Cisco Call Manager - SSO APM
Would anyone happen to have a sample Assertion being used for Cisco Call Manager? It's stated that F5 APM is supported though documentation is lacking. It also has a requirement for an Import of metadata instead of any manual configuration. So far this is what I've found -
It prefers ADFS - at least there is plenty of documentation.
NameIDFormat: transient
Attributes: requires "uid" in the form of SamAccountName
There is a Cisco article that has some needed modifications for F5 BIG-IP: http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/rel_notes/11_0_1/CUCM_BK_R30921A8_00_CUCM_release-notes_1101.pdf
Step 1 Using an XML editor, open the exported F5 BIG-IP IDP metadata XML file.
Step 2 From the NameIDFormat tag, delete the following attributes: isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP".
Step 3 From the SingleSignOnService tag, delete Index and IsDefault attributes.
Step 4 From the SingleLogOutService tag, delete the IsDefault attribute.
Step 5 In the IDPSSODescriptor tag, change the order of the tags as follows:
1 KeyDescriptor
2 SingleLogoutService
3 NameIDFormat
4 SingleSignOnService
5 saml:Attribute
Through my testing - I'm still getting a generic 'import failed, please retry' error on IDP import within Cisco Call Manager.
I have a Cisco case open, so I'll update this Question either way when I get an answer.
Thank ya.
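Steps 2 to 5 of the Cisco procedure quoted above, scripted as an added example (not code from the original post, Cisco or F5). The sample metadata and its URLs are constructed, and leaving child elements outside the five listed tags in place is an assumption.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("md", MD)
ET.register_namespace("saml", SAML)

# Steps 2-4: attributes to delete per tag (names compared case-insensitively)
STRIP = {
    f"{{{MD}}}NameIDFormat": {"isdefault", "index", "binding"},
    f"{{{MD}}}SingleSignOnService": {"isdefault", "index"},
    f"{{{MD}}}SingleLogoutService": {"isdefault"},
}
# Step 5: required order of these children inside IDPSSODescriptor
ORDER = [f"{{{MD}}}KeyDescriptor", f"{{{MD}}}SingleLogoutService",
         f"{{{MD}}}NameIDFormat", f"{{{MD}}}SingleSignOnService",
         f"{{{SAML}}}Attribute"]

def fix_metadata(xml_text):
    """Apply steps 2-5 to IdP metadata and return the edited XML string."""
    root = ET.fromstring(xml_text)
    idp = next(root.iter(f"{{{MD}}}IDPSSODescriptor"), None)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element found")
    for child in idp:
        for name in list(child.attrib):
            if name.lower() in STRIP.get(child.tag, ()):
                del child.attrib[name]
    # Reorder only the five listed tags, within the slots they already
    # occupy; any other child element stays where it was (assumption).
    rank = {tag: i for i, tag in enumerate(ORDER)}
    slots = [i for i, e in enumerate(idp) if e.tag in rank]
    ordered = sorted((idp[i] for i in slots), key=lambda e: rank[e.tag])
    for i, e in zip(slots, ordered):
        idp[i] = e
    return ET.tostring(root, encoding="unicode")

# Constructed sample metadata (not a real BIG-IP export; URLs are placeholders)
SAMPLE = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:saml="{SAML}" entityID="https://idp.example.test/idp">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"/>
  <md:SingleSignOnService index="0" isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/sso"/>
  <md:SingleLogoutService isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.test/slo"/>
  <md:NameIDFormat isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  <saml:Attribute Name="uid"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(fix_metadata(SAMPLE))
```

Editing metadata that carries an enveloped XML signature invalidates that signature, whether the edit is made by hand or by script.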
As promised, here is the solution -
Cisco Call Manager relies on a successful upload of your IdP's metadata to actually enable SSO.
- Verify you have uploaded your signing certificate into CCM.
- Verify you have 'must be signed' set on your assertion.
- Verify you are sending an attribute named 'uid' with the value of SamAccountName.
- Here is a working XML example: