09-28-2023 07:34 AM
What effect will enabling SSO on UCM have on my legacy local accounts? After SSO is enabled I will still have many legacy non-SSO accounts, and I will not yet be enabling SSO on MRA as I would like to phase in the SSO migration instead of the "flipping a big switch" method.
I understand MRA physical phones don't use SSO and should be fine but what about Jabber clients (both internal and MRA) that do not have SSO enabled accounts? I am running v12.5.1.SU8a on collab servers and v14.2.7 Expressway C/E.
TIA,
09-28-2023 07:54 AM
Once you enable SSO in CUCM, you cannot use local accounts for Jabber anymore. Every login in Jabber will be SSO enabled.
For MRA, if I remember correctly, it should still work with local accounts, if only CUCM is SSO enabled.
Why don't you enable SSO also on the Expressways? Why do you want to "flip 2 big switches" instead of 1 big? IMHO, I would either do it all at once or not do it at all.
09-28-2023 09:31 AM - edited 09-28-2023 09:32 AM
MRA phones or video conference systems do not use SSO, even if SSO is enabled on the Expressway(s).
09-28-2023 10:53 AM
We have a large number of "generic" legacy accounts. These accounts are shared and the username is just a numerical extension number and a PIN-like password. The accounts do not exist in our IdP. I would have to create a bunch of personal accounts in our IdP and was hoping to push that back until all our regular users are migrated to SSO.
02-28-2024 04:55 AM
Hello,
Why is it not possible for a local user account to use Jabber after SSO is enabled?
I thought it was possible to have a mix of users (LDAP-synchronized ones with SSO for auth. and local user accounts just defined on CUCM).
Do you have any source documents explaining that?
Thank you in advance,
Thierry
02-28-2024 05:41 AM
Technically you should be able to do what you say, but then you'd need to disable use of SSO in Jabber for those endpoints that specifically should use local account with local authentication. The Parameters Reference Guide for Cisco Jabber 14.0 has more information on how to turn off SSO.
02-28-2024 06:04 AM
Hi Roger,
Thank you for your message.
So it's possible to disable the use of SSO in Jabber for a group of users (the local CUCM users), isn't it?
I will read the guide you sent me.
I guess I will have the same issue with UCCX: if I enable SSO, only the synchronized users should be able to log in to Finesse.
Kind regards,
Thierry
02-28-2024 06:36 AM
It’s not really user specific as such. It’s specific to the endpoints that have Jabber installed. Meaning that it’s not specific to the user who logs in, it’s the installation of Jabber on the device. So you’ll either have the device enabled for use of SSO in Jabber or you don’t.
02-29-2024 06:47 AM
To follow up on what @Roger Kallberg said, yes it is possible for some Jabber clients to use SSO and some use local authentication by using different parameters in the jabberConfig.xml file. Providing you have CUCM v12 or later, you can create two different UC Services that are the jabberConfig.xml file and then create two different Service Profiles. One UC Service/Service Profile would include the Jabber Parameter (Roger provided a link earlier) that disables SSO for those clients.
Maren
02-29-2024 09:18 AM
Thanks @Maren Mahoney for pointing out how handling of the Jabber “xml” works in CM v12 and forward. With the built-in handling in these versions it is actually user centric, as the service profile is tied to the end user accounts.
02-29-2024 09:57 AM
@Roger Kallberg - So I suppose that begs the question of whether a non-SSO end user would be able to authenticate 'enough' for CUCM to get to the part where it is downloading the CUCM-based part of the config to the Jabber client. Are you proposing that the local client have a parameter for 'non-SSO authentication' prior to attempting to log into Jabber? This question is at the edge of what I know (or don't know) about the SSO authentication process so I am not sure.
Maren
02-29-2024 10:42 AM
Same thing that’s on my mind. I’ll be perfectly honest here, I don’t know. It’s like a hen and the egg question, who came first?
03-04-2024 12:48 AM
Hi Maren,
Thank you for your comments.
I understand that it's possible in a service profile to disable SSO (to be honest, I searched in the document that Roger sent, but I didn't find the specific parameter?!).
But if a user wants to log in to the CUCM user page, it won't work, I guess.
It should be the same if this user is a UCCX agent and wants to use Finesse.
So to sum up, it should be a problem to enable SSO with local user accounts.
Do you agree with me?
Kind regards,
Thierry
03-04-2024 03:50 AM - edited 03-04-2024 03:51 AM
@TBerwart wrote:
So to sum up, it should be a problem to enable SSO with local user accounts.
Do you agree with me?
Kind regards,
Thierry
As @b.winter wrote, SSO does not work with local user accounts.
I had a look in the document that I linked to, and also in the same document for Jabber version 12.5, and it turns out that the parameter for this, SSO_Enabled, was deprecated back in March 2021. That's why you can't find it.
With that, it's not an applicable option to turn off use of SSO in Jabber any more.