
Cisco Bug: CSCvu57642 - AD FS federationmetadata.xml should have only primary certificate in it

Last Modified

Jun 30, 2020

Products (1)

  • Cisco Unified Contact Center Express

Known Affected Releases

11.5(1)

Description (partial)

Symptom:
The UCCE Feature Guide should document the following configuration requirement:

AD FS federationmetadata.xml should have only primary certificate in it

When the metadata contains more than one signing certificate, the following exception appears in ids.log:
2020-06-08 16:12:02.905 EEST(+0300) [IdSEndPoints-SAML-50]        ERROR com.cisco.ccbu.ids IdSSAMLAsyncServlet.java:299 - SAML response processing failed with exception com.sun.identity.saml2.common.SAML2Exception: The signing certificate does not match what's defined in the entity metadata.
               at com.sun.identity.saml2.xmlsig.FMSigProvider.verify(FMSigProvider.java:331)
               at com.sun.identity.saml2.protocol.impl.StatusResponseImpl.isSignatureValid(StatusResponseImpl.java:371)
               at com.sun.identity.saml2.profile.SPACSUtils.getResponseFromPost(SPACSUtils.java:985)
               at com.sun.identity.saml2.profile.SPACSUtils.getResponse(SPACSUtils.java:196)
               at com.sun.identity.saml2.profile.SPACSUtils.processResponseForFedlet(SPACSUtils.java:2028)
               at com.cisco.ccbu.ids.auth.api.IdSSAMLAsyncServlet.getAttributesMapFromSAMLResponse(IdSSAMLAsyncServlet.java:473)
               at com.cisco.ccbu.ids.auth.api.IdSSAMLAsyncServlet.processSamlPostResponse(IdSSAMLAsyncServlet.java:259)
               at com.cisco.ccbu.ids.auth.api.IdSSAMLAsyncServlet.processIdSEndPointRequest(IdSSAMLAsyncServlet.java:176)
               at com.cisco.ccbu.ids.auth.api.IdSEndPoint$1.run(IdSEndPoint.java:269)
               at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
               at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
               at java.lang.Thread.run(Thread.java:745)

There are two options:
1. Keep only the primary token-signing certificate in AD FS and re-download federationmetadata.xml.
2. Delete the secondary certificate's entry from federationmetadata.xml.
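As an added illustration, not part of the Cisco bug text, the Python script below performs the check this bug calls for on a downloaded federationmetadata.xml and applies option 2: it lists the SHA-1 thumbprint of every signing certificate published in the file (the same thumbprint form the AD FS console shows), reports whether exactly one is present, and writes a copy in which every signing KeyDescriptor that does not carry the primary token-signing certificate is removed. The metadata sample, the entityID and hostname, and the two "certificates" (placeholder bytes, not real DER) are constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML metadata and XML-DSig namespaces used by federationmetadata.xml.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ET.register_namespace("md", NS["md"])
ET.register_namespace("ds", NS["ds"])
KEY_DESCRIPTOR = f"{{{NS['md']}}}KeyDescriptor"
X509_CERT = f"{{{NS['ds']}}}X509Certificate"

# Constructed sample: NOT real certificates, just placeholder bytes standing in
# for the DER of a primary and a secondary token-signing certificate, which is
# what AD FS publishes while a certificate rollover is pending.
PRIMARY_B64 = base64.b64encode(b"constructed-primary-token-signing-cert").decode()
SECONDARY_B64 = base64.b64encode(b"constructed-secondary-token-signing-cert").decode()

# Constructed, trimmed-down federationmetadata.xml; entityID and URLs are placeholders.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data>
        <X509Certificate>{PRIMARY_B64}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}"><X509Data>
        <X509Certificate>{SECONDARY_B64}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="{NS['ds']}"><X509Data>
        <X509Certificate>{PRIMARY_B64}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def thumbprint(cert_b64: str) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the thumbprint form the AD FS
    console displays, so an operator can compare against it directly."""
    der = base64.b64decode("".join(cert_b64.split()))  # tolerate line-wrapped base64
    return hashlib.sha1(der).hexdigest().upper()


def _is_signing(kd: ET.Element) -> bool:
    # Per SAML metadata, a KeyDescriptor without 'use' is valid for both uses.
    return kd.get("use", "signing") == "signing"


def signing_thumbprints(metadata_xml: str) -> list:
    """Thumbprints of every signing certificate anywhere in the metadata
    (AD FS publishes them under IDPSSODescriptor and its other role descriptors)."""
    root = ET.fromstring(metadata_xml)
    return [
        thumbprint(cert.text or "")
        for kd in root.iter(KEY_DESCRIPTOR)
        if _is_signing(kd)
        for cert in kd.iter(X509_CERT)
    ]


def has_single_signing_cert(metadata_xml: str) -> bool:
    """The check this bug calls for: exactly one distinct signing certificate."""
    return len(set(signing_thumbprints(metadata_xml))) == 1


def keep_only_primary(metadata_xml: str, primary_thumbprint: str):
    """Option 2: drop every signing KeyDescriptor that does not carry the primary
    certificate. Encryption-only descriptors are untouched.
    Returns (cleaned_xml, number_of_descriptors_removed)."""
    wanted = primary_thumbprint.replace(":", "").replace(" ", "").upper()
    root = ET.fromstring(metadata_xml)
    removed = 0
    for parent in list(root.iter()):  # snapshot, since we mutate while walking
        for kd in list(parent):
            if kd.tag != KEY_DESCRIPTOR or not _is_signing(kd):
                continue
            certs = {thumbprint(c.text or "") for c in kd.iter(X509_CERT)}
            if wanted not in certs:
                parent.remove(kd)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    print("signing certs before:", signing_thumbprints(SAMPLE_METADATA))
    print("single signing cert:", has_single_signing_cert(SAMPLE_METADATA))
    cleaned, n = keep_only_primary(SAMPLE_METADATA, thumbprint(PRIMARY_B64))
    print(f"removed {n} descriptor(s); single signing cert now:",
          has_single_signing_cert(cleaned))
```

To use it on a real export, read the downloaded file into keep_only_primary together with the primary token-signing thumbprint from the AD FS console and upload the returned XML to IdS. Note that a real federationmetadata.xml also carries an enveloped ds:Signature over the whole document, which any hand edit invalidates, so the edited copy only works where the importing side does not verify that document signature (the bug text does not say whether IdS does); option 1, removing the secondary certificate in AD FS and re-downloading, avoids editing the file at all.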

Conditions:
Any version of UCCE with SSO enabled.