Cisco CUCM 12.5 Multi Forest Domain Entra ID instead of AD LDS

roark-michael
Level 1

Cisco CUCM 12.5 Multi Forest Domain SSO Entra ID instead of AD LDS server.

We have 4 UCM clusters; 3 are on Domain A and 1 is on Domain B. We are in the process of migrating users on Domain B to Domain A. Is it possible to use SSO Entra ID for authentication and directory sync with users on multiple domains?

4 Replies

Perhaps someone here has a different suggestion, but AD LDS is the only reliable method of which I am aware that will work correctly in that scenario.

Jonathan Schulenberg
Hall of Fame

The single AD Forest limitation applies to CUCM’s DirSync service for LDAP Authentication. If you’re using SAML SSO, CUCM doesn’t care or know what’s on the other side of the IdP, only that it gets an access authorized response. If the IdP is capable of handling that multi-forest setup you’re fine. Just be real careful with LDAP synchronization since it assumes the AD forest guarantees account uniqueness (you should also be mapping the username to UPN instead of sAMAccountName in a multi-domain environment). 
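The uniqueness point in the reply above can be checked before changing the LDAP user ID mapping. The following is an added example, not part of the thread and not Cisco tooling; the sample records, domain labels and function names are constructed for illustration, and case-insensitive comparison is an assumption.

```python
from collections import defaultdict

# Constructed sample exports, one list per AD domain (not real accounts).
USERS = {
    "domain-a": [
        {"sAMAccountName": "jsmith", "userPrincipalName": "jsmith@a.example.com"},
        {"sAMAccountName": "mlee", "userPrincipalName": "mlee@a.example.com"},
    ],
    "domain-b": [
        {"sAMAccountName": "JSmith", "userPrincipalName": "jsmith@b.example.com"},
        {"sAMAccountName": "svc-fax", "userPrincipalName": ""},
    ],
}


def collisions(users_by_domain, attr):
    """Map each value of attr used by more than one account to its domains."""
    seen = defaultdict(list)
    for domain, users in users_by_domain.items():
        for user in users:
            # Assumption: compare case-insensitively, as AD does for logon names.
            value = (user.get(attr) or "").strip().lower()
            if value:
                seen[value].append(domain)
    return {v: doms for v, doms in seen.items() if len(doms) > 1}


def missing(users_by_domain, attr):
    """List (domain, sAMAccountName) for accounts with no value for attr."""
    return [
        (domain, user["sAMAccountName"])
        for domain, users in users_by_domain.items()
        for user in users
        if not (user.get(attr) or "").strip()
    ]


def audit(users_by_domain, attr):
    """Summarise whether attr can serve as a unique user ID across domains."""
    dup = collisions(users_by_domain, attr)
    gaps = missing(users_by_domain, attr)
    return {"attr": attr, "usable": not dup and not gaps,
            "collisions": dup, "missing": gaps}


if __name__ == "__main__":
    for attr in ("sAMAccountName", "userPrincipalName"):
        print(audit(USERS, attr))
```

In the constructed data, sAMAccountName collides across the two domains while userPrincipalName does not, but one account has no UPN and would need one populated before UPN could be used as the identifier.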

Hi Jonathan,

Thanks for the reply. We are not using SSO. One solution that we have looked into is using Webex Control Hub Connected UC Directory to authenticate the users. Have you seen any issues with the existing users when migrating to Webex Connected UC Directory?

Your OP said SSO. Please be clearer with your posts in the future.

CCUC Directory synchronization is just that: synchronization, not authentication. You’d still need a SAML SSO solution for auth. CCUC directory Sync is typically used with Entra ID or another SaaS IdP/IdM such as Okta, not on-premises AD though.