topic Re: Jabber SSO login with Azure AD. in Collaboration Applications

Jabber SSO login with Azure AD.

ranjith raman — Sun, 03 Feb 2019 08:49:27 GMT

Hi Team,

Customer is currently using SSO for Jabber using ADFS. Customer is looking at migrating SSO to Azure AD, I would like to know if this is supported by Cisco.

Kindly suggest.

Version : Cisco Unified Presence 10.5.2.

Re: Jabber SSO login with Azure AD.

Jonathan Schulenberg — Sun, 03 Feb 2019 20:53:22 GMT

Azure AD is *not* supported for LDAP synchronization on CUCM/CUC; however, any identity provider that supports SAML 2.0 is compatible for SSO. Be careful to keep these topics separate.

The challenge with SAML is that Cisco expects you to be knowledgeable about your chosen IdP and how to configure it. TAC supports the SAML functionality on their app only; you must work through properly integrating it to your IdP. For example, sometimes you need to manually modify the metadata file before uploading it. Cisco expects you to understand what modifications are required for your IdP to accept the file. There are a few configuration examples provided here:

https://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-configuration-examples-list.html

On a related note, I suggest upgrading to 11.5 or later where the SSO integration supports a single agreement for the cluster vs. individual agreements per-node. You must configure a multi-server Tomcat cert for this to be an option.

Re: Jabber SSO login with Azure AD.

ranjith raman — Wed, 06 Feb 2019 05:53:20 GMT

Hi Jonathan Schulenberg,

Thanks a lot for the provided information, which was helpful for me.

Regards,

Ranjith Raman

Re: Jabber SSO login with Azure AD.

Daryl Clark — Wed, 06 Mar 2019 00:04:51 GMT

How did you build the required custom claim rules? Azure AD doesn't support them.

Re: Jabber SSO login with Azure AD.

Christopher Stock — Wed, 27 Nov 2019 14:45:33 GMT

Has anyone successfully made this work?

Re: Jabber SSO login with Azure AD.

Jonathan Schulenberg — Sun, 08 Dec 2019 21:13:28 GMT

It appears Microsoft still has not implemented support for multiple Assertion Consumer Service (ACS) URLs with index attributes on Azure’s IdP offering. You won’t be able to get SAML working on subscribers without this. I just tried again this week and it’s not there. ADFS supports it but not Azure. If you work at a large/recognizable company that is likely to get Microsoft’s attention, I have the contact information of the responsible product manager - message me directly.

Re: Jabber SSO login with Azure AD.

Thiago Perrini — Tue, 03 Mar 2020 16:07:33 GMT

Do know when we can expect an solution from Microsoft / Cisco for that specific problem?

Customers are migrating their MS Products to Cloud without AD onPrem.

We need LDAP Sync with Azure AD and AzureIdP for SSO for installed Cisco onPrem Infrastructure.

Re: Jabber SSO login with Azure AD.

Jaime Valencia — Tue, 03 Mar 2020 16:17:03 GMT

Roadmap questions are NDA and cannot be discussed in a public forum.

If you're a partner, you can try the partner forum, or reach out to your SE/AM for this.

Re: Jabber SSO login with Azure AD.

George Paxson — Fri, 08 May 2020 20:20:58 GMT

We are moving off Okta and did not renew our internet CA certs for the clusters. I just tested single server AD domain certificates with Azure successful following the instructions in this blog. I will soon remove my muti SAN certs and go with certs for each server. The information in this blog worked. Don't need to wait for the multi server to work. Clusters are 11.5. LDAP is AD not Azure.

https://medium.com/@stoyan.stoitsev/cucm-sso-with-azure-ad-1d6ccaa55656

Re: Jabber SSO login with Azure AD.

viraj0raut — Tue, 11 Aug 2020 16:09:42 GMT

Hello,

Any thoughts on the great solution by Bernhard Albler?

https://medium.com/@stoyan.stoitsev/cucm-sso-with-azure-ad-1d6ccaa55656

Regards

Re: Jabber SSO login with Azure AD.

Daryl Clark — Tue, 11 Aug 2020 16:21:26 GMT

We implemented this and its working beautifully for us!

Re: Jabber SSO login with Azure AD.

Jonathan Schulenberg — Tue, 11 Aug 2020 16:28:25 GMT

The latest third-hand info I have is Microsoft slipped support for multiple ACS URLs to the end of 2020. Bernhard and Stoyan did everyone a great service with that article. My understanding is that the BU intends to write a TechNote, or equivalent article, for that exact approach to make it "official". TAC will continue to only support the Cisco product and not the behavior/configuration of the SAML IdP; however, this will offer an equivalent to the ADFS-oriented articles they have posted.

Re: Jabber SSO login with Azure AD.

George Paxson — Tue, 11 Aug 2020 16:31:07 GMT

I have followed the instructions as in my previous post. Moved CUCM and CUC from Okta to Azure. Still have to debug Expressway. No post yet for Expressway. My initial attempt has not worked. Have to debug it.

Re: Jabber SSO login with Azure AD.

Jonathan Schulenberg — Fri, 04 Sep 2020 12:16:01 GMT

Just to update everyone - this thread keeps turning up in search results - Cisco has published a TechNote for SAML SSO Microsoft Azure Identity Provider.

The trick, a shared signing certificate for the Azure IdP, was first discovered by Bernhard Albler and Stoyan Stoitsev. It is published in their Medium.com article Cisco CUCM and Expressway SSO with Azure AD. Cisco had expected Microsoft to add support for multiple ACS URLs; however, that has reportedly slipped on their roadmap. The business unit chose to (re)publish Bernhard and Stoyan's approach so it would be officially on Cisco.com.

Re: Jabber SSO login with Azure AD.

Wagner Jose Fernandes Junior — Wed, 30 Sep 2020 15:24:37 GMT

Hello,

We migrated our 5 cucm 11.5 clusters to azure successfully.

Initially we used this procedure https://medium.com/@stoyan.stoitsev/cucm-sso-with-azure-ad-1d6ccaa55656.to move two clusters.

After this, at another mantenance window we try to use cisco official document https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/SAML_SSO_deployment_guide/Azure/cucm_b_saml-sso-microsoft-azure-idp.html to chante 3 final clusters and we found a small difference, our environment did not worked with the "Default" mode as cisco document, but "email address" as shown in the attached figure.

Today everything is working well on Azure.

Re: Jabber SSO login with Azure AD.

Franklin Gonzalez Sevillano — Thu, 07 Dec 2023 20:06:08 GMT

Hi Jonathan Schulenberg,

What happens if we sign the certificates of the collaboration applications with a public CA?

In that case, this certificate that we must upload to Azure must be generated by the Public CA or it can be generated in an Enterprise CA?

Thanks!

Re: Jabber SSO login with Azure AD.

George Paxson — Thu, 07 Dec 2023 20:26:09 GMT

I believe this is covered in the technote SAML SSO Microsoft Azure Identity Provider

If not, you can generate a certificate anywhere as this is just to encrypt the communications. Simple non technical answer. I believe we just generated a cert with OpenSSL. We have reused the same cert though changes from on prem to Cisco dedicated instance.

Re: Jabber SSO login with Azure AD.

ly_36 — Thu, 22 Feb 2024 10:20:07 GMT

We're planning to try to use SAML SSO with Azure for our CUCM, IM&P, Unity (14SU3) and Expressway (14.0.7) estate. The guide looks good.

Can I ask (possibly a stupid question) is there any requirement to have OAuth enabled first in Enterprise parameters and Expressway or is this not necessary? Azure will instead do the token work and not prompt to sign in constantly?

Re: Jabber SSO login with Azure AD.

Jonathan Schulenberg — Thu, 22 Feb 2024 17:46:00 GMT

SAML and OAuth are technically independent of one another. When both are enabled the longer life OAuth tokens allow the client to skip the SAML IdP until/unless the refresh token expires. I consider it best practice to enable both, including SIP OAuth - an extra step, but you're not required to. An easy example of where OAuth makes a big difference are inbound calls on mobile devices. Without OAuth, the user will be prompted to re-authenticate to the SAML IdP if their cookie has expired. The chances of a user successfully re-authenticating - especially with MFA - before the CFNA timer expires are pretty low.

Re: Jabber SSO login with Azure AD.

ly_36 — Wed, 27 Mar 2024 09:55:32 GMT

What item are we using for Common Name when creating the certificate for Azure? Nothing in the guide to indicate this