This document describes how to configure Single Sign-On (SSO) in Cisco Unified Communications Manager (CUCM).
Cisco recommends that you have knowledge of the topics:
Active Directory Federation Services (ADFS)
The information in this document is based on these software and hardware versions:
CUCM 18.104.22.16800-52 (11.5.1SU2)
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Version="2.0" :- The version of SAML being used.
InResponseTo="s24c2d07a125028bfffa7757ea85ab39462ae7751f" :- The id for SAML Request to which this reponse corresponds to
samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success :- Status Code of SAML reponse. In this case it is Success.
<Issuer>http://win-91uhcn8tt3l.emeacucm.com/adfs/services/trust</Issuer> :- IdP FQDN
SPNameQualifier="cucmsso.emeacucm.com" :- Service Provider(CUCM) FQDN
Conditions NotBefore="2017-07-01T16:50:59.102Z" NotOnOrAfter="2017-07-01T17:50:59.102Z :- Time range for which the session will be valid.
<AttributeValue>chandmis</AttributeValue> :- UserID entered during the login
In case the SAML response is encrypted then you won't be able to see the complete information and have to disable encryption on Intrusion Detection & Prevention (IDP) to see the complete response. The certificate detail used for encryption is under "ds:X509IssuerSerial" of the SAML response.
Logs and CLI Commands
utils sso disable
This command disables both (OpenAM SSO or SAML SSO) based authentication. This command lists the web applications for which SSO is enabled. Enter Yes when prompted in order to disable SSO for the specified application. You must run this command on both the nodes if in a cluster. SSO can also be disabled from Graphical User Interface (GUI) and select the Disable button, under specific SSO in Cisco Unity Connection Administration.
Command Syntax utils sso disable
utils sso status
This command displays the status and configuration parameters of SAML SSO. It helps to verify the SSO status, enabled or disabled, on each node individually.
Command Syntax utils sso status
utils sso enable
This command returns an informational text message that prompts that the administrator can enable SSO feature only from GUI. Both OpenAM based SSO and SAML based SSO cannot be enabled with this command.
Command Syntax utils sso enable
utils sso recovery-url enable
This command enables the Recovery URL SSO mode. It also verifies that this URL works successfully. You must run this command on both the nodes if in a cluster.
Command Syntax utils sso recovery-url enable
utils sso recovery-url disable
This command disables the Recovery URL SSO mode on that node. You must run this command on both the nodes if in a cluster.
Command syntax utils sso recovery-url disable
set samltrace level <trace-level>
This command enables the specific traces and trace-levels that can locate any error, debug, information, warning or fatal. You must run this command on both the nodes if in a cluster.
Command syntax set samltrace level <trace-level>
show samltrace level
This command displays the log level set for SAML SSO. You must run this command on both the nodes if in a cluster.
Command syntax show samltrace level
Traces to look at the time of troubleshoot:
SSO logs are not set to detailed level by default.
First run the command set samltrace level debug in order to set the log levels to debug, reproduce the issue and the collect these set of logs.
Cisco Tomcat Security
Incorrect Value for Unique Indentifier (UID):
It should exactly be UID and if it’s not the case, CUCM is unable to understand that.
Incorrect Claim Rule or Wrong NameID policy:
Most likely no username and password is prompt up in this scenario.
There won’t be any valid assertion in the SAML response and Status Code will be like: