[cisco-voip] R: Jabber Mobile 11.7 don't Store SSo User Credential

Alessandro Bertacco bertacco.alessandro at alice.it
Sun Oct 2 03:39:39 EDT 2016


Thank you Ankur,

so the only way to make Jabber mobile usable is to disable SSO?

Is it possible to disable SSO only for the Jabber client? Or will I need to disable SSO globally?

Thank you again.

Regards

Alessandro

From: Ankur Srivastava [mailto:ansrivastava at linkedin.com]
Sent: Sunday, 2 October 2016 05:54
To: Alessandro Bertacco <bertacco.alessandro at alice.it>
Cc: voip puck <cisco-voip at puck.nether.net>
Subject: Re: [cisco-voip] Jabber Mobile 11.7 don't Store SSo User Credential

Also, you can't save any credentials because Jabber is not prompting for login; it's the ADFS which prompts for it. Jabber just opens a web wrapper and loads an HTTP link for ADFS.

So there is no way for the Jabber client to know what credentials you entered in that pop-up.

Regards,
Ankur

 

On Oct 2, 2016 09:19, "Ankur Srivastava" <ansrivastava at linkedin.com> wrote:

Hi Alessandro,

When you enable SSO, CUCM does not control the authentication process, and at every login Expressway or CUCM will reach out to ADFS to confirm whether the user is authorised or not.

ADFS verifies the last SSO cookie to confirm whether it should allow the request or prompt for login. CUCM or Expressway can't control this behavior.

So your users are being prompted for login because the SSO cookies expire and ADFS requests re-authentication. You do not have any way to work around this. This is how SSO works.

If you want fewer prompts, you can increase the SSO timers on ADFS to not expire for 2-3 days, but that will affect all SSO requests, not just UC.

Regards, 
Ankur

 

On Oct 2, 2016 02:37, "Alessandro Bertacco" <bertacco.alessandro at alice.it> wrote:

We have a UC environment all in version 11.0 (CUCM, CUPS, CUC), and we use Jabber 11.7 on all platforms: Windows, Mac, iOS and Android.

SSO authentication is enabled using Microsoft ADFS 2.0 as IdP.

SSO works fine from all devices, and on Windows domain computers the SSO user credentials are pushed directly from the operating system to the SSO infrastructure, so users only need to open the Jabber client and do nothing else to log in.

Instead, from Jabber for mobile devices, SSO authentication works, inside and outside through the Expressway C/E infrastructure, but users' credentials aren't stored on mobile devices.

So, every day, when users start up their smartphones, Jabber presents the SSO IdP popup that asks users to authenticate. You understand that this makes Jabber Mobile unusable, because users don't want to be bothered for credentials every day.

I've also opened a TAC, but the engineer hasn't found the root cause.

Does any of you have a working implementation of an SSO authentication infrastructure with Jabber Mobile clients that store users' credentials and pass them automatically to the IdP during the Jabber login?

Can you help me or suggest something?

This is making me crazy, and the customer wants to roll back to SSO disabled. Is that the final solution?

Thank you.

Regards

Alessandro

