Is XMPP (Finesse Notification Service) Usable with UCCX SSO?

daniel-walbridge · ‎05-20-2025

Hi Cisco team,

We’re currently integrating with UCCX (15.x) and are using both the REST APIs and XMPP (Finesse Notification Service via OpenFire) to support real-time event notifications.

We've trying to implement SSO using Cisco IdS with SAML 2.0.

I've been digging for awhile in your docs and can't seem to find a clear answer to these questions.

1. Can XMPP (Finesse Notification Service) be used with SSO?
From our research, the XMPP connection appears to still require the following:

Agent ID
Agent Password
XMPP Domain
XMPP PubSub Domain

This implies traditional username/password authentication is required. Since the Notification Service runs on OpenFire and uses SASL mechanisms for authentication, it’s unclear how (or if) SSO can be integrated into that flow. We couldn’t find any official confirmation on whether XMPP is compatible with SSO in UCCX environments.

2. If SSO is required for a user, can that user still authenticate to XMPP using traditional credentials?
In other words, if a deployment is enforcing SSO for web-based access (e.g., Finesse Desktop via browser), will those same users still be able to connect to the XMPP service using their old-style credentials for event subscription?

We're trying to determine whether:

XMPP is effectively incompatible with SSO-only environments.
We must collect both SSO tokens and traditional user credentials for XMPP support.
Or if there's a supported approach we’re overlooking.

If any documentation or clarification exists from the product team, it would be very helpful.

Thanks in advance!

dhiarumu · ‎05-20-2025

Hi Daniel,

1. Can XMPP (Finesse Notification Service) be used with SSO?

Yes, it is supported. You can just use the auth token in the place of password in this case.

XMPP Domain and XMPP PubSub Domain names can be found on the SystemInfo reponse.

https://finessefqdn/finesse/api/SystemInfo

2. If SSO is required for a user, can that user still authenticate to XMPP using traditional credentials?

No, Basic authentication will not work for the SSO enabled agents. Only auth token is required on this case.

Please check this document, how to use REST API to get access token for the SSO enabled agents.

https://pubhub.devnetcloud.com/media/finesse/docs/downloads/previous-documentation/rest-api-with-sso-guide/Cisco_Finesse_Rest_Api_With_SSO_Guide_Release_12.6(1).pdf

Thanks

daniel-walbridge · ‎05-29-2025

Thank for the reply.

We've tried using the access token as the password when connecting to the XMPP service (as recommended), but we consistently receive the following error:

org.jivesoftware.smack.sasl.SASLErrorException: SASLError using PLAIN: not-authorized

We’ve tested every logical combination of JID and User, all derived from the JWT access token (i.e., the same user who successfully completed the browser redirect flow). This user is able to:

Use the same token to hit REST API endpoints like https://(domain)/finesse/api/Users/
Dynamically refresh their access token without issue

However, despite that, XMPP authentication continues to fail with not-authorized.

The SSO guide you provided appears to apply strictly to REST API usage( so following it to setup XMPP doesn't get us anywhere).
We haven't been able to find any documentation clearly explaining how to authenticate to XMPP using an access token. Since we’ve had XMPP integration working for years via traditional username/password, we’re trying to confirm:

Is there a specific format or encoding expected when sending the access token as the XMPP password?
Are any additional configuration steps required on the Finesse/OpenFire side to enable XMPP access for SSO-authenticated users?

If there are examples, logs to enable, or any known limitations we should be aware of, we’d greatly appreciate the guidance.

Thanks again,
Daniel Walbridge

daniel-walbridge · ‎05-30-2025

I was able to get it to work!