WebEx SSO with Microsoft AD FS 2.0

Hello All,

We are looking for some guidance to set up AD FS 2.0 with WebEx Online Meetings and WebEx Connect. We have our AD FS 2.0 server set up but seem to be having issues getting the SAML assertion to work correctly. I am hoping that someone has run across this before or someone from Cisco can help, as tech support doesn't support SSO.

So far we have installed AD FS 2.0, run the setup wizard, exported the cert, uploaded it to WebEx, and edited the Federation Service properties name and identifier. We added that info to WebEx. Once that was done we downloaded the XML file from WebEx and imported that info into AD FS 2.0. Once there we added the claim rules.

Now we are stuck: WebEx rejects the login with the error "Reason: Invalid SAML Assertion (13)".

Please see attached screen shots.

Thanks

Chris


Configure WebEx Center/Connect

  1. Import the Site Certificate in the Site Admin tool (or the org certificate in the Org Admin tool) using the adfsaccount_ts.cer generated from “Preconfiguration Tasks” and make it the current “Active” one.
  2. In the Federated Web SSO Configuration page:
    • Choose “SAML 2.0” Protocol
    • Choose SP Initiated and disable AuthnRequest Signed
    • Set Issuer for SAML (IdP ID) to “adfs_idp”
      1. This should actually be: http://[YOUR-ADFS-SERVER-EXTERNAL-IP-NAME]/adfs/services/trust
    • Set WebEx SAML Issuer (SP ID) to “http://www.webex.com”
    • Set Customer SSO Service Login URL to https://<Windows 2008 R2 IIS server>/affwebservices/public/saml2authnrequest?ProviderID=adfs_idp
      1. This should actually be: http://[YOUR-ADFS-SERVER-EXTERNAL-IP-NAME]/adfs/ls
    • Click the Export button (“You can export a SAML metadata WebEx SP configuration file”) and save it to your local drive with the filename “webex_SP_saml2_metadata.xml”
    • Change the default “AuthnContextClassRef” to:
      1. urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:Password
      2. ALTERNATIVELY… allow all of the class references if getting the SAML (13) error:
        1. urn:oasis:names:tc:SAML:2.0:ac:classes:Password;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport;urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient;urn:oasis:names:tc:SAML:2.0:ac:classes:X509;urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
    • Click Save

Hi d.pennington,

Thanks for your reply.

We've double-checked our configuration using your pointers, but we are still not able to log in using the Jabber client.

We are only able to use the domain credentials when we are inside the corporate network and logging on to the WebIM.

Could you please answer these questions?

Do we need to open specific ports on firewall to send the authentication request outside?

Do we need to open other ports in addition to 80/443 to receive the authentication requests and redirect them to the federation server?

Do we need to enter a custom login URL on Jabber client when using Cisco Webex for login?

Thanks in advance.

Rgds,

Daniel

Please review this thread and let me know if it helps you.

http://social.msdn.microsoft.com/Forums/en-US/Geneva/thread/cfb5807d-91e3-4d78-867b-7bb9b3f1de47/#3729d1c0-1a1f-4df5-8f30-1197d555b696

Jason

When you log in to Cisco WebEx it actually redirects you to your internal ADFS server.

So for example, if you go to http://company.webex.com, when you log in it will redirect you to your http://[external-facing-adfs]/adfs/ls... or something like that.

With this being said, YES, your ADFS server must be accessible from the internet.

Your ADFS server must have a NAT statement giving it an outside IP and also allow traffic from the outside in.

I believe it is only TCP 443 (HTTPS) that is required to be allowed from the internet to your ADFS server.

Thanks d.pennington and xpriceja1,

I've found what I was missing.

In ALL the documentation that Cisco and WebEx provided, we don't have any information about the Jabber client.

So we did not install the client using the CLI and inserting those DOMAIN parameters. This was the only thing that we did not test, since the documentation only mentioned that the WebEx Connect client appears to require that configuration.

After reinstalling the Jabber client using the CLI it started to ask for the SSO credentials...

Here is the CLI that we've used:

msiexec.exe /i CiscoJabberSetup.msi TYPE=WEBEX SSO_ORG_DOMAIN=<my domain>

Now we are trying to make the integration with Meeting Center work using the SSO feature also.

Did you have any problem with this? Is it the same config as WebEx Connect?

We'll try to get this working using almost the same configs and let you know the results.

If you have additional information, please let me know.

Thanks for your help!

Rgds,

Daniel

Jess Probasco

Does anyone have any information, or was anyone able to get auto account update working for WebEx Connect? We were able to get the auto account creation working with the added fields like Title, Company and Phone Number using this documentation. However, we are not able to get the auto account update function working.

Thanks,

Jess

Jess,

If you are still having trouble with your auto account update, then I recommend you post this and future technical support questions to the Cisco Support Community (https://supportforums.cisco.com/index.jspa) where our Cisco technical support experts provide assistance. Another option is to open a ticket with the Cisco Technical Assistance Center (www.cisco.com/go/support) to get expert debugging assistance.

We hope to hear from you again.

Kelli Glass, Moderator for the Cisco Collaboration Community

Velocity2089

Hi Everyone,

This seems to be one of the only threads I can find in regards to WebEx SSO and ADFS 2.0. I'm trying to implement this myself and I seem to be unable to authenticate any accounts for the WebEx. It prompts for a username and password but fails to authenticate. Can anyone possibly point me in the right direction on this and where I can look? Any help would be greatly appreciated!

Thanks.

Hi Raymond,

I've got both WebEx Connect and WebEx working via ADFS. Let me get through the CME install I'm doing tomorrow and I'll screenshot everything for you.

Tom

Hey Tom,

That would be awesome! Please keep me posted as I'd greatly appreciate that.

Thanks!

urn:oasis:names:tc:SAML:2.0:ac:classes:Password;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport;urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient;urn:oasis:names:tc:SAML:2.0:ac:classes:X509;urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

Daniel J Pennington 

CCNP + Voice + Security + R&S

www.secrit.com 

+1.512.527.4350

I wrote a doc on how to do this and gave it to Cisco and Cisco TAC.

See my screenshot above.

urn:oasis:names:tc:SAML:2.0:ac:classes:Password;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport;urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient;urn:oasis:names:tc:SAML:2.0:ac:classes:X509;urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

Hi Pennington,

I tried adding that string of characters but still saw the same result. Would you be able to provide some screenshots of your claim rules? I'm wondering if that could possibly be the issue.

Thanks.

There could be a lot of minor configuration settings to check in ADFS to get this working. If you are just doing Windows authentication and a web page form for smart devices, then you only need the following string on the WebEx site.

urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

The rest are other types of authentication and normally are not needed with ADFS. What fields are you using in the ADFS claim rules? For basic authentication you need one rule (NameID); you will need NameID mapping to either the sAMAccountName or the email address. You can map to other fields, but this is the norm. The account has to be in WebEx already for basic authentication, and it must match the NameID field to either the email address or the sAMAccountName login info. The AutoAccountCreate functions are a different claim rule, but not required for basic authentication.

Did you import your ADFS token cert to the WebEx site? Did you import the WebEx XML file in the ADFS Relying Party Trust? Also DNS has to be done correctly from inside and outside the network for the redirect to happen correctly.
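The checks the thread keeps coming back to (Issuer for SAML / IdP ID, WebEx SAML Issuer / SP ID, the semicolon-separated AuthnContextClassRef list from the Federated Web SSO page, and a NameID supplied by the claim rule) can be run against a captured assertion before blaming the site configuration. The script below is an added example written for this thread, not Cisco/WebEx or Microsoft code; the AD FS hostname, the sample assertion and the user in it are constructed placeholders, and it deliberately leaves XML signature validation out (the real SP also verifies the signature against the uploaded token-signing certificate).

```python
"""Pre-flight check of a SAML 2.0 Response against WebEx Federated Web SSO settings.

Added example, not Cisco/WebEx or Microsoft code. It compares what the IdP put
in the assertion with the values configured in Site/Org Admin (Issuer for SAML /
IdP ID, WebEx SAML Issuer / SP ID, the semicolon-separated AuthnContextClassRef
list) and checks that a NameID is present, which is what the claim rule must
supply. XML signature verification is out of scope: the real SP also validates
the signature against the uploaded token-signing certificate.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Class-reference strings quoted in the thread: the minimal one for Windows
# authentication plus the forms page, and the "allow all" one.
MINIMAL_CLASS_REFS = (
    "urn:federation:authentication:windows;"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)
ALL_CLASS_REFS = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password;"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport;"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient;"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509;"
    "urn:federation:authentication:windows;"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
)

# Values as entered on the WebEx side. The AD FS hostname is a placeholder.
WEBEX_CONFIG = {
    "idp_id": "http://adfs.example.com/adfs/services/trust",  # placeholder host
    "sp_id": "http://www.webex.com",
    "class_refs": MINIMAL_CLASS_REFS,
}


def parse_response(xml_text):
    """Extract the assertion fields WebEx compares with its configuration."""
    root = ET.fromstring(xml_text)
    fields = {"issuer": None, "name_id": None, "audience": None, "class_ref": None}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return fields
    fields["issuer"] = assertion.findtext("saml:Issuer", namespaces=NS)
    fields["name_id"] = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    fields["audience"] = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    fields["class_ref"] = assertion.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)
    return fields


def check_assertion(fields, config):
    """Return a list of mismatches; an empty list means the assertion fits the config."""
    allowed = {c.strip() for c in config["class_refs"].split(";") if c.strip()}
    problems = []
    if fields["issuer"] != config["idp_id"]:
        problems.append(f"Issuer {fields['issuer']!r} does not match IdP ID {config['idp_id']!r}")
    if not fields["name_id"]:
        problems.append("no NameID in Subject: add a claim rule issuing sAMAccountName or mail as NameID")
    if fields["audience"] != config["sp_id"]:
        problems.append(f"Audience {fields['audience']!r} does not match SP ID {config['sp_id']!r}")
    if fields["class_ref"] not in allowed:
        problems.append(f"AuthnContextClassRef {fields['class_ref']!r} not in the configured list")
    return problems


# Constructed sample response (unsigned, placeholder values only).
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>http://www.webex.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# Same response with the wizard default "adfs_idp" left as Issuer and a
# Password class reference that the minimal list does not allow.
BAD_RESPONSE = (GOOD_RESPONSE
    .replace("http://adfs.example.com/adfs/services/trust", "adfs_idp")
    .replace("urn:federation:authentication:windows",
             "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"))

if __name__ == "__main__":
    for label, xml in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_assertion(parse_response(xml), WEBEX_CONFIG) or "OK")
```

Feed it the decoded SAMLResponse from a browser capture of the AD FS POST to WebEx and compare the findings with the Site Admin page; the "allow all" list in the thread makes the class-reference check pass for any of the listed AD FS authentication types, which is why it is offered as the fallback for the (13) error, but an Issuer or Audience mismatch still has to be fixed on the side that is wrong.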