Re: Centralized IMP Deployment

Ab Saboor · ‎07-27-2018

Hello Experts!

I deployed centralized IMP in our infrastructure. ILS is configured between Telephony Cluster and IMP Service Central Cluster and tested successfully. I am assuming that the reason behind the login failure is that I have not configured IDP for SSO logins. Is IDP server is required for this type of deployments.

I included the guide as well.

Thanks in advance!

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/configAdminGuide/12_0_1/cup0_b_config-admin-guide-imp-1201/cup0_b_config-admin-guide-imp-1201_chapter_011000.html

Anthony Holloway · ‎07-30-2018

According to Cisco Live US 2018 Session BRKCOL-2239, you don't need an IdP and SAML SSO to make this work.

But, you do need to enable OAuth on CUCM for Authorization. This is available in CUCM 11.5(1)SU3+

However, the document you posted lists CUCM 11.5(1)SU4 to support OAuth. So, I'd go that route.

Additionally, it looks like you need to be running a version of Jabber which supports OAuth, and that looks like it will be 11.9+.

Go to ciscolive.com and find this session, then watch the OAuth section at 44:40, and then watch the Centralized Model section that follows at 1:02:25.

Let us know what you run into. I'd wager this isn't a widely explored feature as of this date. I personally have never done this, so I'm curious myself.

Ab Saboor · ‎08-24-2018

As you know, in a multi-cluster deployment you can not homecluster a user in two clusters, and if you homecluster a user in multiple-clusters, the users won't be able to log-in to Jabber because Jabber client get confused which cluster is it's home-cluster (UDS). with keeping that in mind, I homeclustered all LDAP integerated users to Centralized IMP Service Cluster only. The result is NEGATIVE. It worked finally with this approach= Homeclustering users in the corresponding telephony cluster and Centralized IMP Service Cluster and then BAM. The documentation is not very clear or maybe I missed something while reading it.

Andrea Vaccani · ‎09-14-2018

Hello,

we had the same problem and we fixed it disabling the Home Cluster setting on the CUCM Central Cluster, by updating all End Users with Bulk.

Bulk Administration -> Users -> Update Users -> Query

Step1: Uncheck "Home Cluster" and uncheck"Enable User for Unified CM IM and Presence"

Step2: Check "Enable User for Unified CM IM and Presence", check Assign Presence Server and select a Server from DropDown List.

Finally:

On Telephony Cluster, End Users must have settings "Home Cluster" enabled and "Enable User for Unified CM IM and Presence and Assign Presence Server" disabled.

On Central Cluster, End Users must have settings "Home Cluster" disabled and "Enable User for Unified CM IM and Presence and Assign Presence Server" enabled.

Home Cluster Discovery for a User must return only the Telephony Cluster as Home Cluster.

The procedure described in the "Centralized Deployment Configuration Task Flow", step 3 "Enable Users for IM and Presence via Bulk Admin" is a little bit confusing.

I hope this can be helpful.

Regards,

Andrea

bvanbenschoten · ‎11-18-2019

Actually you need to set the home cluster on the CUCM server supporting the central IM&P. (CUCM/IMP).

In my experience you cant check the "Enable User for Unified CM IM and Presence" in the interface if Home Cluster is not also checked.

However, the CUCM supporting the central IM&P should NOT be part of your ILS configuration. There is no need.

This avoids the issue were a user has home cluster enabled in two places since the CUCM/IMP is not participating in the ILS and the other clusters will never learn about it.

Kevin Li · ‎11-18-2019

I concur with @bvanbenschoten post and this is how we have our Centralized IM&P set up for a little while now.

The key is the UCM node for the Centralized IM&P cluster must not be part of the ILS network.

Anil Sharma · ‎12-14-2019

Hello Gentlemen,

Can someone please help me confirm if enabling OAuth on Telephony clusters mandatory for central IM&P ?

Many thanks for your help..

Regards,

Anil Sharma .