
sso. cucm. expressway

Evgeniy.Suvorov
Level 1

Hi all.

I have CUCM and Expressway installed for MRA. All works fine. I want to enable SSO just on CUCM and don't want to enable it on Expressway. Is it a supported configuration, or do I need to enable SSO on CUCM and Expressway at the same time?

15 Replies

Ayodeji Okanlawon
VIP Alumni

SSO is enabled cluster-wide on CUCM. You can't enable or disable it on Expressway. Once your cluster is enabled for SSO, Jabber will automatically discover it through Expressway.

Please rate all useful posts

I can enable and disable SSO on Expressway. See the documentation for that product: http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/config_guide/X8-5/Mobile-Remote-Access-via-Expressway-Deployment-Guide-X8-5.pdf

Deleted

Please rate all useful posts

Hi Ayodeji

If SSO is enabled on CUCM but not enabled on Expressway, will users still be able to log in over Expressway MRA?

Yes, definitely. SSO just won't be available and Jabber will default to normal sign-in.

Please rate all useful posts

Hi Ayodeji.

How will users be able to log in over MRA if they will not be able to access the IdP server?

They will not

How about the other way around?

Can we enable SSO on Exp without enabling it on CUCM?

Thanks

Pasha.

Pasha,

No, you need to enable SSO on both CUCM and Expressway-C/E for SSO to work over MRA. This is because once the client has been asserted at the edge by the Expressway, CUCM still needs to verify from the IdP server that the client is authorized for the request.

Please refer here for more details

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/expressway/admin_guide/Cisco-Expressway-Administrator-Guide-X8-5-1.pdf

Please rate all useful posts

Thanks Deji,

I read the doc. I did notice it said IdP & CUCM should exchange SAML metadata; it just didn't explicitly say SSO should be active on CUCM. I understand it was implicit, I was just hoping that someone had a different experience :)

Thanks again.

Test it. If SSO is enabled on the CUCM cluster, it needs to be enabled on MRA or the user will not be able to log on and will get the message SSO access denied.

Yes, this is correct. SSO needs to be enabled on all infrastructure for Jabber to work.

Please rate all useful posts

Looks like my testing procedure was not really good after all :)

YES, it is possible to have SSO enabled on CUCM/Unity and not SSO-enabled on Express. Then your initial comment was right!

Thank you for the update. I have learnt a lot from interacting with you, so thank you.

Please rate all useful posts