<p dir="ltr">You can increase the timer to a really long duration or turn it off globally in cucm. There is no third choice.</p>
<div class="gmail_extra"><br><div class="gmail_quote">On Oct 2, 2016 13:09, "Alessandro Bertacco" <<a href="mailto:bertacco.alessandro@alice.it">bertacco.alessandro@alice.it</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="IT" link="blue" vlink="purple"><div><p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thank you Ankur,<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"> so the only way to make Jabber mobile usable is to disable SSO?<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Is it possible to disable SSO only for the Jabber Client? Or I’ll need to disable SSO globally?<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Thank you again.<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Regards<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Alessandro<u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span lang="EN-GB" style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Da:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> Ankur Srivastava [mailto:<a href="mailto:ansrivastava@linkedin.com" target="_blank">ansrivastava@linkedin.<wbr>com</a>] <br><b>Inviato:</b> domenica 2 ottobre 2016 05:54<br><b>A:</b> Alessandro Bertacco <<a href="mailto:bertacco.alessandro@alice.it" target="_blank">bertacco.alessandro@alice.it</a>><br><b>Cc:</b> voip puck <<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>><br><b>Oggetto:</b> Re: [cisco-voip] Jabber Mobile 11.7 don't Store SSo User Credential<u></u><u></u></span></p><p class="MsoNormal"><u></u> <u></u></p><p>Also you can't save any credentials because Jabber is not prompting for login it's the ADFS which prompts for it. Jabber just opens a web-wrapper and loads a http link for ADFS. <u></u><u></u></p><p>So there is no way for the Jabber client to know what credentials you entered in that pop-up. <u></u><u></u></p><p>Regards,<br>Ankur<u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">On Oct 2, 2016 09:19, "Ankur Srivastava" <<a href="mailto:ansrivastava@linkedin.com" target="_blank">ansrivastava@linkedin.com</a>> wrote:<u></u><u></u></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm"><p>Hi Alessandro,<u></u><u></u></p><p>When you enable SSO then CUCM does not control the authentication process and at every login Expressway or CUCM will reach out to ADFS to confirm if the user is authorised or not. <u></u><u></u></p><p>ADFS verifies the last SSO cookie to confirm whether it should allow the request or prompt for login. CUCM or Expressway can't control this behavior.<u></u><u></u></p><p>So your users are being prompted for login because the SSO cookies expire and ADFS requests re-Authentication. You do not have any way to work around this. This is how SSO works. <u></u><u></u></p><p>If you want less prompts you can increase the SSO timers on ADFS to not to expire for 2-3 days, but that will affect all SSO requests not just UC.<u></u><u></u></p><p>Regards, <br>Ankur<u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">On Oct 2, 2016 02:37, "Alessandro Bertacco" <<a href="mailto:bertacco.alessandro@alice.it" target="_blank">bertacco.alessandro@alice.it</a>> wrote:<u></u><u></u></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm"><div><div><p class="MsoNormal"><span lang="EN-GB">We have UC environment all in version 11.0 (CUCM, CUPS, CUC), and we use Jabber 11.7 on all platform, Windows, MAC, IOS and Android </span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB"> </span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB">SSO authentication enabled using Microsoft ADFS 2.0 as IDP.</span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB"> </span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB">SSO works fine from all devices, and on Windows Domain computer SSO User Credential are pushed directly from the Operating System to the SSO Infrastructure, so user need only to open Jabber Client and do nothing to login.</span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB"> </span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB">Instead, from Jabber for mobile device, SSO authentication Works, inside and outside troughs Expressway C/E infrastructure but Users credential aren’t stored on mobile devices.</span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB"> </span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB">So, every day, when user start up their Smartphone, Jabber presents SSo IDp popup that ask Users to authenticate. You understand that this make UnUsable Jabber Mobile, because users don’t want to be bored for Credentials every day.</span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB"> </span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB">I’ve also opened a TAC but Engineer don’t find the route cause.</span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB"> </span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB">Someone of you have a working implementations of SSO Authentication Infrastructure with Jabber Mobile clients that store users credential and pass it automatically to IDP during the Jabber Login ?</span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB"> </span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB">Can you help me or suggest something?</span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB"> </span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB">This is make me crazy, and customer wants to rollback to SSO disabled. Is that the final solution?</span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB"> </span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB">Thank you.</span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB"> </span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB">Regards</span><u></u><u></u></p><p class="MsoNormal"><span lang="EN-GB" style="color:#888888"> </span><span style="color:#888888"><u></u><u></u></span></p><p class="MsoNormal"><span lang="EN-GB" style="color:#888888">Alessandro </span><span style="color:#888888"><u></u><u></u></span></p></div></div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>______________________________<wbr>_________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/<wbr>mailman/listinfo/cisco-voip</a><u></u><u></u></p></blockquote></div><p class="MsoNormal"><u></u> <u></u></p></div></blockquote></div></div></div></div></blockquote></div></div>