WebEx SSO with Microsoft AD FS 2.0

Hello All,

We are looking for some guidance to set up AD FS 2.0 with WebEx Online meetings and WebEx Connect. We have our AD FS 2.0 server set up but seem to be having issues getting the SAML Assertion to work correctly. I am hoping that someone has run across this before or someone from Cisco can help, as tech support doesn't support SSO.

So far we have installed AD FS 2.0, run the setup wizard, exported the cert, uploaded it to WebEx, and edited the Federation Service properties name and identifier. Added that info to WebEx. Once that was done we downloaded the XML file from WebEx and imported that info into AD FS 2.0. Once there we added the claim rules.

Now we are stuck; WebEx rejects the login with the error Reason: Invalid SAML Assertion (13)

Please see attached screen shots.

Thanks

Chris

In order for Jabber for Windows to work inside your network you need Windows authentication, and for it to work on the outside you need page form authentication; you can add two or more authentication options together in the WebEx SSO configuration.  It is easier to get the WebEx Web working first because you have a web page you can test from.  Once you get this working, then you can duplicate the settings to the Connect Admin SSO config.  All the switches for Jabber for Windows are in the install guide.  If you want smart devices to work with SSO, you must use page form authentication; they do not support Windows authentication.  I have also seen plenty of Jabber client issues if the client was installed and used without SSO and then SSO was turned on.  There are hidden registry and system files that have to be removed when the uninstall is done.  Most of the issues are desktop client related.

Roy,

Check this article and verify that integrated is the second choice in the web.config. I think it should fix your problem.

http://social.technet.microsoft.com/wiki/contents/articles/1600.aspx

Olivier,

I checked it and it was actually the first in line, followed by the Forms. I changed it just to see, but it changed it to the Forms based and it made me actually have to include the domain name as well, so I changed it back.

I have noticed for WebEx that you need to make sure Integrated Authentication has to be on in IE for that to work, but since this is the stand alone client, I am not sure what else to check.

I appreciate the suggestion...I would have never thought to check that!

Any other thoughts?

Thanks!

Roy

Why oh why are the images missing? It makes this useful post, a useless one.

Are you able to provide those screenshots from ADFS? I am using it with ADFS 3.0 but my guess is it's the same.

I didn't need the screenshots in the end because the link I supplied in the previous post helped me through it. Check it out

twyant
Level 1

Hi Christopher,

Would it be possible to throw your screenshots somewhere they can be downloaded?  They aren't coming up for me and I'd LOVE to get this working over the long weekend!

Thanks!

Tom

Here are the images in a zip file

www.infiniteit.ca/files/ADFS.zip

Thanks!

Tom

xpriceja1
Level 1

Sorry to resurrect an older thread, but I'm curious if any of you were able to get this working using an ADFS 2.0 Proxy server. It works great while on the internal LAN, but externally, when going through the proxy server, I'm still getting the invalid SAML assertion error from WebEx. My understanding is that the proxy server simply forwards and does not modify the claim, but I'm wondering if I might have to set up an additional claim rule for the proxy server.

I have this working with ADFS 2.0.  My ADFS install is a single server with 80/443 open to the internet and a self-signed certificate used to communicate with WebEx.  I called WebEx about this a while back and it started working.  I don't honestly remember if I had to change anything on my end, I had it all set up based on this thread and the pictures from above.  Once I threw our ADFS server name into a GP for local intranet sites we could log in without issue from inside and outside the network. 

Tom

I am unable to pull up the screen shots. The ones I can see look similar to what I have been using, but I cannot see all of them.

Does anyone have the screen shots they can share?

Thanks!

Ethan Haberman
Level 1

I have a similar setup. I have tried following both the ADFS 2.0 WebEx guide and the directions provided on this thread without any luck. I am receiving a "SSO protocol error.  (1)" when trying to log in to the Web test as indicated in the doc.

https://loginp.webexconnect.com/cas/sso/{ORG}/webim.app (replacing my org domain in {ORG})

Anyone have any ideas?

Make sure you set up your claim rules and map "SAM-Account-Name" to "Name ID"
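
An added example, not part of the original thread or of any Cisco or Microsoft tooling: a Python check of whether a SAMLResponse issued by the IdP actually carries a Name ID, which is what the claim-rule mapping in the reply above controls. The sample response, the host names and the `inspect_saml_response` / `make_sample` names are constructed for illustration, and the signature is only looked for, not verified.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_saml_response(b64_response):
    """Decode a base64 SAMLResponse (HTTP-POST binding) and list basic gaps.

    Structural checks only: the signature is looked for, not verified.
    Feed it output from your own IdP; ElementTree is not hardened for hostile XML.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    report = {"name_id": None, "name_id_format": None, "issuer": None,
              "audiences": [], "problems": []}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # absent, or encrypted (saml:EncryptedAssertion)
        report["problems"].append("no_plain_assertion")
        return report
    report["issuer"] = assertion.findtext("saml:Issuer", namespaces=NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        report["name_id"] = name_id.text.strip()
        report["name_id_format"] = name_id.get("Format")
    else:  # check the claim rule that maps SAM-Account-Name to Name ID
        report["problems"].append("missing_name_id")
    report["audiences"] = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if not report["audiences"]:
        report["problems"].append("no_audience")
    if assertion.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        report["problems"].append("unsigned")
    return report

def make_sample(include_name_id):
    """Constructed, unsigned SAMLResponse for the demo (not captured from AD FS)."""
    subject = ('<saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:'
               'nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>'
               if include_name_id else '<saml:Subject/>')
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           '<saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>'
           + subject +
           '<saml:Conditions><saml:AudienceRestriction>'
           '<saml:Audience>https://sp.example.test</saml:Audience>'
           '</saml:AudienceRestriction></saml:Conditions>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for flag in (True, False):
        print(inspect_saml_response(make_sample(flag)))
```

The input is the `SAMLResponse` form field the browser posts to the service provider, which can be copied from the browser's network inspector during a test login.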

Hi Christopher.

We are trying to get this same scenario working here but we're failing to get the authentication using the WebexConnect/Jabber client working.

We are trying to get the Connect feature working first and then extend this to the Meeting Center.

I've followed the ADFS 2.0 Guide provided by Kingsley Lewis, and checked your configuration, but can't get this working.

Could you please send me how you get this configured in your ADFS, in Webex Connect/Site and your clients?

Any help will be appreciated!

Thanks!

Daniel
