Thanks b.winter,

Do I need to enable SSO and SAML in CUCM and Unity as well ? or on expressway only?

we are relay on ADFS and RSA as SSO and IDP but both are on premices and smart phones are connecting from internet . do we need reachability between the IDP and smartphones or the expressway will intercept the authentication and pass the OTP to jabber clients?

IF the MFA is not support .  How is it easy to limit the jabber MRA login to the enrolled devices only ?

1) You can have SSO enabled on Expressway only.
2) Jabber in the Internet needs to reach the IDP directly, Expressway won't intercept it.
3) Enroll a company certificate to the phone (e.g. via MDM software) and check the certificate as an authentication factor.

But again, your IDP has to support the MFA you want to have, not the Expressway. Expressway doesn't care, how the authentication works, because it is not involved. Only the IDP and the device are involved in this phase, that's why device needs to have direct reachability to the IDP.

Thanks so much for your response.

I have a discussion with cisco TAC and they always advise to enable SSO in CUCM and CUC which I don't agree as the scope is only MRA clients.

Since the IDP will not be accessable to the jabber MRA clients then the best option is certificate based authentication . would you please share more detail on the configuration part in expressway C and E  and also what the is required to share with MDM team.

Certificate based authentication was just another example of the authentication method, just like MFA. So you too need SSO via IDP.
If you cannot enable SSO, because the reachability is not given between the device and IDP, then you cannot do anything else than standard username / password authentication.
For everything else, you need SSO.