You can set up Cisco Jabber to use the OAuth protocol to authorize users' access rights to services. If the user signs in
to an OAuth-enabled environment, then there is no need to enter the credentials every time the user signs in. However, if
the servers are not OAuth-enabled, then Jabber may not function appropriately.
If you're using Cisco Unified Communication Manager 12.5 or later, you can also enable SIP OAuth. It allows Jabber to authorize
itself to SIP, which allows Jabber to connect to SIP service over TLS. It also allows Jabber to send media over a secure connection
(sRTP). SIP OAuth means that CAPF enrollment is no longer necessary to enable secure SIP and media.
Before you configure OAuth, check the type of the deployment you have:
OAuth Refresh tokens must be turned on across all of these components if deployed to be functional
Communication Manager, Cisco Unified Communication Manager Instant Messaging
and Presence, and Cisco Unity Connection must be of version 11.5(SU3) or 12.0
Expressway for Mobile and Remote Access version X8.10 or later
For SIP OAuth: Cisco Unified Communication Manager 12.5 or later, Cisco Expressway for Mobile and Remote Access version X12.5
You can enable OAuth on the following services for your users:
If you have local authentication deployment, then IdP server is not required, and Cisco Unified Communication Manager is responsible
You can set up OAuth with or without SSO configured. If you're using SSO, ensure it is enabled for all services. If you have
an SSO-enabled deployment, then deploy an IdP server, and IdP server is responsible for authentication.
By default, OAuth is disabled on these servers. To enable OAuth on these servers:
For Cisco Unified Communications Manager and Cisco Unity
Connection Servers, go to
For Cisco Expressway-C, go to
When OAuth is enabled or disabled on any of these servers, Jabber identifies it during configuration re-fetch interval, and
lets the user sign out and sign in to Jabber.
During sign out, Jabber deletes user credentials stored in the cache,
and then lets user sign in with regular sign-in flow, where Jabber fetches all
the configuration information first, and then lets the user access Jabber
To configure OAuth on Cisco Unified Communication Manager:
To configure OAuth on Cisco Expressway:
Go to .
Set O-Auth Access Token Expiry Timer(minutes) to desired value.
Set O-Auth Refresh Token Expiry Timer(days) to desired value.
Click Save button.
To configure OAuth on Cisco Unity:
Go to .
Set O-Auth local authentication to On.
Go to AuthZ Servers and select Add New.
Enter the details in the all fields and select Ignore Certificate Errors.
Jabber triggers automated
Jabber does one
fast sign-in after it is signed out for several hours
modules attempt to authorize at Expressway-E using the expired access token.
Expressway-E (correctly) denies these requests.
If there are
more than five such requests from a particular Jabber client, the Expressway-E
blocks that IP address for ten minutes (by default).
Jabber clients' IP addresses are added to the blocked addresses list of
Expressway-E, in the HTTP proxy authorization failure category. You can see
There are two
ways you can work around this issue; you can increase the detection threshold
for that particular category, or you can create an exemption for the affected
clients. We describe the threshold option here because the exemptions may be
impractical in your environment.
- Go to
HTTP proxy authorization failure.
Trigger level from 5 to 10. 10 must be enough to
tolerate the Jabber modules that present expired tokens.
configuration, which takes effect immediately.