11-04-2024 01:31 PM
Hello All,
I'm trying to set up SSO between CUCM and Entra ID, and I would like to know whether in the SAML request CUCM always sends the "userid", or whether there is a way (I think it's not possible via the GUI, but maybe by CLI) to modify this parameter and send the email or extension instead.
Thank you very much in advance.
Juan
11-05-2024 02:45 AM
You have it backward: the IdP includes whatever the user identifier is in the SAML response given to the client. CUCM compares this value, in the uid attribute, to the user identifier in CUCM. That can be an email address or other valid URI. If you're syncing accounts from LDAP, you would need to change the username attribute mapping away from sAMAccountName to mail or UPN under System > LDAP.
11-05-2024 03:06 AM
Many thanks for your answer Jonathan.
I have a doubt. According to your explanation, the IdP passes to the CUCM all the information regarding that user, and Call Manager will be in charge of reviewing this information to see if any field matches the uid. Correct? The point is that the uid must be the user's extension, and in the IdP we have the email. And this must remain that way. From what you say, I understand that I cannot make the uid in CUCM be the mail field, but I could make the IdP send what is populated in the Extension field to match the uid in CUCM. Correct? The ideal solution would be to change the uid in the CUCM to take what is set in the mail field.
Again, thanks for your help.
Juan
11-05-2024 12:36 PM
...the IdP passes to the CUCM all the information regarding that user
Technically the IdP sends the SAML response to the client which then forwards it on to CUCM; the IdP and SP, such as CUCM, never communicate directly.
Call Manager will be in charge of reviewing this information to see if any field matches the uid.
Not quite. The SAML response must contain a uid attribute that matches a username in CUCM. The CUCM username attribute supports URIs, so it can be the email address. M365/Entra best practices call for the userPrincipalName to be the user's email address, so that's the most common approach. Mail doesn't enforce uniqueness; multiple accounts could have the same mail address, but not the same UPN.
The point is that the uid must be the user's extension and in the IdP we have the email. And this must remain in that way.
If you meant that the CUCM username must remain the user's numeric extension then you'll have to configure the IdP to map that value into the uid attribute of the SAML response. Be careful about duplicates though if that numeric extension attribute doesn't enforce uniqueness in Entra.
The ideal solution should be to change the uid in the CUCM to take what is set on mail field.
This is possible. Again, UPN is more common than mail since it enforces unique values.
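The matching described in this answer, as an added example that is not part of the thread and is not Cisco's or Microsoft's code: the SP side reads the `uid` attribute out of the SAML response and looks for an exact match against its own username table, and a small check over a directory snapshot shows why an attribute that is not unique (mail, or a numeric extension) is a poor source for `uid` while UPN is safe. The SAML fragment, the CUCM user table and the Entra accounts are constructed for illustration, and the example deliberately skips signature validation, which a real SP performs before trusting any attribute.

```python
"""Added example (not from the thread, not Cisco's or Microsoft's code):
how a SAML service provider such as CUCM matches the 'uid' attribute in a
SAML response against its own usernames, and a uniqueness check showing
which directory attribute can safely be mapped into 'uid'.
All names, accounts and the assertion below are constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SAML response fragment. A real response is signed and the SP
# must validate that signature before trusting any attribute; signature
# handling is omitted here to keep the focus on attribute matching.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>juan@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid">
        <saml:AttributeValue>juan@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>juan@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed CUCM end-user table: username -> extension. CUCM usernames
# may be URIs, so an email address is a valid username.
CUCM_USERS = {
    "juan@example.com": "1001",
    "maria@example.com": "1002",
}

# Constructed Entra directory snapshot, one dict per account. The third
# account shares Juan's mail address and extension but has its own UPN.
ENTRA_ACCOUNTS = [
    {"userPrincipalName": "juan@example.com", "mail": "juan@example.com", "extension": "1001"},
    {"userPrincipalName": "maria@example.com", "mail": "maria@example.com", "extension": "1002"},
    {"userPrincipalName": "juan.alias@example.com", "mail": "juan@example.com", "extension": "1001"},
]


def extract_attribute(response_xml, name):
    """Return all values of the named SAML attribute (empty list if absent)."""
    root = ET.fromstring(response_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend(v.text or "" for v in attr.iterfind("saml:AttributeValue", NS))
    return values


def match_cucm_user(response_xml, users=CUCM_USERS):
    """SP-side check: exactly one uid value, and it must equal a CUCM username."""
    uids = extract_attribute(response_xml, "uid")
    if len(uids) != 1:
        return None
    return uids[0] if uids[0] in users else None


def duplicate_values(accounts, attribute):
    """Return the values of `attribute` that occur on more than one account."""
    counts = Counter(a.get(attribute) for a in accounts if a.get(attribute))
    return sorted(v for v, n in counts.items() if n > 1)


def safe_uid_sources(accounts, candidates=("userPrincipalName", "mail", "extension")):
    """Directory attributes that can be mapped into 'uid' without collisions."""
    return [c for c in candidates if not duplicate_values(accounts, c)]


if __name__ == "__main__":
    print("matched CUCM user:", match_cucm_user(SAMPLE_RESPONSE))
    for attr in ("userPrincipalName", "mail", "extension"):
        print(attr, "duplicates:", duplicate_values(ENTRA_ACCOUNTS, attr))
    print("collision-free uid sources:", safe_uid_sources(ENTRA_ACCOUNTS))
```

Run as a script it reports that the sample response maps to `juan@example.com`, that `mail` and `extension` each carry a duplicate in the constructed directory, and that only `userPrincipalName` is collision-free, which is the practical reason the answer above favours UPN over mail or a numeric extension as the value the IdP places in `uid`.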
11-12-2024 02:51 AM
Thank you very much for your support Jonathan.