10-02-2013 07:35 PM - edited 03-17-2019 03:36 PM
Hello. I'm currently trying to set up SSO for WebEx and used the documentation provided by Kingsley Lewis. I do get to the point of receiving a login prompt for a user ID and password, but it doesn't seem to authenticate. I'm not sure what I'm missing with this and it's making me crazy!! Does anyone have any possible thoughts? Any help would be greatly appreciated!!
10-03-2013 01:03 PM
Raymond,
Sorry to hear you are having trouble with your WebEx SSO. I recommend you also post this to Webex Support at https://support.webex.com/MyAccountWeb/supporthome.do for more feedback and information. Technical experts are available 24/7 for assistance.
Thank you for participating in the community.
Kelli Glass
Moderator for the Cisco Collaboration Community
10-05-2013 03:38 PM
What SSO provider are you using?
10-05-2013 03:40 PM
I'm currently using ADFS 2.0 for the setup.
10-06-2013 09:37 AM
Now I get "User authentication failed,
Reason: Invalid Response message (29)"
Thoughts???
10-07-2013 09:40 AM
Raymond,
We also use ADFS 2.0 - perhaps you would want to PM me screenshots of your WebEx SSO config and ADFS config and I can take a look? Is your WebEx org set up for auto-account creation via SSO, and also is this just WebEx Meetings or WebEx Connect as well?
10-07-2013 09:52 AM
Hi James!
Thanks for reaching out. Here are some screenshots to hopefully help a bit. If you need others please let me know. To answer your questions, I haven't gone as far as doing the auto-account creation yet or for WebEx Connect/Jabber. Just focusing on the Meeting Center right now.
Ray
06-28-2016 06:22 PM
Hi. If you enable SSO for WebEx Meeting Center, how does that affect the Meetings integration within Jabber? Can you still enter the credentials in that tab, per normal, or does SSO on Meeting Center REQUIRE that the IM cloud (Messenger) also be configured for SSO?
Did you have any significant issues with your implementation? Thank you.
10-07-2013 09:52 AM
Also to add, you'll notice I'm trying to do SSO for Yammer as well. Having a similar issue with authentication.
10-08-2013 12:48 PM
Hi James,
Did you have a chance to take a look at these images? Please let me know.
Thanks.
10-09-2013 02:14 PM
Before trying anything else - make sure you can actually authenticate to the ADFS service. Visit the following URL (adjusted for your domain) and enter your AD creds. If this URL isn't there, then your customer SSO service login URL isn't working or is in a different location than you have configured in the WebEx SSO config. Also, make sure this URL is externally accessible so WebEx can reach it.
https://fullyqualified.servername/adfs/ls/IdpInitiatedSignon.aspx
You should get a page like this:
If you choose "Sign Into this Site" you will be authenticated to ADFS (may automatically happen depending on your browser settings and authentication modes enabled in ADFS, such as NTLM vs Digest for Firefox support, and your security zones in IE etc.)
Assuming that you are presented with the option here, this should work. This is also a good place to use for debugging, as it verifies whether ADFS is authenticating you, and where claims are failing. If you install Fiddler on ADFS (or Wireshark) you can track as you send SAML requests initiated by this page while logged in. Clicking "go" to log in to your WebEx environment should get you right there once it's working. Since you mentioned other services also aren't working, I'm wondering if you have a more core issue in ADFS going on.
But if you can authenticate to ADFS, it's just a discrepancy in claims rules, so try the following.
On the WebEx Side:
The default webex target page URL can be blank. Your current webex.sitename.com format probably doesn't work, as it should be sitename.webex.com
I notice your WebEx SAML Issuer ID is still the default - we use Connect so have changed it to http://sitename.webex.com - make sure this issuer ID matches your settings in ADFS.
I know Kingsley recommends not setting a userid format, but we couldn't get around it.
On the ADFS Side:
1.) Your LDAP attribute mapping to WebEx Name ID is sAMAccountName. You have user account creation off, so you have to have an account in WebEx matching the username of your sAMAccount name. Do you already have that?
I see no other claims being passed - that may be fine for just basic auth, but if you want account creation & update, you'll need to continue with Kingsley's guide.
If all of that looks good and you're still getting issues, I'd start to look at the certificate exchange, but since you're having issues with other services through ADFS as well, I'd then guess it's somewhere in ADFS's claims provider trusts, or the Issuance Authorization rules on a specific relying party trust. If the latter, you should be able to log in to ADFS's web page, but not get into any services (although that could also be claims or cert exchange issues).
The ADFS debugging logs in Windows are actually also pretty powerful as well, so if you're getting authentication failures right to ADFS, I'd start there.
Hopefully that gets you going in the right direction!
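The issuer ID and Name ID checks described in the post above can be run against a SAMLResponse form value copied out of a Fiddler capture. This is an added example, not part of the original post or Cisco/Microsoft code; the function names, the account name `rsmith`, the placeholder issuer `http://default-issuer.example` and the case-sensitive username comparison are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def check_saml_response(b64_response, expected_audience, known_usernames):
    """Return a list of findings for a base64-encoded SAMLResponse form value."""
    xml_text = base64.b64decode(b64_response).decode("utf-8")
    if "<!DOCTYPE" in xml_text:
        return ["response contains a DOCTYPE; refusing to parse"]
    root = ET.fromstring(xml_text)
    findings = []
    status = root.find("p:Status/p:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        value = status.get("Value") if status is not None else "missing"
        findings.append(f"status is not Success: {value}")
    # The relying party identifier in ADFS is what ADFS emits as the Audience.
    audiences = [e.text.strip() for e in root.iterfind(".//a:Audience", NS) if e.text]
    if expected_audience not in audiences:
        findings.append(f"audience {audiences} does not include {expected_audience}")
    # With account creation off, the Name ID must match an existing username.
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("assertion carries no NameID claim")
    elif name_id.text.strip() not in known_usernames:
        findings.append(f"NameID {name_id.text.strip()!r} has no matching account")
    return findings


def build_sample(audience, name_id):
    """Constructed, unsigned sample response (not captured from a real site)."""
    xml_text = f"""<samlp:Response xmlns:samlp="{NS['p']}" xmlns:saml="{NS['a']}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    resp = build_sample("http://default-issuer.example", "rsmith")
    for finding in check_saml_response(resp, "http://sitename.webex.com", {"rsmith"}):
        print(finding)
```

This only reads fields for troubleshooting; it does not verify the signature, so it says nothing about whether a response is trustworthy.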
10-09-2013 05:49 PM
Hi James,
Thanks for this great post! For starters though let me explain what's happening right off the bat. I do get to that web page and choose "Sign in to this site" and get prompted for credentials but they don't take. Just keep prompting over and over again, which is the same result on WebEx. Clearly it seems it's not authenticating internally to ADFS itself. Would you have any ideas why this would occur? It sounds like I should be able to authenticate to myself (ADFS) with no problem correct?
Thanks!
10-11-2013 06:50 AM
Hi Everyone,
I've made some solid progress here and have gotten SSO working, but it seems to only work for Firefox and does NOT work in IE or Chrome. Any ideas on that?
Thanks!
10-11-2013 06:54 AM
Raymond,
You'll want to look at the authentication types in ADFS. This is all outside of the scope of UC, and would definitely be on the AD side, so you'll find more help on Microsoft's websites.
Are these logon attempts coming from the proxy or internal? The article above clarifies much of that, and you'll also want to verify your browser security settings. Regardless, you should at least be prompted for credentials in any browser if IWA/NTLM fails if the environment is built to Microsoft's best practices, so you may want to go back through their implementation guides.
Glad to hear you were able to narrow it down to ADFS and make some solid progress - I know this integration can be daunting for us UC folks!
10-11-2013 07:30 AM
Hi James,
These prompts do come internally on the browsers. I do get prompted in both Chrome and IE for credentials (like I do in Firefox) but they don't authenticate through. It seems to get stuck in a loop and keeps prompting over and over again.
Thanks,
Ray