Two-Factor Authentication for Jabber MRA?

Adam Roddy
Level 1

Currently we are using Jabber iPhone/Android/Windows with MRA.  Is there any way (or future plans) to support Two-Factor Authentication?  Specifically I would like to use either DUO or even certificate based authentication in addition to the LDAP credentials.  Our company is implementing a policy where all external applications must require Two-Factor authentication.  If there will be no support for this we have no choice but to disable the product/feature company wide.

1 Accepted Solution

skilambi
VIP Alumni

Adam

Yes, cert based auth is supported by Cisco/Jabber. IDP can be set up for two factor/biometrics/whatever you need. MRA support for cert based auth is not there yet but is coming in the next few weeks with x8.9.

14 Replies

Thanks Srinivasan.

Currently I am doing SSO using ADFS 3.0 as the IDP for authentication of internal Jabber users.  It looks like I should be able to integrate DUO two factor with ADFS.  If that's the case, I believe enabling SSO on the collab-edge/MRA should do the trick, correct?  

If you decide on cert based authentication for MRA, you will need to set up a second Expressway pair for IP endpoints such as phones and Telepresence endpoints.

Sent from my mobile.

Marcus Casimir | Sr. Collaboration Solutions Architect

Presidio | www.presidio.com

One Penn Plaza Suite 2832, New York, NY 10119

D: 212.324.4317 | mcasimir@presidio.com

Thanks Marcus.

Do you know if I will be able to use cert auth for devices such as 8800 phones?  Or is it for Jabber online?

Cert based authentication, once turned on for that Expressway pair, can only facilitate Jabber clients.

Sent from my mobile.

Marcus Casimir | Sr. Collaboration Solutions Architect

Marcus

Where do you see the requirement for a separate expressway pair needed for this? x8.9 docs are not out yet and I don't see anything like that mentioned in the alpha docs.

kroarty Can you please comment on this?

Kevin will chime in. The docs have not been updated yet.

Sent from my mobile.

Marcus Casimir | Sr. Collaboration Solutions Architect

Marcus

The statement that you need a separate Expressway pair is not completely accurate. If you use exclusive mode only, then it is dedicated for Jabber. If you set it to On, then you can do both cert based auth with IDP and support phones/TP endpoints.

This is confirmed with internal docs.

Right, it's the usage of SSO Exclusive mode that would require another Expressway pair for non SSO MRA clients. 

The new option in X8.9 to allow iOS devices to use Safari for MRA authentication with the IdP can be used with SSO = ON or Exclusive.

Yes, the exclusive mode is where the Expressway pair will only authenticate devices through SSO. The normal username and password will not work. This feature is mainly used to prevent anyone from downloading the Jabber client and trying to authenticate by brute force or compromised credentials.

Sent from my mobile.

Marcus Casimir | Sr. Collaboration Solutions Architect

I don't think that's the sole motivation for this feature. It's also for customers who didn't want to be annoyed with form based auth, and using a cert helps. To add to that, it was needed specifically on iOS because Safari is the only way to access the keychain store, and Jabber used the web view kit, which didn't have access to the trust store on iOS.

MDM policy can prevent access to Jabber, as an example; however, capability to enforce role based access without MDM is still on the roadmap.

Adam Roddy
Level 1

Disregarding certificate authentication for a minute... If I enable SSO for MRA and point it to my IDP (ADFS 3.0 integrated with Duo), this should allow me to enable two-factor authentication today, correct?

Right, that's my understanding too. 11.5 is only needed for cert based auth.

Thanks

Srini

Hello Adam,

Have you implemented the MFA or certificate based login?