You can set up Cisco Jabber to use the OAuth protocol to authorize users' access to services. When a user signs in to an OAuth-enabled environment, they do not need to enter their credentials every time they sign in. However, if the servers are not OAuth-enabled, Jabber may not function correctly.
Prerequisites:
- OAuth refresh tokens must be turned on across all of these components, if deployed, for the feature to work.
- Cisco Unified Communications Manager, Cisco Unified Communications Manager Instant Messaging and Presence, and Cisco Unity Connection must be version 11.5(SU3) or 12.0.
- Cisco Expressway for Mobile and Remote Access must be version X8.10 or later.
Before you configure OAuth, check the type of deployment you have:
- If you have a local authentication deployment, an IdP server is not required, and Cisco Unified Communications Manager is responsible for authentication.
- You can set up OAuth with or without SSO configured. If you're using SSO, ensure it is enabled for all services. If you have an SSO-enabled deployment, deploy an IdP server; the IdP server is then responsible for authentication.
You can enable OAuth on the following services for your users:
By default, OAuth is disabled on these servers. To enable OAuth on these servers:
- For Cisco Unified Communications Manager and Cisco Unity Connection servers, go to .
- For Cisco Expressway-C, go to .
When OAuth is enabled or disabled on any of these servers, Jabber detects the change at the next configuration re-fetch interval and lets the user sign out and sign in to Jabber again. During sign out, Jabber deletes the user credentials stored in its cache, and then lets the user sign in with the regular sign-in flow, in which Jabber fetches all the configuration information first and then lets the user access Jabber services.
To configure OAuth on Cisco Unified Communications Manager:
- Go to .
- Set O-Auth Access Token Expiry Timer (minutes) to the desired value.
- Set O-Auth Refresh Token Expiry Timer (days) to the desired value.
- Click Save.
To configure OAuth on Cisco Expressway:
- Go to .
- Set O-Auth local authentication to On.
To configure OAuth on Cisco Unity Connection:
- Go to AuthZ Servers and select Add New.
- Enter the details in all fields and select Ignore Certificate Errors.
- Click Save.
Limitation: Jabber triggers automated intrusion protection
Conditions:
Jabber does one of these:
- Resumes from desktop hibernate
- Recovers network connection
- Attempts fast sign-in after it has been signed out for several hours
Behavior:
- Some Jabber modules attempt to authorize at Expressway-E using the expired access token.
- The Expressway-E (correctly) denies these requests.
- If there are more than five such requests from a particular Jabber client, the Expressway-E blocks that IP address for ten minutes (by default).
Symptoms:
The affected Jabber clients' IP addresses are added to the blocked addresses list of Expressway-E, in the HTTP proxy authorization failure category. You can see these on .
Workaround:
There are two ways you can work around this issue: you can increase the detection threshold for that particular category, or you can create an exemption for the affected clients. We describe the threshold option here because exemptions may be impractical in your environment.
- Go to .
- Click HTTP proxy authorization failure.
- Change the Trigger level from 5 to 10. A level of 10 should be enough to tolerate the Jabber modules that present expired tokens.
- Save the configuration, which takes effect immediately.
- Unblock any affected clients.
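The following model of the Expressway-E automated intrusion protection behaviour described under Behavior and Workaround is an added example, not Cisco's code. It lets you check what a given trigger level means for a Jabber client whose modules each present an expired token after a resume. The detection window length (60 s), the block starting on the request that exceeds the trigger level, and the IP addresses are assumptions; the ten-minute block and the 5 and 10 trigger levels come from the text above.

```python
# Added example (not Cisco's code): a model of the Expressway-E automated
# intrusion protection check for the "HTTP proxy authorization failure"
# category. Assumptions: denials are counted per source IP inside a sliding
# detection window (60 s assumed; the page gives no length), a block starts
# as soon as the count exceeds the trigger level, and it lasts ten minutes
# (the page's stated default).
from collections import defaultdict, deque

BLOCK_SECONDS = 10 * 60          # default block duration from the page


class IntrusionProtection:
    """Per-IP failure counter with a trigger level and a timed block."""

    def __init__(self, trigger_level=5, window_seconds=60):
        self.trigger_level = trigger_level
        self.window = window_seconds
        self._failures = defaultdict(deque)   # ip -> denial timestamps
        self._blocked_until = {}              # ip -> time the block ends

    def is_blocked(self, ip, now):
        return self._blocked_until.get(ip, 0.0) > now

    def authorization_failure(self, ip, now):
        """Record one denied request; return True if this one triggers a block."""
        if self.is_blocked(ip, now):
            return False                       # already blocked, nothing new
        hits = self._failures[ip]
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()                     # drop denials outside the window
        if len(hits) > self.trigger_level:     # "more than N such requests"
            self._blocked_until[ip] = now + BLOCK_SECONDS
            hits.clear()
            return True
        return False


def wake_up_outcome(expired_modules, trigger_level):
    """Replay one client (constructed IP) whose modules each retry with an
    expired token shortly after resume; return (blocked, unblock_time)."""
    ip = "192.0.2.10"                          # constructed documentation address
    aip = IntrusionProtection(trigger_level)
    now = 0.0
    for _ in range(expired_modules):
        now += 0.5                             # retries half a second apart
        if aip.authorization_failure(ip, now):
            return True, now + BLOCK_SECONDS
    return False, None
```

With six modules presenting expired tokens, the default level of 5 blocks the client and a level of 10 does not, which is the tradeoff the workaround relies on.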