<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr">Is there valid TLS trust between UCM and IdP?</div><div dir="ltr"><br><blockquote type="cite">On Sep 16, 2021, at 19:46, Johnson, Tim &lt;johns10t@cmich.edu&gt; wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">
<div class="WordSection1">
<p class="MsoNormal">Nah, looks like he said logging into CCM Admin pages, with AD accounts, so all areas of the web UI (I believe). The NTP errors that I’ve seen are presented as SAML assertion errors.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m curious if this is a new SSO config, or if it was working properly and something’s changed.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> cisco-voip <cisco-voip-bounces@puck.nether.net>
<b>On Behalf Of </b>Kent Roberts<br>
<b>Sent:</b> Thursday, September 16, 2021 8:37 PM<br>
<b>To:</b> Matthew Loraditch <MLoraditch@heliontechnologies.com><br>
<b>Cc:</b> cisco-voip@puck.nether.net<br>
<b>Subject:</b> [External] Re: [cisco-voip] Error Processing SAML Response<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Remember he said it also was happening on the CUCM Admin account which has nothing to do with SSO/SAML. So that means it's most likely internal to CUCM...<o:p></o:p></p>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On Sep 16, 2021, at 4:36 PM, Matthew Loraditch <<a href="mailto:MLoraditch@heliontechnologies.com">MLoraditch@heliontechnologies.com</a>> wrote:<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black">The logs are pretty clear when it’s a time difference as the error. I’ve not seen it randomly occur but definitely the error will be it’s
time and may even show the difference. </span><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal" style="background:white"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif;color:black">It’s the 4j log file for SSO, I believe </span><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
</div>
</div>
</div>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="934" style="width:700.5pt">
<tbody>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:0in 7.5pt 0in 0in">
<p class="MsoNormal"><span style="font-size:1.0pt"> <o:p></o:p></span></p>
</td>
<td style="padding:7.5pt 0in 7.5pt 7.5pt">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="487" style="width:365.15pt">
<tbody>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:#F3800B">Matthew Loraditch</span></b><b><span style="font-size:1.0pt;font-family:"remialcxesans",serif;color:white"></span></b><b><span style="color:#F3800B"><o:p></o:p></span></b></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:gray">Sr. Network Engineer<o:p></o:p></span></b></p>
</td>
</tr>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:gray">(He/Him/His)<o:p></o:p></span></b></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" style="padding:7.5pt 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><span style="color:#F3800B">p:</span><span style="color:gray"> <a href="tel:443.541.1518" target="_blank"><strong><span style="font-family:"Calibri",sans-serif;color:gray;font-weight:normal;text-decoration:none">443.541.1518</span></strong></a><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><span style="color:#F3800B">w:</span><span style="color:gray"> <a href="http://www.heliontechnologies.com/" target="_blank"><strong><span style="font-family:"Calibri",sans-serif;color:gray;font-weight:normal;text-decoration:none">www.heliontechnologies.com</span></strong></a><o:p></o:p></span></p>
</td>
<td valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><span style="color:gray"> | <o:p></o:p></span></p>
</td>
<td valign="top" style="padding:0in 0in 0in 0in">
<p class="MsoNormal"><span style="color:#F3800B">e:</span><span style="color:gray"> <a href="mailto:MLoraditch@heliontechnologies.com" target="_blank"><strong><span style="font-family:"Calibri",sans-serif;color:gray;font-weight:normal;text-decoration:none">MLoraditch@heliontechnologies.com</span></strong></a><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="915" style="width:686.5pt" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b>From:</b><span class="apple-converted-space"> </span>cisco-voip <<a href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a>> on behalf of Lelio Fulgenzi <<a href="mailto:lelio@uoguelph.ca">lelio@uoguelph.ca</a>><br>
<b>Sent:</b><span class="apple-converted-space"> </span>Thursday, September 16, 2021 4:32:12 PM<br>
<b>To:</b><span class="apple-converted-space"> </span>Jonathan Charles <<a href="mailto:jonvoip@gmail.com">jonvoip@gmail.com</a>>; Benjamin Turner <<a href="mailto:benmturner@hotmail.com">benmturner@hotmail.com</a>><br>
<b>Cc:</b><span class="apple-converted-space"> </span><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><span class="apple-converted-space"> </span><<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a>><br>
<b>Subject:</b><span class="apple-converted-space"> </span>Re: [cisco-voip] Error Processing SAML Response<span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p></o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"> <o:p></o:p></span></p>
</div>
</div>
<div>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
<div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><o:p> </o:p></span></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal">Have you been able to confirm the time difference?<o:p></o:p></p>
</div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
<div>
<p class="MsoNormal">I’m not trying to take their side of things, but if it’s minutes off, I wouldn’t doubt that’s possible. SSO is highly secure, right? A time difference might be enough to throw it off?<o:p></o:p></p>
</div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
<div>
<p class="MsoNormal">Here’s a reference:<o:p></o:p></p>
</div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
<div>
<p class="MsoNormal"><a href="https://support.pingidentity.com/s/article/Accounting-for-Time-Drift-Between-SAML-Endpoints50907">https://support.pingidentity.com/s/article/Accounting-for-Time-Drift-Between-SAML-Endpoints50907</a><o:p></o:p></p>
</div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<div>
<p class="MsoNormal"><b>From:</b><span class="apple-converted-space"> </span>cisco-voip <<a href="mailto:cisco-voip-bounces@puck.nether.net">cisco-voip-bounces@puck.nether.net</a>><span class="apple-converted-space"> </span><b>On Behalf Of<span class="apple-converted-space"> </span></b>Jonathan
Charles<br>
<b>Sent:</b><span class="apple-converted-space"> </span>Thursday, September 16, 2021 6:23 PM<br>
<b>To:</b><span class="apple-converted-space"> </span>Benjamin Turner <<a href="mailto:benmturner@hotmail.com">benmturner@hotmail.com</a>><br>
<b>Cc:</b><span class="apple-converted-space"> </span><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<b>Subject:</b><span class="apple-converted-space"> </span>Re: [cisco-voip] Error Processing SAML Response<o:p></o:p></p>
</div>
</div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
<div>
<div>
<p class="MsoNormal">No... TBH, I have never heard of it...<o:p></o:p></p>
</div>
<div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">TAC is hyper-asserting that the issue is time mismatch between CUCM/CUC and ADFS... <o:p></o:p></p>
</div>
</div>
<div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
</div>
<div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">Jonathan<o:p></o:p></p>
</div>
</div>
</div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
<div>
<div>
<div>
<p class="MsoNormal">On Thu, Sep 16, 2021 at 4:08 PM Benjamin Turner <<a href="mailto:benmturner@hotmail.com">benmturner@hotmail.com</a>> wrote:<o:p></o:p></p>
</div>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt">
<div>
<div>
<p class="MsoNormal">Have you tried to run a SAML Tracer?<span class="apple-converted-space"> </span><o:p></o:p></p>
</div>
<div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
</div>
<div id="x_gmail-m_6287419307271280829ms-outlook-mobile-signature">
<div>
<p class="MsoNormal">Sincerely,<br>
Benjamin M. Turner<o:p></o:p></p>
</div>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="2" width="98%" align="center">
</div>
<div id="x_gmail-m_6287419307271280829divRplyFwdMsg">
<div>
<p class="MsoNormal"><b>From:</b><span class="apple-converted-space"> </span>cisco-voip <<a href="mailto:cisco-voip-bounces@puck.nether.net" target="_blank">cisco-voip-bounces@puck.nether.net</a>> on behalf of Jonathan Charles <<a href="mailto:jonvoip@gmail.com" target="_blank">jonvoip@gmail.com</a>><br>
<b>Sent:</b><span class="apple-converted-space"> </span>Thursday, September 16, 2021 4:56:48 PM<br>
<b>To:</b><span class="apple-converted-space"> </span><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><span class="apple-converted-space"> </span><<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>><br>
<b>Subject:</b><span class="apple-converted-space"> </span>[cisco-voip] Error Processing SAML Response<o:p></o:p></p>
</div>
<div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
</div>
</div>
<div>
<div>
<div>
<p class="MsoNormal">So, users are randomly getting the above error when logging into CUCM UCMUser or CUC Inbox... we are also getting it using AD credentials into admin pages for CUCM/CUC/etc.<o:p></o:p></p>
</div>
<div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">For a user, it will work fine repeatedly, then you will get the error, close your browser, and reopen, still get the error for a few minutes. Then later it will work. When a user is affected, other users work fine.<o:p></o:p></p>
</div>
<div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">TAC is saying it is an NTP issue, however, NTP between CUCM 12.5 and IdP (ADFS 2.0) is fine.<o:p></o:p></p>
</div>
</div>
<div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">Pings are around 1ms between servers.<o:p></o:p></p>
</div>
</div>
<div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">Any ideas?<o:p></o:p></p>
</div>
</div>
<div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
</div>
<div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal">Jonathan<o:p></o:p></p>
</div>
</div>
<div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
</div>
<div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
</div>
<div>
<p class="xmsonormal" style="margin:0in"> <o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Helvetica",sans-serif">_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a></span><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div></blockquote></body></html>