Webex Meeting SSO: existing usernames in different formats

Hello,

 

We currently have a Webex Meeting site with local authentication (i.e. no single sign-on). On the site there are existing usernames in two different formats: "John Doe" and "jane.doe@domain.tld".

 

We'd now like to set up single sign-on. I can successfully set up SSO on a test site using MS ADFS 2.0 so that either "John Doe" or "jane.doe@domain.tld" can log in. This is done in ADFS claim rules by mapping either Display-Name or E-Mail-Addresses to Name ID.

 

Is there any way to make this work for both formats of usernames simultaneously? I have tried creating two mappings to the claim rule (both E-Mail-Addresses and Display-Name mapped to Name ID) and two different claim rules, but both seem to break SSO altogether.

 

-Teemu


dpetrovi
Cisco Employee

Hi Teemu,

 

Please review the CWMS Single Sign-On Planning Guide, where all the details about CWMS SSO are documented: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/2_5/Planning_Guide/Planning_Guide/Planning_Guide_chapter_01001.html#reference_9C2B22F088AC419490ABA90B446C1C8D

For NameID mapping, you will see that CWMS requires e-mail address mapping: 

 

  • It is mandatory for the SAML Assertion to carry the email address in the NameID field. Without this step, user authentication and account creation fail because Cisco WebEx Meetings Server does not permit the creation of user accounts without an associated email address.

 

If you by any chance use something else and not an e-mail address, CWMS might let you create the account, but you might most likely experience issues with Productivity Tools authentication and other issues. We've seen this happening in the field and there was a defect submitted that was resolved in 2.5 MR1 that will prevent account creation if NameID isn't an e-mail address: "CSCus04261 SSO allows for NameID to be content besides email address"

I hope this helps.

-Dejan

 

 

It is mandatory for the SAML Assertion to carry the email address in the NameID field.

So if I get this right, I don't really have any other option than changing the "John Doe" usernames to the email format (or letting auto-account-creation create new accounts for them). 

Thank you for the response.
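An added example, not part of the original thread or of Cisco's documentation: a pre-flight check, run over a test assertion captured from the IdP, that the Subject carries exactly one NameID and that its value is shaped like an email address, which is the requirement quoted in the reply above. The sample assertions are constructed and unsigned, the function and helper names are hypothetical, the email regex is a deliberately loose shape check, and signature validation is out of scope.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Loose shape check (local@domain.tld), not full RFC 5322 validation.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_nameid(assertion_xml):
    """Return a list of problems with the Subject NameID; empty list means OK."""
    try:
        # Intended for locally captured test assertions; use a hardened
        # parser such as defusedxml when the XML comes from an untrusted source.
        root = ET.fromstring(assertion_xml)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.findall(".//saml:Subject/saml:EncryptedID", SAML_NS):
        return ["Subject uses EncryptedID; decrypt before checking the NameID"]
    name_ids = root.findall(".//saml:Subject/saml:NameID", SAML_NS)
    if len(name_ids) != 1:
        return [f"expected exactly one Subject NameID, found {len(name_ids)}"]
    value = (name_ids[0].text or "").strip()
    if not EMAIL_RE.match(value):
        return [f"NameID value {value!r} is not an email address"]
    return []


def _sample(name_ids):
    # Constructed, unsigned assertion skeleton for illustration only.
    body = "".join(f"<saml:NameID>{n}</saml:NameID>" for n in name_ids)
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Subject>{body}</saml:Subject></saml:Assertion>"
    )


if __name__ == "__main__":
    cases = {
        "email NameID": _sample(["jane.doe@domain.tld"]),
        "display-name NameID": _sample(["John Doe"]),
        "two NameIDs": _sample(["jane.doe@domain.tld", "Jane Doe"]),
    }
    for label, xml_text in cases.items():
        print(label, "->", check_nameid(xml_text) or "OK")
```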