Jabber SSO login with Azure AD.

ranjith raman
Level 1

Hi Team,

Customer is currently using SSO for Jabber using ADFS. Customer is looking at migrating SSO to Azure AD; I would like to know if this is supported by Cisco.

Kindly suggest.

Version: Cisco Unified Presence 10.5.2.

19 Replies

Jonathan Schulenberg
Hall of Fame

Just to update everyone - this thread keeps turning up in search results - Cisco has published a TechNote for SAML SSO Microsoft Azure Identity Provider.

The trick, a shared signing certificate for the Azure IdP, was first discovered by Bernhard Albler and Stoyan Stoitsev. It is published in their Medium.com article Cisco CUCM and Expressway SSO with Azure AD. Cisco had expected Microsoft to add support for multiple ACS URLs; however, that has reportedly slipped on their roadmap. The business unit chose to (re)publish Bernhard and Stoyan's approach so it would be officially on Cisco.com.

Hello,

We migrated our 5 CUCM 11.5 clusters to Azure successfully.

Initially we used this procedure https://medium.com/@stoyan.stoitsev/cucm-sso-with-azure-ad-1d6ccaa55656 to move two clusters.

After this, at another maintenance window, we tried to use the Cisco official document https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/SAML_SSO_deployment_guide/Azure/cucm_b_saml-sso-microsoft-azure-idp.html to change the 3 final clusters, and we found a small difference: our environment did not work with the "Default" mode as in the Cisco document, but with "email address", as shown in the attached figure.

Today everything is working well on Azure.

ly_36
Level 1

We're planning to try to use SAML SSO with Azure for our CUCM, IM&P, Unity (14SU3) and Expressway (14.0.7) estate. The guide looks good.

Can I ask (possibly a stupid question): is there any requirement to have OAuth enabled first in Enterprise Parameters and Expressway, or is this not necessary? Will Azure instead do the token work and not prompt to sign in constantly?

SAML and OAuth are technically independent of one another. When both are enabled, the longer-life OAuth tokens allow the client to skip the SAML IdP until/unless the refresh token expires. I consider it best practice to enable both, including SIP OAuth (an extra step), but you're not required to. An easy example of where OAuth makes a big difference is inbound calls on mobile devices. Without OAuth, the user will be prompted to re-authenticate to the SAML IdP if their cookie has expired. The chances of a user successfully re-authenticating, especially with MFA, before the CFNA timer expires are pretty low.

ly_36
Level 1

What item are we using for the Common Name when creating the certificate for Azure? Nothing in the guide indicates this.