2258 Views, 6 Helpful, 4 Replies

CUCM SAML SSO logout not working

drehstrom (Level 1)

Hi y'all,

we are using SSO (SAML) to login to our CUCM. Today I had to update the IdP Metadata because of a certificate renewal. No big deal, everything works smoothly with one exception: When I hit the logout button I get an error message from my ADFS stating that "The SAML logout did not complete properly." Checking my ADFS I found several logs pointing to a signing issue.

Knowing this I traced the logout process and had to find out that the CUCM sends the SAML logout request without any certificate at all. (I'm not sure if this was working before the certificate change for I don't know if I ever used that logout button before.)

According to the SAML 2.0 Profiles doc LogoutRequest MUST be signed when using POST or REDIRECT. So how can I get CUCM into sending proper LogoutRequest using the correct signature?

Best regards
Stephan
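The question above turns on one observable fact: whether the LogoutRequest that the SP (here CUCM) sends carries a signature for the binding in use. The two front-channel bindings carry it differently, so a quick triage script is useful before digging into ADFS event logs. The following Python is an added example, not code from this thread, from Cisco or from Microsoft; the hostnames, IDs and the LogoutRequest body are constructed samples, and the signed sample carries a placeholder SignatureValue that is not cryptographically valid.

```python
"""Triage check: does a captured SAML 2.0 LogoutRequest carry a signature?

Added example, not code from the thread.  Hostnames, IDs and the
LogoutRequest body are constructed samples.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed LogoutRequest, shaped like the one an SP sends to the IdP's
# SingleLogoutService endpoint.  It carries no signature at all.
SAMPLE_LOGOUT_REQUEST = (
    f'<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
    'ID="_c0ffee01" Version="2.0" IssueInstant="2022-04-19T13:47:48Z" '
    'Destination="https://adfs.example.test/adfs/ls/?wa=wsignout1.0">'
    "<saml:Issuer>cucm.example.test</saml:Issuer>"
    "<saml:NameID>stephan@example.test</saml:NameID>"
    "<samlp:SessionIndex>_session01</samlp:SessionIndex>"
    "</samlp:LogoutRequest>"
)

# Same request with an enveloped ds:Signature, as the POST binding requires.
# The SignatureValue is a placeholder: this sample is not cryptographically valid.
SAMPLE_SIGNED_LOGOUT_REQUEST = SAMPLE_LOGOUT_REQUEST.replace(
    "</saml:Issuer>",
    "</saml:Issuer>"
    f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo>'
    f'<ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo>'
    "<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>",
)


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def encode_post(xml: str) -> str:
    """HTTP-POST binding: plain base64 of the XML document."""
    return base64.b64encode(xml.encode()).decode()


def build_redirect_url(base: str, xml: str, sig_alg: Optional[str] = None,
                       signature: Optional[str] = None) -> str:
    """Assemble a redirect-binding URL.  SigAlg/Signature are optional here
    only so that the unsigned case reported in the thread can be modelled."""
    query = {"SAMLRequest": encode_redirect(xml)}
    if sig_alg is not None:
        query["SigAlg"] = sig_alg
        query["Signature"] = signature or ""
    return base + ("&" if "?" in base else "?") + urlencode(query)


def params_from_redirect_url(url: str) -> dict:
    """Flatten the query string of a captured redirect URL into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def decode_request(binding: str, b64: str) -> ET.Element:
    data = base64.b64decode(b64)
    if binding == "HTTP-Redirect":
        data = zlib.decompress(data, -15)
    return ET.fromstring(data)


def check_logout_request(binding: str, params: dict) -> dict:
    """Report whether the LogoutRequest in `params` is signed for its binding.

    This only detects the presence of a signature, which is what separates
    "no signature at all" from "signed with a certificate the IdP no longer
    trusts".  Verifying the signature against the SP's signing certificate
    needs an XML-DSig library and is not done here.
    """
    root = decode_request(binding, params["SAMLRequest"])
    report = {
        "binding": binding,
        "is_logout_request": root.tag == f"{{{SAMLP}}}LogoutRequest",
        "destination": root.get("Destination"),
        "signed": False,
        "sig_alg": None,
    }
    if binding == "HTTP-Redirect":
        # Redirect binding carries the signature outside the XML, in the
        # SigAlg and Signature query parameters.
        report["signed"] = "SigAlg" in params and "Signature" in params
        report["sig_alg"] = params.get("SigAlg")
    elif binding == "HTTP-POST":
        # POST binding embeds an enveloped ds:Signature in the request itself.
        sig = root.find(f"{{{DS}}}Signature")
        if sig is not None:
            report["signed"] = True
            method = sig.find(f".//{{{DS}}}SignatureMethod")
            report["sig_alg"] = None if method is None else method.get("Algorithm")
    else:
        raise ValueError(f"unsupported binding: {binding}")
    return report


if __name__ == "__main__":
    url = build_redirect_url("https://adfs.example.test/adfs/ls/?wa=wsignout1.0",
                             SAMPLE_LOGOUT_REQUEST)
    print(check_logout_request("HTTP-Redirect", params_from_redirect_url(url)))
    print(check_logout_request("HTTP-POST",
                               {"SAMLRequest": encode_post(SAMPLE_SIGNED_LOGOUT_REQUEST)}))
```

To use it on a real capture, paste the Location header of the logout redirect into params_from_redirect_url, or the SAMLRequest form field into the HTTP-POST branch; a report with signed False matches the symptom described above, whereas signed True with an IdP-side signing error points at a certificate or trust mismatch instead.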

Accepted Solution

kkalashnikoff (Level 1)

Hey Stephan,
to properly enable the SAML-based Single Logout (SLO) feature, perform the steps below:

Step 1: On the Microsoft ADFS 2.0 side, ensure the following points.

a) Select Relying Party Trust. On its Properties, select Endpoints.

b) Select Add SAML. Choose SAML Logout as Endpoint and Binding as Post.

c) Configure the URL <url>/adfs/ls/?wa=wsignout1.0. Select Save and restart the ADFS 2.0 service.

Step 2: To log out using Microsoft ADFS 2.0, configure the logout URL in the idp.xml file. Follow the steps below on the UC side:

  1. Find the Location attribute in the <SingleLogoutService> tags of the idp.xml file.
  2. Update the URL to <url>/adfs/ls/?wa=wsignout1.0.

Example:

OLD ENTRY:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.cb168.dc-03.com/adfs/ls/"/>

NEW ENTRY:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.cb168.dc-03.com/adfs/ls/?wa=wsignout1.0"/>

OLD ENTRY:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.cb168.dc-03.com/adfs/ls/"/>

NEW ENTRY:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.cb168.dc-03.com/adfs/ls/?wa=wsignout1.0"/>

Step 3: Restart the SSOSP Tomcat service.

I just tested it in LAB and it works now without showing an error!

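Step 2 of the accepted solution is a mechanical edit of every SingleLogoutService Location in idp.xml, and it is easy to miss one binding or to apply it twice. The following Python is an added example, not Cisco's code and not the poster's; it works on a constructed, minimal idp.xml with placeholder hostnames and applies the same change to any number of SingleLogoutService entries while leaving SingleSignOnService alone. One caveat it surfaces: if the metadata file carries a ds:Signature, editing it breaks that signature, so check whether the importing side validates metadata signatures before relying on a hand-edited file.

```python
"""Audit and update SingleLogoutService endpoints in an IdP metadata file.

Added example, not Cisco's or the thread's code.  SAMPLE_IDP_XML is a
constructed, minimal idp.xml with a placeholder hostname.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
WSIGNOUT = "wa=wsignout1.0"

# Keep the md: prefix when re-serialising instead of ns0:.
ET.register_namespace("md", MD)

SAMPLE_IDP_XML = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://adfs.example.test/adfs/ls/"/>
    <md:SingleLogoutService Binding="{POST}" Location="https://adfs.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://adfs.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def slo_endpoints(xml_text: str) -> list:
    """Audit step: list (Binding, Location) for every SingleLogoutService."""
    root = ET.fromstring(xml_text)
    return [(e.get("Binding"), e.get("Location"))
            for e in root.iter(f"{{{MD}}}SingleLogoutService")]


def with_wsignout(location: str) -> str:
    """Append wa=wsignout1.0 exactly once, respecting an existing query string."""
    if WSIGNOUT in location:
        return location
    return location + ("&" if "?" in location else "?") + WSIGNOUT


def update_slo_locations(xml_text: str) -> tuple:
    """Return (new_xml, number_of_changed_endpoints).

    Only SingleLogoutService elements are touched; SingleSignOnService keeps
    its original Location.  Running it twice changes nothing the second time.
    """
    root = ET.fromstring(xml_text)
    changed = 0
    for e in root.iter(f"{{{MD}}}SingleLogoutService"):
        old = e.get("Location", "")
        new = with_wsignout(old)
        if new != old:
            e.set("Location", new)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def metadata_is_signed(xml_text: str) -> bool:
    """True if the EntityDescriptor carries an enveloped ds:Signature.
    Any edit to a signed file invalidates that signature."""
    root = ET.fromstring(xml_text)
    return root.find(f"{{{DS}}}Signature") is not None


if __name__ == "__main__":
    print("before:", slo_endpoints(SAMPLE_IDP_XML))
    if metadata_is_signed(SAMPLE_IDP_XML):
        print("warning: metadata is signed; editing it breaks the signature")
    new_xml, n = update_slo_locations(SAMPLE_IDP_XML)
    print(f"changed {n} endpoint(s)")
    print("after: ", slo_endpoints(new_xml))
```

For a real file, read idp.xml into xml_text, write new_xml back out, and then follow Step 3 above; the audit function is also handy afterwards to confirm that both bindings point at the wsignout1.0 URL.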

4 Replies

We're also getting an error when using the logout option on the admin web UI.

(attached screenshot: image.png)

Are you getting something similar to this?

Like you, I've never used this option before, so very likely this has always been like this. I did my test on a CM 14SU1 system.



Response Signature
Yes it's pretty similar:

 
Fehler
Es ist ein Fehler aufgetreten. Wenden Sie sich an Ihren Administrator, um weitere Informationen zu erhalten.

Fehlerdetails

  • Activity ID: 671324d1-53bf-49d9-3000-0080000000e3
  • Error details: MSIS7054: Die SAML-Abmeldung wurde nicht ordnungsgemäß abgeschlossen.
  • Node name: 4241435d-48e6-4449-be72-656cfbbd846e
  • Error time: Tue, 19 Apr 2022 13:47:48 GMT
  • Cookie: enabled
  • User agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36

Okay, so this is not an issue but "expected behaviour". Thanks for verifying.


drehstrom (Level 1)

I just found the time to test it and you're right - it works perfectly. I had to add a SAML-Redirect within the Endpoints since it wasn't there from the initial configuration.