cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1196
Views
9
Helpful
14
Replies

SSO on UCM and local accounts

tato386
Level 6
Level 6

What effect will enabling SSO on UCM have on my legacy local accounts?  After SSO is enabled I will still have many legacy non-SSO accounts, and I will not yet be enabling SSO on MRA as I would like to phase in the SSO migration instead of the "flipping a big switch" method.

I understand MRA physical phones don't use SSO and should be fine but what about Jabber clients (both internal and MRA) that do not have SSO enabled accounts?    I am running v12.5.1.SU8a on collab servers and v14.2.7 Expressway C/E.

TIA, 

14 Replies 14

b.winter
VIP
VIP

Once you enable SSO in CUCM, you cannot use local accounts for Jabber anymore. Every login in Jabber will be SSO enabled.
For MRA, if I remember correctly, it should still work with local accounts, if only CUCM is SSO enabled.

Why don't you enable SSO also on the Expressways? Why do you want to "flip 2 big switches" instead of 1 big? IMHO, I would either do it all at once, don't do it at all.

MRA phones or video conference systems do not use SSO, even if SSO is enabled on the Expressway(s).



Response Signature


We have a large number of "generic" legacy accounts.  These accounts are shared and the username is just a numerical extension number and PIN like password.  The accounts do not exist in our IdP.  I would have to create a bunch of personal accounts in our IdP and was hoping to push that back until all our regular users are migrated to SSO. 

Hello,

Why is it not possible for local user account to use Jabber after SSO enabled ?
I though i was possible to have a mixed of users (LDAP synchronized ones with SSO for auth. and local user account just defined on cucm)
Do you have any source of documents explaining that ?

Thank you in advance,
Thierry

Technically you should be able to do what you say, but then you'd need to disable use of SSO in Jabber for those endpoints that specifically should use local account with local authentication. The Parameters Reference Guide for Cisco Jabber 14.0 has more information on how to turn off SSO.



Response Signature


Hi Roger,

Thank you for your message.
So it's possible to disable the use of SSO in Jabber for a group of users (the local cucm users), isn't ?
I will read the guide your sent me

I guess I will have the same issue with UCCX : If I enable SOO, Only the synchronized user should be able to log in finess

Kind regards,
Thierry

It’s not really user specific as such. It’s specific to the endpoints that has Jabber installed. Meaning that it’s not specific to the user who login, it’s the installation of Jabber on the device. So you’ll either have the device enabled for use of SSO in Jabber or you don’t.



Response Signature


To follow up on what @Roger Kallberg said, yes it is possible for some Jabber clients to use SSO and some use local authentication by using different parameters in the jabberConfig.xml file. Providing you have CUCM v12 or later, you can create two different UC Services that are the jabberConfig.xml file and then create two different Service Profiles. One UC Service/Service Profile would include the Jabber Parameter (Roger provided a link earlier) that disables SSO for those clients.

Maren

Thanks @Maren Mahoney for pointing out how handling of the Jabber “xml” works in CM v12 and forward. With the build in handling in these versions it is actually user centric as the service profile is tied to the end user accounts.



Response Signature


@Roger Kallberg - So I suppose that begs the question of whether a non-SSO end user would be able to authenticate 'enough' for CUCM to get to the part where it is downloading the CUCM-based part of the config to the Jabber client. Are you proposing that the local client have a parameter for 'non-SSO authentication' prior to attempting to log into Jabber? This question is at the edge of what I know (or don't know) about the SSO authentication process so I am not sure.

Maren

Same thing that’s on my mind. I’ll be perfectly honest here, I don’t know. It’s like a hen and the egg question, who came first?



Response Signature


Hi Maren,

Thank you for your comments.
I understand that it's possible into a service profiles to disable SSO. (to be honest, I searched in the document that Roger sent, but I didn't find the specific parameter?!).

But, if a user wants to login the cucm user page, it won't work I guess.
It should be the same if this user is a uccx agent and wants to use Finesse.

So to sum up, it should be a problem to enable SSO with local user account

Do you agree with me ?

Kind regards,
Thierry


@TBerwart wrote:

So to sum up, it should be a problem to enable SSO with local user account

Do you agree with me ?

Kind regards,
Thierry


As @b.winter wrote SSO does not work with local user accounts.

On the document that I linked to I had a look in that and also the same document, but for Jabber version 12.5 and it turns out that the parameter for this SSO_Enabled was deprecated back in March 2021. That's why you can't find it.

image.png

With that it's not an applicable option to turn off use of SSO in Jabber any more.



Response Signature


Hi Roger,

Thank you for the confirmation, now it's crystal clear for me

Kind regards,

Thierry