04-29-2011 08:42 AM - edited 03-17-2019 02:09 PM
WebEx SSO with Microsoft AD FS 2.0
Hello All,
We are looking for some guidance to set up AD FS 2.0 with WebEx Online meetings and WebEx Connect. We have our AD FS 2.0 Server set up but seem to be having issues getting the SAML Assertion to work correctly. I am hoping that someone has run across this before or someone from Cisco can help as tech support doesn’t support SSO.
So far we have installed AD FS 2.0, ran the setup wizard, exported the cert, uploaded it to WebEx, edited the federation Service properties name and identifier. Added that info to WebEx. Once that was done we downloaded the xml file from WebEx and imported that info into AD FS 2.0. Once there we added the Claim rules.
Now we are stuck, WebEx rejects the login with the error Reason: Invalid SAML Assertion (13)
Please see attached screen shots.
Thanks
Chris
08-29-2012 04:31 PM
In order for Jabber for Windows to work inside your network you need the Windows authentication, and for it to work on the outside, you need page form authentication; you can add two or more authentication options together in the WebEx SSO configuration. It is easier to get the WebEx Web working first because you have a web page you can test from. Once you get this working, then you can duplicate the settings to the Connect Admin SSO config. All the switches for Jabber for Windows are in the install guide. If you want smart devices to work with SSO, you must use page form authentication; they do not support Windows authentication. I have also seen plenty of Jabber client issues if the client was installed and used without SSO then SSO was turned on. There are hidden registry and system files that have to be removed when the uninstall is done. Most of the issues are desktop client related.
08-30-2012 03:47 AM
Roy,
Check this article and verify that integrated is the second choice in the web.config. I think it should fix your problem.
http://social.technet.microsoft.com/wiki/contents/articles/1600.aspx
08-30-2012 06:10 AM
Olivier,
I checked it and it was actually the first in line, followed by the Forms. I changed it just to see, but it changed it to the Forms based and it made me actually have to include the domain name as well, so I changed it back.
I have noticed for WebEx that you need to make sure Integrated Authentication has to be on in IE for that to work, but since this is the stand alone client, I am not sure what else to check.
I appreciate the suggestion...I would have never thought to check that!
Any other thoughts?
Thanks!
Roy
11-19-2015 09:14 PM
Why oh why are the images missing? It makes this useful post, a useless one.
07-14-2016 07:52 AM
Are you able to provide those screenshots from ADFS? I am using it with ADFS 3.0 but my guess is it's the same.
07-28-2016 10:52 PM
I didn't need the screenshots in the end because the link I supplied in the previous post helped me through it. Check it out.
11-23-2011 01:46 PM
Hi Christopher,
Would it be possible to throw your screenshots somewhere they can be downloaded? They aren't coming up for me and I'd LOVE to get this working over the long weekend!
Thanks!
Tom
11-23-2011 02:05 PM
Here are the images in a zip file
www.infiniteit.ca/files/ADFS.zip
12-11-2011 10:11 AM
Thanks!
Tom
05-30-2012 01:36 PM
Sorry to resurrect an older thread, but I'm curious if any of you were able to get this working using an ADFS 2.0 Proxy server. It works great while on the internal LAN, but externally, when going through the proxy server, I'm still getting the invalid SAML assertion error from WebEx. My understanding is that the proxy server simply forwards and does not modify the claim, but I'm wondering if I might have to set up an additional claim rule for the proxy server.
06-05-2012 11:07 AM
I have this working with ADFS 2.0. My ADFS install is a single server with 80/443 open to the internet and a self-signed certificate used to communicate with WebEx. I called WebEx about this a while back and it started working. I don't honestly remember if I had to change anything on my end, I had it all set up based on this thread and the pictures from above. Once I threw our ADFS server name into a GP for local intranet sites we could log in without issue from inside and outside the network.
Tom
07-25-2012 12:42 PM
I am unable to pull up the screen shots. The ones I can see look similar to what I have been using, but I cannot see all of them.
Does anyone have the screen shots they can share?
Thanks!
06-05-2012 10:42 AM
I have a similar setup. I have tried following both the ADFS 2.0 WebEx guide and the directions provided on this thread without any luck. I am receiving a "SSO protocol error. (1)" when trying to log in to the Web test as indicated in the doc.
https://loginp.webexconnect.com/cas/sso/{ORG}/webim.app (replacing my org domain in {ORG})
Anyone have any ideas?
07-02-2012 09:53 AM
Make sure you set up your claim rules and map "SAM-Account-Name" to "Name ID"
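A diagnostic for the claim-rule advice above, added here as an example and not code from this thread, Cisco or Microsoft: it decodes a captured base64 SAMLResponse and reports whether the assertion's Subject carries a NameID, which is what a Name ID claim rule issues. The function names and the sample responses are constructed for illustration, and the signature is not verified.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def inspect_saml_response(b64_response):
    """Summarise the subject of a base64 SAMLResponse (HTTP-POST binding).

    Diagnostic only: the signature is NOT verified here.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    report = {"issuer": None, "name_id": None, "name_id_format": None,
              "attributes": [], "findings": []}
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        report["findings"].append("no unencrypted Assertion in the response")
        return report
    report["issuer"] = assertion.findtext("saml:Issuer", namespaces=NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is not None and (name_id.text or "").strip():
        report["name_id"] = name_id.text.strip()
        report["name_id_format"] = name_id.get("Format")
    else:
        report["findings"].append(
            "Subject has no NameID value; check the Name ID claim rule")
    report["attributes"] = [a.get("Name") for a in assertion.iterfind(
        "saml:AttributeStatement/saml:Attribute", NS)]
    return report

def build_sample(subject_inner):
    """Constructed, minimal response for the demo (not a real AD FS capture)."""
    issuer = "<saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>"
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">%s<saml:Assertion>%s'
           '<saml:Subject>%s</saml:Subject><saml:AttributeStatement>'
           '<saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.test'
           '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
           '</saml:Assertion></samlp:Response>'
           % (NS["samlp"], NS["saml"], issuer, issuer, subject_inner))
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")

# Constructed inputs: one with the SAM-Account-Name value as NameID, one without.
WITH_NAME_ID = build_sample(
    '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
    'jdoe</saml:NameID>')
WITHOUT_NAME_ID = build_sample(
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>')

if __name__ == "__main__":
    for label, sample in (("with", WITH_NAME_ID), ("without", WITHOUT_NAME_ID)):
        print(label, inspect_saml_response(sample))
```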
08-08-2012 02:12 PM
Hi Christopher.
We are trying to get this same scenario working here but we're failing to get the authentication using the WebexConnect/Jabber client working.
We are trying to get the Connect feature working first and then extend this to the Meeting Center.
I've followed the ADFS 2.0 Guide provided by Kingsley Lewis, and checked your configuration, but can't get this working.
Could you please send me how you get this configured in your ADFS, in Webex Connect/Site and your clients?
Any help will be appreciated!
Thanks!
Daniel