cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
6013
Views
0
Helpful
10
Replies
Highlighted
Contributor

SSO on CUCM Cluster

Hello,

question, if I enable single sign-on on my cucm cluster, does it mean, that I have to use SSO on all endpoints, like Jabber or TSP? We are using CUCM 10.5.

If possible, I would like to start with TSP using SSO and later on also use Jabber.

Regards,

René

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

That  is not possible. Once you enable SSO on your cluster, jabber will automatically detect it and will attempt to use it.

Please rate all useful posts

View solution in original post

10 REPLIES 10
Highlighted
Cisco Employee

You'll possibly get error "Cannot open page. Try again later" with no option to login from Jabber with CUCM SSO enabled. In jabber log you can verify this using log (Problem report > jabber.log)-

.."[LifecycleController::OnSSOSignInRequired] - LifecycleController::OnSSOSignInRequired - Cannot open page. Try again later."

Highlighted

Hi Md Hasan,

is this a "yes" to my question, that whenever SSO is enabled in the Cluster, I have to use SSO on all endpoints?

Highlighted

Rene,

The answer is NO. Most of your endpoints dont require SSO. Its only Jabber that supports SSO. It also depends on your jabber version. From the client side ie Jabber you dont need to do anything for it to support SSO. Its automatically built into the client.

Please rate all useful posts
Highlighted

Hello,

sorry, I don't get it. Try to make it simple. I have 2 applications running on my client which have the feature SSO built in. One is Jabber 10.6 and the other is Cisco TSP (Tapi Client). I want to use TSP with SSO but I don't want to use Jabber for SSO. Is this still possible after I enabled SSO on the Cluster for TSP?

Regards

Rene

Highlighted

That  is not possible. Once you enable SSO on your cluster, jabber will automatically detect it and will attempt to use it.

Please rate all useful posts

View solution in original post

Highlighted

Hello,

This discussion is very relevant to my scenario. Only variation is that I have 2 domains and each domain is a separate forest with AD.

Will SSO work for me. Do I need to change to uid for user synchronization?

Thanks

Highlighted

MultiDomain will work with AD-LDS to aggregate Multi-Forest domains to the CUCM (v10.5+) This will take care of users in CUCm and address book for Jabber.

SSO will also be redirected to respective Forests for authentication by AD-LDS.

Highlighted

Hi Ayodeji, sorry to raise this question after so long time, I also have questions about JTAPI user SSO, hope you can help me!

 

1. When SSO is enabled for authentication on the cluster, our current understanding is JTAPI/TAPI user is also authenticated using SSO and we can not bypass SSO.
However we would like to avoid SAML authentication for JTAPI/TAPI user because it is integrated with external application.
So is there a way to bypass SSO just for JTAPI/TAPI user?


2. We have an application server which provide click-to-call service by integration through CTI and also a recording server.
Because it uses CTI, we create end user for the application, and link the device to the end user.
This CTI integration currently uses ID/PW authentication, but when we enable SSO, is it correct to say that since SAML and OAuth will be covered by TSP client provided by CUCM and JTAPI application side, the application server side doesn't need to care about SSO?
Or, does the application server side also needs to support SAML and OAuth protocol? In that case, is there any necessary task like approving access to certificate store etc.

Highlighted

You don't have to "Enable" SSO on the client (Because client automatically discovers CUCM has SSO enabled and Jabber must adhere to that - which means PC must Join the domain and must be able to communicate with SSO Sever/ADFS Server over HTTPS without any hickups -- Internet explorer specific settings may be needed.) The error I have posted was from a PC that is not domain Joined. Same environment where a PC is setup properly and Domain joined SSO works ok.

HTH

Highlighted

Hi Md Hasan,

  I've exactly this issue.

All works fine for the Jabber mobile (Android and iPhone) and also for MAC.

And Also This issue happen only accessing through the Expressway Infrastructure, in the corporate LAN authentication works like a Charm!! 

But, jabber for Windows (All versions) on Windows 10, with SSO enabled and ADFS site added to Intranet Sites in internet Option, when I try to login I get a Jabber popup that say:

Unable to open https://adfs.externaldomain.it and imeddiatly closed.

On the Jabber I see the error: Unable to open the Page, Try again later

But SSO authentication Works fines, if I put the ADFS URL in trusted Site in the Internet Option, But in this case, Jabber Always ask for domain username and password, and didn't use the windows logon credential. Very annoying things

Any Idea?

Many Thanks

Alessandro Bertacco