Re: LDAP users are unable to login to jabber using SSO.

Yenosh · ‎02-01-2023

We have newly configured a Expressway C and E for jabber login. But LDAP users are unable to login to jabber using SSO.

When we try to login LDAP user internally using SSO getting: Password/Username incorrect.
When we try to login LDAP user over MRA using SSO getting: Cannot open page. Try again later.
LDAP users are able to login to cucm with SSO.
Local users are able to login and use jabber internally and over MRA.

We don't have IMP nodes in my infrastrcuture.

Any help would be really appreciated.

b.winter · ‎02-01-2023

When we try to login LDAP user internally using SSO getting: Password/Username incorrect. --> Have you checked the PRT of Jabber? You can also upload it here https://cway.cisco.com/csa/ and let it analyze the PRT.

When we try to login LDAP user over MRA using SSO getting: Cannot open page. Try again later. --> If SSO doesn't work internally, I doubt it won't work via MRA too. Do you have in mind, that Jabber needs to reach the IDP directly? The communication between Jabber and IDP is not going through Expressway, Jabber needs to be able to communicate with the IDP directly.

Local users are able to login and use jabber internally and over MRA. --> How is it possible, to be able to login with local users? If SSO is enable, every authentication is done via SSO, which in principle makes local users meaningless...

Which guide have you followed to configure the IDP? There are good configuration guide, how to configure the IDP for use with CUCM

Yenosh · ‎02-09-2023

I have followed this guide to enable IDP and SSO on expressway C

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/config_guide/X12-7/exwy_b_mra-deployment/exwy_m_basic-configuration.html#task_A458A57F311E876761D31B48B30F5AD5

User is able to login to CUCM using same LDAP credentials but when trying to login to jabber using same he is getting password error

It is multi domain environment

Extenernal:test1.example.com

INternal :test1.local.com

Any help to fix this issue would be great help.

b.winter · ‎02-09-2023

Hi,
you should probably take it step by step. If Jabber cannot login with LDAP credentials, then I wouldn't expect that SSO is working internally / externally.

So, I would check the following and only go to the next step, if the current step is OK.
E.g. it doesn't make any sense, to test MRA login, if the internal login isn't working.

SSO is disabled.
1. Can the user login with LDAP credentials to CUCM (e.g. self-service portal)
2. Can the user login with LDAP credentials in Jabber internally.
3. Can the user login with LDAP credentials in Jabber externally via MRA.

If all this steps work, then activate SSO and do the same steps again:
SSO is enabled.
1. Can the user login via SSO to CUCM (e.g. self-service portal)
2. Can the user login via SSO in Jabber internally.
3. Can the user login via SSO in Jabber externally via MRA.

Yenosh · ‎02-10-2023

I will check and update you

Yenosh · ‎02-14-2023

HI @b.winter

I have disabled SSO - Able to login to CUCM but not able to login to jabber, getting username /Password error.

b.winter · ‎02-14-2023

Then you need to generate a Probelm Report in Jabber and check it.
You can also upload it here and let it analyze: https://cway.cisco.com/csa/

But currently I don't have a solution, other then asking if you have configured everything correclty (CSF device, assigned device in the end user page, end user has the correct access control groups assigned, configured the UC services, assigned the UC services to a service profile, assigned to service profile to a user).

You also have IM&P? If yes, check if you have any errors there.

Yenosh · ‎03-15-2023

We have opened a case with TAC , TAC identified expressway-C is looking for UID filed which is not set properly in OKTA. After configuring the UID in okta application users were able to login Succefully

Roger Kallberg · ‎03-15-2023

Glad that you managed to get this sorted. However I thought you said that you disabled SSO? If so how can Okta be a part of the authentication flow from the Expressway(s)?

Yenosh · ‎03-15-2023

I have disabled SSO just for testing after that I did enable it again.