Updated: January 23, 2015
This document describes how to configure Cisco Jabber clients and the Infrastructure servers for Security Assertion Markup Language (SAML) Single Sign-on (SSO).
Infrastructure servers like Cisco Unified Communications Manager (CUCM) IM and Presence, Cisco Unity Connection (UCXN), and CUCM must be provisioned for Jabber users and the basic Jabber client configuration must be in place.
Cisco recommends that you have knowledge of these topics:
CUCM IM and Presence Version 10.5(1) or later
UCXN Version 10.5(1) or later
CUCM 10.5(1) or later
Cisco Jabber Client Version 10.5
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Deploy certificates on all servers so that the certificate can be validated by a web browser; otherwise users receive warning messages about invalid certificates. For more information about certificate validation, refer to Certificate Validation.
Ensure that Service Discovery is enabled in the client, because the client uses standard Service Discovery to enable SAML SSO. Enable Service Discovery with these configuration parameters: ServicesDomain, VoiceServicesDomain, and ServiceDiscoveryExcludedServices.
After SSO is enabled on CUCM and IMP, all Jabber users sign in with SSO by default. Administrators can change this on a per-user basis so that certain users do not use SSO and instead sign in with their Jabber usernames and passwords. To disable SSO for a Jabber user, set the value of the SSO_Enabled parameter to FALSE.
If you have configured Jabber not to ask users for their email addresses, their first sign-in to Jabber might be non-SSO. In some deployments, the ServicesDomainSsoEmailPrompt parameter must be set to ON. This ensures that Jabber has the information required to perform a first-time SSO sign-in. If users signed in to Jabber previously, this prompt is not needed because the required information is available.
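The following added example, which is not part of the original Cisco document, audits a client configuration for the SSO-related parameters named above and reports users or settings that fall back to password sign-in. It assumes the parameters appear as XML elements in a jabber-config.xml-style file; the element layout, the sample file, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The element layout is an assumption; only the
# parameter names come from the document.
SAMPLE_CONFIG = """<config version="1.0">
  <Policies>
    <ServicesDomain>example.com</ServicesDomain>
    <ServicesDomainSsoEmailPrompt>OFF</ServicesDomainSsoEmailPrompt>
    <SSO_Enabled>FALSE</SSO_Enabled>
  </Policies>
</config>"""

DISCOVERY_PARAMS = ("ServicesDomain", "VoiceServicesDomain",
                    "ServiceDiscoveryExcludedServices")


def read_params(xml_text):
    """Return {element name: stripped text} for every leaf element."""
    root = ET.fromstring(xml_text)
    return {el.tag: (el.text or "").strip()
            for el in root.iter() if len(el) == 0}


def audit_sso(xml_text):
    """Return (parameter, finding) tuples for SSO-relevant settings."""
    params = read_params(xml_text)
    findings = []
    # Service Discovery is what enables SAML SSO in the client.
    if not any(params.get(p) for p in DISCOVERY_PARAMS):
        findings.append(("ServiceDiscovery",
                         "no Service Discovery parameter is set"))
    # SSO_Enabled=FALSE is the per-user opt-out to password sign-in.
    if params.get("SSO_Enabled", "").upper() == "FALSE":
        findings.append(("SSO_Enabled",
                         "SSO disabled; sign-in uses username and password"))
    # Without the email prompt, a first sign-in might be non-SSO.
    if params.get("ServicesDomainSsoEmailPrompt", "").upper() != "ON":
        findings.append(("ServicesDomainSsoEmailPrompt",
                         "not ON; first sign-in might be non-SSO"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_sso(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```
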
When Jabber for Windows is started, it should automatically log in without prompting for any credentials or inputs. For other Jabber clients, you will be prompted for credentials only once.
If you encounter an issue, collect a Jabber Problem report and contact Cisco Technical Assistance Center (TAC).