cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

AMA-CUCM Troubleshooting: Best Practices for Reading Trace Files

522
Views
5
Helpful
2
Replies
Beginner

Cisco Jabber SSO Login

Does anyone know how Jabber clients pick the SSO server for SSO logins?  We recently added 2 news subscribers to our cluster, but they are not in any CM groups at this time as we prepare to move phones to those new groups. 

 

We started to get reports today that SSO was failing on Jabber for Windows and found that the authentication was being attempted on one of the new subscribers. We fixed immediately by updating the SAML server with the new subs metadata.  

 

What I want to know is what process does Jabber use to pick a CUCM server to authenticate against.  If there are 5 available servers and one of them fails, why would it not pick another one?  Does the Jabber client chose the server that is closest to the client?!

 

Just curious if anyone has any input.

 

Thanks.

2 REPLIES 2
Highlighted
Beginner

Re: Cisco Jabber SSO Login

Hello pghninja,

 

Here is the process on SAML SSO for Jabber Clients.

1. Jabber login to CUCM/IMP/Unity
2. Redirect to LDAP for Authentication
3. Login - SAML Request
4. Authenticate User
5. Authentication Reply
6. SAML Assertion Response
7. Send SAML Response to > CUCM/IMP/Unity
8. CUCM/IMP/Unity Grants Access to Resources.

 

I have attached the topology below for you to look at as well. 

SSO-Jabber.png

 

 

 

 

 

 

 

 

 

 

 

 

 

Also, you can point Jabber to which server you would like to login with. This feature is under the Jabber "Advanced settings" before logging in. 

Screen Shot 2018-11-16 at 10.57.23 AM.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

I hope I was able to help you out!

 

Thanks,

Tim

Beginner

Re: Cisco Jabber SSO Login

Hi Tim, 

 

Sorry, I have been out of the office.  Thanks for the diagram, I understand that flow.  The issue is this, one of our servers in the cluster did not have SSO enabled (it was a new build) and login was being denied.  What I don't understand is why wouldn't the client use another server in the cluster?

 

Once I updated the metadata on the new CUCM node, everything was fine.  So I was asking in the event that we had an issue with a SUB, SSO could potentially break users signing into Jabber since the client doesn't seem to try another node in the cluster.

 

Does that make sense?!

 

 

CreatePlease to create content
Content for Community-Ad
August's Community Spotlight Awards