SSO with Multiple MRA clusters

ravi.pandey · ‎10-04-2022

with multiple MRA clusters scattered in different regions with their respective cucm cluster, is it possible to just enable SSO on one single region cluster of cucm, unity and Expressways and leave other region clusters on non-SSO, the reason i ask is because in an ILS setup, you discover all CuCM, unity, im&p clusters on Exp-C of all regions , so an EMEA cucm, unity and im&p will exist in APAC, US, and EMEA exp-C cluster if you have a 3 region cluster and lets say if you enable SSO just for EMEA region apps(cucm, unity and exp-c&E), what will happen if a user from APAC hits APAC Exp-E and APAC Exp-C and from Exp-C using round robin lands on EMEA cucm and EMEA cucm using ILS sends the request back to APAC cluster, so now you have 2 CuCMs at play one is SSO and one is non-SSO

expressways:14.0.8
cucm:12.5

Roger Kallberg · ‎10-05-2022

Please note that this is untested, but if you have this set as per the screenshot I believe that it should work with both SSO and non-SSO.

ravi.pandey · ‎10-05-2022

No, it won’t help, ‘authorise by user token’ is a token that is just used with SAML sso authentication it cannot work with both saml sso and ldap unlike self described tokens i.e the refresh tokens, the first option of your screenshot.
Authroise by user token also means that if a user authenticates first on local network and then goes to off-net, then that user would require reauthentication.

And if i keep both the options on, refresh will supersede ‘authorise by user token’ option.

Roger Kallberg · ‎10-05-2022

Now I’m puzzled, if you knew all this already why did you then ask?

ravi.pandey · ‎10-05-2022

Bcoz that wasn’t my question, you are talking about something else. That has nothing to do with my ask.

Roger Kallberg · ‎10-05-2022

Okay if you say so. Hopefully someone else can answer your question.

ravi.pandey · ‎10-05-2022

Thanks for responding Roger as always