08-11-2021 01:22 PM
Hi All
2021-08-09T21:58:38.344+00:00 cisco-vcs edgeconfigprovisioning: UTCTime="2021-08-09 21:58:38,344"
Module="developer.edgeconfigprovisioning.server.sso" Level="WARN" CodeLocation="samlhelpers(784)"
Service="OAuth/SSO" Detail="No InResponseTo attribute in Assertion" 2021-08-09T21:58:38.349+00:00 cisco-vcs edgeconfigprovisioning UTCTime="2021-08-09 21:58:38,349"
Module="network.http.sso.server" Level="ERROR" Event="Invalid request"
Service="OAuth/SSO" Detail="Invalid SAML Response" Local-ip="127.0.0.1" Local-port="22111" Reason="SAML message from IdP is not verifiable" Src-ip="127.0.0.1" Src-port="35230" Trackingid="88b0afe7-7af2-4147-a9a2-c3400ee700d3" Username="<unknown>" 2021-08-09T21:58:38.349+00:00 cisco-vcs edgeconfigprovisioning UTCTime="2021-08-09 21:58:38,349"
Module="network.http.sso.server" Level="DEBUG" Action="Sent" Local-ip="127.0.0.1" Local-port="22111" Dst-ip="127.0.0.1" Dst-port="35230"
Code="403" TrackingID="88b0afe7-7af2-4147-a9a2-c3400ee700d3" HTTPMSG: |HTTP/1.1 403 Forbidden Trackingid: ['88b0afe7-7af2-4147-a9a2-c3400ee700d3'] Content-Security-Policy: ["default-src 'self';frame-ancestors 'none';base-uri 'self';block-all-mixed-content;"] Server: ['CE_C ECS']
08-31-2021 05:41 AM
@Roger Kallberg not at all. I am configuring everything as per the documentation and it doesn't work, therefore it is either a bug or something extra is required that is not documented.
The point about CUCM is that it supports Google SSO without anything special, and logic therefore assumes that Expressway *shouldn't* require anything non-standard either.
The errors posted in the original post show the issue, in that Expressway is saying
SAML message from IdP is not verifiable
but there is no further information it provides.
The strange thing is that the authentication through Google actually works (we can see it in the Google SAML logs our side), so it is the bit after where Expressway gets the reply where it fails.
So, definitely not ignoring advice but at present there isn't anything else that I can try.
Thanks
James
08-31-2021 07:22 AM
As mentioned by @b.winter the configuration in the IdP for Expressway differs from the one for other Cisco UC systems. You need to configure the trust in the IdP for Expressway differently than for the one for example CM.
08-31-2021 07:40 AM
I have, they are separately set up on the Google SSO (IDP) side, two diff apps and configured as such.
The screenshot I posted from the Google side is the one explicitly for Expressway, with the CUCM one being done a month prior.
There is no additional config that can be changed on the Google IDP side, so I'm stuck with the Expressway error...
Thanks
James
02-09-2022 02:20 PM
old thread, but I ran into this using Azure SSO, same error , just Expressway was giving same error.
I needed to fix in the Cert part
Sign SAML Response and Assertion.
it was set to Sign Assertion only.
This fixed it for me.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide