[cisco-voip] Expressway MRA and SSO

Matthew Loraditch MLoraditch at heliontechnologies.com
Tue Feb 14 12:56:42 EST 2017


There is no Custom Rule for Expressway C. I have this working in multiple ADFS 3 instances.
Just the LDAP rule mapping SAM-Account-Name to UID
[screenshot of the AD FS LDAP claim rule, attached as image002.png]


Matthew G. Loraditch - CCNP-Voice, CCNA-R&S, CCDA
Network Engineer
Direct Voice: 443.541.1518

Facebook<https://www.facebook.com/heliontech?ref=hl> | Twitter<https://twitter.com/HelionTech> | LinkedIn<https://www.linkedin.com/company/helion-technologies?trk=top_nav_home> | G+<https://plus.google.com/+Heliontechnologies/posts>
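As an added example (not from Matthew's post or from Cisco's documentation), the single rule he describes written in AD FS claim rule language and applied to the Expressway-C relying party trust with PowerShell; the trust name "Expressway-C" is an assumption, so adjust -TargetName to match your own trust.

```powershell
# Added example, not code from the thread. Assumption: the relying party trust
# created for Expressway-C is named "Expressway-C".
$expresswayTrust = "Expressway-C"   # hypothetical trust name

# This is what the "Send LDAP Attributes as Claims" wizard produces: take the
# authenticated Windows account, look it up in Active Directory and emit its
# sAMAccountName as an outgoing claim of type "uid". Expressway-C matches the
# value of that claim against the user's Unified CM user ID, so no custom
# nameidentifier/transient rule (the CUCM-style rule in the thread) is needed.
$rules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Expressway MRA uid"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("uid"), query = ";sAMAccountName;{0}", param = c.Value);
'@

# Replace the issuance transform rule set on the trust with just this rule.
Set-AdfsRelyingPartyTrust -TargetName $expresswayTrust -IssuanceTransformRules $rules

# Check: show the rule set now attached to the trust. Exactly one LDAP rule
# issuing "uid" should be present; a leftover nameidentifier rule from a CUCM
# trust copied by mistake is a common reason the MRA SSO login fails.
(Get-AdfsRelyingPartyTrust -Name $expresswayTrust).IssuanceTransformRules
```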

From: cisco-voip [mailto:cisco-voip-bounces at puck.nether.net] On Behalf Of nimloth at nimloth.pl
Sent: Tuesday, February 14, 2017 12:47 PM
To: cisco-voip at puck.nether.net
Subject: [cisco-voip] Expressway MRA and SSO

Dear Group,

I'm trying to enable SSO for Expressway MRA setup based on this documentation:
https://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-9/Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-9.pdf

For the IdP we're using AD FS 3.0, and what I'm really interested in is the part on page 43 (Active Directory Federation Services 2.0) - unfortunately no success so far.

So here are my questions:

1) Does anyone have a working solution with AD FS?

2) Does it require the same Custom Rules as for CUCM?
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "http://<FQDN of ADFS>/com/adfs/services/trust",
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "<FQDN of CUCM>");

Screenshots from a working setup (AD FS rules) would be nice (they can be private if they can't be sent to the group).

Hope someone has it working :)

Many thanks,
Lukasz