
SAML Processing Error on CUCM SSO via Azure

egoIT
Level 1

Hello,

I am currently trying to enable SSO on our CUCM/Expressway via Microsoft Azure.

Cisco Unified CM version: 14.0.1.11900-132
Cisco Unity Connection version: 14.0.1.11900-128
Cisco Expressway-C version: X14.2

I have followed the SAML SSO configuration guide, as well as the SAML SSO Microsoft Azure Identity Provider.
I created all 3 Enterprise applications in MS Azure (CUCM, CUC, ExpC).

The error occurs in the test step after uploading the IdP metadata in CUCM (as well as CUC).
The Microsoft Azure login popup opens and after inserting my credentials, I am redirected to our CUCM and the following error is displayed:

[Screenshot: Bildschirmfoto 2022-11-08 um 15.54.22.png]

The log from RTMT (CISCO SSO) doesn't really help me either.

2022-11-08 13:43:56,616 ERROR [http-nio-9448-exec-9] authentication.SAMLAuthenticator - Error while processing saml response Unable to get configuration instance for SAML2COT.
com.sun.identity.saml2.meta.SAML2MetaException: Unable to get configuration instance for SAML2COT.
at com.sun.identity.saml2.meta.SAML2MetaManager.<init>(SAML2MetaManager.java:131)
at com.sun.identity.saml2.profile.SPACSUtils.processResponseForFedlet(SPACSUtils.java:1931)
at com.cisco.cpi.sso.saml.sp.security.authentication.SAMLAuthenticator.processResponse(SAMLAuthenticator.java:96)
at com.cisco.cpi.sso.saml.sp.security.authentication.SAMLAuthenticator.process(SAMLAuthenticator.java:80)
at com.cisco.cpi.sso.saml.sp.security.filter.SamlFilter.doFilter(SamlFilter.java:63)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:747)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1589)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
2022-11-08 13:43:56,617 DEBUG [http-nio-9448-exec-9] authentication.SAMLAuthenticator - error url is ::/ssosp/error?id=1000000
2022-11-08 13:43:56,628 INFO [http-nio-9450-exec-16] servlet.ErrorServlet - Dname Cisco Unified Communications Manager
2022-11-08 13:43:56,629 INFO [http-nio-9450-exec-16] servlet.ErrorServlet - Error while processing SAML Response.Error Message
2022-11-08 13:43:57,987 INFO [Thread-24] api.SAMLSSOManager - successfully executed executeCommand for API - SSOStatus
2022-11-08 13:43:57,988 INFO [Thread-24] utils.PropertiesFileUtil - No need, it's already loaded :ssoconfig.properties
2022-11-08 13:43:57,989 INFO [Thread-24] utils.PropertiesFileUtil - Loading the properties file content :ssoconfig.properties
2022-11-08 13:43:57,989 INFO [Thread-24] api.SAMLSSOManager - from properties file samlPlatformManagerImplClassName: com.cisco.vos.platform.api.manager.SAMLPlatformManager
2022-11-08 13:43:57,989 INFO [Thread-24] api.SAMLSSOManager - loaded samlPlatformManagerImplClassName: com.cisco.vos.platform.api.manager.SAMLPlatformManager
2022-11-08 13:43:57,989 INFO [Thread-24] api.SAMLSSOManager - Python Call for operation :SSOStatus

I currently suspect that perhaps an incorrect UID may be the problem, because in the guide mentioned above the uid is set to user.givenname, while in the CUCM LDAP configuration the userID is set to sAMAccountName. But changing the attribute in the enterprise application did not change the error.

Does anyone know what could be causing this error or can point me in the right direction?

Thanks a lot!

Tino

 

 

 

2 Replies

frank_wakelin
Level 1

What was the solution to this problem?

 

mfassler2
Level 1

I'm running into this too. It works perfectly for me in an Incognito/InPrivate window though. It also works when I delete my browser cache (Chrome/Firefox/Edge). But then after a day or so... back to the same SAML error again unless I go to Incognito mode.