfsRelyingPartyTrust : A parameter cannot be found that matches parameter name
'SAMLResponseSignatureMessageAndAssertion'.


2 Replies

As per the section in the referenced document, it's the name of the Relying Party Trust that you've created in ADFS that you should use in the mentioned command.

[Attachment: IMG_5101.jpeg]

Depending upon what you named these in ADFS the command will vary. What names have you used for these in ADFS?



Response Signature


Thank you for the reply, Roger.

That's what I thought, and I tried that in the second command I showed.
And I get this response:
Set-AdfsRelyingPartyTrust : A parameter cannot be found that matches parameter name
'SAMLResponseSignatureMessageAndAssertion'.

Looks like a syntax error on my part.
I copied and pasted the command, and was entering the parameter as: -SAMLResponseSignatureMessageAndAssertion
But I believe it should have a space, like this: -SAMLResponseSignature MessageAndAssertion

I entered it with the space, and it accepted the command.

However it is not working.
In the Exp-C Event Log, I am seeing this:

edgeconfigprovisioning: Level="INFO" Event="Edge SSO" Service="OAuth/SSO" Detail="Redirected client to IdP" Dst-ip="127.0.0.1" Dst-port="32126" Idp="http://DC1a.mydomain.com/adfs/services/trust" Local-ip="127.0.0.1" Local-port="22111" Trackingid="152e5410-fefb-49d1-9ec1-2de93d5feae5" Username="user1" UTCTime="2024-07-23 13:16:46,159"

What looks odd is the Dst-ip=127.0.0.1
I would expect it to be the IP of the ADFS server.
But I am not 100% sure.

I did take a packet capture from the Exp-C.
It never tries to talk to the ADFS server.

It can resolve it by name.

Still testing.

Thanks
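The AD FS side of the step discussed above, written out as an added example (not code from the thread or from the Cisco guide). It lists the Relying Party Trusts so the exact display name can be confirmed, looks the trust up by display name first and by entityID as a fallback, applies the signature setting with the parameter and its value separated, and reads the setting back. The display name and entityID are placeholders, not values from the thread; run it in an elevated PowerShell session on the AD FS server.

```powershell
# Added example: configure SAML response signing for the Expressway-E
# Relying Party Trust in AD FS and verify the result.
Import-Module ADFS

# 1. List every Relying Party Trust with its display name, identifier(s) and
#    current signature setting. -TargetName must match the Name column
#    exactly (PS0132 is raised when it does not); the Identifier column is
#    the entityID from the Expressway-C metadata export.
Get-AdfsRelyingPartyTrust |
    Select-Object Name, Identifier, SamlResponseSignature, Enabled |
    Format-Table -AutoSize

# 2. Resolve the trust by display name, falling back to the entityID.
#    Both values below are placeholders (assumptions), not values from the thread.
$displayName = 'Expressway-E'
$entityId    = 'https://expressway-e.example.com/'

$rpt = Get-AdfsRelyingPartyTrust -Name $displayName
if (-not $rpt) {
    $rpt = Get-AdfsRelyingPartyTrust -Identifier $entityId
}
if (-not $rpt) {
    throw "No Relying Party Trust matches name '$displayName' or identifier '$entityId'."
}

# 3. Require AD FS to sign both the SAML Response message and the Assertion.
#    Note the space: -SamlResponseSignature is the parameter and
#    MessageAndAssertion is its value. Running them together into one token
#    is what produces "A parameter cannot be found that matches parameter name".
Set-AdfsRelyingPartyTrust -TargetName $rpt.Name -SamlResponseSignature MessageAndAssertion

# 4. Read the setting back and fail loudly if it did not apply.
$after = Get-AdfsRelyingPartyTrust -Name $rpt.Name
if ($after.SamlResponseSignature -ne 'MessageAndAssertion') {
    throw "Signature setting not applied: $($after.SamlResponseSignature)"
}
"{0}: SamlResponseSignature = {1}" -f $after.Name, $after.SamlResponseSignature
```

Looking the trust up by its Identifier (the entityID) before calling Set-AdfsRelyingPartyTrust avoids guessing at the display name; whichever way the trust was named in the AD FS console, the script feeds the resolved Name back into -TargetName.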