Troubleshoot UCCE SSO Integration with Azure IdP

Available Languages

Download Options

  • PDF     (12.9 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (82.0 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (68.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:April 28, 2021
Document ID:217089

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to troubleshoot some common issues faced while performing UCCE SSO integration with Microsoft Azure IdP.

    Contributed by Anurag Atul Agarwal, Cisco TAC Engineer.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Security Assertion Markup Language (SAML) 2.0
    • Cisco Unified/Packaged Contact Center Enterprise UCCE/PCCE
    • Single Sign On (SSO)
    • Cisco Identity Service (IdS)
    • Identity Provider (IdP)

    Components Used

    The information in this document is based on these software and hardware versions:

    • Azure IdP
    • UCCE 12.0.1
    • Cisco IdS 12.0.1

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    This document describes some of the common issues faced during integration of Cisco Identity Service (IdS) and Identity Provider (IdP) for Azure based SSO and their potential fixes.  It is always recommended to gather these logs to troubleshoot issues with SSO integration:

    • Cisco IdS logs: Link to collection: IDS logs
    • Browser console logs
    • Any logs from IdP

    Problem: Certificate Does Not Match

    Test SSO fails with message 'IdS was unable to process the SAML response even though, the authentication was successful' and IdS logs print the error message: "SAML response processing failed with exception com.sun.identity.saml2.common.SAML2Exception: The signing certificate does not match what's defined in the entity metadata'"

    Solution

    Verify the certificate and setting Signing Algorithm in Azure. Ensure it matches with the supported hash algorithm based on the IdS version. Refer to Chapter 'Single Sign-On' in Features Guide and verify the supported secure hash algorithm. Download the latest IdP metadata file and upload it to Cisco IdS via the Identity Service Management user interface.

    Problem: AADSTS900235 - Authentication Context Issue

    Test SSO redirects to Microsoft page and fails with message: "Sorry, but we’re having trouble signing you in."
    AADSTS900235: SAML authentication request's RequestedAuthenticationContext Comparison value must be Exact. Received value: Minimum

    Solution

    AuthContext might need to be tuned as described in bug CSCvm69290 . Please contact Cisco TAC to perform the workaround in IdS.

    Problem: SAML Response Is Not Signed

    Test SSO fails with message, IdS was unable to process the SAML response even though, the authentication was successful' and IdS logs print the error message: "SAML response processing failed with exception com.sun.identity.saml2.common.SAML2Exception: Response is not signed."

    Solution

    Azure IdP needs to send signed assertion to IdS. Modify Azure setting to have signing option: Sign SAML response and assertion

    Problem: Issue with Claim Rules

    Test SSO fails with message 'IdP configuration error : SAML processing failed. Could not retreive user principal from SAML response.' and IdS logs print the error message: "SAML response processing failed with exception com.sun.identity.saml.common.SAMLException: Could not retreive user principal from SAML response."

    Solution

    This error points to wrong 'Claim names' configured in Azure. This could happen with other attributes like UID,NameID etc. and similar errors with different attribute names is generated. To fix this, locate any attribute in Azure in this format, 'schemas.xmlsoap.org/ws/2005/05/identity/claims/<attribute_name>'. Remove everything before the actual attribute name.

    This section provides the example configuration for ADFS in the Features guide and that needs to be replicated in Azure.

    ADFS Example Configuration

    Problem: AADSTS50011 - Reply URL Does Not Match

    Test SSO redirects to Microsoft page and fails with message: "Sorry, but we’re having trouble signing you in.
    AADSTS50011: The reply URL specified in the request does not match the reply URL's configured for the application"

    Solution

    Please contact Cisco TAC. 'Assertion Consumer Service' parameter needs to be checked in root on the IdS node where this fails. If the parameter is correct, Microsoft Azure has to troubleshoot this. 

    Revision History

    Revision Publish Date Comments
    1.0
    29-Apr-2021
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Anurag Atul Agarwal
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products