Can we include WEBEX-TOKEN sasl patch from upstream?

Bug #1737212 reported by Ralf
This bug affects 2 people
Affects Status Importance Assigned to Milestone
pidgin (Debian)
pidgin (Ubuntu)

Bug Description

The following patch:

is providing CISCO Jabber Webex SASL auth via corporate SSO as used in many corporates.

Can we include this into the pidgin Ubuntu package, as of now (1:2.12.0-1ubuntu2 in 17.10) it is not included.

Problem signature in debug due to the missing sasl mech:

(17:52:26) sasl: Mechs found: WEBEX-TOKEN
(17:52:26) sasl: No worthy mechs found

The patch is not very user friendly as of now and would require the use of external (browser based) token exchange, but that's better than not being able to use it at all. Generally the patch would not change existing functionality, so it would allow to use WEBEX-TOKEN for experienced users with the method stated in pidgin tikcet 17070 (see link above) but not impact any current functionality, so risk is low in my opinion.

Revision history for this message
Ralf (ralf-kaestner) wrote :
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "webex.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Ralf (ralf-kaestner) wrote :

additionally to applying the above patch it is required to add "--enable-webex-token" to DEB_CONFIGURE_EXTRA_FLAGS before build.

I have tested the build on top of artful universe pidgin-src 2.12.0-1ubuntu2_amd64 and the patch works for me in regards that I can use my corporate SingleSignOn to connect to Cisco WebEx XMPP.

additional infos from original patch related to be able to use the provided SSO Method:

From a Cisco Jabber Client install, look for a SSOAuthInfoStore.xml file. In my example on my Windows Cisco Jabber install I used C:\Users\<myusername>\AppData\Roaming\Cisco\Unified Communications\Jabber\CSF\Config\SSOAuthInfoStore.xml

This should contain a URL on (or the like) specifying a SSO login url for your corporate SSO. It should look similar to:<your_corp_domain>&type=connect2

Once you open that URL with a browser and complete whatever authentication workflow is needed, you will get an XML stanza back called FederatedSSO. If you already have an SSO cookie set in your Browser, because you already authenticated your Corp SSO for another service, you'll just get an XML response with the required token data.

In the returned stanza, you will need to copy the <jabbertoken> element, and use that as your password. Returned <screenname> should match your user and domain elements in your account configuration in Pidgin, regardless of your usual corporate username and domain name. Finally, you will want to use the server in the <xmppjabbercluster> element as your target server to connect to (note there is also a <jabbercluster> element, do not use that). Port 5222 should work for Cisco Jabber via WebEx.

Note that the token will expire (the XML will tell you when) and after that when you restart pidgin you'll need to get a new token and update your config with the new token as password.

Revision history for this message
Paul (bratstejskal) wrote :

Agreed. I would love to get away from a Windows VM just for Jabber. Please port to Ubuntu.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pidgin (Ubuntu):
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers