04-29-2011 08:42 AM - edited 03-17-2019 02:09 PM
WebEx SSO with Microsoft AD FS 2.0
Hello All,
We are looking for some guidance to set up AD FS 2.0 with WebEx Online meetings and WebEx Connect. We have our AD FS 2.0 server set up but seem to be having issues getting the SAML assertion to work correctly. I am hoping that someone has run across this before or someone from Cisco can help, as tech support doesn't support SSO.
So far we have installed AD FS 2.0, ran the setup wizard, exported the cert, uploaded it to WebEx, and edited the Federation Service properties name and identifier. Added that info to WebEx. Once that was done we downloaded the XML file from WebEx and imported that into AD FS 2.0. Once there we added the claim rules.
Now we are stuck; WebEx rejects the login with the error Reason: Invalid SAML Assertion (13)
Please see attached screen shots.
Thanks
Chris
10-08-2013 03:08 PM
There could be a lot of minor configuration settings to check in ADFS to get this working. If you are just doing Windows authentication and a web page form for smart devices, then you only need the following string on the WebEx site.
urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
The rest are other types of authentication and normally are not needed with ADFS.
10-08-2013 03:08 PM
Follow these docs and image.
I have updated the ADFS 2.0 document to make it complete, so that you may pass along to other customers who face the same painful issue as we have had. My edits are in red at the top of page 2. Three simple configurations were key to the configuration working. I found my answers on multiple support forums and by process of trial and error with almost every combination, a solution was found. Edits also shown below:
Issuer for SAML (IdP ID): http://[YOUR-ADFS-SERVER-EXTERNAL-IP-NAME]/adfs/services/trust
Customer SSO Service Login URL: http://[YOUR-ADFS-SERVER-EXTERNAL-IP-NAME]/adfs/ls
AuthnContextClassRef: (do not use default value) urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:Password
Daniel J Pennington
CCNP + Voice + Security + R&S
www.secrit.com
+1.512.527.4350
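The three settings above all have to agree, character for character, with what AD FS actually puts into the assertion: the Issuer must equal the IdP ID string, and the AuthnContextClassRef AD FS emits must be one of the values in the semicolon-separated list entered on the WebEx side. The following is an added diagnostic, not code from this thread, Cisco or Microsoft: it parses a constructed AD FS-style SAML response and reports which of those fields would fail a service-provider comparison, plus the NotBefore/NotOnOrAfter window, since clock skew between the AD FS server and the relying party is another common reason an otherwise correct assertion is rejected. The hostname, the sample response and the function names are all assumptions made for the example; the real WebEx check also verifies the XML signature against the uploaded certificate, which this does not attempt.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# XML namespaces used by SAML 2.0 responses and assertions
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Values as they would be entered on the WebEx SSO configuration page.
# The hostname is a placeholder; the AuthnContextClassRef string is the
# semicolon-separated list quoted in the thread.
EXPECTED_ISSUER = "http://adfs.example.com/adfs/services/trust"
ALLOWED_AUTHN_CONTEXTS = (
    "urn:federation:authentication:windows;"
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)

# Constructed, minimal AD FS-style response (unsigned, for illustration only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2013-10-08T20:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2013-10-08T20:00:00Z">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-10-08T19:59:00Z" NotOnOrAfter="2013-10-08T20:05:00Z"/>
    <saml:AuthnStatement AuthnInstant="2013-10-08T20:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """Parse an xs:dateTime such as 2013-10-08T20:00:00Z or ...:00.123Z (UTC assumed)."""
    if not value:
        return None
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_issuer, allowed_contexts, now):
    """Compare the assertion's Issuer, AuthnContextClassRef and validity window
    with the values configured on the service-provider side.
    `now` may be a datetime or an xs:dateTime string.
    Returns a list of mismatch descriptions; an empty list means every check passed."""
    if isinstance(now, str):
        now = parse_saml_time(now)
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element inside the Response"]

    # 1. Issuer must equal the IdP ID string exactly (scheme and path included).
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: assertion has {issuer!r}, configured {expected_issuer!r}")

    # 2. The class ref AD FS emitted must be one of the semicolon-separated allowed values.
    allowed = {c.strip() for c in allowed_contexts.split(";") if c.strip()}
    ctx = assertion.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        default="", namespaces=NS).strip()
    if ctx not in allowed:
        problems.append(f"AuthnContextClassRef {ctx!r} not in allowed list {sorted(allowed)}")

    # 3. Validity window; a rejected assertion is often just IdP/SP clock skew.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        not_before = parse_saml_time(cond.get("NotBefore"))
        not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
        if not_before is not None and now < not_before:
            problems.append(f"assertion not yet valid: NotBefore={not_before.isoformat()}")
        if not_on_or_after is not None and now >= not_on_or_after:
            problems.append(f"assertion expired: NotOnOrAfter={not_on_or_after.isoformat()}")
    return problems


if __name__ == "__main__":
    # Run the checks against the constructed sample at a time inside its validity window.
    for line in check_assertion(SAMPLE_RESPONSE, EXPECTED_ISSUER,
                                ALLOWED_AUTHN_CONTEXTS, "2013-10-08T20:01:00Z") or ["ok"]:
        print(line)
```

AD FS 2.0 reports urn:federation:authentication:windows for integrated Windows sign-in and urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport for the forms sign-in page, which is why the configured list carries both; any class ref outside that list, or an Issuer that differs even by http versus https, shows up here as a mismatch. To inspect a real assertion, paste the decoded SAMLResponse from the browser's POST into SAMPLE_RESPONSE and adjust the two constants to your own site's values.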
10-08-2013 03:20 PM
Sorry for all the reposts; the web site said it did not post correctly, so I reposted several times.
10-08-2013 05:55 PM
Hey Pennington,
I gave this another try exactly as you had instructed and I still get this attached error. It seems to re-direct properly and shows the server it's trying to contact, but when I try my credentials it just keeps prompting. Definitely seems like it's just not authenticating but I'm not sure where that issue would lie.
09-18-2014 06:47 AM
@Velocity2089: I know this is a very old post, but I'm in the process of setting up WebEx SSO with ADFS. I'm getting the same authentication error as you had shown above. Can you please send me in the right direction, or do you remember what you had changed in order to be able to successfully log on and authenticate properly? I keep getting username/password prompts. Thanks
-TR
10-08-2013 06:19 PM
Raymond,
Since this is a conversation between you and another user, I recommend you use the private message feature available through the Community. When you click on the User's name, you will link to their profile. You can find "send private message" in the tool bar on the right side of the page under "Actions."
Thank you for your participation in the Community, and thanks for all the feedback on this thread. Great community spirit!
Kelli Glass
Moderator for the Cisco Collaboration Community
10-09-2013 07:10 AM
Hi Pennington,
I may be asking an obvious question here, but the reason I haven't asked until now is that there is no mention of this in any documentation I've seen. Should there be firewall rules put in place to allow the authentication? I would assume opening those ports for the server ADFS is on. Please let me know.
Thanks.
10-09-2013 07:12 AM
Yes, I believe all that is necessary is 443/HTTPS to your ADFS server.
Daniel J Pennington
CCNP + Voice + Security + R&S
www.secrit.com
+1.512.527.4350
10-09-2013 07:57 AM
Hi Raymond, you will have to use the MS ADFS deployment doc to configure your firewall rules correctly. Cisco/WebEx assumes that you already have the Microsoft product configured correctly on the internal and DMZ proxy servers, so it will not give you any info on the actual ADFS networking configuration. Here is the MS ADFS TechNet: http://technet.microsoft.com/en-us/library/adfs2(v=ws.10).aspx I also believe the ADFS server requires the LDAP port to be open. Do you have a single-server or dual-server configuration with an ADFS Proxy? This option changes how the firewall is configured. There are several ways that ADFS can be set up and deployed. Along with that, this is normally a Cisco Advanced Services or Cisco Partner deployment, and Cisco will not support SSO with ADFS in any way.
10-11-2013 06:51 AM
Hi Everyone,
I've made some solid progress here and have gotten SSO working, but it seems to only work for Firefox and does NOT work in IE or Chrome. Any ideas on that?
Thanks!
11-06-2013 07:02 AM
Hi Everyone!
I did make some solid progress with SSO and was able to get it working. Took some unique configurations here and there but I was able to get it going with all browsers. Now I'm working to have a proper certificate in place so that users are prompted with warning pages when trying to login. In this case I got a Digicert certificate and have uploaded that to my server.
On the WebEx end though, does that Certificate need to get uploaded to the WebEx site??
Thanks!
03-28-2014 01:55 PM
I know this thread is super old but I was hoping that some of you can help me out.
I have configured both WebEx and ADFS and I cannot get it to AutoCreate an account. If I manually create an account in WebEx it will authenticate just fine. So, I assume the issue is on the ADFS side (claim rules?). Does anyone have the screen shots that were mentioned in the thread around page 1? Or can someone provide some additional assistance? We are using our AD userID as our User name.
Thanks
RB
06-11-2014 08:25 PM
In the same boat. Anyone have some screen shots for AutoCreate?
-Thanks