Cisco Support issue with SAML SSO

Started by Dieselboy, January 12, 2016, 08:00:24 PM


Dieselboy

I'll try and keep this concise and brief.
I have Cisco Jabber on premise, fully working and no issues.
I have Windows Server 2012 domain controllers, all working, no issues.

I want to align all of our applications with the same authentication mechanism, both internal and external (we use WebEx in the cloud, and a bunch of other apps). So I have enabled SAML SSO with Windows 2012 server, which is ADFS 3.0.

As far as I can gather, ADFS 3.0 is essentially ADFS 2.0 with some extra features. And ADFS 3.0 is backwards compatible with ADFS 2.0.

I have an issue with Jabber clients. For the most part everything works fine, people can sign in and use Jabber. The problem comes about when the session expires. Rather than renewing the session, Jabber (on Windows) does not renew the session. An error message is displayed in Jabber, "could not open page", and it does not sign in. However, Jabber for Mac, Android, iOS are all fine.

Cisco TAC has stated that Jabber does not receive a token from ADFS, but from what I can tell it looks like it does not request one, or does not request it correctly. TAC escalated the problem but the "BU" won't look into it at all since their documentation states Windows Server 2008 / ADFS 2.0 is the only supported ADFS SAML SSO system. Windows Server 2008 is going EOL. Cisco have requested I bring up a 2008 server.

I'm going to work on bringing up a temporary 2008 server, which will take some time. The reason I'm doing this is because I'm confident the issue lies with Jabber and not ADFS. But in my opinion, Cisco should be on top of this already and be supporting 2012 server. It's 2016 now...

I feel this is just another excuse for their already busy support teams to dismiss this issue without resolving it.

Your thoughts? Am I right, or wrong?

wintermute000

Cisco's SP video / collaboration has been an unholy mess for some time now. Your position makes perfect sense with 2008 going EOL. Won't be the first time Cisco's dropped the ball on software.... ;)

I so do not envy the poor b@stards that had to support MeetingPlace, then cloud WebEx, and then all singing all dancing integration into CUCM XYZ and/or VCS videoconferencing.
I recall when my old SP wanted to run up a conference bridging product hosted on our then current CUCM. None of us senior techs could understand the white paper, and that's before the ridiculous 3 pages of licensing description and something like half a dozen servers involved. What happened? We ran a SIP trunk to an Asterisk then built a web UI front end for customer self service. LOL

Compare and contrast your dramas with how, say, Skype or Google Hangouts work. Install client, log in via internet connection, bam, all working.

Dieselboy

As silly as it may be, I've used examples such as Skype and Hangouts in arguments with Cisco and their devs.

One argument is that Jabber doesn't store any message history between clients. Example: if I'm signed in on an Android phone and my laptop, and I go out of the office for lunch and have a conversation with someone, when I get back to my desk it's as though the conversation didn't happen. I've been pushing for something like this for a couple of years now. I think I read somewhere that CUCM/IMP 11.5 will be looking to implement something like this. Skype and Hangouts already do it; I understand they are different platforms (that's not the argument).

Another is that they have Jabber clients for iOS and Android, and they have Jabber access available over wifi/4G across the internet via the Cisco Expressway servers, but they didn't support a codec that could cope with the odd bit of packet loss.... like Skype / Hangouts. Recently Jabber implemented the Opus codec, which is nice.

Dieselboy

I just finished setting up ADFS 2.0 and moving our CUCM/IMP/CUC/MRA setup over to it. Now I just need to wait for the issue to happen again.