WebEx SSO with Microsoft AD FS 2.0

Hello All,

We are looking for some guidance to set up AD FS 2.0 with WebEx Online Meetings and WebEx Connect. We have our AD FS 2.0 server set up but seem to be having issues getting the SAML assertion to work correctly. I am hoping that someone has run across this before or someone from Cisco can help, as tech support doesn't support SSO.

So far we have installed AD FS 2.0, ran the setup wizard, exported the cert, uploaded it to WebEx, edited the Federation Service properties name and identifier, and added that info to WebEx. Once that was done we downloaded the XML file from WebEx and imported that into AD FS 2.0. Once there we added the claim rules.

Now we are stuck: WebEx rejects the login with the error Reason: Invalid SAML Assertion (13)

Please see attached screen shots.

Thanks

Chris

There could be a lot of minor configuration settings to check in ADFS to get this working. If you are just doing Windows authentication and a web page form for smart devices, then you only need the following string on the WebEx site.

urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

The rest are other types of authentication and normally are not needed with ADFS.

Follow these docs and the image.

I have updated the ADFS 2.0 document to make it complete, so that you may pass it along to other customers who face the same painful issue as we have had. My edits are in red at the top of page 2. Three simple configurations were key to the configuration working. I found my answers on multiple support forums, and by a process of trial and error with almost every combination a solution was found. Edits also shown below:

Issuer for SAML (IdP ID): http://[YOUR-ADFS-SERVER-EXTERNAL-IP-NAME]/adfs/services/trust

Customer SSO Service Login URL: http://[YOUR-ADFS-SERVER-EXTERNAL-IP-NAME]/adfs/ls

AuthnContextClassRef: (do not use default value) urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:Password

 

Daniel J Pennington 

CCNP + Voice + Security + R&S

www.secrit.com 

+1.512.527.4350
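Added example (not from this thread, Cisco or Microsoft): a small Python check that applies the three values the two posts above say WebEx needs, the Issuer/IdP ID, the semicolon-separated AuthnContextClassRef list and a NameID for the user, to a constructed SAML Response, so you can see which mismatch would lead to an "Invalid SAML Assertion" rejection before touching the live site. The host adfs.example.test and user jdoe are placeholders; signature verification is deliberately out of scope here.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The string WebEx stores for AuthnContextClassRef, as quoted in the posts above.
WEBEX_CLASSREFS = ("urn:federation:authentication:windows;"
                   "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport")

# Constructed, unsigned sample of what AD FS returns for Windows integrated auth.
# adfs.example.test stands in for [YOUR-ADFS-SERVER-EXTERNAL-IP-NAME]; jdoe is made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_webex_classrefs(webex_string):
    """Split WebEx's semicolon-separated AuthnContextClassRef list into a set."""
    return {s.strip() for s in webex_string.split(";") if s.strip()}

def check_assertion(xml_text, expected_issuer, allowed_classrefs):
    """Return the reasons an SP would reject this Response (empty list = accept).
    Only the three values the thread identifies are checked; a real SP must also
    verify the XML signature against the IdP certificate uploaded to it."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in Response"]
    problems = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} does not match IdP ID {expected_issuer!r}")
    ref = assertion.findtext("saml:AuthnStatement/saml:AuthnContext/"
                             "saml:AuthnContextClassRef", default="", namespaces=NS).strip()
    if ref not in allowed_classrefs:
        problems.append(f"AuthnContextClassRef {ref!r} not in the WebEx list")
    if not assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip():
        problems.append("no NameID: WebEx has no user name to match or AutoCreate")
    return problems

if __name__ == "__main__":
    idp_id = "http://adfs.example.test/adfs/services/trust"
    print(check_assertion(SAMPLE_RESPONSE, idp_id, parse_webex_classrefs(WEBEX_CLASSREFS)))
    # Same assertion against a list lacking the Windows class: one problem is reported.
    print(check_assertion(SAMPLE_RESPONSE, idp_id, {"urn:oasis:names:tc:SAML:2.0:ac:classes:Password"}))
```

Dump the actual AD FS Response with a browser SAML tracer and feed it to check_assertion with your own IdP ID and WebEx string to see which of the three values is off.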

Sorry for all the reposts; the web site said it did not post correctly, so I reposted several times.

Hey Pennington,

I gave this another try exactly as you had instructed and I still get the attached error. It seems to redirect properly and shows the server it's trying to contact, but when I try my credentials it just keeps prompting. It definitely seems like it's just not authenticating, but I'm not sure where that issue would lie.

Capture.PNG

@Velocity2089: I know this is a very old post, but I'm in the process of setting up WebEx SSO with ADFS. I'm getting the same authentication error as you had shown above. Can you please point me in the right direction, or do you remember what you had changed in order to successfully log on and authenticate properly? I keep getting username/password prompts. Thanks

-TR

Raymond,

Since this is a conversation between you and another user, I recommend you use the private message feature available through the Community. When you click on the user's name, you will be taken to their profile. You can find "Send private message" in the toolbar on the right side of the page under "Actions."

Thank you for your participation in the Community, and thanks for all the feedback on this thread. Great community spirit!

Kelli Glass

Moderator for the Cisco Collaboration Community

Hi Pennington,

I may be asking an obvious question here, but the reason I haven't asked until now is that there is no mention of this in any documentation I've seen: should there be firewall rules put in place to allow the authentication? I would assume opening those ports for the server ADFS is on. Please let me know.

Thanks.

Yes, I believe all that is necessary is 443/HTTPS to your ADFS server.

 

Daniel J Pennington 

CCNP + Voice + Security + R&S

www.secrit.com 

+1.512.527.4350

Hi Raymond, you will have to use the MS ADFS deployment doc to configure your firewall rule correctly. Cisco/WebEx assumes that you already have the Microsoft product configured correctly on the internal and DMZ proxy servers, so it will not give you any info on the actual ADFS networking configuration. Here is the MS ADFS TechNet: http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx  I also believe the ADFS server requires the LDAP port to be open. Do you have a single-server or dual-server configuration with an ADFS proxy? This option changes how the firewall is configured. There are several ways that ADFS can be set up and deployed. Along with that, this is normally a Cisco Advanced Services or Cisco Partner deployment, and Cisco will not support SSO with ADFS in any way.

Velocity2089

Hi Everyone,

I've made some solid progress here and have gotten SSO working, but it seems to only work in Firefox and does NOT work in IE or Chrome. Any ideas on that?

Thanks!

Velocity2089

Hi Everyone!

I did make some solid progress with SSO and was able to get it working. It took some unique configurations here and there, but I was able to get it going with all browsers. Now I'm working to have a proper certificate in place so that users are prompted with warning pages when trying to log in. In this case I got a DigiCert certificate and have uploaded that to my server.

On the WebEx end, though, does that certificate need to be uploaded to the WebEx site?

Thanks!

I know this thread is super old but I was hoping that some of you can help me out.

I have configured both WebEx and ADFS and I cannot get it to AutoCreate an account. If I manually create an account in WebEx it will authenticate just fine, so I assume the issue is on the ADFS side (claim rules?). Does anyone have the screenshots that were mentioned in the thread around page 1? Or can someone provide some additional assistance? We are using our AD user ID as our user name.

Thanks

RB

In the same boat. Anyone have some screenshots for AutoCreate?

-Thanks