<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Do you use a different hostname for the outside IDP?</div><div id="AppleMailSignature">To take into account:</div><div id="AppleMailSignature">1) Is it Kerberos / IWA on the inside?</div><div id="AppleMailSignature">2) Outside it will likely be NTLM, and you need extra config for IE and hence Jabber to automatically send creds to a host</div><div id="AppleMailSignature">cheers</div><div id="AppleMailSignature">bernhard<br><br><span style="color: rgba(0, 0, 0, 0.701961); font-family: UICTFontTextStyleBody; line-height: 22px; -webkit-composition-fill-color: rgba(130, 98, 83, 0.0980392); text-decoration: -webkit-letterpress;">--</span><div><span style="color: rgba(0, 0, 0, 0.701961); font-family: UICTFontTextStyleBody; line-height: 22px; -webkit-composition-fill-color: rgba(130, 98, 83, 0.0980392); text-decoration: -webkit-letterpress;">Sent from a touchscreen device with impossibly small keys, please excuse any typos</span></div></div><div><br>On 08 Oct 2015, at 20:50, Ahmed Abd EL-Rahman &lt;<a href="mailto:Ahmed.Rahman@bmbgroup.com">Ahmed.Rahman@bmbgroup.com</a>&gt; wrote:<br><br></div><blockquote type="cite"><div><span>I use ADFS 2 and I'm exposing the same ADFS to the Internet with a real IP through NAT configurations.</span><br><span></span><br><span>Best Regards</span><br><span></span><br><span>Ahmed Abd EL-Rahman</span><br><span>Senior Network Engineer - BMB KSA</span><br><span></span><br><span>On Oct 8, 2015, at 5:01 PM, Bernhard Albler &lt;<a href="mailto:bernhard.albler@gmail.com">bernhard.albler@gmail.com</a>&gt; wrote:</span><br><span></span><br><span>It's going to depend on the OS platform on the client and on the IDP.</span><br><span>What IDP are you using?</span><br><span>If it is ADFS, do you use an ADFS Proxy or 
do you expose a normal ADFS server externally as well?</span><br><span></span><br><span>cheers</span><br><span>bernhard</span><br><span></span><br><span>On Thu, Oct 8, 2015 at 3:44 PM, Brian Meade &lt;<a href="mailto:bmeade90@vt.edu">bmeade90@vt.edu</a>&gt; wrote:</span><br><span>Are you using MRA for external logins? If so, you can add the Identity Provider on the Expressway-C and then enable SSO on the Expressway-C and Expressway-E.</span><br><span></span><br><span>The Identity Provider has to be accessible externally though.</span><br><span></span><br><span>On Thu, Oct 8, 2015 at 8:32 AM, Ahmed Abd EL-Rahman &lt;<a href="mailto:Ahmed.Rahman@bmbgroup.com">Ahmed.Rahman@bmbgroup.com</a>&gt; wrote:</span><br><span>Hi Gents,</span><br><span></span><br><span>I have configured all my UC 10.5 cluster services (including Cisco WebEx Meeting Server 2.5 MR5) for SSO. CUCM, the Jabber desktop client, and WebEx access are working correctly with SSO from the corporate LAN with PCs joined to the domain, which is how it should work, without having to re-enter any credentials when accessing these services.</span><br><span></span><br><span>My question is: if a laptop, for example, which is already joined to the domain tries to access the UC services from outside the network (Jabber desktop client and WebEx), as they are both configured with public access, should SSO work with this laptop from outside exactly the same way as it works from the corporate LAN, so that the user doesn’t have to enter any credentials manually, or is it normal to be prompted for credentials when accessing from outside the corporate network? 
I’m asking about the nature of SSO.</span><br><span></span><br><span>Best Regards</span><br><span></span><br><span>Ahmed Abd EL-Rahman</span><br><span>Senior Network Engineer</span><br><span></span><br><span>_______________________________________________</span><br><span>cisco-voip mailing list</span><br><span><a href="mailto:cisco-voip@puck.nether.net">cisco-voip@puck.nether.net</a></span><br><span><a href="https://puck.nether.net/mailman/listinfo/cisco-voip">https://puck.nether.net/mailman/listinfo/cisco-voip</a></span><br><span></span><br><span>--</span><br><span>Bernhard Albler, +4369917207384</span><br><span>--</span><br><span>"Posterity, indeed! Why should I do anything for posterity? What has posterity ever done for me?"</span><br><span>--Carl Friedrich Zelter</span><br></div></blockquote></body></html>