ranjith raman
Beginner

Jabber SSO login with Azure AD.

Hi Team,

Customer is currently using SSO for Jabber using ADFS. Customer is looking at migrating SSO to Azure AD, I would like to know if this is supported by Cisco.

Kindly suggest.

 

Version : Cisco Unified Presence 10.5.2.

14 REPLIES

Azure AD is *not* supported for LDAP synchronization on CUCM/CUC; however, any identity provider that supports SAML 2.0 is compatible for SSO. Be careful to keep these topics separate.

 

The challenge with SAML is that Cisco expects you to be knowledgeable about your chosen IdP and how to configure it. TAC supports the SAML functionality on their app only; you must work through properly integrating it to your IdP. For example, sometimes you need to manually modify the metadata file before uploading it. Cisco expects you to understand what modifications are required for your IdP to accept the file. There are a few configuration examples provided here:

https://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-configuration-examples-list.html

 

On a related note, I suggest upgrading to 11.5 or later where the SSO integration supports a single agreement for the cluster vs. individual agreements per-node. You must configure a multi-server Tomcat cert for this to be an option.


Hi Jonathan Schulenberg,

 

Thanks a lot for the provided information, which was helpful for me.

 

 

Regards,

Ranjith Raman

How did you build the required custom claim rules? Azure AD doesn't support them.

Has anyone successfully made this work?

It appears Microsoft still has not implemented support for multiple Assertion Consumer Service (ACS) URLs with index attributes on Azure’s IdP offering. You won’t be able to get SAML working on subscribers without this. I just tried again this week and it’s not there. ADFS supports it but not Azure. If you work at a large/recognizable company that is likely to get Microsoft’s attention, I have the contact information of the responsible product manager - message me directly.

Do you know when we can expect a solution from Microsoft / Cisco for that specific problem?

Customers are migrating their MS products to the cloud without AD on-prem.

We need LDAP sync with Azure AD and the Azure IdP for SSO for installed Cisco on-prem infrastructure.

Jaime Valencia
Hall of Fame Cisco Employee

Roadmap questions are NDA and cannot be discussed in a public forum.

If you're a partner, you can try the partner forum, or reach out to your SE/AM for this.

HTH

java

if this helps, please rate

Hello,

Any thoughts on the great solution by Bernhard Albler?

https://medium.com/@stoyan.stoitsev/cucm-sso-with-azure-ad-1d6ccaa55656

Regards

 

We implemented this and it's working beautifully for us!

The latest third-hand info I have is Microsoft slipped support for multiple ACS URLs to the end of 2020. Bernhard and Stoyan did everyone a great service with that article. My understanding is that the BU intends to write a TechNote, or equivalent article, for that exact approach to make it "official". TAC will continue to only support the Cisco product and not the behavior/configuration of the SAML IdP; however, this will offer an equivalent to the ADFS-oriented articles they have posted.

I have followed the instructions as in my previous post.  Moved CUCM and CUC from Okta to Azure.  Still have to debug Expressway.  No post yet for Expressway.  My initial attempt has not worked.  Have to debug it.

George Paxson
Beginner

We are moving off Okta and did not renew our internet CA certs for the clusters. I just tested single-server AD domain certificates with Azure successfully, following the instructions in this blog. I will soon remove my multi-SAN certs and go with certs for each server. The information in this blog worked. Don't need to wait for the multi-server to work. Clusters are 11.5. LDAP is AD, not Azure.

https://medium.com/@stoyan.stoitsev/cucm-sso-with-azure-ad-1d6ccaa55656

 

Just to update everyone - this thread keeps turning up in search results - Cisco has published a TechNote for SAML SSO Microsoft Azure Identity Provider.

The trick, a shared signing certificate for the Azure IdP, was first discovered by Bernhard Albler and Stoyan Stoitsev. It is published in their Medium.com article Cisco CUCM and Expressway SSO with Azure AD. Cisco had expected Microsoft to add support for multiple ACS URLs; however, that has reportedly slipped on their roadmap. The business unit chose to (re)publish Bernhard and Stoyan's approach so it would be officially on Cisco.com.

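Two metadata properties decide whether the approach in this thread will work before anything is uploaded: whether the SP metadata exported from CUCM advertises several AssertionConsumerService endpoints with index attributes (the construct Azure AD could not consume at the time), and whether the per-node Azure IdP metadata documents really carry one shared signing certificate. The following Python is an added example written for this page, not code from Cisco, Microsoft or the Medium article. All XML in it is constructed sample data with example.com hostnames, a TENANT placeholder and placeholder certificate blobs; the ACS URL paths are illustrative, not copied from a real export.

```python
"""Pre-upload checks for a CUCM <-> Azure AD SAML metadata exchange.

1. SP metadata from a cluster-wide CUCM agreement lists one ACS per node,
   each with an index attribute (what the thread says Azure AD could not take).
2. With the shared-certificate workaround there is one Azure enterprise app,
   hence one IdP metadata document, per node; all must use the same signing cert.

Everything below is constructed sample data, not real CUCM or Azure output.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def acs_endpoints(sp_metadata_xml):
    """Return [(index, binding, location)] for each ACS in SP metadata."""
    root = ET.fromstring(sp_metadata_xml)
    out = []
    for acs in root.findall(".//md:SPSSODescriptor/md:AssertionConsumerService", NS):
        idx = acs.get("index")
        out.append((int(idx) if idx is not None else None,
                    acs.get("Binding"), acs.get("Location")))
    return out


def needs_indexed_acs(sp_metadata_xml):
    """True when the SP advertises more than one ACS and every ACS carries an index."""
    eps = acs_endpoints(sp_metadata_xml)
    return len(eps) > 1 and all(i is not None for i, _, _ in eps)


def signing_cert_fingerprints(idp_metadata_xml):
    """SHA-256 fingerprints of the certs an IdP may sign with.

    A KeyDescriptor with no 'use' attribute is valid for signing and encryption,
    so it is counted; use="encryption" is skipped.
    """
    root = ET.fromstring(idp_metadata_xml)
    fps = set()
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fps.add(hashlib.sha256(der).hexdigest())
    return fps


def shared_signing_cert(idp_metadata_docs):
    """True when every IdP metadata document carries the identical signing-cert set."""
    sets = [signing_cert_fingerprints(doc) for doc in idp_metadata_docs]
    return bool(sets) and all(s and s == sets[0] for s in sets)


def report(sp_metadata_xml, idp_metadata_docs):
    """Both checks as a dict, e.g. for a gate before the upload step."""
    return {
        "acs_endpoints": acs_endpoints(sp_metadata_xml),
        "indexed_acs": needs_indexed_acs(sp_metadata_xml),
        "shared_signing_cert": shared_signing_cert(idp_metadata_docs),
    }


# ---- constructed sample data (not real exports) -----------------------------
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="cucm-cluster.example.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" isDefault="true" Binding="{HTTP_POST}"
        Location="https://cucm-pub.example.com:8443/ssosp/saml/SSO/alias/cucm-pub.example.com"/>
    <md:AssertionConsumerService index="1" Binding="{HTTP_POST}"
        Location="https://cucm-sub1.example.com:8443/ssosp/saml/SSO/alias/cucm-sub1.example.com"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def idp_metadata(cert_b64):
    """Metadata of one Azure enterprise application (constructed; TENANT is a placeholder)."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sts.windows.net/TENANT/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://login.microsoftonline.com/TENANT/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


# Placeholder blobs standing in for DER certificates; only fingerprinted, never parsed.
SHARED_CERT = base64.b64encode(b"placeholder DER: shared Azure signing cert").decode()
OTHER_CERT = base64.b64encode(b"placeholder DER: a different cert").decode()
IDP_PUB = idp_metadata(SHARED_CERT)          # app for the publisher
IDP_SUB1 = idp_metadata(SHARED_CERT)         # app for subscriber 1, same cert uploaded
IDP_SUB1_WRONG = idp_metadata(OTHER_CERT)    # subscriber app left on its own cert

if __name__ == "__main__":
    for key, value in report(SP_METADATA, [IDP_PUB, IDP_SUB1]).items():
        print(f"{key}: {value}")
```

Run it as a script to print the report; in practice replace the constructed strings with the SP metadata downloaded from CUCM and the federation metadata downloaded from each Azure enterprise application. The check compares certificate fingerprints only; it does not validate chains, expiry or the metadata signature, so a match here is necessary but not sufficient for the agreement to come up.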

Hello,

We migrated our 5 CUCM 11.5 clusters to Azure successfully.

Initially we used this procedure https://medium.com/@stoyan.stoitsev/cucm-sso-with-azure-ad-1d6ccaa55656 to move two clusters.

After this, at another maintenance window we tried to use the official Cisco document https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/SAML_SSO_deployment_guide/Azure/cucm_b_saml-sso-microsoft-azure-idp.html to change the 3 final clusters, and we found a small difference: our environment did not work with the "Default" mode as in the Cisco document, but with "email address", as shown in the attached figure.

Today everything is working well on Azure.
