
SSO on UCM and local accounts

tato386
Level 6

What effect will enabling SSO on UCM have on my legacy local accounts?  After SSO is enabled I will still have many legacy non-SSO accounts, and I will not yet be enabling SSO on MRA as I would like to phase in the SSO migration instead of the "flipping a big switch" method.

I understand MRA physical phones don't use SSO and should be fine but what about Jabber clients (both internal and MRA) that do not have SSO enabled accounts?    I am running v12.5.1.SU8a on collab servers and v14.2.7 Expressway C/E.

TIA, 

14 Replies

b.winter
VIP

Once you enable SSO in CUCM, you cannot use local accounts for Jabber anymore. Every login in Jabber will be SSO enabled.
For MRA, if I remember correctly, it should still work with local accounts, if only CUCM is SSO enabled.

Why don't you enable SSO also on the Expressways? Why do you want to "flip 2 big switches" instead of 1 big? IMHO, I would either do it all at once or not do it at all.

MRA phones or video conference systems do not use SSO, even if SSO is enabled on the Expressway(s).





We have a large number of "generic" legacy accounts. These accounts are shared, and the username is just a numerical extension number with a PIN-like password. The accounts do not exist in our IdP. I would have to create a bunch of personal accounts in our IdP and was hoping to push that back until all our regular users are migrated to SSO.

Hello,

Why is it not possible for a local user account to use Jabber after SSO is enabled?
I thought it was possible to have a mix of users (LDAP-synchronized ones with SSO for auth, and local user accounts just defined on CUCM).
Do you have any source documents explaining that?

Thank you in advance,
Thierry

Technically you should be able to do what you say, but then you'd need to disable use of SSO in Jabber for those endpoints that specifically should use local account with local authentication. The Parameters Reference Guide for Cisco Jabber 14.0 has more information on how to turn off SSO.





Hi Roger,

Thank you for your message.
So it's possible to disable the use of SSO in Jabber for a group of users (the local CUCM users), isn't it?
I will read the guide you sent me.

I guess I will have the same issue with UCCX: if I enable SSO, only the synchronized users should be able to log in to Finesse.

Kind regards,
Thierry

It’s not really user specific as such. It’s specific to the endpoints that have Jabber installed. Meaning that it’s not specific to the user who logs in, it’s the installation of Jabber on the device. So you’ll either have the device enabled for use of SSO in Jabber or you don’t.





To follow up on what @Roger Kallberg said, yes it is possible for some Jabber clients to use SSO and some use local authentication by using different parameters in the jabberConfig.xml file. Providing you have CUCM v12 or later, you can create two different UC Services that are the jabberConfig.xml file and then create two different Service Profiles. One UC Service/Service Profile would include the Jabber Parameter (Roger provided a link earlier) that disables SSO for those clients.

Maren

Thanks @Maren Mahoney for pointing out how handling of the Jabber “xml” works in CM v12 and forward. With the built-in handling in these versions it is actually user centric, as the service profile is tied to the end user accounts.





@Roger Kallberg - So I suppose that begs the question of whether a non-SSO end user would be able to authenticate 'enough' for CUCM to get to the part where it is downloading the CUCM-based part of the config to the Jabber client. Are you proposing that the local client have a parameter for 'non-SSO authentication' prior to attempting to log into Jabber? This question is at the edge of what I know (or don't know) about the SSO authentication process so I am not sure.

Maren

Same thing that’s on my mind. I’ll be perfectly honest here, I don’t know. It’s like a hen and the egg question, who came first?





Hi Maren,

Thank you for your comments.
I understand that it's possible in a service profile to disable SSO (to be honest, I searched in the document that Roger sent, but I didn't find the specific parameter?!).

But if a user wants to log in to the CUCM user page, it won't work, I guess.
It should be the same if this user is a uccx agent and wants to use Finesse.

So to sum up, it should be a problem to enable SSO with local user account

Do you agree with me ?

Kind regards,
Thierry


@TBerwart wrote:

So to sum up, it should be a problem to enable SSO with local user account

Do you agree with me ?

Kind regards,
Thierry


As @b.winter wrote, SSO does not work with local user accounts.

I had a look in the document that I linked to, and also in the same document for Jabber version 12.5, and it turns out that the parameter for this, SSO_Enabled, was deprecated back in March 2021. That's why you can't find it.


With that it's not an applicable option to turn off use of SSO in Jabber any more.





Hi Roger,

Thank you for the confirmation, now it's crystal clear for me

Kind regards,

Thierry