SAML SSO - UCM - Per Node vs Cluster Wide SSO Mode

Jes80 (Level 1)

Hi Expert,

Anyone know what the real difference is between "cluster wide" and "per node" SSO mode in UCM?

Don't tell me "one metadata per cluster/node" (I can read that myself on the UCM page).

I am more interested in why we would choose "per node", whether there is any specific scenario in which people choose this, and what impact we may not be aware of when using "per node".

Thanks,

J

28 Replies

It won’t restart Jabber automatically, but I recommend advising users that they may need to log out and back in to Jabber. It has not always handled this transition as gracefully as we’d like. Once Tomcat restarts on CUCM-IM&P, any HTTP/S requests are going to fail until the client coughs up a SAML cookie (or OAuth token). In a perfect world Jabber would realize what has happened and trigger an SSO login on the spot. It hasn’t reliably in my experience.

I also read in a Cisco doc that you cannot use OAuth when using the Webex App (which gets messaging from Webex but calling from UCM)?

@Jes80 Where have you read that? That’s not my experience at all. We use the Webex application, with UCM calling and messaging in the cloud, with refresh token, i.e. an OAuth token, without any issues.

In this document:

Deploying OAuth with Cisco Collaboration
Solution Release 12.0
Authors: Bryan Morris, Kevin Roarty (Collaboration Technical Marketing)
Last Updated: December 2017

I think that is related to something other than the refresh token. Apart from that, it’s six years old and a lot has changed for Webex in that time. In 2017 there was no new Webex application, so likely what is referenced as Webex in that publication is Webex Meetings, and that’s something altogether different.

Is it this part of the document that you referenced?

Hybrid deployment with WebEx Messenger
Cisco Jabber can also be run in a hybrid environment where instant message and presence services are provided by the Cisco WebEx Messenger cloud service. Telephony services in this model are provided by Unified CM. In this model OAuth operation is not supported.

If so, that’s not related to the Webex application. Webex Messenger is something else that was used with Jabber for messaging in the cloud, and that service has since been deprecated.

Correct, that is the one I referred to. Thanks for clarifying; we used Webex Desktop Meeting.

Thanks Roger,

I will set up refresh tokens at the same time as enabling SSO. Is there any impact on other UC applications I need to be aware of when enabling refresh tokens?

Rgds,

J

No. As these two are mutually exclusive functions, I would suggest that you turn on use of refresh token a while before you turn on SSO. In fact I would suggest that you do that as soon as possible, as it would not do anything bad; it would actually make the UX for your users a lot better.

Thanks, will enable it. Do you see an issue if I enable refresh token and SSO in the same change window?

Yes. Otherwise I would not have made my previous comment.

When you say enable "Refresh Token", do you mean just go to "Enterprise Parameters" and enable it?

[Screenshot attachment: Jes80_0-1676671961095.png]

Yes. In that same section there is another setting that is recommended to be changed to get a good working solution for any devices with iOS. The default is for these clients to use the embedded web browser, and that doesn’t result in a good UX for your users. For a better experience it is recommended to set this to the other option, where it uses Safari as the web browser instead. This is so that the application on the Apple device can access the certificate trust store on the device.

Hi Jonathan,

I tried to use per-node IdP; however, the wizard menu on Cisco Call Manager 12.5.1 SU7 does not work to upload the next IdP metadata for the Subscriber and IM&Ps. It is only able to upload IdP metadata for the UCM Publisher.

So when I click "IdP", it just loads and then disappears, without giving you the option to upload IdP metadata.

[Screenshot attachment: Jes80_0-1677021534922.png]