Webex Cloud-Connected UC Directory Service support

The Limited Availability release of Webex Cloud-Connected UC Directory Service feature includes support for synchronization and management of users.

You can synchronize and manage users from cloud into on-premises or cloud UC infrastructure like Cisco Unified Communications Manager (Unified Communications Manager) and Cisco Unity Connection (Unity Connection) with the Webex Cloud-Connected UC Directory Service. During synchronization, the system imports a list of users and associated user data from the Azure Active Directory (or a similar Cloud Directory service) that is synchronized into the Webex Common Identity Service. You must select the Unified CM cluster from Control Hub that needs synchronization, select the appropriate Unified CM User ID field mapping, and then select the required synchronization agreement to perform synchronization.

Activate directory service

You must activate Directory Service for each cluster in Webex Cloud-Connected UC to allow synchronization and management of users from cloud into on-premises UC.


By default, Directory Service is not enabled for all the onboarded clusters.

1

From the customer view in Control Hub, go to Services > Connected UC. On the UC Management card, click Inventory.

The list of cluster groups appears with the description, status, clusters, and nodes.
2

Click Details next to the cluster group to which the node belongs.

The Inventory page appears, showing the list of clusters belonging to the selected cluster group.
3

Click Details next to the cluster to which the particular product node belongs.

The Node name with the version, product, and status appears.
4

Click the ellipsis icon next to Event History and choose Service Management.

The Service Management page appears with the list of services.
5

Use the toggle button to enable the Directory Service.

6

Click Submit.

Directory service

Use the Directory Service card to synchronize users from cloud-based directories into on-premises deployments.

1

From the customer view in Control Hub, go to Services > Connected UC.

2

On the Directory Service card, click View clusters. The Directory Service page appears.

You can view the list of cluster details on this page.

View cluster details

From the Cluster selection page in Directory Service, choose a cluster to which you want to synchronize the user data with.

The Cluster selection page also provides the cluster details, status of provisioning, last synchronized state, the associated product, and the reason for failure, if any. You can also select the local time zone. The default browser time zone is selected.

Cluster Details

Description

Cluster Name

The name of the cluster.

Status

Status of synchronization.

Last synced

Date of the last synchronization.

Product

Details of the product.

Configure directory synchronization

Webex Cloud-Connected UC Directory Service synchronization allows you to import end user data from Azure directory into the Unified Communications Manager database to display in the End User Configuration window.


Sometimes, you might experience additional delays in provisioning a cluster as we work on our fault tolerance and auto scaling capabilities. In such scenarios, the provisioning will still happen though this activity incurs considerable time. This issue will be addressed soon.

Do not schedule any telemetry COP file upgrades between 00:00 UTC and 06:00 UTC and avoid telemetry upgrades between any provisioning operations.

1

From the Cluster selection page in Directory Service, choose a cluster that you want to provision for enabling synchronization.
2

Click Start Provisioning.

3

In the Field Mapping configuration window, ensure that the mapping chosen for the Unified CM User ID field uniquely identifies the user within the cluster after you start provisioning.

4

Choose the appropriate Unified CM User ID field mapping for synchronizing the user from Webex:

  • User ID field in Unified CM maps to email ID of the user in Webex.

  • Mail ID field in Unified CM maps to email ID of the user in Webex.

  • User ID field in Unified CM maps to email ID without domain part of the user in Webex.


     
    New user account will be created if the mapping cannot be done successfully for an existing user account in Unified CM. Email ID of the user will be used as the unique identifier for the newly created user account. This note is applicable for options 1 and 2.
5

Click Next.

6

Select an agreement from the drop-down list for creating a new synchronization agreement.

Once the new synchronization agreement is created, all the existing synchronization agreement(s) pointing to the on-premises directory are deleted. You can make changes to the new synchronization agreement after it’s created.

7

In the Agreement Preview section, review the agreement details (existing external LDAP directory details available in the Unified Communications Manager) before you start the synchronization.

You can view the following details:

  • Group information

  • Applied Feature group template with universal line and device templates

  • Line and mask details to synced phone numbers for inserted users

  • Newly provisioned users and their extensions

  • Standard User Fields to be Synchronized section

  • Hostname or IP address of the directory server
8

Click Next to prepare the synchronization process.

9

In the Enable Synchronization window, enable the synchronization once the system successfully copies the user data into a temporary storage space in Unified CM and a new synchronization agreement is created (after steps 1 and 2 as seen in the below screenshot).

10

The Download report download option allows you to view the results partially. To fetch the complete reports for the Unified CM cluster, execute the following CLI command: file get activelog /cm/trace/CIService/log4j/DryRunResults.csv. Here, the dry run result for Unified CM shows the following:

  • New Users—Users aren’t present in Unified CM but present in Webex Identity Service. Users are created in Unified CM after enabling synchronization.

  • Matched Users—Users are present in Unified CM and Webex Identity Service. These users will continue to remain active in Unified CM after synchronization is complete.

  • Mismatched Users—Users are present in Unified CM and Webex Identity Service. These users are marked active in Unified CM after synchronization is complete and will be deleted after 24 hours of inactivity.


 
You can check the report and decide whether you want to retain the same list of users and add or delete users. Based on the decision, you can stop the process and revert the provisioning changes.

 
You will observe 20-hours delay to view the updated information due to caching behavior on Webex Identity Service. This behavior results in a delay in the propagation of the updated user data to the Unified CM database from when changes are made in the cloud directory. We recommend that you wait for the subsequent periodic synchronization to complete to view the updated information.
11

After the synchronization agreement verification, click Preview in Unified CM to sign in to your on-premises infrastructure and make changes to the newly created synchronization agreement.


 

VPN access is required.

You can only edit the Group information for Unified CM. You cannot rename the agreement or modify any of the details.
12

Check the check box to agree to the terms that the synchronization agreement is reviewed and verified in Unified CM.
13

Click Enable Synchronization to proceed with the synchronization.

During synchronization, you won’t be able to perform any action until completion. Once the synchronization is completed for a particular cluster, the Directory Service page lists this cluster with a Provisioned state. At this point, you've successfully authorized Azure AD to provision and synchronize Webex users into UC infrastructure and completed the steps to set up synchronization.

14

After the initial provisioning is completed, periodic synchronization happens every 24 hours. Any changes made in the cloud directory will be propagated to the clusters during this period.


 

You must enable synchronization within 20 hours from the time the new agreement is created. LDAP synchronized users become inactive and removed after 24 hours of inactivity. Users won’t be able to log in and use the Unified CM services.

After the Azure AD provisioning is completed for a certain cluster, you cannot create any new synchronization agreements or modify any configuration settings for the same cluster except for the group settings. If you want to create a new synchronization agreement for the same cluster, you should go to the Service Management page and disable the Directory Service. You can then create a new agreement for provisioning.


 

  • If you are using Azure IdP during SSO authentication after successful provisioning, ensure that you configure the right Claims in the Azure IdP. For example, during provisioning, if option 1 is selected for the userid mapping, ensure that user.userprincipalname is set as the UID in the ‘Additional Claims’ section.

  • You will observe 20-hours delay to view the updated information due to caching behavior on Webex Identity Service. This behavior results in a delay in the propagation of the updated user data to the Unified CM database from when changes are made in the cloud directory. We recommend that you wait for the subsequent periodic synchronization to complete to reprovision a cluster and view the updated information.

Provision status

On the Directory Service dashboard, you can view and track the status of your cluster and review errors.

The following table lists the provision status, description, and the corresponding actions.

Provision Status

Description

Processing

The provisioning is in progress.

Action Required

Take necessary steps if there is any manual intervention required for a particular cluster. For example,

  • If you want to continue or abandon synchronization after dry run.

  • After the new agreement is created, check for any notifications, and take necessary actions as required.

Error

If there is any action required in the 'Enable Synchronization' wizard, check them and if required, take necessary actions.

Provisioned

The cluster provisioning is complete.

Not provisioned

The cluster provisioning hasn’t started yet.

Troubleshooting synchronization issues

This section provides the necessary information and solutions to resolve some of the common issues that you might face during the various stages of synchronizing users from Control Hub into the Unified Communications Manager database.

Mismatched users

Enable synchronization within 20 hours after the new agreement is created. The existing users are marked inactive and are deleted from Unified CM after 24 hours of inactivity.

Error—Data Copy Failed. Please Retry

  • Communication between Cloud-Connected UC and Webex cloud is disrupted or unable to fetch user data from Webex cloud.

  • Communication between Cloud-Connected UC and Unified CM is disrupted or unable to push user data to Unified CM database.

  • User data is not copied to the temporary storage location.

Error—Failed to Create Synchronization Agreement. Please Retry

  • Communication between Cloud-Connected UC and Unified CM is disrupted or unable to push the synchronization agreement data into the Unified CM database.

  • Synchronization agreement was not created successfully.

Unable to get Synchronization agreement details. Please try after some time.

Communication between Cloud-Connected UC and Unified CM is disrupted.

Known issues for Webex Cloud-Connected UC directory service synchronization

If you're experiencing an issue with this feature, check to see if it's something that we already know about and have a recommended workaround.

  • Webex Cloud-Connected UC Directory Service provisioning does not work with LDAP authentication as only the user data is synchronized and not the passwords for the Unified CM server and hence LDAP authentication doesn’t work.

    Workaround: Single sign-on (SSO) must be used for logins. This document only covers single sign-on (SSO) integration.

  • You can disable the Directory Service for a cluster from Control Hub and then re-enable the cluster again. We recommend that you wait for at least 60 seconds before activating the Directory Service for synchronization.

  • After deletion, in case you want to onboard the same Unified CM cluster to the organization again, you must first disable the Directory Service and then re-provision the same cluster.

  • In the synchronization agreement page, the Perform a sync every and Next re-sync time fields appear active. But these fields are grayed out in the Unified CM server when the Perform sync just once option is enabled. Currently, this is a limitation in the Webex Cloud-Connected UC Directory Service provisioning feature which will be fixed in the future release.