
ADFS + Webex SSO

Leonardo Santana
Spotlight

Hello,

We have two webex sites A and B, and one cluster of two federation servers using ADFS.

Is it possible to sync the users like this:

User A can log in at site A but cannot log in at site B

User B can log in at site B but cannot log in at site A

Another thing: is it possible on ADFS to have two Webex site URLs?

Regards

Leonardo Santana


keglass
Level 7

Leonardo,

I found some information online that may help answer your questions:

Single Sign-on Configuration | Cisco WebEx Help Central

https://communities.cisco.com/servlet/JiveServlet/previewBody/38292-102-1-70817/WebEx_SSO_ADFS%20_2

I recommend you also post this to the Cisco Support Community for additional feedback and information:

Cisco Support Community

Thank you for participating in the community.

Kelli Glass

Moderator for Cisco Customer Communities

Hello Kelli,

I have these docs and none of them answers my question.

I will post this at CSC.

Thanks.

Leonardo Santana


Leonardo,

If Auto Account Creation is not enabled on your site, then you can log in by SSO only if you have a valid account on the site. If user A has an account on site A but does not have an account on site B, then he will be able to log in to site A but not to site B, for lack of an account on site B.

It is possible to serve two different WebEx sites with one ADFS.

Note, it is recommended to involve Advanced Services when you plan any unusual SSO setup.

Thanks,

Lajos Demeter

Hello Lajos,

But how will we do this?

If the account is auto-created, how does this policy work, and where do we do it? In ADFS or the Webex admin page?

Does Cisco not have documentation on this?

Regards

Leonardo Santana


Leonardo,

Cisco WebEx responsibility ends at the Cloud interface it supports; in this case at the SAML protocol interworking, which is well documented in the links referred to. The second link contains a step-by-step guide on how to use ADFS with WebEx.

To your question: If AAC is enabled on the WebEx site admin pages, you can still apply constraints on the ADFS side, in the Claim Rule settings for that particular site as SP.

Regards,

Lajos

So I can do this in ADFS Claim Rules?

Regards

Leonardo Santana


Yes, in ADFS you can apply a restriction on which AD user group can access which SP (called Relying Party in ADFS terminology). Each site should be configured as a separate Relying Party.

Regards,

Lajos Demeter

Lajos,

I will give an example; I don't know if you understood me.

We have sitea.webex.com and siteb.webex.com

User A can log in at site A but cannot log in at site B

User B can log in at site B but cannot log in at site A

On the Webex admin page, is there no way to restrict this?

Sorry for asking this so many times

Regards

Thanks for your time

Leonardo Santana


Yes, there is a way: do not enable Auto Account Creation on the site, then create user A only on siteA and user B only on siteB; only those users who already have an account on a particular site will be able to log in to it. Please see #3 above.

But we have 1200 users at site A and 600 at site B.

Do we have to create them manually?

Regards

Leonardo Santana


You can create users by uploading a CSV file in the same structure as the user export file downloaded from the Webex site. Just leave the first column empty, as that indicates that a new user is created (no Webex side ID yet).

If I disable AAC, what is the purpose of ADFS?

Regards

Leonardo Santana


To ensure that your users can log in by their AD username/PW.

But if you want to have no restriction on the Webex side (saying anyone authenticated by ADFS shall be auto-provisioned on the site) but do want to have a login restriction, then apply the restriction on the ADFS side, in the Claim Rules. That's it.

There is no way to restrict login if you have no restriction on ADFS, nor on Webex. If you are asking if there is a way to make a user unable to log in by SSO to an AAC-enabled site, then you may create the restricted users in a disabled state or disable them after AAC provisioning. A disabled user will not be able to log in, not even by SSO, not even with AAC. Sounds very weird, but if this is what you need, it will work and prevent those users from logging in.
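
The ADFS-side restriction described in this thread (one Relying Party per Webex site, each limited to one AD group) can be sketched as follows. This is an added example, not part of the original posts or Cisco's documentation. The relying party trust names and AD group names are assumptions, and it assumes the trusts are controlled by issuance authorization claim rules rather than an access control policy template.

```powershell
# Added example: the relying party trust names and AD group names are assumptions.
Import-Module ActiveDirectory
Import-Module ADFS   # on AD FS 2.0 use: Add-PSSnapin Microsoft.Adfs.PowerShell

# One relying party trust per Webex site, mapped to the AD group allowed to use it.
$siteAccess = @{
    'Webex Site A' = 'Webex-SiteA-Users'   # hypothetical trust name / group name
    'Webex Site B' = 'Webex-SiteB-Users'   # hypothetical trust name / group name
}

foreach ($rpName in $siteAccess.Keys) {
    $groupName = $siteAccess[$rpName]
    $groupSid  = (Get-ADGroup -Identity $groupName).SID.Value

    # Issuance authorization rule: issue the "permit" claim only when the user's
    # claims include this group's SID. Because this replaces the whole rule set,
    # no "permit everyone" rule remains and all other users are denied a token.
    $rule = @"
@RuleName = "Permit members of $groupName only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

    Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rule

    # Read the rule back to confirm what is now enforced for this site.
    (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
}
```

With Auto Account Creation enabled on both sites, a user who is only in the site A group is never issued a SAML token for site B, so no account is provisioned there.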