04-19-2022 07:35 AM - edited 04-19-2022 07:36 AM
Hi y'all,
we are using SSO (SAML) to log in to our CUCM. Today I had to update the IdP metadata because of a certificate renewal. No big deal, everything works smoothly with one exception: when I hit the logout button I get an error message from my ADFS stating that "The SAML logout did not complete properly." Checking my ADFS, I found several logs pointing to a signing issue.
Knowing this I traced the logout process and had to find out that the CUCM sends the SAML logout request without any certificate at all. (I'm not sure if this was working before the certificate change for I don't know if I ever used that logout button before.)
According to the SAML 2.0 Profiles doc, a LogoutRequest MUST be signed when using POST or REDIRECT. So how can I get CUCM to send a proper LogoutRequest with the correct signature?
Best regards
Stephan
01-18-2024 06:46 AM
Hey Stephan,
to properly enable the SAML-based Single Logout (SLO) feature, perform the steps below:
Step 1 On the Microsoft ADFS 2.0 side, ensure the following points.
a) Select Relying Party Trust. On its Properties, select Endpoints.
b) Select Add SAML. Choose SAML Logout as Endpoint and Binding as Post.
c) Configure URL <url>/adfs/ls/?wa=wsignout1.0. Select Save and Restart ADFS 2.0 service.
Step 2 To log out using Microsoft ADFS 2.0, configure the logout URL in the idp.xml file.
Follow the steps below on the UC side:
OLD ENTRY:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.cb168.dc-03.com/adfs/ls/"/>
NEW ENTRY:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.cb168.dc-03.com/adfs/ls/?wa=wsignout1.0"/>
OLD ENTRY:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.cb168.dc-03.com/adfs/ls/"/>
NEW ENTRY:
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.cb168.dc-03.com/adfs/ls/?wa=wsignout1.0"/>
Step 3 Restart SSOSP Tomcat service.
I just tested it in LAB and it works now without showing an error!
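As an added illustration (my own code, not from the thread, from Cisco, or from Microsoft), the script below does two things a practitioner would want to check when working through the answer above: it applies the idp.xml rewrite (appending `wa=wsignout1.0` to every SingleLogoutService Location, idempotently) and it inspects a captured LogoutRequest to report whether it carries any signature at all, which is the condition behind the "SAML logout did not complete properly" error in the original post. The metadata fragment, the LogoutRequest, the function names and the placeholder signature element are all constructed for this example; the check only tests signature presence, not validity.

```python
"""Added example: inspect SAML SLO metadata and LogoutRequests (constructed data)."""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed IdP metadata fragment modelled on the OLD entries quoted in the answer.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.cb168.dc-03.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.cb168.dc-03.com/adfs/ls/"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.cb168.dc-03.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed, unsigned LogoutRequest as a CUCM-style SP might emit it (hypothetical values).
LOGOUT_REQUEST = b"""<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed_id_1"
    Version="2.0" IssueInstant="2022-04-19T07:35:00Z">
  <saml:Issuer>cucm.example.invalid</saml:Issuer>
  <saml:NameID>stephan@example.invalid</saml:NameID>
</samlp:LogoutRequest>"""

# Same request with an empty placeholder ds:Signature (structure only, no real signature).
SIGNED_LOGOUT_REQUEST = LOGOUT_REQUEST.replace(
    b"</samlp:LogoutRequest>",
    b'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/></samlp:LogoutRequest>')


def rewrite_slo_locations(metadata_xml, query=(("wa", "wsignout1.0"),)):
    """Append the ADFS WS-Federation sign-out query to every SingleLogoutService
    Location, as the accepted answer does by hand. Returns (new_xml, changes), where
    changes is a list of (binding short name, old URL, new URL); already-rewritten
    entries are skipped so the edit can be re-run safely."""
    root = ET.fromstring(metadata_xml)
    changes = []
    for slo in root.iter("{%s}SingleLogoutService" % NS["md"]):
        old = slo.get("Location")
        parts = urlsplit(old)
        qs = dict(parse_qsl(parts.query))
        if all(qs.get(k) == v for k, v in query):
            continue
        qs.update(query)
        new = urlunsplit(parts._replace(query=urlencode(qs)))
        slo.set("Location", new)
        changes.append((slo.get("Binding").rsplit(":", 1)[-1], old, new))
    return ET.tostring(root, encoding="unicode"), changes


def encode_redirect(xml_bytes):
    """Encode as the HTTP-Redirect binding does: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_bytes) + comp.flush()).decode()


def encode_post(xml_bytes):
    """Encode as the HTTP-POST binding does: plain base64 of the XML."""
    return base64.b64encode(xml_bytes).decode()


def logout_request_signed(binding, saml_request_b64, sig_alg=None, signature=None):
    """Return (is_signed, reason). For HTTP-Redirect the signature is detached and
    travels in the SigAlg/Signature query parameters; for HTTP-POST it is an
    enveloped ds:Signature inside the XML. Presence only; validity is not checked."""
    raw = base64.b64decode(saml_request_b64)
    if binding == REDIRECT_BINDING:
        raw = zlib.decompress(raw, -15)  # raw DEFLATE stream, no zlib header
    root = ET.fromstring(raw)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        return False, "not a samlp:LogoutRequest"
    if binding == REDIRECT_BINDING:
        if sig_alg and signature:
            return True, "detached signature present (SigAlg=%s)" % sig_alg
        return False, "redirect binding without SigAlg/Signature parameters"
    if root.find("ds:Signature", NS) is not None:
        return True, "enveloped ds:Signature present"
    return False, "POST binding without enveloped ds:Signature"


if __name__ == "__main__":
    new_xml, changes = rewrite_slo_locations(IDP_METADATA)
    for binding, old, new in changes:
        print("%s: %s -> %s" % (binding, old, new))
    print(logout_request_signed(REDIRECT_BINDING, encode_redirect(LOGOUT_REQUEST)))
    print(logout_request_signed(POST_BINDING, encode_post(LOGOUT_REQUEST)))
```

Run it against your real idp.xml by reading the file into `rewrite_slo_locations`; the returned change list doubles as the before/after record for a change ticket. To reproduce the diagnosis from the thread, feed the `SAMLRequest` value (and, for the redirect binding, the `SigAlg`/`Signature` parameters) captured from the browser into `logout_request_signed`.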
04-19-2022 08:16 AM
We're also getting an error when using logout option on the admin webUI.
Are you getting something similar to this?
Like you, I've never used this option before, so very likely this has always been like this. I did my test on a CM 14SU1 system.
04-19-2022 09:04 AM
Yes it's pretty similar:
Okay, so this is not an issue but "expected behaviour". Thanks for verifying.
03-18-2024 09:34 AM
I just found the time to test it and you're right - it works perfectly. I had to add a SAML-Redirect within the Endpoints since it wasn't there from the initial configuration.