10-23-2024 07:04 AM
Hi
I have a customer who currently uses LDAP sync to pull in users from AD. The customer has asked if this sync can be done directly with the cloud-based system MS Entra/Azure. Is that possible?
My additional questions sort of relate to the SSO for Jabber, which I have explored before and tested, and which works. My question is, can you have SSO without the LDAP sync? I'm assuming not, as you would need the users in CUCM for Jabber to be set up.
If the above is not possible, are there any alternatives?
Thanks
10-23-2024 09:02 AM - edited 10-23-2024 10:12 AM
Entra account sync is facilitated through the Control Hub Entra ID wizard and Cloud Connected UC Directory service. Users are synced into Control Hub and then southbound into CUCM/CUC. This only replaces LDAP account imports, not LDAP authentication. You need to use SAML SSO with Entra to perform authentication. Also enabling OAuth & SIP OAuth on CUCM/CUC/Expressway is strongly recommended.
SAML SSO can be enabled independent of any account import process, LDAP or CCUC. It's perfectly capable of authenticating a local end user as long as the uid attribute in the SAML response matches a username in the database.
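A quick way to check the matching condition described in the answer above, as an added example that is not part of the original post or Cisco's code: it pulls the uid attribute out of a SAML assertion and compares it to a list of local usernames. The sample assertion, the usernames, and the exact-match comparison are assumptions for illustration, and the script does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not captured from a real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid">
      <saml:AttributeValue>{uid}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_uid(assertion_xml):
    """Return the single 'uid' attribute value, or None if absent or ambiguous."""
    root = ET.fromstring(assertion_xml)
    values = [v.text.strip()
              for a in root.iterfind(".//saml:Attribute[@Name='uid']", NS)
              for v in a.iterfind("saml:AttributeValue", NS) if v.text]
    return values[0] if len(values) == 1 else None


def check_uid(assertion_xml, local_usernames):
    """Classify how the asserted uid relates to the local end-user list.

    Diagnostic only: assumes exact string matching is what login requires.
    """
    uid = extract_uid(assertion_xml)
    if uid is None:
        return ("no-uid", None)
    if uid in local_usernames:
        return ("match", uid)
    lowered = {u.lower(): u for u in local_usernames}
    if uid.lower() in lowered:  # same name, different letter case
        return ("case-mismatch", lowered[uid.lower()])
    short = uid.split("@", 1)[0].lower()
    if "@" in uid and short in lowered:  # IdP sent a UPN, local name is short
        return ("upn-vs-short-name", lowered[short])
    return ("unknown-user", None)


if __name__ == "__main__":
    users = ["jsmith", "adoe"]  # constructed local usernames
    for candidate in ("jsmith", "JSmith", "adoe@example.com", "nobody"):
        print(candidate, check_uid(SAMPLE_ASSERTION.format(uid=candidate), users))
```
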
10-23-2024 09:07 AM
Hi Jonathan,
I had seen some of your other posts. I had hoped something may have changed; sadly it seems not.
The Cloud Connected UC, I assume that's a separate product the customer would need to purchase? Currently it is all on-prem servers.
I suspect we may go down the route of local users; hard to say.
On one cluster they can do the Entra SSO piece as it is a single domain.
On another cluster they have a few different organisations and some don't have traditional AD on prem to perform an LDAP sync to. As it is low numbers needed, local accounts will work I think. If it ever scales much bigger I can see local accounts being a real pain.
Thanks for your reply.
10-23-2024 10:11 AM
CCUC, or Cloud Connected UC as the full name of it is, is a Control Hub service that is free. If the customer doesn't have a Webex org they can get one created for free to use for CCUC.
10-24-2024 02:25 AM
I'll need to work out how I get to this Control Hub, if there is an instance for my customer, or have one created.
Thanks
10-24-2024 03:48 AM
To access Control Hub you go to https://admin.webex.com
04-16-2025 02:08 AM
Relooking at this as I finally have access to the Webex Control Hub for the customer.
With Webex Control Hub, does this mean we can sync users from Entra/Azure to Control Hub and then from Control Hub push the users to the on-prem CUCM servers?
Thanks
05-20-2025 07:39 AM
Hello,
I have configured Control Hub to be integrated with Azure AD for user import and authentication.
Is it possible for CUCM to import the users and authenticate them through Control Hub?
Something like this:
Azure AD -> Control Hub -> CUCM
Thank you.
05-20-2025 08:15 AM
No. The current design relies on SAML SSO. The recommended approach is to configure Webex Control Hub, CUCM, CUC, and Expressway to all use the same Identity Provider.