
Authenticating WebEx API calls for sites using SAML single sign-on

robert.lowe1
Level 1

My company has developed an integration with WebEx Training Center. Currently we require users to provide their WebEx username and password, which we then include in each API call.

This does not work for WebEx sites that are configured to use SAML single sign-on, however.

We're investigating the possibility of supporting WebEx with SAML, and we have the below technical questions.

  • The XML API 9.0 Release Notes refer to “OAuth access tokens” and “one time login tickets.” Are these available on all WebEx sites? How do we tell whether they are available for a specific site? Are they the same thing? Where can we find documentation on how to use them?
  • How do we tell whether a specific site is considered to be a “Common Identity site?”
  • If we need to pass a SAML assertion to authenticate the API calls, what are the constraints on this?
    • Is a specific Audience required?
    • Are NotBefore and/or NotOnOrAfter conditions required?
    • Are there any constraints on the IssueInstant and/or AuthnInstant?
    • Must the assertion be signed? If so, must the signing key be the same one used for SSO?
    • Must the NameID (or other attribute) match the supplied webExID?

Thanks in advance for any and all help!

2 Replies

robert.lowe1
Level 1

What do I need to do to get moderator approval? This was posted 2 days ago!

kasutton
Cisco Employee

Hi Robert,

Apologies for the delay. For some reason, your original post did not send a notification and it doesn't show up on the forum. Posts don't normally need a moderator to approve them, so we'll look into what's going on with this post. We did get a notification for your comment on it, so we can see it now.

OAuth is specific to Common Identity (SparkMeet) sites, though you can get one time use login tickets for standard WebEx sites. I've included links to authentication specific calls in our documentation:

https://developer.cisco.com/site/webex-developer/develop-test/xml-api/xml-api-reference/#authenticateuser

https://developer.cisco.com/site/webex-developer/develop-test/xml-api/xml-api-reference/#getloginticket

https://developer.cisco.com/site/webex-developer/develop-test/xml-api/xml-api-reference/#getloginurluser

getSiteType will tell you if a site is Common Identity or otherwise:  Cisco DevNet: WebEx Conferencing - XML API - Release Notes

Audience is required for SP initiated. The "WebEx SAML Issuer (SP ID)" field in WebEx Site Admin must match the audience in the assertion exactly.

For IdP Initiated, the "Issuer for SAML (IdP ID)" field in WebEx Site Admin must match the issuer in the assertion exactly.

NotBefore and NotOnOrAfter are required.

IdMS should manage IssueInstant/AuthnInstant, but we do check those values.

The Assertion must be signed.

NameID can be username or email.

NameID Format: format of the NameID (username) specified in customer IdMS. If the value in WebEx is set to Unspecified, we would not check the Format in NameID and will accept all formats. However, if it's set to anything other than Unspecified, the Format attribute in <NameID> has to match the values below.

NameID Formats (Name: Value)

  • Unspecified: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • Email address: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress or http://schemas.xmlsoap.org/claims/EmailAddress
  • X509 Subject Name: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
  • Entity Identifier: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
  • Persistent Identifier: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

Kasey
