Step 2. Navigate to Cisco Unified CM Administration > System > SAML Single Sign-On
Step 3. Click Enable SAML SSO
Step 4. You may receive a warning that Web Server Connections need to be reset; click Continue.
Step 5. Next, CUCM instructs you to download the metadata file from your IdP. In this scenario, your AD FS server is the IdP, and we downloaded the metadata in Step 1 above, so click Next.
Step 6. You are asked to import the file.
Step 7. Click Browse > Select the .xml from Step 1 > Click Import IdP Metadata.
Step 8. You should receive a message that the import was successful:
Step 9. Click Next
Step 10. Now that you have the IdP metadata imported into CUCM, you need to import CUCM's metadata into your IdP.
Step 11. Click Download Trust Metadata File
Step 12. Click Next
Step 13. Move the .zip file that was downloaded in Step 12 to your Windows Server and extract the contents to a folder.
Import CUCM Metadata to AD FS 2.0 Server and Create Claim Rules
Step 1. At this point, go back to your AD FS server and open the AD FS 2.0 Management window by clicking Start and searching for AD FS 2.0 Management.
Step 2. Click Required: Add a trusted relying party (note: if you do not see this, you may need to close the window and open it back up. This option will not show up if the window has been left open since the Federation Server Wizard completed).
Step 3. Once you have the Add Relying Party Trust Wizard open, click Start.
Step 4. Here, you need to import the .xml files that you extracted in Step 13. Select Import data about the relying party from a file, browse to the folder containing the files, and select the .xml for your publisher.
Note: Follow the same steps above for any Unified Collaboration server you want to use SSO on.
Step 5. Click Next
Step 6. Edit the Display Name to whatever you'd like then click Next.
Step 7. Select Permit all users to access this relying party and click Next
Step 8. Click Next once more
Step 9. On this screen, make sure you have Open the Edit Claim Rules dialog for this relying party trust when the wizard closes checked, then click Close
Step 10. You should now be brought to a window that looks like this:
Step 11. In this window, click Add Rule.
Step 12. For Claim rule template, select Send LDAP Attributes as Claims and click Next.
Step 13. On the next page, enter NameID for the Claim rule name
Step 14. Select Active Directory for the Attribute store
Step 15. Select SAM-Account-Name for the LDAP Attribute
Step 16. Enter uid for Outgoing Claim Type
Note: uid is not an option that will autofill or show up in the drop down list
Step 17. Click Finish
Step 18. You should now see your rule; a second rule is still needed, so click Add Rule again.
Step 19. Select Send Claims Using a Custom Rule
Step 20. Enter a Claim rule name (this can be anything)
Step 21. In the Custom rule field, paste the following text:
Step 22. Make sure you modify the two blue text blocks with the appropriate values.
Note: If you are not sure about the AD FS Service Name, go to the comments of this document to learn how to identify the AD FS Service Name.
Step 23. Click Finish
Step 24. Click OK
Note: Claim rules are needed for any Unified Collaboration server you want to use SSO on.
Finish Enabling SSO on CUCM and run the SSO Test
Step 1. Now that the AD FS server is fully configured, you can go back to CUCM.
Step 2. You should be sitting on a page that looks like this:
Step 3. Select the End User that has the Standard CCM Super Users role and click Run SSO Test...
Step 4. A popup window should appear. It may take about 30 seconds to load, but eventually you should be presented with a login challenge.
Step 5. Enter the password you configured on the LDAP server for the selected user and you should then see:
Step 6. Click Close on the popup window and then Finish.
SSO is now configured in your lab.
Set SSO logs to debug
To set the SSO logs to debug, run this command in the CUCM CLI: set samltrace level debug
The SSO logs can be downloaded from RTMT. The name of the log set is Cisco SSO.
Finding Federation Service Name
You can confirm the federation service name by clicking Start and searching for and opening AD FS 2.0 Management.
• Click on Edit Federation Service Properties…
• While on the General tab, look for Federation Service name
Dotless Certificate when Specifying the Federation Service name
If you receive the following error message while going through the AD FS configuration wizard, you will need to create a new certificate.
"The selected certificate cannot be used to determine the Federation Service name because the selected certificate has a dotless (short-named) Subject name (for example, fabrikam). Select another certificate without a dotless (short-named) Subject name (for example, fs.fabrikam.com), and then try again."
Click Start and search for iis then open Internet Information Services (IIS) Manager
Click on your server's name
Click on Server Certificates
Click on Create Self-Signed Certificate
Enter the name you want for the alias of your certificate
Time is out of sync between the CUCM and IDP servers
If you are receiving the error listed below when trying to run the SSO test from CUCM, you may need to configure the Windows Server to use the same NTP servers as the CUCM. The process to do this is covered in the comments of .
"Invalid SAML response. This may be caused when time is out of sync between the Cisco Unified Communications Manager and IDP servers. Please verify the NTP configuration on both servers. Run "utils ntp status" from the CLI to check this status on Cisco Unified Communications Manager."
Once the Windows Server has the NTP servers specified, download the metadata from the IdP again, upload it to CUCM, and then go directly to the SSO test to see whether you still get the same error.
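The error above is a consequence of how a SAML service provider evaluates an assertion's Conditions element: CUCM compares NotBefore and NotOnOrAfter against its own clock, so if the AD FS and CUCM clocks drift apart by more than the SP's tolerance, a freshly issued assertion is rejected as either "not yet valid" or "expired". The following is an added example, not code from the Cisco document or from CUCM; the assertion in SAMPLE_ASSERTION is constructed (unsigned, with placeholder host names), and the three-minute allowed skew is an assumption chosen for the demonstration, not CUCM's documented tolerance. It uses only the Python standard library.

```python
# Added example (not from the Cisco document): reproduce the time-skew failure
# mode offline. The SP (CUCM) must see the assertion's Conditions window as
# valid on its own clock; the allowed skew value below is an assumption for
# this demo, not CUCM's documented tolerance. Standard library only.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (no signature) in the shape an IdP issues it;
# host names and the ID are placeholders.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2014-03-10T12:00:00.250Z">
  <Issuer>http://adfs.lab.example/adfs/services/trust</Issuer>
  <Subject><NameID>jdoe</NameID></Subject>
  <Conditions NotBefore="2014-03-10T12:00:00Z" NotOnOrAfter="2014-03-10T13:00:00Z">
    <AudienceRestriction><Audience>cucm.lab.example</Audience></AudienceRestriction>
  </Conditions>
</Assertion>
"""


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC; AD FS may add fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unsupported SAML timestamp: %r" % value)


def check_conditions(assertion_xml, sp_clock, expected_audience,
                     allowed_skew=timedelta(minutes=3)):
    """Evaluate <Conditions> against the SP's clock; return a list of problems."""
    root = ET.fromstring(assertion_xml)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["assertion carries no Conditions element"]
    problems = []

    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    # A slow SP clock makes a fresh assertion look like it comes from the future.
    if sp_clock + allowed_skew < not_before:
        problems.append("not yet valid: SP clock is %s behind NotBefore"
                        % (not_before - sp_clock))
    # A fast SP clock (or a stale, replayed response) makes it look expired.
    if sp_clock - allowed_skew >= not_on_or_after:
        problems.append("expired: SP clock is %s past NotOnOrAfter"
                        % (sp_clock - not_on_or_after))

    # The audience must name this SP, otherwise the assertion was meant elsewhere.
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and expected_audience not in audiences:
        problems.append("audience %r not in %r" % (expected_audience, audiences))
    return problems


def idp_sp_offset(assertion_xml, sp_clock):
    """Rough IdP-vs-SP clock offset, taking IssueInstant as the IdP's 'now'."""
    issued = parse_saml_time(ET.fromstring(assertion_xml).get("IssueInstant"))
    return sp_clock - issued


if __name__ == "__main__":
    for label, sp_clock in [("in sync", "2014-03-10T12:00:30Z"),
                            ("CUCM 6 min slow", "2014-03-10T11:54:00Z"),
                            ("CUCM 65 min fast", "2014-03-10T13:05:00Z")]:
        clock = parse_saml_time(sp_clock)
        print(label, "offset", idp_sp_offset(SAMPLE_ASSERTION, clock),
              check_conditions(SAMPLE_ASSERTION, clock, "cucm.lab.example") or "OK")
```

With the SSO trace set to debug as described above, the SAML response CUCM logs can be fed to check_conditions with CUCM's own clock (utils ntp status shows it) to confirm whether the rejection is really a time problem before touching the NTP configuration.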