Hi Chris Deren,

I have also the same objective to achive but the thing is that client is not agreeing on Kerberos authentication since their core Oracle application will be impacted if it will be configured.

Asked Cisco and they responded that "There are so many third party applications that integrates with jabber/cucm/AD and certified with cisco to acheive SSO, if you can't use the cisco built in SSO solutions."

any suggestions will be appriciated.

Regards,

Farrukh

Cisco supports SAML 2.0 SSO, there is NO CISCO SSO, they always integrate with 3rd party SSO infastructure such as MSFT AFDS and others, but they have to be SAML 2.0 based. So not sure what you and your Cisco contact is stating, as that that has and will be the case to always use 3rd party SSO solution.

Chris,

Thank you for the response.  I will look into these options as well. 

In the meantime, I have abandoned the SAML SSO option and turned it off in Cisco and I have been able to tweak the jabber config file located at C:\Program Files (x86)\Cisco Systems\Cisco Jabber\jabber-config-defaults.xml and got it to pull in the username automatically, just not the password yet.  If the password is typed into and the checkbox "sign me in when Cisco Jabber starts" is checked, it continues to work even after rebooting computer, however we are trying to get it where the user does not have to enter a password or check the box at all.  Here is what I added to the config file to get the username part pulling down:

<!-- Directory -->
   <DirectoryServerType>EDI</DirectoryServerType>
   <ConnectionType>0</ConnectionType>
   <PrimaryServerName>Our domain name</PrimaryServerName>
   <UseWindowsCredentials>1</UseWindowsCredentials>
   <UseSecureConnection>1</UseSecureConnection>
   <CommonName>cn</CommonName>
   <DisplayName>displayName</DisplayName>
   <FirstName>givenName</FirstName>
   <LastName>sn</LastName>
   <EmailAddress>mail</EmailAddress>
   <SipUri>msRTCSIP-PrimaryUserAddress</SipUri>
   <PhotoSource>thumbnailPhoto</PhotoSource>
   <BusinessPhone>telephoneNumber</BusinessPhone>
   <MobilePhone>mobile</MobilePhone>
   <HomePhone>homePhone</HomePhone>
   <OtherPhone>otherTelephone</OtherPhone>
   <Title>title</Title>
   <CompanyName>company</CompanyName>
   <UserAccountName>sAMAccountName</UserAccountName>
   <DomainName>userPrincipalName</DomainName>
   <Location>co</Location>
   <Nickname>Nickname</Nickname>
   <PostalCode>postalCode</PostalCode>
   <City>l</City>
   <State>st</State>
   <StreetAddress>streetAddress</StreetAddress>
   <BaseFilter>(&amp;(objectCategory=person))</BaseFilter>
   <PredictiveSearchFilter>anr=</PredictiveSearchFilter>
   <DisableSecondaryNumberLookups>0</DisableSecondaryNumberLookups>
   <SearchTimeout>5</SearchTimeout>
   <UseWildcards>0</UseWildcards>
   <MinimumCharacterQuery>3</MinimumCharacterQuery>
   <SearchBase1>Path to our OU</SearchBase1>
   <PhotoUriSubstitutionEnabled>false</PhotoUriSubstitutionEnabled>
   <UseSIPURIToResolveContacts>false</UseSIPURIToResolveContacts>

Does anyone have any suggestions on how to get the password to pull down from active directory and to automatically have the check box selected for "sign me in when Cisco Jabber starts"?

(+5 to Chris)

This is the point of Kerberos authentication with SSO. Kerberos utilize the fact that the user is logged in to Active Directory. You will get rid of the username/password prompt at the SSO server and instead let the web browser use the Kerberos authentication of the Windows Domain.

There is no mechanism to pull down password automatically.

Also you dont need to do anything to get jabber to use the UPN (user pricipal name ) to login. This is done by default especially in vs 11.0 and above..Jabber grabs this from your pc.

Thanks Deji for rating but I think you forgot to actually do it :-)

+5 to you for articulate explanation.

chris

My bad Chris..You are right..Done :)

Thank you Ayodeji for the response.  Yes, the UPN didn't pull down when we had Jabber 10, but once we grabbed the latest version, UPN started to work.

As far as the Kerberos authentication and web browser, I had that part working when single sign on was turned on, but again this was only for the web browser functionality for logging into the Cisco Communications Manager or IM and Presence, not for Jabber.  My goal is to have Jabber automatically login, not the web browser.  SSO and ADFS would bring me to an ADFS login page for jabber, and would work, but every time the user logs out of Windows and back in, they have to re-enter their username and password which kind of defeats purpose of single sign on.

You must have missed something in the configuration. I am attaching the a lab guide which documents step by step what you need to do to get this working...

Use it to deploy your SSO and enable kerberos authentication.

Thank you for the document.  Very informative.  Very similar to some of the steps I had done before with saml sso setup. Will give this a try when I can.  Also, very new to Cisco so it will be a learning curve for me.