cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
788
Views
0
Helpful
1
Replies

CUCM / Jabber SSO Failure

brandon5203
Level 1
Level 1

I am having an issue using Jabber after turning on SAML/SSO.  Using Microsoft ADFS, I can successfully enable SSO in CUCM, to include completing the required SSO test. I can also access the CUCM WebUI and RTMT with SSO. In each of those two cases, a new browser window is launched and ask me to authenticate, then advances to allow access. 

This is not the case with Jabber. When Jabber first stats, the "waiting for network" indicator is shown, as was the case prior to enabling SSO in CUCM. I then select the cancel button and Jabber quickly changes to "Signing in..." and a Windows dialog box (not a web browser) is presented that ask me for credentials. I provide those credentials, username and password, then the prompt is presented one more time. After completing both prompts, the login process appears to fail and the message "Cannot open page. Try again later" is displayed. 

When looking at the Jabber logs, I see several events that correspond to the timestamp of the observed failure, referencing no tokens.

BrowserListener-Logger ...... No token or code found in URL

BrowserListener-Logger ...... No Token in result

BrowserListener-Logger ...... Found no token in the response

Single-Sign-On-Logger ..... No token in Result

Single-Sign-On-Logger ..... Navigation not allowed as NavigationTo has not been called

Begin Trace

SingleSignOn.noTokenInResult

End Trace

(system is in an air-gapped environment, or else I would share the exact logs)

Any thoughts on what my issue could be? 

 

1 Reply 1

Jonathan Schulenberg
Hall of Fame
Hall of Fame

Does the SSL test succeed from the subscribers as well as the pub if you hit each one directly in the browser?

Do the ADFS logs offer any clue to the authentication transaction? “No token” sounds like Jabber didn’t get a SAML cookie in the response.

Fiddler can sometimes help spot the issue here as well by stripping TLS off so you can see the actual HTTPS payload - including the SAML response.