Troubleshoot SSO in Cisco Unified Communications Manager
Available Languages
Contents
Introduction
This document describes how to configure Single Sign-On (SSO) in Cisco Unified Communications Manager (CUCM).
Prerequisites
Requirements
Cisco recommends that you have knowledge of the topics:
- CUCM
- Active Directory Federation Services (ADFS)
Components Used
The information in this document is based on these software and hardware versions:
- CUCM 11.5.1.13900-52 (11.5.1SU2)
- ADFS 2.0.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Configure
Refer to Configuration of Single Sign on in CUCM.
- https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-version-105/118770-configure-cucm-00.html
- https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-communications-manager-callmanager/211302-Configure-Single-Sign-On-using-CUCM-and.html
SAML SSO Deployment Guide for Cisco Unified Communications Applications, Release 11.5(1).
SAML RFC 6596.
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
Login Flow in SSO
Decoding SAML Response
Using Plugins in Notepad++
Install these Plugins:
Notepad++ Plugin -> MIME Tools--SAML DECODE
Notepad++ Plugin -> XML Tools -> Pretty Print(XML only – with line breaks)
In SSO logs search for the string "authentication.SAMLAuthenticator - SAML Response is ::" which contains the encoded response.
Use this plugin or online SAML Decode in order to get the XML response. The response can be adjusted in a readable format with the use installed Pretty Print plugin.
In the newer version of CUCM SAML response is in XML format which can be found by searching "SPACSUtils.getResponse: got response=<samlp:
Response xmlns:samlp=“and then print with the use of Pretty Print plugin.
Use Fiddler:
This utility can be used to get the real-time traffic and decode it. Here is the guide for the same; https://www.techrepublic.com/blog/software-engineer/using-fiddler-to-debug-http/.
SAML Request:
ID="s24c2d07a125028bfffa7757ea85ab39462ae7751f" Version="2.0" IssueInstant="2017-07-15T11:48:26Z" Destination="https://win-91uhcn8tt3l.emeacucm.com/adfs/ls/" ForceAuthn="false" IsPassive="false" AssertionConsumerServiceIndex="0"> <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">cucmsso.emeacucm.com</saml:Issuer> <samlp:NameIDPolicy xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="cucmsso.emeacucm.com" AllowCreate="true"/> </samlp:AuthnRequest>
SAML Response (unencrypted):
<samlp:Response ID="_53c5877a-0fff-4420-a929-1e94ce33120a" Version="2.0" IssueInstant="2017-07-01T16:50:59.105Z" Destination="https://cucmsso.emeacucm.com:8443/ssosp/saml/SSO/alias/cucmsso.emeacucm.com" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="s24c2d07a125028bfffa7757ea85ab39462ae7751f" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://win-91uhcn8tt3l.emeacucm.com/adfs/services/trust</Issuer> <samlp:Status> <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:Status> <Assertion ID="_0523022c-1e9e-473d-9914-6a93133ccfc7" IssueInstant="2017-07-01T16:50:59.104Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> <Issuer>http://win-91uhcn8tt3l.emeacucm.com/adfs/services/trust</Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /> <ds:Reference URI="#_0523022c-1e9e-473d-9914-6a93133ccfc7"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /> <ds:DigestValue>9OvwrpJVeOQsDBNghwvkLIdnf3bc7aW82qmo7Zdm/Z4=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>VbWcKUwvwiNDhUg5AkdqSzQOmP0qs5OT2VT+u1LivWx7h9U8/plyhK3kJMUuxoG/HXPQJgVQaMOwNq/Paz7Vg2uGNFigA2AFQsKgGo9hAA4etfucIQlMmkeVg+ocvGY+8IzaNVfaUXSU5laN6zriTArxXwxCK0+thgRgQ8/46vm91Skq2Fa5Wt5uRPJ3F4eZPOEPdtKxOmUuHi3Q2pXTw4ywZ/y89xPfSixNQEmr10hpPAdyfPsIFGdNJJwWJV4WjNmfcAqClzaG8pB74e5EawLmwrfV3/i8QfR1DyU5yCCpxj02rgE6Wi/Ew/X/l6qSCzOZEpl7D8LwAn74KijO+Q==</ds:SignatureValue> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <ds:X509Data> <ds:X509Certificate>MIIC5DCCAcygAwIBAgIQZLLskb6vppxCiYP8xOahQDANBgkqhkiG9w0BAQsFADAuMSwwKgYDVQQDEyNBREZTIFNpZ25pbmcgLSBXSU4ySzEyLnJrb3R1bGFrLmxhYjAeFw0xNTA2MjIxOTE2NDRaFw0xNjA2MjExOTE2NDRaMC4xLDAqBgNVBAMTI0FERlMgU2lnbmluZyAtIFdJTjJLMTIucmtvdHVsYWsubGFiMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApEe09jnZXEcEC7s1VJ7fMXAHPXj7jgOOcs9/Lzxrx4c68tePGItrEYnzW9vLe0Dj8OJET/Rd6LsKvuMQHfcGYqA+XugZyHBrpc18wlhSmMfvfa0jN0Qc0lf+a3j72xfI9+hLtsqSPSnMp9qby3qSiQutP3/ZyXRN/TnzYDEmzur2MA+GP7vdeVOFXlpENrRfaINzc8INqGRJ+1jZrm+vLFvX7YwIL6aOpmjaxcPoxDcjgEGMYO/TaoP3eXutX4FuJV5R9oAvbqD2F+73XrvP4e/wHi5aNrHrgiCnuBJTIxHwRGSoichdpZlvSB15v8DFaQSVAiEMPj1vP/4rMkacNQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQA5uJZI0K1Xa40H3s5MAo1SG00bnn6+sG14eGIBe7BugZMw/FTgKd3VRsmlVuUWCabO9EgyfgdI1nYZCciyFhts4W9Y4BgTH0j4+VnEWiQg7dMqp2M5lykZWPS6vV2uD010sX5V0avyYi3Qr88vISCtniIZpl24c3TqTn/5j+H7LLRVI/ZU38Oa17wuSNPyed6/N4BfWhhCRZAdJgijapRG+JIBeoA1vNqN7bgFQMe3wJzSlLkTIoERWYgJGBciMPS3H9nkQlP2tGvmn0uwacWPglWR/LJG3VYoisFm/oliNUF1DONK7QYiDzIE+Ym+vzYgIDS7MT+ZQ3XwHg0Jxtr8</ds:X509Certificate> </ds:X509Data> </KeyInfo> </ds:Signature> <Subject> <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http:///win-91uhcn8tt3l.emeacucm.com/com/adfs/services/trust" SPNameQualifier="cucmsso.emeacucm.com">CHANDMIS\chandmis</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData InResponseTo="s24c2d07a125028bfffa7757ea85ab39462ae7751f" NotOnOrAfter="2017-07-01T16:55:59.105Z" Recipient="https://cucmsso.emeacucm.com:8443/ssosp/saml/SSO/alias/cucmsso.emeacucm.com" /> </SubjectConfirmation> </Subject> <Conditions NotBefore="2017-07-01T16:50:59.102Z" NotOnOrAfter="2017-07-01T17:50:59.102Z"> <AudienceRestriction> <Audience>ccucmsso.emeacucm.com</Audience> </AudienceRestriction> </Conditions> <AttributeStatement> <Attribute Name="uid"> <AttributeValue>chandmis</AttributeValue> </Attribute> </AttributeStatement> <AuthnStatement AuthnInstant="2017-07-01T16:50:59.052Z" SessionIndex="_0523022c-1e9e-473d-9914-6a93133ccfc7"> <AuthnContext> <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef> </AuthnContext> </AuthnStatement> </Assertion>
</samlp:Response>
Version="2.0" :- The version of SAML being used. InResponseTo="s24c2d07a125028bfffa7757ea85ab39462ae7751f" :- The id for SAML Request to which this reponse corresponds to samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success :- Status Code of SAML reponse. In this case it is Success. <Issuer>http://win-91uhcn8tt3l.emeacucm.com/adfs/services/trust</Issuer> :- IdP FQDN SPNameQualifier="cucmsso.emeacucm.com" :- Service Provider(CUCM) FQDN Conditions NotBefore="2017-07-01T16:50:59.102Z" NotOnOrAfter="2017-07-01T17:50:59.102Z :- Time range for which the session will be valid. <AttributeValue>chandmis</AttributeValue> :- UserID entered during the login
In case the SAML response is encrypted then you won't be able to see the complete information and have to disable encryption on Intrusion Detection & Prevention (IDP) to see the complete response. The certificate detail used for encryption is under "ds:X509IssuerSerial" of the SAML response.
Logs and CLI Commands
CLI Commands:
utils sso disable
This command disables both (OpenAM SSO or SAML SSO) based authentication. This command lists the web applications for which SSO is enabled. Enter Yes when prompted in order to disable SSO for the specified application. You must run this command on both the nodes if in a cluster. SSO can also be disabled from Graphical User Interface (GUI) and select the Disable button, under specific SSO in Cisco Unity Connection Administration.
Command Syntax
utils sso disable
utils sso status
This command displays the status and configuration parameters of SAML SSO. It helps to verify the SSO status, enabled or disabled, on each node individually.
Command Syntax
utils sso status
utils sso enable
This command returns an informational text message that prompts that the administrator can enable SSO feature only from GUI. Both OpenAM based SSO and SAML based SSO cannot be enabled with this command.
Command Syntax
utils sso enable
utils sso recovery-url enable
This command enables the Recovery URL SSO mode. It also verifies that this URL works successfully. You must run this command on both the nodes if in a cluster.
Command Syntax
utils sso recovery-url enable
utils sso recovery-url disable
This command disables the Recovery URL SSO mode on that node. You must run this command on both the nodes if in a cluster.
Command syntax
utils sso recovery-url disable
set samltrace level <trace-level>
This command enables the specific traces and trace-levels that can locate any error, debug, information, warning or fatal. You must run this command on both the nodes if in a cluster.
Command syntax
set samltrace level <trace-level>
show samltrace level
This command displays the log level set for SAML SSO. You must run this command on both the nodes if in a cluster.
Command syntax
show samltrace level
Traces to look at the time of troubleshoot:
SSO logs are not set to detailed level by default.
First run the command set samltrace level debug in order to set the log levels to debug, reproduce the issue and the collect these set of logs.
From RTMT:
Cisco Tomcat
Cisco Tomcat Security
Cisco SSO
Common Issues
Incorrect Value for Unique Indentifier (UID):
It should exactly be UID and if it’s not the case, CUCM is unable to understand that.
Incorrect Claim Rule or Wrong NameID policy:
Most likely no username and password is prompt up in this scenario.
There won’t be any valid assertion in the SAML response and Status Code will be like:
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"/>
Verify that the claim rule is correctly defined at the IDP side.
Difference in case/name Defined in Claim Rule:
CUCM FQDN in claim rule should exactly match with the one specified on the actual server.
You can compare the entry in metadata xml file of IDP with the one on CUCM by running show network cluster/show network etho details command on CLI of CUCM.
Incorrect Time:
NTP between CUCM and IDP has a difference greater than the 3 seconds allowed in the Deployment Guide.
Assertion Signer Not Trusted:
At the time of the exchange of the metadata between IDP and CUCM (service provider).
Certificates are exchanged and if there is any revocation of certificate done, metadata should be exchanged again.
DNS Misconfiguration/No Configuration
DNS is the primary requirement for SSO to work. Run show network etho detail, utils diagnose test on the CLI in order to verify DNS/Domain is configured correctly.
Known Defects
ADFS Signing Certificate renews and adds two signing certs to IDP responses back to CUCM (SP) thus causes you to run into defect. You have to delete the signing certificate which is not required
When you navigate to the SAML SSO page from CCM Admin you are prompted with "The following servers failed during attempt to get SSO Status" followed by the node name.
CTI based SSO fails when defining CUCM server as IP address in CCMAdmin//System/Sever.
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)