
Configure Single Sign-On using CUCM and AD FS 2.0 (Windows Server 2008 R2)

Contents

Introduction
Prerequisites
Requirements
Components Used
Download and Install AD FS 2.0 on your Windows Server
Configure AD FS 2.0 on Your Windows Server
Import the IdP Metadata to CUCM / Download the CUCM Metadata
Import CUCM Metadata to AD FS 2.0 Server and Create Claim Rules
Finish Enabling SSO on CUCM and run the SSO Test
Troubleshooting
Set SSO logs to debug
Finding Federation Service Name
Dotless Certificate when Specifying the Federation Service name
Time is out of sync between the CUCM and IDP servers

Introduction

This document describes how to configure Single Sign-On (SSO) using Cisco Unified Communications Manager (CUCM) and Active Directory Federation Services (AD FS) 2.0 on Windows Server 2008 R2.

Contributed by Scott Kiewert, Cisco TAC Engineer.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• Cisco Unified Communications Manager

• Basic knowledge of AD FS 2.0

In order to enable SSO in your lab environment, you need this configuration:

• Windows Server with AD FS 2.0 installed

• CUCM with LDAP sync configured

• An End User with the Standard CCM Super Users role selected

Components Used

The information in this document is based on these software and hardware versions:


• Windows Server with AD FS 2.0

• CUCM


Download and Install AD FS 2.0 on your Windows Server

Step 1. Navigate to https://www.microsoft.com/en-us/download/details.aspx?id=10909 and click Continue.

Step 2. In the popup window, make sure you select the appropriate download for your Windows Server version and architecture.

Step 3. Move the downloaded file to your Windows Server.

Step 4. Proceed with the installation:

Step 5. When prompted, select Federation Server:


Step 6. Some dependencies may be installed automatically; when the installer finishes, you are prompted to click Finish.

Now that you have AD FS 2.0 installed on your server, you need to add some configuration.

Configure AD FS 2.0 on Your Windows Server

Step 1. The AD FS 2.0 Management window should have opened after the install; if not, you can find it by clicking Start and searching for AD FS 2.0 Management.

Step 2. Once you have the AD FS window open, select AD FS 2.0 Federation Server Configuration Wizard.

Step 3.  Next, click Create a new Federation Service.


Step 4. For a lab environment, Stand-alone federation server is sufficient.


Step 5. Next, you are asked to select the SSL certificate that the server uses. This should auto-populate as long as the server already has a certificate bound in IIS. The certificate's subject name becomes the Federation Service name, so it must be a fully qualified name such as fs.fabrikam.com (see Dotless Certificate under Troubleshooting if the wizard rejects it).


Step 6. If you have an existing AD FS database on the server, you need to remove it to continue.

Step 7. Finally, you are on a summary screen where you can just click Next.


Import the IdP Metadata to CUCM / Download the CUCM Metadata

Step 1. Download the federation metadata from your AD FS server by navigating to this URL (replace hostname with the Federation Service name): https://hostname/federationmetadata/2007-06/federationmetadata.xml

Step 2. Navigate to Cisco Unified CM Administration > System >  SAML Single Sign-On

Step 3. Click Enable SAML SSO

Step 4. You may receive a warning that the Web Server Connections need to be reset; simply click Continue.

Step 5. Next, CUCM instructs you to download the metadata file from your IdP. In this scenario, your AD FS server is the IdP, and you downloaded the metadata in Step 1 above, so click Next.

Step 6. You are asked to import the file.

Step 7. Click Browse > Select the .xml from Step 1 > Click Import IdP Metadata.

Step 8. You should receive a message that the import was successful:

Step 9. Click Next

Step 10. Now that you have the IdP metadata imported into CUCM, you need to import CUCM's metadata into your IdP.

Step 11. Click Download Trust Metadata File

Step 12. Click Next

Step 13. Move the .zip file that was downloaded in Step 11 to your Windows Server and extract the contents to a folder. The archive contains one SP metadata .xml file per node in the cluster.
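The following PowerShell script is an added example, not part of the Cisco document, that performs Step 1 from the AD FS server itself and reports what CUCM will trust from the downloaded metadata: the IdP entityID, the SingleSignOnService endpoints, and the token-signing certificate with its expiry. The federation service name fs.example.com and the output path are placeholders. It runs on the PowerShell 2.0 that ships with Windows Server 2008 R2.

```powershell
# Added example (not from the Cisco document): fetch the AD FS 2.0 federation
# metadata from Step 1 and report what CUCM will trust from it.
# Assumptions: the Federation Service name is fs.example.com (placeholder) and
# this host can reach AD FS over HTTPS.
param(
    [string]$FederationServiceName = "fs.example.com",
    [string]$OutFile = "$env:TEMP\federationmetadata.xml"
)

$url = "https://$FederationServiceName/federationmetadata/2007-06/federationmetadata.xml"

# WebClient is available on PowerShell 2.0 (Windows Server 2008 R2). If the
# AD FS SSL certificate is self-signed and not trusted by this host the download
# fails with an SSL error; install the issuing certificate in Trusted Root
# rather than disabling certificate validation.
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $OutFile)

[xml]$md = Get-Content -Path $OutFile
$entity = $md.EntityDescriptor

# entityID is the IdP identifier CUCM stores; AD FS sends the same value in
# the <Issuer> of every assertion, so keep it for comparison during the SSO test.
"IdP entityID : " + $entity.entityID

$idp = $entity.IDPSSODescriptor
foreach ($sso in $idp.SingleSignOnService) {
    "SSO endpoint : {0} -> {1}" -f $sso.Binding, $sso.Location
}

# The token-signing certificate is what CUCM uses to verify assertion
# signatures. AD FS 2.0 rolls this certificate automatically by default, and
# after a rollover the IdP metadata must be re-imported into CUCM.
foreach ($kd in $idp.KeyDescriptor) {
    if ($kd.use -ne "signing") { continue }
    $b64   = $kd.KeyInfo.X509Data.X509Certificate
    $bytes = [Convert]::FromBase64String($b64)   # FromBase64String ignores the line breaks in the XML
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
    "Signing cert : {0}`n   thumbprint {1}`n   expires    {2}" -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "Token-signing certificate expires within 30 days; plan a metadata re-import on CUCM."
    }
}
```

Run it as `.\Get-AdfsMetadata.ps1 -FederationServiceName fs.example.com`; the file it writes is the one you import in Step 7. The thumbprint it prints should match the Token-signing certificate shown under Service > Certificates in AD FS 2.0 Management.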

Import CUCM Metadata to AD FS 2.0 Server and Create Claim Rules

Step 1. At this point, go back to your AD FS server and open the AD FS 2.0 Management window by clicking Start and searching for AD FS 2.0 Management.

Step 2. Click Required: Add a trusted relying party. (Note: if you do not see this link, close the window and open it again. The option does not appear if the window has been left open since the Federation Server Configuration Wizard completed.)

Step 3. Once you have the Add Relying Party Trust Wizard open, click Start.

Step 4. Here, you need to import the .xml files that you extracted in Step 13 of the previous section. Select Import data about the relying party from a file, browse to the folder containing the files, and select the .xml for your publisher.

Note: Repeat the same steps for every Unified Collaboration server on which you want to use SSO; each node is a separate relying party trust.

Step 5. Click Next


Step 6. Edit the Display Name to whatever you'd like then click Next.

Step 7. Select Permit all users to access this relying party and click Next

Step 8. Click Next once more

Step 9. On this screen, make sure Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is checked, then click Close.

Step 10. You should now be brought to a window that looks like this:

Step 11. In this window, click Add Rule.

Step 12. For Claim rule template, select Send LDAP Attributes as Claims and click Next.


Step 13. On the next page, enter NameID for the Claim rule name

Step 14. Select Active Directory for the Attribute store

Step 15. Select SAM-Account-Name for the LDAP Attribute

Step 16. Enter uid for Outgoing Claim Type

Note: uid is not in the drop-down list and does not autofill; type it in manually. CUCM matches the uid claim against the user ID synchronized from LDAP.

Step 17. Click Finish

Step 18. You should now see your rule; however, a second rule is needed, so click Add Rule again.

Step 19. Select Send Claims Using a Custom Rule

Step 20. Enter a Claim rule name (this can be anything)

Step 21. In the Custom rule field, paste the following text:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://<AD_FS_SERVICE_NAME>/adfs/com/adfs/service/trust", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<CUCM_FQDN>");

Step 22. Make sure you replace the two placeholders, <AD_FS_SERVICE_NAME> and <CUCM_FQDN>, with the appropriate values. <CUCM_FQDN> is the fully qualified name of the node whose metadata you imported in Step 4 (the entityID in that .xml file).

Note: If you are not sure of the AD FS Service Name, see Finding Federation Service Name under Troubleshooting.

Step 23. Click Finish

Step 24. Click OK

Note: Both claim rules are needed on the relying party trust of every Unified Collaboration server on which you want to use SSO, with <CUCM_FQDN> set to that server's FQDN.

Finish Enabling SSO on CUCM and run the SSO Test

Step 1. Now that the AD FS server is fully configured, you can go back to CUCM.


Step 2. You should be sitting on a page that looks like this:

Step 3. Select the End User that has the Standard CCM Super Users role and click Run SSO Test...

Step 4. A popup window appears. It may take about 30 seconds to load, but eventually you are redirected to AD FS and presented with a login challenge.

Step 5. Enter the Active Directory password of the selected user (the one synchronized to CUCM through LDAP). On success, the popup reports that the SSO test succeeded.


Step 6. Click Close on the popup window and then Finish.

SSO is now configured in your lab.

Troubleshooting

Set SSO logs to debug

To set the SSO logs to debug, run this command in the CLI of the CUCM: set samltrace level debug

The SSO logs can be downloaded from RTMT. The name of the log set is Cisco SSO.

Finding Federation Service Name

You can confirm the Federation Service name by clicking Start and searching for and opening AD FS 2.0 Management.

• Click Edit Federation Service Properties...

• On the General tab, look for Federation Service name

Dotless Certificate when Specifying the Federation Service name

If you receive the following error message while going through the AD FS configuration wizard, you need to create a new certificate whose subject is a fully qualified name.

"The selected certificate cannot be used to determine the Federation Service name because the selected certificate has a dotless (short-named) Subject name (for example, fabrikam). Select another certificate without a dotless (short-named) Subject name (for example, fs.fabrikam.com), and then try again."

• Click Start, search for iis, and open Internet Information Services (IIS) Manager

• Click on your server's name

• Click on Server Certificates

• Click on Create Self-Signed Certificate

• Enter the name you want for the alias of your certificate


Time is out of sync between the CUCM and IDP servers

If you receive the error listed below when you run the SSO test from CUCM, you may need to configure the Windows Server to use the same NTP servers as the CUCM. The process to do this is covered in the comments of .

"Invalid SAML response. This may be caused when time is out of sync between the Cisco Unified Communications Manager and IDP servers. Please verify the NTP configuration on both servers. Run "utils ntp status" from the CLI to check this status on Cisco Unified Communications Manager."

Once the Windows Server has the NTP servers specified, download the metadata from the IdP again and upload it to the CUCM. Then go directly to the SSO test and check whether you still get the same error.
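This script is an added example, not part of the Cisco document, that runs the checks behind the three troubleshooting sections above (Finding Federation Service Name, Dotless Certificate, and Time is out of sync) from PowerShell on the AD FS 2.0 server. The NTP server names ntp1.example.com and ntp2.example.com are placeholders; use the sources that "utils ntp status" reports on CUCM.

```powershell
# Added example (not from the Cisco document): AD FS-side troubleshooting checks.
# Assumption: $NtpServers are the NTP sources CUCM uses (placeholders).
param(
    [string[]]$NtpServers = @("ntp1.example.com", "ntp2.example.com"),
    [switch]$ApplyNtp
)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. Federation Service name: the <AD_FS_SERVICE_NAME> placeholder of Step 22.
$props = Get-ADFSProperties
"Federation Service name : " + $props.HostName
"Federation Service ID   : " + $props.Identifier

# 2. Dotless certificate: the service-communications certificate must carry a
#    fully qualified subject (fs.fabrikam.com), not a short name (fabrikam).
foreach ($c in Get-ADFSCertificate -CertificateType Service-Communications) {
    $subject = $c.Certificate.Subject
    $cn = ($subject -split ',')[0] -replace '^\s*CN=', ''
    "Service-Communications cert: $subject (expires $($c.Certificate.NotAfter))"
    if ($cn -notmatch '\.') {
        Write-Warning "Subject CN '$cn' is dotless; issue a certificate whose CN is the service FQDN."
    }
}

# 3. Time sync: SAML assertions carry NotBefore/NotOnOrAfter conditions, and
#    CUCM rejects the response when its clock and the IdP's differ by more than
#    the allowed skew. Report current status and the offset to each CUCM source.
w32tm /query /status
foreach ($peer in $NtpServers) {
    # Read-only: shows this host's offset against the peer, three samples.
    w32tm /stripchart /computer:$peer /samples:3 /dataonly
}

if ($ApplyNtp) {
    # Point the Windows Time service at the same sources CUCM uses. On a domain
    # member the domain hierarchy normally syncs from the PDC emulator, so in
    # production make this change there; on a lab server it can be done directly.
    $peerList = $NtpServers -join ' '
    w32tm /config /manualpeerlist:"$peerList" /syncfromflags:manual /update
    w32tm /resync
    w32tm /query /status
}
```

Run it without -ApplyNtp first to see the offsets; if they are more than a few seconds, run it again with -ApplyNtp (on a lab server), then re-download the IdP metadata, re-import it into CUCM, and repeat the SSO test as described above.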