Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1566
Views
6
Helpful
4
Replies

CUCM SAML SSO logout not working

Go to solution
drehstrom
Level 1
Level 1

‎04-19-2022 07:35 AM - edited ‎04-19-2022 07:36 AM

Hi y'all,

we are using SSO (SAML) to login to our CUCM. Today I had to update the IdP Metadata because of a certificate renewal. No big deal, everything works smoothly with one exception: When I hit the logout button I get an error message from my ADFS stating that "The SAML logout did not complete properly." Checking my ADFS I found several logs pointing to a signing issue.

Knowing this I traced the logout process and had to find out that the CUCM sends the SAML logout request without any certificate at all. (I'm not sure if this was working before the certificate change for I don't know if I ever used that logout button before.)

According to the SAML 2.0 Profiles doc LogoutRequest MUST be signed when using POST or REDIRECT. So how can I get CUCM into sending proper LogoutRequest using the correct signature?

Best regards
Stephan

2 people had this problem
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kkalashnikoff
Level 1
Level 1

‎01-18-2024 06:46 AM

Hey Stephan,
to enable properly the SAML-Based Single Logout (SLO) feature perform below steps:

Step 1 For configuration at Microsoft ADFS 2.0 side, ensure the following points.

a) Select Relying Party Trust. On its Properties, select Endpoints.

b) Select Add SAML. Choose SAML Logout as Endpoint and Binding as Post.

c) Configure URL <url>/adfs/ls/?wa=wsignout1.0. Select Save and Restart ADFS 2.0 service.

Step 2 To log out using Microsoft ADFS 2.0, configure the logout URL in the idp.xml file.

Follow below mentioned steps on

UC side:

  1. Search Location in <SingleLogoutService> tag of idp.xml file.
  2. Update the URL as <url>/adfs/ls/?wa=wsignout1.0.

    Example:

OLD ENTRY:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.cb168.dc-03.com/adfs/ls/"/>

NEW ENTRY:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.cb168.dc-03.com/adfs/ls/?wa=wsignout1.0"/>

OLD ENTRY:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.cb168.dc-03.com/adfs/ls/"/>

NEW ENTRY:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.cb168.dc-03.com/adfs/ls/?wa=wsignout1.0"/>

Step 3 Restart SSOSP Tomcat service.

I just tested it in LAB and it works now without showing an error!

View solution in original post

Preview file
551 KB
4 Replies 4

Go to solution
Roger Kallberg
VIP
VIP

‎04-19-2022 08:16 AM

We're also getting an error when using logout option on the admin webUI.

image.png

Are you getting something similar to this?

As you I've never used this option earlier, so very likely this has always been like this. I did my test on a CM 14SU1 system.



Response Signature


Go to solution
drehstrom
Level 1
Level 1
In response to Roger Kallberg

‎04-19-2022 09:04 AM

Yes it's pretty similar:

 
Fehler
Es ist ein Fehler aufgetreten. Wenden Sie sich an Ihren Administrator, um weitere Informationen zu erhalten.

Fehlerdetails

  • Activity ID: 671324d1-53bf-49d9-3000-0080000000e3
  • Error details: MSIS7054: Die SAML-Abmeldung wurde nicht ordnungsgemäß abgeschlossen.
  • Node name: 4241435d-48e6-4449-be72-656cfbbd846e
  • Error time: Tue, 19 Apr 2022 13:47:48 GMT
  • Cookie: enabled
  • User agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.75 Safari/537.36

Okay, so this ist not an issue but "expected behaviour". Thanks for verifying.

0 Helpful

Go to solution
kkalashnikoff
Level 1
Level 1

‎01-18-2024 06:46 AM

Hey Stephan,
to enable properly the SAML-Based Single Logout (SLO) feature perform below steps:

Step 1 For configuration at Microsoft ADFS 2.0 side, ensure the following points.

a) Select Relying Party Trust. On its Properties, select Endpoints.

b) Select Add SAML. Choose SAML Logout as Endpoint and Binding as Post.

c) Configure URL <url>/adfs/ls/?wa=wsignout1.0. Select Save and Restart ADFS 2.0 service.

Step 2 To log out using Microsoft ADFS 2.0, configure the logout URL in the idp.xml file.

Follow below mentioned steps on

UC side:

  1. Search Location in <SingleLogoutService> tag of idp.xml file.
  2. Update the URL as <url>/adfs/ls/?wa=wsignout1.0.

    Example:

OLD ENTRY:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.cb168.dc-03.com/adfs/ls/"/>

NEW ENTRY:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://adfs.cb168.dc-03.com/adfs/ls/?wa=wsignout1.0"/>

OLD ENTRY:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.cb168.dc-03.com/adfs/ls/"/>

NEW ENTRY:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.cb168.dc-03.com/adfs/ls/?wa=wsignout1.0"/>

Step 3 Restart SSOSP Tomcat service.

I just tested it in LAB and it works now without showing an error!

Preview file
551 KB

Go to solution
drehstrom
Level 1
Level 1

‎03-18-2024 09:34 AM

I just found the time to test it and you're right - it works perfectly. I had to add an SAML-Redirect within the Endpoints since it wasn't there from the initial configuration.

0 Helpful
Customers Also Viewed These Support Documents