Edit 3rd September, 2020. Cisco have now also tested and documented this on their site so TAC can support it. Their doc is actually better as they show how to do a cluster-wide agreement for Expressway. See their document here: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/SAML_SSO_deployment_guide/Azure/cucm_b_saml-sso-microsoft-azure-idp.html
The important thing to remember with Azure is that you need to configure a PER NODE SAML agreement. This means that you need to create a custom enterprise app in Azure for every CUCM node you have. Same applies for other servers like CUC or Expressway. Below is an example with CUCM and Expressway. The setup for CUC is exactly the same as for CUCM.
Creating custom Azure apps might not be included in your Azure license. [Aug 18th, 2020] Looks like Microsoft have added this to their lower licensing tiers.
This was tested with a 3 node CUCM cluster version 126.96.36.19900–146, a non-clustered Expressway -C and -E pair running version 12.5.9 and OAuth refresh tokens enabled on all nodes.
Send thanks or Coke Zero to Bernhard Albler who actually got that going. I'm just writing the doc.
Export the CUCM and Expressway SP Metadata
In CUCM > System > SAML Single Sign-On make sure that the following is set - SSO Mode: Per node (One metadata file per node).
For Expressway-C, in Configuration > Unified Communications > Configuration set the "SAML Metadata" to "Peer". This will instruct the system to generate a separate SAML metadata for each node in your Expressway cluster.
Then export all metadata. This will generate a ZIP file for the CUCM cluster and for the Expressway cluster. Unzip the file and verify that you have an XML file for each node in your clusters.
For Expressway you download and configure SSO only on the -C node.
Generate a Certificate for Signing the Azure Responses
Assuming you have OpenSSL installed. If not install it or use your enterprise CA to generate the certificates.
First create a certificate and a private key:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 1095 -out certificate.pem
Then combine the certificate and the key in a password-protected PFX file. This is required by Azure. Note the password.
openssl pkcs12 -export -out certificate.pfx -inkey key.pem -in certificate.pem
Note that storing private keys on your PC might not be the best idea.
Generate just one certificate and use it for all custom apps you will create for all nodes in your CUCM or Expressway clusters. This is crucial as CUCM and Expressway support only a single IdP metadata file per cluster.
Create Azure SAML Custom App per Cluster Node
All steps are the same for CUCM and Expressway nodes unless otherwise noted.
Create a "Non-gallery application" in the Azure portal.
Name the new app and click on "Set up single sign on".
On the next screen select SAML as the single sing on method.
After that you will be presented with the default settings for a new app. You will have to edit almost all of them.
First, import the metadata file for the server you are configuring. This is one of the XML files that are in the SPMetadata.zip you downloaded from your CUCM or from the SAML Zip file from the Expressways.
This will automatically populate the "Basic SAML Configuration" section with the "Identifier (Entity ID)" and "Reply URL (Assertion Consumer Service URL)" that were included in the SP metadata file. Normally these are the FQDN of your server and a URL that looks like the one on the screenshot below. Do not edit any of these values nor do you add any more URL etc.
Edit the "User Attributes & Claims" section by removing all initial settings from it and configuring it as shown on the screenshot. This is the same for both CUCM and Expressway
Note that this was done with an Azure AD that is synced from an OnPrem MS AD. It could be that these might be different in your setup.
Edit the "SAML Signing Certificate" section.
Upload the certificate.pfx file you created earlier and enter the password to unlock it.
Make sure that this is the only certificate you have in the list and that it is set to active. Delete any other certificates even if they are not active.
For Expressway make sure to set "Signing Option" to Sign SAML Response and Assertion and to match the signing algorithm to the one configured in your Expressway.
At this point you can download the Federation Metadata XML.
Since you will upload the same certificate to all apps you create for your CUCM and Expressway servers, you can use that same IdP metadata file to import to all CUCM nodes or Expressway-Cs. This means that you download this metadata only for the first node you configure here.
Enable the App in Azure and Assign Users
Depending on your setup you might want to assign individual users or all user etc. These are standard Azure settings that are beyond our scope. For the test you can just enable all users for SSO. You might also want to hide the app as otherwise it will be shown to the users in their O365 app list.
This is also the last task of the SSO setup in Azure for this server. Repeat all steps above for all nodes in your cluster — create a new app, change attributes, import the same certificate, assign users. The only step you skip is downloading the Federation Metadata XML since you already have it.
Import Azure IdP Federation Metadata in CUCM/Expressway and Enable SSO
In CUCM > System > SAML Single Sign-On make sure that the following is set — SSO Mode: Per node (One metadata file per node).
Follow the standard steps for enabling SSO in CUCM and importing the Azure IdP metadata file. Make sure to run an SSO test for each node in your cluster.
Restarting the CUCM Tomcat after enabling SSO is a good idea.
For Expressway follow the normal steps to importing the IdP metadata and enabling SSO.
This article was updated on 18th of August, 2020 to add information about Expressway.