Has anyone integrated Cisco Jabber with OKTA? Skip to main content
https://support.okta.com/help/answers?id=906f0000000i03liac&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
How satisfied are you with the Okta Help Center?
Thank you for your feedback!
How satisfied are you with the Okta Help Center?
1
2
3
4
5
Very Dissatisfied
Very satisfied
Enter content less than 200 characters.
Ask Search:
Wayne KalseyWayne Kalsey 

Has anyone integrated Cisco Jabber with OKTA?

Hello,

Wanting to know if anyone has successfully integrated Cisco Jabber for use with Okta?  It is not part of the Okta Application Network, but we confirmed Jabber supports SSO.

Any guidance on the how to go about configuring this would be greatly appreciated.
Best Answer chosen by Wayne Kalsey

All Answers

Chris DoddsChris Dodds
We have it working. It's pretty clean on the user side, but a bit messy otherwise. Honestly, Cisco's SAML support sucks and we could never find anyone @ Cisco or Webex Connect that knew how it worked.

A few issues w/ workarounds:

1. You can't edit attributes on the Cisco side if SAML is enabled. Which is fine, except you can't set the user cluster via SAML. So users have to click the Jabber chiclet in Okta for their account to be created and then we have to go in after the fact and assign their cluster.

2. We also had to push a custom attribute for "last_updated" (or something similar) or SAML provisioning would fail. Easy fix, but not documented anywhere that we could find.

Otherwise, it's a standard SAML config.
 
Wayne KalseyWayne Kalsey
Chris, I appreciate the response.  If you don’t mind, I would like to ask you a few questions on how you went about configuring your Jabber to integrate with Okta.
 
First question:
Because Jabber is not part of the Okta Application Network, we used the Create New App wizard.
Is that how you set yours up?

I noticed that you mention SAML provisioning fails.  When using the Create New App wizard, we do not see the Provisioning tab as available.  Did you take another approach?
 
Chris DoddsChris Dodds
This was selected as the best answer
Chris DoddsChris Dodds
The provisioning is done through the SAML assertion.
Wayne KalseyWayne Kalsey
Thank you very much for your sharing this configuration information.  We are looking at it now to see if we can get our Jabber working.
Wayne KalseyWayne Kalsey
Thanks again Chris.  We got it working with your help.
Javier MontesJavier Montes
Did you get the Jabber Call Working (P2P)? we got Jabber working with Okta but Jabber call is not working.
Christopher NeelyChristopher Neely
For future reference the custom 'updateTimeStamp' attribute is required for auto update to work with Jabber user profiles.  We created a custom attribute on the Okta profile for this and push it dynamically whenever a user profile is updated from our external data source.  We spoke with Okta to see if we could use the 'lastUpdated' value from their API but it is not able to be mapped in a SAML assertion.

More info:

http://www.cisco.com/c/en/us/td/docs/collaboration/webex-connect/Messenger_Administration_Guide/WebEx_BK_C9864D4C_00_cisco-webex-messenger-administration-guide_chapter_011.html#ID-2140-00000a53

Specify the “updateTimeStamp” attribute in the SAML assertion and check this field to update an existing user account.
The “updateTimeStamp” value is the last update time of a user’s profile in the customer’s Identity store. For example, in Active Directory, the “whenChanged” attribute has this value. If “updateTimeStamp” is not in the attribute, the user profile would not be updated since the last update. It updates the first time when the user profile is updated via Auto Account Update or Auto Account Creation.
Unchecked indicates no updates will occur.