
SSO on CUCM Cluster

Rene Mueller
Level 5

Hello,

Question: if I enable single sign-on on my CUCM cluster, does it mean that I have to use SSO on all endpoints, like Jabber or TSP? We are using CUCM 10.5.

If possible, I would like to start with TSP using SSO and later on also use Jabber.

Regards,

René

1 Accepted Solution


That is not possible. Once you enable SSO on your cluster, Jabber will automatically detect it and will attempt to use it.

Please rate all useful posts


10 Replies

Md Hasan
Cisco Employee

You'll possibly get the error "Cannot open page. Try again later" with no option to log in from Jabber with CUCM SSO enabled. You can verify this in the Jabber log (Problem report > jabber.log):

.."[LifecycleController::OnSSOSignInRequired] - LifecycleController::OnSSOSignInRequired - Cannot open page. Try again later."

Hi Md Hasan,

Is this a "yes" to my question, that whenever SSO is enabled in the cluster, I have to use SSO on all endpoints?

Rene,

The answer is NO. Most of your endpoints don't require SSO. It's only Jabber that supports SSO. It also depends on your Jabber version. From the client side, i.e. Jabber, you don't need to do anything for it to support SSO. It's automatically built into the client.

Please rate all useful posts

Hello,

Sorry, I don't get it. Try to make it simple. I have 2 applications running on my client which have the SSO feature built in. One is Jabber 10.6 and the other is Cisco TSP (TAPI client). I want to use TSP with SSO but I don't want to use Jabber for SSO. Is this still possible after I enabled SSO on the cluster for TSP?

Regards

Rene

That is not possible. Once you enable SSO on your cluster, Jabber will automatically detect it and will attempt to use it.

Please rate all useful posts

Hello,

This discussion is very relevant to my scenario. The only variation is that I have 2 domains and each domain is a separate forest with AD.

Will SSO work for me? Do I need to change to uid for user synchronization?

Thanks

MultiDomain will work with AD-LDS to aggregate Multi-Forest domains to the CUCM (v10.5+). This will take care of users in CUCM and the address book for Jabber.

SSO will also be redirected to respective Forests for authentication by AD-LDS.

Hi Ayodeji, sorry to raise this question after such a long time. I also have questions about JTAPI user SSO, hope you can help me!

1. When SSO is enabled for authentication on the cluster, our current understanding is that the JTAPI/TAPI user is also authenticated using SSO and we cannot bypass SSO.
However, we would like to avoid SAML authentication for the JTAPI/TAPI user because it is integrated with an external application.
So is there a way to bypass SSO just for the JTAPI/TAPI user?


2. We have an application server which provides a click-to-call service by integration through CTI, and also a recording server.
Because it uses CTI, we create an end user for the application and link the device to the end user.
This CTI integration currently uses ID/PW authentication, but when we enable SSO, is it correct to say that since SAML and OAuth will be covered by the TSP client provided by CUCM and the JTAPI application side, the application server side doesn't need to care about SSO?
Or does the application server side also need to support the SAML and OAuth protocols? In that case, are there any necessary tasks, like approving access to the certificate store etc.?

You don't have to "enable" SSO on the client, because the client automatically discovers that CUCM has SSO enabled and Jabber must adhere to that. This means the PC must join the domain and must be able to communicate with the SSO server/ADFS server over HTTPS without any hiccups (Internet Explorer specific settings may be needed). The error I have posted was from a PC that is not domain joined. In the same environment, where a PC is set up properly and domain joined, SSO works OK.

HTH

Hi Md Hasan,

I have exactly this issue.

All works fine for Jabber mobile (Android and iPhone) and also for Mac.

Also, this issue happens only when accessing through the Expressway infrastructure; in the corporate LAN, authentication works like a charm!!

But with Jabber for Windows (all versions) on Windows 10, with SSO enabled and the ADFS site added to Intranet Sites in Internet Options, when I try to log in I get a Jabber popup that says:

Unable to open https://adfs.externaldomain.it and it is immediately closed.

In Jabber I see the error: Unable to open the Page, Try again later

But SSO authentication works fine if I put the ADFS URL in Trusted Sites in Internet Options. In this case, however, Jabber always asks for the domain username and password, and doesn't use the Windows logon credentials. Very annoying.

Any idea?

Many Thanks

Alessandro Bertacco