10-19-2015 05:53 AM - edited 03-17-2019 05:36 PM
Hello,
We have two webex sites A and B, and one cluster of two federation servers using ADFS.
Is it possible to sync the users like this:
User A can log in at site A but cannot log in at site B
User B can log in at site B but cannot log in at site A
Another thing: on ADFS, is it possible to have two URLs of the WebEx site?
Regards
Leonardo Santana
10-19-2015 12:27 PM
Leonardo,
I found some information online that may help answer your questions:
Single Sign-on Configuration | Cisco WebEx Help Central
https://communities.cisco.com/servlet/JiveServlet/previewBody/38292-102-1-70817/WebEx_SSO_ADFS%20_2
I recommend you also post this to the Cisco Support Community for additional feedback and information:
Thank you for participating in the community.
Kelli Glass
Moderator for Cisco Customer Communities
10-20-2015 05:43 AM
Hello Kelli,
I have these docs and none of them answers my question.
I will post this at CSC.
Thanks.
Leonardo Santana
10-20-2015 06:05 AM
Leonardo,
If Auto Account Creation is not enabled on your site, then you can log in by SSO only if you have a valid account on the site. If user A has an account on site A but does not have an account on site B then he will be able to log in to site A but not to site B - in lack of an account on site B. S
It is possible to serve two different WebEx sites with one ADFS.
Note, it is recommended to involve Advanced Services when you plan any non-usual SSO setup.
Thanks,
Lajos Demeter
10-20-2015 06:23 AM
Hello Lajos,
But how will we do this?
If the account is auto-created, how does this policy work? And where do we do it? In ADFS or the WebEx Admin Page?
Does Cisco not have documentation for this?
Regards
Leonardo Santana
10-20-2015 06:35 AM
Leonardo,
Cisco WebEx responsibility ends at the Cloud interface it supports; in this case at the SAML protocol interworking, which is well documented on the links referred. The second link contains a step-by-step guide how to use ADFS with WebEx.
To your question: If AAC is enabled on the WebEx site admin pages, you can still apply constraints at the ADFS side, in the Claim Rule settings for that particular site as SP.
Regards,
Lajos
10-20-2015 09:07 AM
So I can do this in ADFS Claim Rules?
Regards
Leonardo Santana
10-20-2015 09:56 AM
Yes, in ADFS you can apply a restriction on which AD user group can access which SP (called Relying Party in ADFS terminology). Each site should be configured as a separate Relying Party.
Regards,
Lajos Demeter
10-20-2015 10:28 AM
Lajos,
I will give an example; I don't know if you understood me.
We have sitea.webex.com and siteb.webex.com
User A can log in at site A but cannot log in at site B
User B can log in at site B but cannot log in at site A
At the WebEx admin page, is there no way to restrict this?
Sorry for asking this so many times
Regards
Thanks for your time
Leonardo Santana
10-20-2015 10:47 AM
Yes, there is a way: do not enable Auto Account Creation on the site, then create user A only on siteA and user B only on siteB. Only those users who already have an account on a particular site will be able to log in to it. Please see #3 above.
10-20-2015 10:49 AM
But we have 1200 users at site A and 600 at site B.
Do we have to create them manually?
Regards
Leonardo Santana
10-20-2015 10:53 AM
You can create users by uploading a csv file, in the same structure as the user export file is downloaded from the Webex site. Just leave the first column empty, as that indicates that a new user is created (no Webex side ID yet).
10-20-2015 10:54 AM
If I disable the AAC, what is the purpose of ADFS?
Regards
Leonardo Santana
10-20-2015 11:06 AM
To ensure that your users can log in by their AD username/PW.
But if you want to have no restriction on the Webex side, (saying anyone authenticated by ADFS shall be auto-provisioned on the site,) but do want to have login restriction, then apply the restriction on the ADFS side, in the Claim Rules. That's it.
There is no way to restrict login if you have no restriction on ADFS, nor on Webex. If you are asking if there is a way to make a user unable to log in by SSO to an AAC enabled site, then you may create the restricted users in disabled state or disable them after AAC provisioning. Disabled user will not be able to log in, not even by SSO, not even with AAC. Sounds very weird, but if this is what you need, it will work and prevent those users from logging in.
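The ADFS-side restriction described in the answers above (each WebEx site as its own Relying Party, limited to one AD user group), as an added example that is not part of the thread or of Cisco's documentation. The Relying Party names and AD group names are hypothetical; the cmdlets are the standard ADFS and ActiveDirectory PowerShell modules.

```powershell
# Added example. Relying Party names and AD group names below are hypothetical.
# Run on the primary AD FS server with the ADFS and ActiveDirectory modules available.
Import-Module ADFS, ActiveDirectory

# One Relying Party Trust per WebEx site, mapped to the only AD group
# that should receive a SAML token for that site.
$siteGroups = @{
    'WebEx Site A' = 'WebEx-SiteA-Users'
    'WebEx Site B' = 'WebEx-SiteB-Users'
}

$groupSidClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$permitClaim   = 'http://schemas.microsoft.com/authorization/claims/permit'

foreach ($rp in $siteGroups.Keys) {
    $groupName = $siteGroups[$rp]
    $sid = (Get-ADGroup -Identity $groupName).SID.Value

    # Issuance authorization rule: issue the "permit" claim only when the
    # authenticated user carries this group's SID. Users without it get
    # no token for this Relying Party, so WebEx never sees a login
    # (and Auto Account Creation is never triggered for them).
    $rule = @"
@RuleName = "Permit only $groupName"
c:[Type == "$groupSidClaim", Value == "$sid"]
 => issue(Type = "$permitClaim", Value = "true");
"@

    # This replaces the trust's whole authorization rule set, including
    # the default "Permit Access to All Users" rule if it is still present.
    Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceAuthorizationRules $rule
}

# Review the result: each trust should list exactly one group-scoped rule.
Get-AdfsRelyingPartyTrust |
    Where-Object { $siteGroups.ContainsKey($_.Name) } |
    Format-List Name, Identifier, IssuanceAuthorizationRules
```

With these rules in place, a user in only the site A group is denied at ADFS when attempting SSO to site B, regardless of whether Auto Account Creation is enabled on the WebEx side.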