McDewey


Page 4

source: cucm/v15/troubleshoot-common-issues/troubleshoot-common-issues.md
chunk_id: cucm::v15::troubleshoot-common-issues::troubleshoot-common-issues::3

Note: This scenario can apply to deployments that use cluster-wide or per-node agreement for single sign-on configuration.

Logging in to CUCM with Single Sign-On (SSO) displays the error message "Error while processing saml response" or "Error while processing saml response Failed to decrypt the secret key".

Verification

Ensure that every node contains a valid Tomcat certificate if it is self-signed, or the associated new multi-SAN Tomcat certificate.

1. Use set samltrace level debug on all CUCM nodes via CLI in order to activate SSO logs at debug level.
2. Recreate the issue by logging in to CUCM again with the SSO method.
3. Collect the Tomcat SSO logs after the incident, and verify that you get this message:

    2026-01-10 06:06:31,274 ERROR [http-nio-81-exec-157] cpi.sso.saml.sp.security.authenticatio
    com.sun.identity.saml2.common.SAML2Exception: Failed to decrypt the secret key.
      at com.sun.identity.saml2.xmlenc.FMEncProvider.getEncryptionKey(FMEncProvider.
      at com.sun.identity.saml2.xmlenc.FMEncProvider.decrypt(FMEncProvider.java:607)
      at com.sun.identity.saml2.assertion.impl.EncryptedAssertionImpl.decrypt(Encryp
      ...

Solution

Export the CUCM metadata after the Tomcat certificate renewal and import it to the Identity Provider Server, to ensure that it has the new Tomcat certificate for this communication.

Procedure to renew tomcat with SSO deployment enabled:

Caution: Technical Assistance Center (TAC) recommends the next steps in order to prevent any issue after the renewal of the Tomcat certificate, and recommends performing this procedure after hours.
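The check below is an added example, not Cisco code or tooling: it tests whether the CUCM metadata copy held by the Identity Provider still lacks the renewed Tomcat certificate, which is the condition the Solution above corrects. It assumes the metadata follows the standard SAML 2.0 metadata schema with KeyDescriptor elements; the function names, the entityID and the placeholder certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def encryption_fingerprints(metadata_xml: str) -> set:
    """Fingerprints of every certificate the IdP may encrypt assertions to."""
    fps = set()
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use", "encryption") != "encryption":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.add(fingerprint(base64.b64decode("".join(cert.text.split()))))
    return fps

def metadata_is_stale(idp_copy_xml: str, tomcat_pem: str) -> bool:
    """True when the renewed Tomcat cert is absent from the IdP's metadata copy."""
    current = fingerprint(ssl.PEM_cert_to_DER_cert(tomcat_pem))
    return current not in encryption_fingerprints(idp_copy_xml)

# --- Constructed sample data: placeholder bytes, not real certificates ---
OLD_DER = b"constructed-old-tomcat-certificate"
NEW_DER = b"constructed-renewed-tomcat-certificate"

def sample_metadata(der: bytes) -> str:
    enc, sig = (base64.b64encode(x).decode() for x in (der, b"constructed-signing"))
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="cucm.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{sig}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{enc}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    renewed_pem = ssl.DER_cert_to_PEM_cert(NEW_DER)
    print("before re-import:", metadata_is_stale(sample_metadata(OLD_DER), renewed_pem))
    print("after re-import: ", metadata_is_stale(sample_metadata(NEW_DER), renewed_pem))
```

With real files, pass the metadata XML the Identity Provider currently holds and the renewed Tomcat certificate in PEM form; a True result means the IdP is still encrypting to the old key.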
