Hi kinglewi - Sounds like I need to step back and reassess my approach.  I am a developer supporting Moodle customization and integration.  We have tested our Moodle integration with webex using an admin username/password, but that is not acceptable to the business.  My task is to use some other form of API authentication so that Moodle can call the webex API on behalf of users. If the question in your first paragraph is whether Moodle can somehow get the same assertion from the IdP that the IdP sent to webex, I am pretty sure the answer is "No".  Even if our Identity Management team was willing to do that, I guess it would require a new custom web service and would have significant security implications.  Or, do you mean something else? In your third paragraph, you mention partner delegated authentication.  I looked it up in the documentation after reading your response, but I don't quite understand how that would work to support my use case.  I would appreciate any information you could send on that approach.  Would it interfere with our ability to use our central IdP for users' web authentication to webex?  If partner delegated authentication is an viable solution, I am familiar enough with SAML that I could create and sign SAML assertions.  Since Moodle is written in PHP, I would probably use the SimpleSAML saml2 library for that.  Thanks for any help you can provide. ... View more

Hi kinglewi - I researched this Recipient problem further.  The parent element looks like this: <saml2:SubjectConfirmationData Address="m.y.i.p" InResponseTo="_e511a355c86199a1c8b460267093de55" NotOnOrAfter="2016-01-08T19:53:07.509Z" Recipient=" https://myserver.umn.edu/Shibboleth.sso/SAML2/POST "/> Our IdP is Shibboleth.  It has no switches that we can find for NOT sending the SubjectConfirmationData or any of its attributes.  Do you know if anybody getting their assertions from a Shibboleth IdP has successfully used SAML2 assertions to authenticate with the XML API? ... View more

Hi kinglewi - Yes.  I realized that the signature was broken because of the way I copied and pasted the assertion.  The extra whitespace messed it up. You say that I shouldn't modify the response, but isn't it just the assertion that I should not modify.  If I don't modify the response, I get errors related to InResponseTo and the Destination. Now I have come across an error that make me think this way of getting the assertion is wrong from the start.  I get "Recipient unmatched".  The recipient matches my local SP, not webex.  I don't believe I can get the IdP to send my local SP an assertion for a different Recipient in the assertion.  Is this whole approach wrong? ... View more

Hi kinglewi - This is for an integration that allows our local application (the Moodle LMS) to use the webex XML API for certain functions on behalf of the application users.  I work for a university. Now,I can pass in a Response containing an assertion and I get back a "signature is invalid" error message.  Do you know if webex is picky about the kinds of signatures it accepts in the SAML assertion? Also, your example has an InResponseTo attribute.  I found that I had to remove the one in my message because webex throws an error on it.  That makes sense because webex has not sent anything to respond to. ... View more

Hi kinglewi - That seems to help.  I now get a different error, at least: "response message is incorrect" The documentation says to pass an assertion, so that is all I am passing.  Do I need to wrap the assertion in a <Response> element?  If so, do you know what is the minimum I can get by with?  In other words, do I need only provide the SAML2 REQUIRED attributes? After many hours of struggling with this, I feel as though I getting close to something that works.  Thanks! ... View more

Hi Jacob - Yes.  I posted this in the wrong place.  It's my first attempt to post an item and I messed up, so I re-posted in the correct area with an apology for the duplicate post.  I am not using the sandbox for this because I understand that, because it's a shared environment, it does not support SAML authentication.  Is that correct? ... View more