10-01-2016 05:06 AM - edited 03-17-2019 06:24 PM
We have UC infrastructure in version 11. We use SSO for all authentication. Also, we use Jabber in all formats.
Only Jabber mobile, on both iPhone and Android devices, doesn't store user credentials.
Every day users need to enter their domain username and password to log in, making Jabber mobile unusable.
Why can't Cisco correct this issue by storing the domain user credential on the device and passing it automatically to the IdP? In our case Microsoft ADFS 2.0.
I've also opened a Cisco TAC case, but the engineer doesn't know how to reply.
Has anyone solved the issue?
Thank you.
Regards
Alessandro Bertacco
10-01-2016 12:37 PM
Hi,
1. Which versions of Jabber on Android have you tested? I have version 11.7, which works fine.
2. Are you using the Jabber-config.xml file? If yes, can you check whether the parameter below is set to FALSE?
<CachePasswordMobile>FALSE</CachePasswordMobile>
Aseem
(please rate if useful)
10-01-2016 01:14 PM
Hi Aseem, and thank you for your answer. Yes, we have Jabber version 11.7 on both desktop and mobile devices.
On desktop Windows devices, credentials are automatically passed from the Windows system.
Yes, I use Jabber-config.xml but I don't have that parameter configured, and I don't have any parameter configured in Jabber-config.xml that relates to the SSO procedure.
Note that we are using an SSO environment, which is completely different from integrated authentication; the IdP is also involved.
Alessandro
10-04-2016 07:53 PM
On desktop Windows devices, credentials are automatically passed from the Windows system.
It's not Jabber that passes your credentials to the IdP on Windows. This is done by Windows with the ADSI APIs and a Kerberos token from the domain controller that IE presents to the IdP. Should that fail (e.g. on a non-domain-joined PC), Jabber for Windows would prompt you for the username and password each time, just as Jabber for iPhone does.
At a basic level, Jabber just opens the IdP URL in a browser when the IM&P/CUCM/CUC server tells it to go get a SAML cookie. Whatever the OS browser does (e.g. IE on Windows, Safari on iOS) is up to the browser. It could pass a user certificate, a Kerberos token, or prompt for username and password. That negotiation is entirely between the browser and the IdP. All Jabber gets is the SAML cookie at the end.
If you don't want the user to be prompted for a password, then you'll need to implement a solution that allows an iOS device to authenticate to the IdP without prompting the user for credentials. Typically that's a user certificate managed through an MDM. There is one roadblock with that approach: Expressway does not yet support certificate-based authentication for MRA. Also, Jabber for iOS supports certificate-based authentication but Jabber for Android does not. There is no public date for when Expressway will add certificate-based authentication support. I suggest you discuss the business impact this has with your Cisco AM, assuming you're actually willing to implement it when Cisco adds that last piece. Certificate management is not trivial, so don't beat them up over this if you're not going to follow through.
10-05-2016 12:26 AM
Hi Jonathan, thank you for the answer.
OK, so you agree with me that whether or not to use SSO authentication is a key decision when implementing UC infrastructure; it offers an advantage to users, who can use their personal credentials, and it is also an advantage for administrators, who no longer need to maintain two different user databases.
But if the behaviour of SSO on mobile devices is to ask users for their credentials every day, SSO is unsuccessful.
Cisco UC engineers must know about this big limitation, which can determine the final decision on whether or not to use SSO.
Also, we know that users don't want to be bothered with credentials. They use WhatsApp, Skype, and other consumer UC clients that don't ask for credentials. These apps run, connect to the network and are ready to use.
As you know, users and VIP users, no matter the complexity of the infrastructure, want smart apps, not apps with great security that always ask them to input something.
So a question for you.
Is it possible to disable SSO only for mobile devices and tell them to use CUCM credentials?
Thanks so much.
10-05-2016 06:02 AM
Is it possible to disable SSO only for mobile devices and tell them to use CUCM credentials?
No. It's all-or-nothing.
As for the comparison against other solutions (including Cisco Spark): I agree but that's well beyond the scope of the support forums. We can help you with the product as it exists today here. You need to direct conversation about how it should work to your Cisco AM. Just be prepared to cough up a business case of the value - in hard dollars - to your company for solving this. IMO, this is the only thing that gets product backlogs reprioritized.