CWMS 2.5 SSO ( internal and internet)

ahmed_mohammedy
Level 1

Hi ,

I have installed CWMS 2.5 with WebEx IRP in the DMZ. My customer wants to enable SSO for hosts connecting from the internal network to the Private VIP and disable SSO for hosts connecting from the internet to the Public VIP,

because they do not have access to the SSO IDP from the internet. The customer wants hosts to be able to connect from the internet using their email and password, while still keeping SSO enabled for hosts connecting internally.

Is this request possible with CWMS 2.5?

best regards,

Ahmed Mohammedy

7 Replies

dpetrovi
Cisco Employee

Hi Ahmed,

Unfortunately, this is not possible using SSO. With SSO you are using an external identity provider, and you need to have access to this provider. If your IDP is not accessible from the internet, authentication won't be possible for external users.

Based on the limitations, SSO isn't the right approach for your environment. You may want to consider Directory Integration via CUCM/AXL/LDAP, but in that case your CUCM server must be integrated with LDAP.

Finally, the most basic option is the use of local user profiles, but users will have to create a password on CWMS directly and manage their accounts on CWMS in addition to the accounts on LDAP.

Kind regards,

-Dejan

Hi Dejan,

Thanks for the answer.

The current setup is that CUCM is integrated with LDAP but uses SSO for authentication.

If I enable the Directory Integration via CUCM/AXL/LDAP option:

1. Will CWMS import all users in CUCM? If yes, how can I assign only a few users a host account on CWMS?

2. What will be the behavior when authenticating host users and guest users imported into CWMS?

Best regards,

Ahmed Mohammedy

Hi Ahmed,

You have the option to create CUCM groups and filters, and then you can import just the specific users in the group (Documentation for Directory Integration). You need to prepare that before you enable Directory Integration to avoid importing all the users from CUCM to CWMS. As you know, you can't delete user profiles from CWMS; you can only make them INACTIVE.

If you don't feel like creating CUCM groups, you could import all the profiles and then deactivate them. You can deactivate them in bulk by importing a CSV file (Useful documentation).

The behavior when you have Directory Integration enabled via CUCM/AXL/LDAP is the following:

1. User profiles are imported to CWMS.

2. Passwords are not imported to CWMS and are preserved on LDAP side.

3. When a user goes to WebEx Site URL and enters the e-mail address associated to an active profile on CWMS, the user will be required to enter the password (all this is done on CWMS WebEx Site interface; there is no redirection to CUCM/LDAP). 

4. Once the user enters the password, CWMS sends user ID and password to CUCM via AXL for validation.

5. After CUCM/LDAP validates the user ID and password, it responds to CWMS with authentication successful (or failed if the password is wrong, and similar), and CWMS grants access.

I hope this clarifies the behavior. Do let me know of any additional questions.

-Dejan

Hi Dejan,

In steps 4 and 5: if I have disabled LDAP authentication on CUCM and enabled SSO authentication, I suppose that CUCM will redirect "the CWMS AXL validation request" to the IDP? Is that right?

What about guest users? When a guest user joins a WebEx meeting, he will enter his email.

Will CWMS recognize that this is the email of a deactivated user and not allow him to join the meeting?

Thanks and best regards,

Ahmed

Hi Ahmed,

I am not sure how CUCM integrates with LDAP using SSO. I'm not familiar with that setup, so I can't really tell you how that would work or what the expected behavior would be. We don't have that listed as part of a supported setup for Directory Integration.

As for guest users, they are not asked to authenticate. Any user that enters an e-mail address that is not associated with an ACTIVE user profile on CWMS won't be asked to authenticate and will be placed into the meeting as a guest.

In CWMS 2.5, deactivated users can join meetings as guests using the same e-mail address associated with their profile. Only ACTIVE user profiles are required to authenticate.

-Dejan

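The site login flow Dejan describes in this thread (steps 1 to 5, plus the rule that any e-mail without an ACTIVE profile is admitted as a guest), modelled as an added example that is not Cisco's code or any poster's code. The profile table, the AXL stub and the audit helper are constructed assumptions; the helper lists guest joins whose e-mail matches a deactivated profile, which is the case CWMS 2.5 admits without authentication.

```python
from typing import Dict, List, Optional, Tuple

# Constructed CWMS profile directory: one active host and one deactivated host
# (CWMS profiles can only be set INACTIVE, never deleted).
PROFILES: Dict[str, bool] = {
    "alice@example.com": True,
    "bob@example.com": False,
}

# Stub standing in for the CUCM/AXL credential check (steps 4 and 5). Passwords
# are never stored on CWMS; it only forwards user ID and password and gets a verdict.
AXL_ACCEPTS: Dict[str, str] = {"alice@example.com": "correct-horse"}  # constructed


def axl_validate(user_id: str, password: str) -> bool:
    """Hypothetical stand-in for the AXL validation round trip to CUCM/LDAP."""
    return AXL_ACCEPTS.get(user_id) == password


def join_decision(email: str, password: Optional[str] = None) -> str:
    """Model of the CWMS 2.5 site login with Directory Integration enabled.

    Returns 'guest' (admitted without authentication), 'password_required',
    'host' (validated via AXL) or 'denied'.
    """
    if not PROFILES.get(email, False):
        # Unknown or deactivated e-mail: CWMS never prompts for a password and
        # admits the user as a guest, even if the e-mail belonged to a former host.
        return "guest"
    if password is None:
        return "password_required"   # step 3: prompt on the CWMS site, no redirect
    return "host" if axl_validate(email, password) else "denied"


def deactivated_guest_joins(joins: List[Tuple[str, str]]) -> List[str]:
    """Audit helper: e-mails of guest joins that match a deactivated profile."""
    return [email for email, role in joins
            if role == "guest" and email in PROFILES and not PROFILES[email]]
```
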
Hi Dejan,

Sorry for coming back with another question.

Is there any way to integrate CWMS directly with LDAP without having CUCM in the middle, because CUCM in my case will use SSO?

I want to have CWMS send authentication requests directly to LDAP, is it possible?

best regards,

Ahmed

Hi Ahmed,

CWMS has three different types of user management/authentication:

1. Local user profiles - profiles created manually/locally on CWMS and passwords created/stored on CWMS.

2. Directory Integration (via CUCM/AXL to LDAP) - user profiles are imported from CUCM which is or isn't integrated with LDAP. User passwords are stored on CUCM/LDAP and are managed on that end.

3. Single Sign-On (SAML 2.0) - CWMS uses a SAML provider to authenticate users against their LDAP accounts on the LDAP server. For this type of authentication, if you have Public Access, you have to ensure that profiled users have access to the SAML provider server (either the SAML provider server is accessible from the internet, or users have VPN to the internal network).

Unfortunately, there is no possible way to connect CWMS directly to LDAP.

Kind regards,

-Dejan