SSO with CUCM 10.5 and ADFS 3.0

mbaker33
Level 1

Hello,

 

We recently updated our CUCM/CUPS/CUC system to 10.5 in order to take advantage of the SSO capabilities that are now built in.  All of the documentation points to ADFS 2.0, and we have an ADFS 3.0 implementation.  I am trying to figure out if this is an issue with the Claims Rule code, or if CUCM simply doesn't support ADFS 3.0.  

 

We have gone through the following links:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/10x/administration/guide/10xcucsagx/10xcucsag112.html#32035

https://supportforums.cisco.com/video/12155556/cucm-10x-samlsso-adfs20

 

But we are having trouble configuring the Custom Claims Rule, we get the attached error.

 

The rule we are applying is as follows, but with actual server names:

"c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, Originallssuer = c.Originallssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:3.0:nameid-format: transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://adfsserver.domain.com/adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "phoneservername.domain.com");"

 

32 Replies

Hi, did you solve the issue?

thanks,

C.

The most common reasons for this not to work are that the claim rule is not set up correctly, or that the time between the client, the IdP system and CUCM isn't in sync. For the claim rule, look at the example below.

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://<FQDN of your ADFS>/adfs/services/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<FQDN of your CM Pub>");

This document is still valid; even though it says ADFS 2.0, it works with later versions. We use ADFS 4.0 as an example. Configure Single Sign-On using CUCM and AD FS 2.0 (Windows Server 2008 R2) - Cisco

I would also recommend you to read through this document in its entirety, even if it is somewhat lengthy. SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 11.5(1) - Cisco



Hi all, just to share the solution that worked in my case.

My CUCM hostname is in uppercase, and in my custom claim rule in ADFS I had used lowercase for the CUCM hostname.

Once I corrected the hostname in the custom rule to UPPERCASE, the SSO test passed.
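As an added example (not code from this thread, from Cisco or from Microsoft), here is a small Python lint for the rule text that checks the mistakes the two replies above point at: attribute names such as OriginalIssuer are case-sensitive (the first post has "Originallssuer" with a lowercase L), the NameID format must be the SAML 2.0 transient URN with no embedded space, the NameQualifier must be http://<ADFS FQDN>/adfs/services/trust, and the SPNameQualifier must match the CUCM publisher hostname exactly, including case, which is what the last reply ran into. The hostnames adfs.example.com and CUCM-PUB.example.com are placeholders, and the sample rule with the original poster's mistakes is constructed from the first post with those placeholders substituted.

```python
import re

# Claim-property URIs and values taken from the rule in the thread.
CLAIMPROPS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/"
PROP_FORMAT = CLAIMPROPS + "format"
PROP_NAMEQUALIFIER = CLAIMPROPS + "namequalifier"
PROP_SPNAMEQUALIFIER = CLAIMPROPS + "spnamequalifier"
WINDOWS_ACCOUNT_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"
NAMEID_TYPE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
TRANSIENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# Attributes the issue(...) clause copies from the incoming claim "c"; the names are case-sensitive.
KNOWN_ATTRS = {"Issuer", "OriginalIssuer", "Value", "ValueType"}

PROP_RE = re.compile(r'Properties\["([^"]+)"\]\s*=\s*"([^"]*)"')   # Properties["uri"] = "value"
COPY_RE = re.compile(r"\b(\w+)\s*=\s*c\.(\w+)")                      # Attr = c.Attr
ISSUE_TYPE_RE = re.compile(r'issue\(\s*Type\s*=\s*"([^"]*)"')        # issue(Type = "...")


def build_claim_rule(cucm_hostname, adfs_fqdn):
    """Render the rule from the second reply with the two site-specific values filled in."""
    return (
        f'c:[Type == "{WINDOWS_ACCOUNT_TYPE}"]\n'
        f' => issue(Type = "{NAMEID_TYPE}", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, '
        'Value = c.Value, ValueType = c.ValueType, '
        f'Properties["{PROP_FORMAT}"] = "{TRANSIENT_FORMAT}", '
        f'Properties["{PROP_NAMEQUALIFIER}"] = "http://{adfs_fqdn}/adfs/services/trust", '
        f'Properties["{PROP_SPNAMEQUALIFIER}"] = "{cucm_hostname}");'
    )


def lint_claim_rule(rule, cucm_hostname, adfs_fqdn):
    """Return the list of problems found in a CUCM NameID claim rule; [] means every check passed.

    cucm_hostname must be spelled exactly as CUCM reports it: the last reply in the
    thread failed the SSO test on nothing more than a lowercase/uppercase mismatch.
    """
    problems = []

    m = ISSUE_TYPE_RE.search(rule)
    if m is None or m.group(1) != NAMEID_TYPE:
        problems.append("issued claim Type is not the nameidentifier claim")

    # A misspelling such as "Originallssuer" (lowercase L) is not an attribute ADFS knows.
    for lhs, rhs in COPY_RE.findall(rule):
        if lhs not in KNOWN_ATTRS:
            problems.append(f"unknown attribute {lhs!r} (typo? names are case-sensitive)")
        elif lhs != rhs:
            problems.append(f"{lhs} is copied from c.{rhs} instead of c.{lhs}")

    props = dict(PROP_RE.findall(rule))

    fmt = props.get(PROP_FORMAT)
    if fmt != TRANSIENT_FORMAT:          # catches "SAML:3.0" and an embedded space alike
        problems.append(f"nameid format is {fmt!r}, expected {TRANSIENT_FORMAT!r}")

    expected_nq = f"http://{adfs_fqdn}/adfs/services/trust"
    nq = props.get(PROP_NAMEQUALIFIER)
    if nq != expected_nq:
        problems.append(f"namequalifier is {nq!r}, expected {expected_nq!r}")

    spnq = props.get(PROP_SPNAMEQUALIFIER)
    if spnq is None:
        problems.append("spnamequalifier property is missing")
    elif spnq != cucm_hostname:
        hint = " (differs only in case)" if spnq.lower() == cucm_hostname.lower() else ""
        problems.append(f"spnamequalifier {spnq!r} != CUCM hostname {cucm_hostname!r}{hint}")

    return problems


# Constructed placeholder names, not real hosts.
ADFS_FQDN = "adfs.example.com"
CUCM_HOSTNAME = "CUCM-PUB.example.com"

# The first post's rule with the placeholders substituted and its mistakes preserved:
# the "Originallssuer" typo, "SAML:3.0" plus a space inside the URN, the wrong ADFS
# path, and a lowercase SPNameQualifier against an uppercase CUCM hostname.
ORIGINAL_POST_RULE = (
    f'c:[Type == "{WINDOWS_ACCOUNT_TYPE}"]\n'
    f' => issue(Type = "{NAMEID_TYPE}", Issuer = c.Issuer, Originallssuer = c.Originallssuer, '
    'Value = c.Value, ValueType = c.ValueType, '
    f'Properties["{PROP_FORMAT}"] = "urn:oasis:names:tc:SAML:3.0:nameid-format: transient", '
    f'Properties["{PROP_NAMEQUALIFIER}"] = "http://{ADFS_FQDN}/adfs/com/adfs/service/trust", '
    f'Properties["{PROP_SPNAMEQUALIFIER}"] = "cucm-pub.example.com");'
)

if __name__ == "__main__":
    for name, rule in (("original post", ORIGINAL_POST_RULE),
                       ("corrected", build_claim_rule(CUCM_HOSTNAME, ADFS_FQDN))):
        print(f"{name}: {lint_claim_rule(rule, CUCM_HOSTNAME, ADFS_FQDN) or 'OK'}")
```

Run against the first post's rule it reports four problems (the typo, the format URN, the NameQualifier path and the hostname case); against the corrected rule it reports none. The other cause named in the second reply, clock skew between client, ADFS and CUCM, cannot be linted from the rule text; check it on the hosts themselves (w32tm /query /status on the ADFS server, utils ntp status on CUCM).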