Configuring Cisco SSO with Microsoft Azure

This document provides an example of how to configure Microsoft Azure as the SAML SSO Identity Provider (IdP) for the following applications:

  • Cisco Unified Communications Manager
  • IM and Presence Service
  • Cisco Unity Connection
  • Cisco Expressway

There are various bugs and issues with using the userPrincipalName (uPN) as the user ID with CUCM, both with SSO and without it.

When NOT using SSO, CUCM doesn't support a uPN suffix that differs from the main suffix in AD / LDAP: CUCM attempts to find the user in LDAP using the suffix the user entered, which might NOT match how the LDAP is set up, so the user might not be found even if this IS their uPN. This is a bug on the CUCM side which has NOT been fixed; Cisco's workaround is “use the mail attribute”.

When using SSO this issue doesn't occur, because CUCM doesn't attempt to verify and authenticate the user against AD; authentication is done through SSO instead. However, with SSO and uPN, Jabber has a bug.

Jabber attempts to find the user in CUCM before attempting SSO. It finds the user in CUCM by searching on the user's mail attribute, not on the user ID in CUCM. So if the user doesn't have a mail attribute, or enters a uPN that differs from the mail attribute, no SSO is attempted because the user is not found.

So in effect the user has to enter their mail attribute as their username in Jabber. Jabber finds the user and THEN SSO is attempted with the uPN, which is VERY confusing for the user if the uPN doesn't match the mail attribute.

And if the two always match for all users, why use uPN at all? Just use the mail attribute instead.

Waiting to test the behaviour of Webex One with CUCM and whether it replicates this Jabber bug… Update! Webex One works with uPN and SSO.

Before you configure Azure, you must export UC metadata from your Cisco Collaboration deployment.

  • From Cisco Unified CM Administration, go to System > SAML Single Sign On.
  • For the SSO Mode, select Per-node (Per-node is required for Azure SSO).
  • In the Certificates section, choose either Use Tomcat certificate or Use system-generated self-signed certificate.
  • Click Export All Metadata and download the metadata file.
  • After the metadata zip file downloads, unzip the file and verify that you have a separate file for each cluster node.

Note: If you have the IM and Presence Service deployed in a Standard Deployment (non-centralized), your metadata zip file also includes IM and Presence Service nodes.

  • In Cisco Unity Connection Administration, choose System Settings → SAML Single Sign On.
  • Choose a Per Node agreement.
  • Click Export All Metadata.
  • Unzip the file and verify that you have a separate file for each cluster node.
  • On the Expressway-C primary peer, go to Configuration → Unified Communications → Configuration.
  • In the MRA Access Control section, set the Authentication path to either SAML SSO authentication or SAML SSO or UCM/LDAP.
  • Set SAML Control to either Cluster or Peer, depending on which type of SAML agreement you want.
  • Click Export SAML data.

Note: With Cluster agreements, you will get an XML file download. With Peer agreements, you will get a zip file that contains XML files for each Expressway-C cluster node.

If you have OpenSSL installed, generate a certificate for Azure and provision it on the Azure application. Azure will include this certificate in its IdP metadata export and use this certificate to sign the SAML assertions that it sends to Cisco Unified Communications Manager, IM and Presence Service and Cisco Unity Connection nodes.

  • There is no need to install this certificate on any Cisco UC applications.
  • If you don’t have OpenSSL, use your enterprise CA to generate a certificate.
  • It is recommended to set the certificate expiry to 5 years.

Note: This procedure is not required for Cisco Expressway.

Using OpenSSL to generate the CA certificate (store private keys securely)

  • Create a certificate and a private key:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 1825 -out certificate.pem
  • Combine the certificate and the key into a password-protected PFX file, which is required by Azure. Make sure to take note of the password.
openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in certificate.pem
  • Generate a single certificate for all nodes and custom apps in the cluster.
  • Upload the certificate to the Azure Identity Provider.

Complete the following procedure separately for each cluster node in your Cisco Unified Communications Manager, IM and Presence Service, and Cisco Unity Connection deployment.

For Cisco Expressway, if you have a cluster agreement, complete the procedure once for the Expressway-C cluster. Otherwise, if you are using a peer agreement, complete the procedure separately for each Expressway-C node.

  • In Microsoft Azure, at Enterprise applications | All applications, select Add an application.
  • In the Add an application window, do the following:
    • Click Non-gallery application.
    • Enter the Name of your new application (for example, UnifiedCM_Publisher) and click Add.
  • In the left navigation bar, click Single sign-on.
  • Click SAML. The Set up Single Sign-On with SAML window appears.
  • Click Upload metadata file and then browse to the UC metadata XML file for the server for which you are configuring an agreement. After you select and open the file, click Add.
  • The Basic SAML Configuration populates with Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) for the Collaboration server.
  • Click Save.
  • Edit the User Attributes & Claims section.
    • Under Required claim, click on Unique User Identifier (Name ID).
    • For the name identifier format, select Default.
    • For Source attribute, choose user.onpremisessamaccountname.
    • Click Save.
    • Under Additional claims, delete all existing claims. For each claim, click (…) and select Delete. Click OK to confirm.
    • Click Add new claim to add the uid claim.
    • For Name, enter uid.
    • Leave the Namespace field blank.
    • For Source, check the Attribute radio button.
    • From the Source attribute drop-down, select user.onpremisessamaccountname.
      • If using mail as the user ID attribute, select user.mail.
      • If using uPN, select user.userprincipalname.
    • As noted above, the source attribute for the uid claim depends on the LDAP System Settings configured in the Cisco UC applications, i.e. whether you map the LDAP User ID to sAMAccountName (the default), mail, employeeNumber, telephoneNumber or userPrincipalName.
    • Click Save.
  • Click SAML-based Sign-on to return to the SAML summary.
  • Unified CM, IM and Presence Service, and Unity Connection nodes only. In the SAML Signing Certificate section, click Edit:
    • Click Import Certificate.
    • In the Certificate field, click the cloud to browse to and open the certificate.pfx file that you created earlier.
    • Enter the password and click Add.
  • Click Save.
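As an added check for the claim mapping above (example code, not part of Cisco's or Microsoft's documentation): the script below parses a SAML Response captured during a test login and confirms that the uid claim carries the same value that the cluster's configured LDAP User ID attribute holds for that user, and flags the Jabber uPN/mail situation described earlier. The SAML Response and the AD attributes are constructed samples.

```python
"""Added example (not Cisco's or Microsoft's code): check the 'uid' claim in an
Azure SAML assertion against the LDAP User ID attribute the UC cluster uses."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Azure source attribute the uid claim must use, per the CUCM LDAP User ID mapping.
UID_SOURCE = {
    "sAMAccountName": "user.onpremisessamaccountname",
    "mail": "user.mail",
    "userPrincipalName": "user.userprincipalname",
}

def uid_from_assertion(saml_xml: str):
    """Return the value of the 'uid' attribute, or None if the IdP did not send one."""
    root = ET.fromstring(saml_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == "uid":
            value = attr.find("saml:AttributeValue", SAML_NS)
            return value.text.strip() if value is not None and value.text else None
    return None

def check_uid_claim(saml_xml: str, ldap_user_id_attr: str, ad_user: dict) -> list:
    """Return the problems found (empty list = OK); ad_user holds the user's AD attributes."""
    uid = uid_from_assertion(saml_xml)
    if uid is None:
        return ["no 'uid' attribute in the assertion: add it under Additional claims"]
    problems = []
    expected = ad_user.get(ldap_user_id_attr)
    if uid != expected:
        problems.append(f"uid '{uid}' != {ldap_user_id_attr} '{expected}': set the uid source "
                        f"attribute to {UID_SOURCE.get(ldap_user_id_attr, 'the matching Azure attribute')}")
    # Jabber looks the user up by mail before SSO, so when the cluster keys on uPN
    # and uPN differs from mail, the user must type the mail value into Jabber.
    if ldap_user_id_attr == "userPrincipalName" and ad_user.get("mail") != ad_user.get("userPrincipalName"):
        problems.append("uPN differs from mail: Jabber users must enter the mail value")
    return problems

# Constructed sample: an assertion whose uid claim was sourced from user.mail.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jsmith@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_USER = {"sAMAccountName": "jsmith", "mail": "jsmith@example.com",
               "userPrincipalName": "jsmith@corp.example.com"}
```

Run `check_uid_claim(SAMPLE_RESPONSE, "sAMAccountName", SAMPLE_USER)` to see the mismatch message that a mail-sourced uid claim produces when the cluster is mapped to sAMAccountName.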

Expressway only

  • In the SAML Signing Certificate section, click Edit and set the Expressway options:
    • Set Signing Option to Sign SAML Response and Assertion.
    • Set the Signing Algorithm to the appropriate SHA algorithm. For example, SHA-256.
    • Click Save.

All UC Apps

  • Download the Federation Metadata XML file.
  • Enable the Application in Azure and Assign Users:
  • Azure provides you with the ability to assign individual users for SSO with Azure, or all users. For this example, it is assumed that you are enabling SSO for all users.
    • In the left navigation bar, select Manage > Properties.
    • Set Enabled for users to sign in? to Yes.
    • Set Visible to users? to No.
    • Click Save.
  • Repeat this procedure separately for each Cisco Unified Communications Manager, IM and Presence Service and Cisco Unity Connection node.
  • For Cisco Expressway, how many times you complete the procedure depends on the agreement type you chose in Expressway-C (Cluster agreements are recommended):
    • With Cluster agreements—Complete this procedure a single time only for the Expressway-C cluster. You don't need to complete the procedure for the Expressway-E cluster.
    • With Peer agreements—Complete this procedure separately for each Expressway-C node. You don't need to complete the procedure for Expressway-E nodes.
  • From Cisco Unified CM Administration, navigate to System → SAML Single Sign On.
  • Click Enable SAML SSO, click Continue and follow the prompts.
  • Import the IdP Metadata file into Cisco Unified Communications Manager.
  • Test the SSO connection.
  • Restart the Cisco Tomcat Service.
  • In Cisco Unity Connection Administration, go to System Settings → SAML Single Sign On.
  • Click Enable SAML Single Sign On.
  • Click Continue and follow the prompts.
  • Import the IdP metadata file into Cisco Unity Connection.
  • Test the SSO Connection.
  • Restart the Cisco Tomcat service.
  • On the Expressway-C primary peer go to Configuration → Unified Communications → Identity providers (IdP).
  • Click Import new IdP from SAML.
  • Locate and select the metadata file.
  • Set Digest to the required SHA algorithm and click Upload.
  • Verify that your Identity Provider appears.
  • Click Associate domains.
  • Check each of the domains that you want to associate to this IdP.
  • Click Save.
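Before importing the Federation Metadata XML into the UC nodes, it is worth confirming that the signing certificate Azure advertises in it is the certificate.pem you uploaded as certificate.pfx, since that is the certificate the nodes will trust for assertion signatures. The following stdlib-only Python check is an added example, not Cisco's or Microsoft's code; the metadata and certificate blobs in it are constructed stand-ins, and a real run would read the downloaded metadata and certificate.pem from disk.

```python
"""Added example (not Cisco's or Microsoft's code): confirm that the signing
certificate in the Azure Federation Metadata XML is the certificate.pem that was
uploaded as certificate.pfx.  Stdlib only; sample data below is constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
         "ds": "http://www.w3.org/2000/09/xmldsig#"}

def pem_to_der(pem_text: str) -> bytes:
    """Strip the PEM armour and return the certificate's DER bytes."""
    body = "".join(ln for ln in pem_text.splitlines() if ln and not ln.startswith("-----"))
    return base64.b64decode(body)

def signing_certs_from_metadata(metadata_xml: str) -> list:
    """Return DER bytes of every certificate the IdP advertises for signing."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", MD_NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means signing and encryption
            continue
        for c in kd.findall(".//ds:X509Certificate", MD_NS):
            certs.append(base64.b64decode("".join((c.text or "").split())))  # drop line breaks
    return certs

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def metadata_uses_our_cert(metadata_xml: str, pem_text: str) -> bool:
    """True if the certificate from the PEM is one of the IdP's signing certificates."""
    ours = fingerprint(pem_to_der(pem_text))
    return ours in {fingerprint(c) for c in signing_certs_from_metadata(metadata_xml)}

# Constructed stand-ins: a real run would read certificate.pem and the downloaded metadata.
OUR_DER = b"constructed bytes standing in for the DER of certificate.pem"
OUR_B64 = base64.b64encode(OUR_DER).decode()
OTHER_B64 = base64.b64encode(b"constructed bytes for an unrelated certificate").decode()
OUR_PEM = "-----BEGIN CERTIFICATE-----\n" + OUR_B64 + "\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {OUR_B64[:24]}
      {OUR_B64[24:]}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {OTHER_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

`metadata_uses_our_cert(SAMPLE_METADATA, OUR_PEM)` returns True only for the signing key; the encryption KeyDescriptor is deliberately ignored, which is also why a certificate that only appears there is reported as not matching.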

Troubleshooting

Review troubleshooting guide URL (at the top of the page).

  • Enable Debug Level
set samltrace level debug
  • Find the name of the active ssosp log file
file list activelog tomcat/logs/ssosp/log4j/*
  • View the log file
file view activelog tomcat/logs/ssosp/log4j/ssosp000xx.log
  • View it in real time
file tail activelog tomcat/logs/ssosp/log4j/ssosp000xx.log
  • Set Log levels back to the default level of “info”
set samltrace level info

Also check the following logs:

  • /tomcat/logs/authenticationrealm/log4j/authenticationrealm000xx.log
  • /tomcat/logs/authenticationrealm/log4j/authenticationvalve000xx.log

To download all Tomcat logs, use the following command:

file get activelog tomcat/logs/* recurs
Last modified: 2022/12/13 09:49 by gerardorourke