12-29-2022 03:44 AM
Hi,
If we have SSO enabled for CUCM and IM&P, is it possible to still log in via LDAPS to the administration pages? Local authentication works with the recovery URL, but we can't get LDAPS working even though it worked before integrating SSO.
Thanks.
12-30-2022 04:24 AM
The only places LDAP authentication will be used with SAML SSO enabled are sign-in flows where the latter is not supported. The prime examples are MRA-connected IP Phones if not using Activation Code Onboarding & OAuth, MRA-connected TelePresence endpoints (i.e. anything running CE/RoomOS software), and RTMT if you toggle the Enterprise Parameter off for it.
Invest in your IdP deployment; it’s just as critical as DNS. The recovery URLs are there for the worst-case scenario of an IdP outage (or misconfiguration) only. They only work with local super-admin accounts.
12-29-2022 04:27 AM
Update: LDAPS isn't being used at all; for all screens other than OS admin and DRS, it simply redirects to ADFS and you have to authenticate there. It still respects user roles configured in CUCM.
This isn't ideal since now you have a dependency on ADFS/IdP to authenticate to an administrative portal with a domain user rather than just AD.