[cisco-voip] Jabber Mobile 11.7 doesn't Store SSO User Credential

Ankur Srivastava ansrivastava at linkedin.com
Sat Oct 1 23:49:50 EDT 2016


Hi Alessandro,

When you enable SSO then CUCM does not control the authentication process
and at every login Expressway or CUCM will reach out to ADFS to confirm if
the user is authorised or not.

ADFS verifies the last SSO cookie to confirm whether it should allow the
request or prompt for login. CUCM or Expressway can't control this behavior.

So your users are being prompted for login because the SSO cookies expire
and ADFS requests re-authentication. You do not have any way to work around
this. This is how SSO works.

If you want fewer prompts, you can increase the SSO timers on ADFS to not
expire for 2-3 days, but that will affect all SSO requests, not just UC.

Regards,
Ankur

On Oct 2, 2016 02:37, "Alessandro Bertacco" <bertacco.alessandro at alice.it>
wrote:

We have a UC environment all on version 11.0 (CUCM, CUPS, CUC), and we use
Jabber 11.7 on all platforms: Windows, Mac, iOS and Android.



SSO authentication is enabled using Microsoft ADFS 2.0 as the IDP.



SSO works fine from all devices, and on Windows domain computers the SSO user
credentials are pushed directly from the operating system to the SSO
infrastructure, so users only need to open the Jabber client and do nothing
else to log in.



Instead, from Jabber for mobile devices, SSO authentication works, inside
and outside through the Expressway C/E infrastructure, but users' credentials
aren't stored on mobile devices.



So, every day, when users start up their smartphones, Jabber presents the SSO
IDP popup that asks users to authenticate. You understand that this makes
Jabber Mobile unusable, because users don't want to be bothered for
credentials every day.



I've also opened a TAC case, but the engineer has not found the root cause.



Does any of you have a working implementation of an SSO authentication
infrastructure with Jabber Mobile clients that store users' credentials and
pass them automatically to the IDP during the Jabber login?



Can you help me or suggest something?



This is making me crazy, and the customer wants to roll back to SSO disabled.
Is that the final solution?



Thank you.



Regards



Alessandro
