I have CUCM and Expressway installed for MRA. All works fine. I want to enable SSO just on CUCM and don't want to enable it on Expressway. Is it a supported configuration, or do I need to enable SSO on CUCM and Expressway at the same time?
SSO is enabled cluster-wide on CUCM. You can't enable or disable it on Expressway. Once your cluster is enabled for SSO, Jabber will automatically discover it through Expressway.
I can enable and disable SSO on Expressway. See the documentation for that product: http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-5.pdf
No, you need to enable SSO on both CUCM and Expressway-C/E for SSO to work over MRA. This is because once the client has been asserted at the edge by the Expressway, CUCM still needs to verify from the IdP server that the client is authorized for the request.
Please refer here for more details
I read the doc. I did notice it said IdP & CUCM should exchange SAML metadata; it just didn't explicitly say SSO should be active on CUCM. I understand it was implicit, I was just hoping that someone had a different experience :)
Test it. If SSO is enabled on the CUCM cluster, it needs to be enabled on MRA or the user will not be able to log on and will get the message SSO access denied.
Looks like my testing procedure was not really good after all :)
YES, it is possible to have SSO enabled on CUCM/Unity and not SSO-enabled on Express. Then your initial comment was right!