29281 Views, 41 Helpful, 19 Replies

Jabber SSO login with Azure AD.

ranjith raman (Level 1)

Hi Team,

Customer is currently using SSO for Jabber using ADFS. Customer is looking at migrating SSO to Azure AD, I would like to know if this is supported by Cisco.

Kindly suggest.

 

Version : Cisco Unified Presence 10.5.2.

2 Accepted Solutions

Jonathan Schulenberg (Hall of Fame)

Azure AD is *not* supported for LDAP synchronization on CUCM/CUC; however, any identity provider that supports SAML 2.0 is compatible for SSO. Be careful to keep these topics separate.

 

The challenge with SAML is that Cisco expects you to be knowledgeable about your chosen IdP and how to configure it. TAC supports the SAML functionality on their app only; you must work through properly integrating it to your IdP. For example, sometimes you need to manually modify the metadata file before uploading it. Cisco expects you to understand what modifications are required for your IdP to accept the file. There are a few configuration examples provided here:

https://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-configuration-examples-list.html

 

On a related note, I suggest upgrading to 11.5 or later where the SSO integration supports a single agreement for the cluster vs. individual agreements per-node. You must configure a multi-server Tomcat cert for this to be an option.


Jonathan Schulenberg (Hall of Fame)

Just to update everyone - this thread keeps turning up in search results - Cisco has published a TechNote for SAML SSO Microsoft Azure Identity Provider.

The trick, a shared signing certificate for the Azure IdP, was first discovered by Bernhard Albler and Stoyan Stoitsev. It is published in their Medium.com article Cisco CUCM and Expressway SSO with Azure AD. Cisco had expected Microsoft to add support for multiple ACS URLs; however, that has reportedly slipped on their roadmap. The business unit chose to (re)publish Bernhard and Stoyan's approach so it would be officially on Cisco.com.


19 Replies


Hi Jonathan Schulenberg,

 

Thanks a lot for the provided information, which was helpful for me.

 

 

Regards,

Ranjith Raman

How did you build the required custom claim rules? Azure AD doesn't support them.

Has anyone successfully made this work?

It appears Microsoft still has not implemented support for multiple Assertion Consumer Service (ACS) URLs with index attributes on Azure’s IdP offering. You won’t be able to get SAML working on subscribers without this. I just tried again this week and it’s not there. ADFS supports it but not Azure. If you work at a large/recognizable company that is likely to get Microsoft’s attention, I have the contact information of the responsible product manager - message me directly.
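Two constraints run through this thread: an IdP that will only take a single ACS URL per application, and the shared IdP signing certificate that lets one CUCM-side agreement cover several Azure applications. Both are visible in plain SAML 2.0 metadata, so the checks below are an added example, written for this page and not Cisco, Microsoft or Medium-article code; the entity IDs, URLs and certificate strings are constructed placeholders, and the metadata is deliberately minimal rather than a real CUCM or Azure export.

```python
"""Metadata checks for the Azure AD constraints discussed in this thread.
Constructed example: every entity ID, URL and certificate string is a placeholder."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def _descriptor(xml_text, role):
    """Return (entityID, <role>SSODescriptor element); role is 'SP' or 'IDP'."""
    root = ET.fromstring(xml_text)
    desc = root.find(f"md:{role}SSODescriptor", NS)
    if desc is None:
        raise ValueError(f"no {role}SSODescriptor in metadata for {root.get('entityID')}")
    return root.get("entityID"), desc


def signing_certs(xml_text, role):
    """Base64 X.509 signing certificates declared in SP or IdP metadata, whitespace removed."""
    _, desc = _descriptor(xml_text, role)
    certs = []
    for kd in desc.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    return certs


def acs_endpoints(sp_xml):
    """AssertionConsumerService endpoints of an SP, ordered by their index attribute."""
    _, desc = _descriptor(sp_xml, "SP")
    endpoints = [
        {"index": int(el.get("index")),
         "default": el.get("isDefault", "false").lower() == "true",
         "binding": el.get("Binding"), "location": el.get("Location")}
        for el in desc.findall("md:AssertionConsumerService", NS)
    ]
    return sorted(endpoints, key=lambda e: e["index"])


def check_single_acs_idp(sp_xml):
    """Findings when this SP metadata is given to an IdP that honours only one ACS URL."""
    endpoints = acs_endpoints(sp_xml)
    findings = []
    if len(endpoints) > 1:
        # The endpoint marked isDefault (else the first) is the only one such an IdP can use;
        # every other node listed has no SSO path and needs its own IdP agreement.
        default = next((e for e in endpoints if e["default"]), endpoints[0])
        others = [e["location"] for e in endpoints if e is not default]
        findings.append(f"{len(endpoints)} ACS endpoints declared but the IdP can use only one; "
                        f"nodes with no SSO path: {others}")
    return findings


def idp_certs_shared(idp_xmls):
    """True when every IdP metadata document advertises the same non-empty signing cert set,
    i.e. the shared-certificate arrangement one CUCM-side IdP agreement depends on."""
    cert_sets = [frozenset(signing_certs(x, "IDP")) for x in idp_xmls]
    return bool(cert_sets) and all(cert_sets) and len(set(cert_sets)) == 1


def make_sp_metadata(entity_id, acs_locations, cert):
    """Constructed SP metadata resembling a multi-node export; first ACS is the default."""
    acs = ""
    for i, loc in enumerate(acs_locations):
        default = ' isDefault="true"' if i == 0 else ""
        acs += f'<md:AssertionConsumerService index="{i}"{default} Binding="{POST}" Location="{loc}"/>'
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="{entity_id}">'
            '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}'
            f"</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>{acs}"
            "</md:SPSSODescriptor></md:EntityDescriptor>")


def make_idp_metadata(entity_id, cert):
    """Constructed IdP metadata such as one Azure enterprise application would export."""
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" entityID="{entity_id}">'
            '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}'
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
            f'<md:SingleSignOnService Binding="{POST}" Location="https://idp.example.invalid/{entity_id}/sso"/>'
            "</md:IDPSSODescriptor></md:EntityDescriptor>")


# Constructed cluster: publisher plus one subscriber, each with its own ACS URL.
SP_XML = make_sp_metadata("cucm-cluster.example.invalid",
                          ["https://cucm-pub.example.invalid/acs", "https://cucm-sub1.example.invalid/acs"],
                          "SP-CERT-PLACEHOLDER")
# Two Azure-side applications sharing one signing cert, and a third left on its own cert.
IDP_A_XML = make_idp_metadata("azure-app-pub", "IDP-CERT-PLACEHOLDER-SHARED")
IDP_B_XML = make_idp_metadata("azure-app-sub1", "IDP-CERT-PLACEHOLDER-SHARED")
IDP_C_XML = make_idp_metadata("azure-app-sub2", "IDP-CERT-PLACEHOLDER-OTHER")

if __name__ == "__main__":
    for finding in check_single_acs_idp(SP_XML):
        print("SP:", finding)
    print("IdP certs shared (A,B):", idp_certs_shared([IDP_A_XML, IDP_B_XML]))
    print("IdP certs shared (A,C):", idp_certs_shared([IDP_A_XML, IDP_C_XML]))
```

Run the same two functions against a real cluster's exported SP metadata and the IdP metadata downloaded from each Azure application: a finding from `check_single_acs_idp` tells you which nodes will have no working SSO under a single-ACS IdP, and `idp_certs_shared` returning False tells you the shared-certificate arrangement is incomplete before you discover it through failed logins.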

Do you know when we can expect a solution from Microsoft / Cisco for that specific problem?

Customers are migrating their MS products to the cloud without on-prem AD.

We need LDAP Sync with Azure AD and Azure IdP for SSO for installed Cisco on-prem infrastructure.

Roadmap questions are NDA and cannot be discussed in a public forum.

If you're a partner, you can try the partner forum, or reach out to your SE/AM for this.

HTH

java

if this helps, please rate

Hello,

Any thoughts on the great solution by Bernhard Albler?

https://medium.com/@stoyan.stoitsev/cucm-sso-with-azure-ad-1d6ccaa55656

Regards

 

We implemented this and it's working beautifully for us!

The latest third-hand info I have is Microsoft slipped support for multiple ACS URLs to the end of 2020. Bernhard and Stoyan did everyone a great service with that article. My understanding is that the BU intends to write a TechNote, or equivalent article, for that exact approach to make it "official". TAC will continue to only support the Cisco product and not the behavior/configuration of the SAML IdP; however, this will offer an equivalent to the ADFS-oriented articles they have posted.

I have followed the instructions as in my previous post.  Moved CUCM and CUC from Okta to Azure.  Still have to debug Expressway.  No post yet for Expressway.  My initial attempt has not worked.  Have to debug it.

Hi Jonathan Schulenberg,

What happens if we sign the certificates of the collaboration applications with a public CA?

In that case, must the certificate that we upload to Azure be generated by the public CA, or can it be generated by an enterprise CA?

Thanks!

I believe this is covered in the technote SAML SSO Microsoft Azure Identity Provider.

If not, you can generate a certificate anywhere as this is just to encrypt the communications. Simple, non-technical answer. I believe we just generated a cert with OpenSSL. We have reused the same cert through changes from on-prem to Cisco Dedicated Instance.

 

George Paxson (Level 1)

We are moving off Okta and did not renew our internet CA certs for the clusters. I just tested single-server AD domain certificates with Azure successfully, following the instructions in this blog. I will soon remove my multi-SAN certs and go with certs for each server. The information in this blog worked. Don't need to wait for the multi-server to work. Clusters are 11.5. LDAP is AD, not Azure.

https://medium.com/@stoyan.stoitsev/cucm-sso-with-azure-ad-1d6ccaa55656