We recently updated our CUCM/CUPS/CUC system to 10.5 in order to take advantage of the SSO capabilities that are now built in. All of the documentation points to ADFS 2.0, and we have an ADFS 3.0 implementation. I am trying to figure out if this is an issue with the Claims Rule code, or if CUCM simply doesn't support ADFS 3.0.
We have gone through the following links:
But we are having trouble configuring the Custom Claims Rule; we get the attached error.
The rule we are applying is as follows, but with actual server names:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:3.0:nameid-format: transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://adfsserver.domain.com/adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "phoneservername.domain.com");
I have exactly the same issue. I can't enable SAML Single Sign-On, as I never got to the "Run SSO Test".
The first time I tested, I got a prompt for login, and then after some time I also got "Error while processing SAML Response." and the SSO Test timed out in the background.
Could you make it run?
Any idea someone?
No, mine seems to fail almost immediately. I have had a TAC case open, and it finally got escalated yesterday afternoon. I have a WebEx scheduled for noon EST today and will relay anything we find out.
My hunch is that it is something to do with certificates, or some silly misconfiguration on our end in CUCM.
I fixed the problem.
For me it was a time issue. The ADFS server was 10 minutes in the future and the CUCM was correct. :-) That's because I tried this in a lab with no real time server. :-)
In RTMT traces (SSO_log4j) we saw this one:
Our servers are within a second of each other, since we use NTP. We are getting the following error in our logs.
2015-01-06 16:01:37,805 ERROR [http-bio-443-exec-276] authentication.SAMLAuthenticator - Error while processing saml responseInvalid Status code in Response.
When you're on the SAML SSO configuration page are your servers listed by IP address or FQDN? I'm curious if this has to do with your "System -> Server" setting. There might be a correlation between the two.
The very first SAML SSO page shows them with the FQDN, which seems like that would be right. I was kind of thinking the same thing as you, but changing that setting has so many more ramifications that I won't be trying it unless TAC is on the line. :)
Indeed. That does impact a few other things. The primary thing is to make sure all your endpoints have DNS servers and a DNS suffix search. Once the callmanager process is operating via FQDN everything needs to be able to resolve the CUCM nodes. Obviously changing it requires service restarts.
That shouldn't be directly related to what is happening between Tomcat and the browser so I was going out on a limb.
TAC basically suggested I use OpenAM, which isn't really an option.
The one thing they did point out is in the documentation (which is specific to OpenAM) it has a series of steps for creating a circle of trust. It was my understanding that the circle of trust was created when you go through the process of enabling SSO. Did I skip a step? Also, was there anything specific I needed to do with the CA signed certs to "enable them for SSO"? I don't think so, but that was another thing that was mentioned.
WOW! That is a terrible suggestion since the documentation covers ADFS.
Also, the related links at the bottom cover ADFS configuration.
Holy crap, apparently, I must have had something off in my claim rule despite it being accepted successfully. I copied the one from that document, and now it's working!!! THANK YOU!!!
Our issue was with the claims rule. I followed this document, copied the claim rule and it worked perfectly.
I have exactly the same issue: my SSO is working for the Self Care portal, but for access to the CUCM administration page it always asks for credentials. CUCM is 11.0 and ADFS 3.0. It looks more like a certificate issue than an SSO issue. I don't see SSO errors. Can someone help?
The SAML authentication request had a NameID Policy that could not be satisfied.
Name identifier format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token.
Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient SPNameQualifier: ISIN2022.Domain.COM.SG. Actual NameID properties: Format: urn:oasis:names:tc:SAML:2.0:nameid-format:transient, NameQualifier: http://adfs.Domain.com.sg/adfs/com/adfs/services/trust SPNameQualifier: ISIN2022.Domain.COM.SG, SPProvidedId: .
This request failed.
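The thread turns on three checks that happen after the browser posts the SAML Response: the IdP's own NameIDPolicy comparison (the MSIS7070 event quoted above, which is exactly what a claim rule with the wrong format string triggers), CUCM's "Invalid Status code in Response" check, and the assertion validity window that a 10-minute clock offset breaks. The script below, added here as an example and not taken from Cisco, Microsoft, or any poster in this thread, reproduces those checks offline against a constructed SAML Response so you can see which one a given misconfiguration trips. All XML and host names are constructed placeholders, and the 3-minute skew allowance is an assumption for illustration, not a documented CUCM or ADFS value.

```python
"""
Offline re-implementation of the SAML Response checks discussed in the thread.
Everything here is constructed example data; nothing is pulled from a live IdP.
"""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
# Placeholder identifiers standing in for the thread's real servers.
IDP_ENTITY_ID = "http://adfs.example.com/adfs/services/trust"
SP_ENTITY_ID = "cucm-pub.example.com"


def parse_time(value):
    """SAML timestamps are xs:dateTime in UTC, e.g. 2015-01-06T21:01:37Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=dt.timezone.utc)


def check_status(root):
    """SP-side check: the top-level StatusCode must be Success."""
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    value = code.get("Value") if code is not None else None
    if value != STATUS_SUCCESS:
        return "Invalid Status code in Response: %r" % value
    return None


def check_nameid_policy(root, requested_format, requested_spnq):
    """IdP-side check (what ADFS reports as MSIS7070): the issued NameID must
    carry the Format and SPNameQualifier the SP asked for in its AuthnRequest."""
    nameid = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    if nameid is None:
        return "no NameID in assertion"
    problems = []
    if nameid.get("Format") != requested_format:
        problems.append("NameID Format %r != requested %r"
                        % (nameid.get("Format"), requested_format))
    if nameid.get("SPNameQualifier") != requested_spnq:
        problems.append("NameID SPNameQualifier %r != requested %r"
                        % (nameid.get("SPNameQualifier"), requested_spnq))
    return "; ".join(problems) or None


def check_conditions(root, now, skew=dt.timedelta(minutes=3)):
    """SP-side check: 'now' must fall inside NotBefore/NotOnOrAfter, allowing
    a small clock skew (3 minutes is an assumed value for this example)."""
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    not_before = parse_time(cond.get("NotBefore"))
    not_on_or_after = parse_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        return "assertion not yet valid: NotBefore %s is ahead of SP clock %s" % (
            not_before.isoformat(), now.isoformat())
    if now - skew >= not_on_or_after:
        return "assertion expired: NotOnOrAfter %s" % not_on_or_after.isoformat()
    return None


def validate_response(xml_text, requested_format, requested_spnq, now):
    """Run all three checks and return the list of findings (empty = accepted)."""
    root = ET.fromstring(xml_text)
    findings = [
        check_status(root),
        check_nameid_policy(root, requested_format, requested_spnq),
        check_conditions(root, now),
    ]
    return [f for f in findings if f]


def sample_response(status=STATUS_SUCCESS, fmt=TRANSIENT, spnq=SP_ENTITY_ID):
    """Constructed, unsigned SAML Response shaped like an ADFS issuance."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2015-01-06T21:01:37Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-01-06T21:01:37Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{fmt}" NameQualifier="{IDP_ENTITY_ID}"
                   SPNameQualifier="{spnq}">_transient-id-1</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-01-06T21:01:37Z"
                     NotOnOrAfter="2015-01-06T21:06:37Z"/>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    sp_clock = parse_time("2015-01-06T21:02:00Z")
    # Correct rule, synced clocks: no findings.
    print(validate_response(sample_response(), TRANSIENT, SP_ENTITY_ID, sp_clock))
    # The thread's rule used a "SAML:3.0 ... transient" format string.
    bad_fmt = "urn:oasis:names:tc:SAML:3.0:nameid-format: transient"
    print(validate_response(sample_response(fmt=bad_fmt), TRANSIENT, SP_ENTITY_ID, sp_clock))
    # IdP clock 10 minutes ahead of the SP: NotBefore is in the SP's future.
    print(validate_response(sample_response(), TRANSIENT, SP_ENTITY_ID,
                            parse_time("2015-01-06T20:51:37Z")))
```

The NameID check is the one to run mentally when an ADFS rule is "accepted successfully" but SSO still fails: ADFS validates the rule's syntax, not whether the format string and SPNameQualifier it emits match what the relying party's AuthnRequest asked for, so a typo there surfaces only at sign-in time as MSIS7070 and, on the CUCM side, as a non-Success status.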