SAML SSO Microsoft Entra ID Identity Provider
Revision History
Date | Revision
---|---
April 02, 2024 | Updated the document to include changes for enhancements to the Microsoft Entra ID Enterprise applications Catalog.
June 21, 2022 | Added support for clusterwide agreements with Microsoft Entra ID for Unified CM, IM and Presence Service, Unity Connection, and Expressway.
Introduction
This document provides a configuration example of how to configure Microsoft Entra ID as the SAML SSO Identity Provider (IdP) for the following applications:
- Cisco Unified Communications Manager
- IM and Presence Service
- Cisco Unity Connection
- Cisco Expressway
Single sign-on (SSO) is a session or user authentication process that lets a user provide credentials once to access one or more applications. The process authenticates the user for all applications they have been given rights to and eliminates further credential prompts when they switch applications during a particular session.
For detailed information about the SAML SSO Solution, see the SAML SSO Deployment Guide for Cisco Unified Communications Applications.
Metadata Requirements
The following condition applies to metadata agreements with Microsoft Entra ID:
- Cisco Unified Communications Manager, IM and Presence Service, Cisco Unity Connection, and Cisco Expressway support clusterwide agreements with Microsoft Entra ID.
Note
Microsoft Entra ID officially supports only clusterwide agreements; per-node agreements are not recommended for SAML SSO.
Metadata Examples
Given the UC deployment below, the following table shows the total number of metadata files that this deployment gives you for export. Note that the IM and Presence Service is deployed in a Standard Deployment unless otherwise indicated.
- A five-node Cisco Unified Communications Manager cluster
- A three-node IM and Presence Service cluster (Standard Deployment)
- A two-node Cisco Unity Connection cluster
- A three-node Expressway-C cluster
- A three-node Expressway-E cluster

With this type of deployment | These are the XML files that you get
---|---
Expressway is in a clusterwide agreement | You export three clusterwide metadata XML files in total: one for the Unified CM cluster (in a Standard Deployment, the IM and Presence Service nodes are covered by the Unified CM agreement), one for the Unity Connection cluster, and one for Expressway.
IM and Presence Service is in a Centralized Deployment | Your IM and Presence metadata is exported separately from your Unified CM telephony cluster. This gives you one extra metadata XML file, plus one extra metadata file for the standalone Unified CM node that is in the IM and Presence central cluster. This results in 5 clusterwide XML metadata files in total.
Configure Microsoft Entra ID as Identity Provider
Before you begin
Procedure
Step | Command or Action
---|---
Step 1 | Export the metadata file from your Cisco UC applications.
Step 2 | Import the UC metadata file into Microsoft Entra ID and configure Microsoft Entra ID to provide identity services. Export a Federation Metadata file from Microsoft Entra ID.
Step 3 | Import the Microsoft Entra ID metadata file into your Cisco UC applications and complete the SSO configuration.
Export UC Metadata File
Procedure
Step 1 | Export UC metadata from Cisco Unified Communications Manager:
Step 2 | If you have deployed the Centralized Deployment for the IM and Presence Service, repeat the previous step on the Unified CM publisher node that is located within your IM and Presence central cluster.
Step 3 | Export UC metadata from Cisco Unity Connection:
Step 4 | Export UC metadata from Cisco Expressway:
Configure Microsoft Entra ID Catalog Application
Complete the following procedure for clusterwide agreements in your Cisco Unified Communications Manager, IM and Presence Service, Cisco Unity Connection, and Cisco Expressway deployment.
Procedure
Step 1 | In Microsoft Entra ID, go to Enterprise applications > All applications and click New application.
Step 2 | In the New application window, do the following:
Step 3 | In the left navigation bar, click Single sign-on.
Step 4 | Click SAML. The Set up Single Sign-On with SAML window appears.
Step 5 | Click Upload metadata file, browse to the UC metadata XML file for the cluster (or standalone server) for which you are configuring an agreement, select it, and click Add. The Basic SAML Configuration populates with the Identifier (Entity ID) and Reply URL (Assertion Consumer Service URL) taken from the Collaboration server's metadata. Verify that the values shown match the metadata you exported before you continue.
Step 6 | Click Save.
Step 7 | If necessary, edit the User Attributes & Claims section. Cisco UC applications expect the user's ID in a claim named uid; add it if the default claim set does not provide it.
Step 8 | Click SAML-based Sign-on to return to the SAML summary.
Step 9 | Download the Federation Metadata XML file.
Step 10 | Enable the application in Microsoft Entra ID and assign users:
Enable SAML SSO for Collaboration Applications
Procedure
Step 1 | Enable SAML SSO on Cisco Unified Communications Manager:
Step 2 | If you have an IM and Presence Centralized Deployment, repeat Step 1 on the Unified CM publisher node that is located in the IM and Presence central cluster.
Step 3 | Enable SAML SSO on Cisco Unity Connection:
Step 4 | Enable SAML SSO on Expressway:
Troubleshooting
For debugging, use a browser extension such as SAML-tracer to capture the SAML request and the signed response that the IdP posts back to the UC application.
Make sure that the X.509 certificate carried in the SAML assertion's signature matches the SAML signing certificate on your Microsoft Entra ID enterprise application. A mismatch usually means the signing certificate was rotated or replaced in Microsoft Entra ID after the federation metadata was imported; download the current Federation Metadata XML file again and re-import it into each UC application.
Check the ssosp logs for errors. The following is an example of a certificate issue as it appears in the ssosp logs:
2020-09-21 05:45:39,131 ERROR [http-bio-8443-exec-51] fappend.SamlLogger - FMSigProvider.verify: The cert contained in the document is NOT the same as the one being passed in.
2020-09-21 05:45:39,134 ERROR [http-bio-8443-exec-51] authentication.SAMLAuthenticator - Error while processing saml response The signing certificate does not match what's defined in the entity metadata.
com.sun.identity.saml2.common.SAML2Exception: The signing certificate does not match what's defined in the entity metadata.
at com.sun.identity.saml2.xmlsig.FMSigProvider.verify(FMSigProvider.java:334)
at com.sun.identity.saml2.assertion.impl.AssertionImpl.isSignatureValid(AssertionImpl.java:651)
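The following Python script is an added example and is not part of this document or of Cisco's or Microsoft's code. It serves two points on this page: Step 5 of the catalog application procedure (the Identifier and Reply URL that Microsoft Entra ID fills in from the uploaded UC metadata) and the troubleshooting check that the certificate inside the SAML assertion matches the signing certificate published for the enterprise application. The hostnames, the tenant ID, both metadata documents and the SAML response are constructed placeholders, and the certificate values are base64 stand-ins rather than real DER, so the comparison logic can run offline.

```python
"""Metadata and signing-certificate checks for a Cisco UC <-> Microsoft Entra ID
SAML SSO agreement. Added example, not Cisco or Microsoft code; every hostname,
ID, document and certificate below is a constructed placeholder."""
import base64
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
TENANT = "00000000-0000-0000-0000-000000000000"  # constructed tenant ID


def _stand_in_cert(label: str) -> str:
    # base64 of a marker string, NOT a real DER certificate
    return base64.b64encode(f"constructed placeholder, not a certificate: {label}".encode()).decode()


ENTRA_CERT = _stand_in_cert("entra-signing-1")    # cert published in the federation metadata
ROTATED_CERT = _stand_in_cert("entra-signing-2")  # a rotated cert the UC side has not imported

# Constructed clusterwide SP metadata: one entityID for the cluster, one ACS URL per node.
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="cucm-cluster.example.com">
  <md:SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cucm-pub.example.com:8443/ssosp/saml/SSO/alias/cucm-cluster.example.com" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cucm-sub1.example.com:8443/ssosp/saml/SSO/alias/cucm-cluster.example.com" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed federation metadata in the shape an IdP exports (default namespace, cert wrapped at 64 columns).
IDP_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data><X509Certificate>
{textwrap.fill(ENTRA_CERT, 64)}
</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def saml_response(cert_b64: str) -> str:
    """Constructed minimal Response whose Assertion signature carries cert_b64 (wrapped at 76 columns)."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="{DS}">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{textwrap.fill(cert_b64, 76)}
</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def normalize_cert(text: str) -> str:
    """Strip PEM armour and all whitespace: metadata, responses and portals wrap the
    same certificate differently, so only the bare base64 is comparable."""
    text = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text or "")
    return "".join(text.split())


def cert_fingerprint(b64_der: str) -> str:
    """SHA-256 of the decoded certificate bytes; stable across re-wrapping."""
    return hashlib.sha256(base64.b64decode(normalize_cert(b64_der))).hexdigest()


def parse_sp_metadata(xml_text: str) -> dict:
    """The fields Entra's Basic SAML Configuration is filled from on upload:
    Identifier (Entity ID) and the Reply URLs (Assertion Consumer Service URLs)."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("not SP metadata: no SPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        "reply_urls": [e.get("Location") for e in sp.findall("md:AssertionConsumerService", NS)
                       if e.get("Binding", "").endswith("HTTP-POST")],
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
    }


def idp_signing_fingerprints(xml_text: str) -> set:
    """Fingerprints of every certificate the IdP metadata publishes for signing."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor")
    fps = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute means signing and encryption
            fps.update(cert_fingerprint(c.text) for c in kd.iter(f"{{{DS}}}X509Certificate"))
    return fps


def response_signing_fingerprints(xml_text: str) -> set:
    """Fingerprints of the certificates carried inside the response's ds:Signature elements."""
    root = ET.fromstring(xml_text)
    return {cert_fingerprint(c.text)
            for sig in root.iter(f"{{{DS}}}Signature")
            for c in sig.iter(f"{{{DS}}}X509Certificate")}


def check_signing_cert(response_xml: str, idp_metadata_xml: str) -> tuple:
    """(ok, detail): ok is False when a certificate in the response is not one the IdP
    metadata publishes, the condition behind the ssosp error 'The signing certificate
    does not match what's defined in the entity metadata'."""
    seen = response_signing_fingerprints(response_xml)
    if not seen:
        return False, "no X509Certificate inside any ds:Signature of the response"
    unknown = seen - idp_signing_fingerprints(idp_metadata_xml)
    if unknown:
        return False, "signing cert not in IdP metadata: " + ", ".join(sorted(unknown))
    return True, "signing certificate matches IdP metadata"


if __name__ == "__main__":
    print(parse_sp_metadata(SP_METADATA))
    print(check_signing_cert(saml_response(ENTRA_CERT), IDP_METADATA))
    print(check_signing_cert(saml_response(ROTATED_CERT), IDP_METADATA))
```

To use it against a real deployment, replace SP_METADATA with the file exported from the UC application, IDP_METADATA with the Federation Metadata XML downloaded from the enterprise application, and the response with the SAMLResponse captured by SAML-tracer (base64-decoded). The script only compares certificates; it does not validate the XML signature itself, which the UC application still does. When parsing documents from outside your control, swap xml.etree for defusedxml to avoid entity-expansion attacks.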