Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2357
Views
5
Helpful
4
Replies

Cisco Jabber SSO Login

pghninja
Level 1
Level 1

‎11-16-2018 07:40 AM

Does anyone know how Jabber clients pick the SSO server for SSO logins?  We recently added 2 news subscribers to our cluster, but they are not in any CM groups at this time as we prepare to move phones to those new groups. 

 

We started to get reports today that SSO was failing on Jabber for Windows and found that the authentication was being attempted on one of the new subscribers. We fixed immediately by updating the SAML server with the new subs metadata.  

 

What I want to know is what process does Jabber use to pick a CUCM server to authenticate against.  If there are 5 available servers and one of them fails, why would it not pick another one?  Does the Jabber client chose the server that is closest to the client?!

 

Just curious if anyone has any input.

 

Thanks.

Labels:
0 Helpful
4 Replies 4

timspiller
Level 1
Level 1

‎11-16-2018 08:01 AM

Hello pghninja,

 

Here is the process on SAML SSO for Jabber Clients.

1. Jabber login to CUCM/IMP/Unity
2. Redirect to LDAP for Authentication
3. Login - SAML Request
4. Authenticate User
5. Authentication Reply
6. SAML Assertion Response
7. Send SAML Response to > CUCM/IMP/Unity
8. CUCM/IMP/Unity Grants Access to Resources.

 

I have attached the topology below for you to look at as well. 

SSO-Jabber.png

 

 

 

 

 

 

 

 

 

 

 

 

 

Also, you can point Jabber to which server you would like to login with. This feature is under the Jabber "Advanced settings" before logging in. 

Screen Shot 2018-11-16 at 10.57.23 AM.png

 

 

 

 

 

 

 

 

 

 

 

 

 

 

I hope I was able to help you out!

 

Thanks,

Tim

pghninja
Level 1
Level 1
In response to timspiller

‎12-11-2018 05:49 AM

Hi Tim, 

 

Sorry, I have been out of the office.  Thanks for the diagram, I understand that flow.  The issue is this, one of our servers in the cluster did not have SSO enabled (it was a new build) and login was being denied.  What I don't understand is why wouldn't the client use another server in the cluster?

 

Once I updated the metadata on the new CUCM node, everything was fine.  So I was asking in the event that we had an issue with a SUB, SSO could potentially break users signing into Jabber since the client doesn't seem to try another node in the cluster.

 

Does that make sense?!

 

 

0 Helpful

mannygross
Level 1
Level 1
In response to timspiller

‎01-18-2023 11:58 AM

Would this also apply when configuring for use on macbooks?

0 Helpful

Roger Kallberg
VIP
VIP
In response to mannygross

‎01-18-2023 12:18 PM

Any client type works the same, it doesn’t matter if it’s a Apple or other type of device.



Response Signature


0 Helpful
Customers Also Viewed These Support Documents