Apologies for the delay. For some reason, your original post did not send a notification and it doesn't show up on the forum. Posts don't normally need a moderator to approve them, so we'll look into what's going on with this post. We did get a notification for your comment on it, so we can see it now.
OAuth is specific to Common Identity (SparkMeet) sites, though you can get one-time-use login tickets for standard WebEx sites. I've included links to authentication-specific calls in our documentation:
getSiteType will tell you if a site is Common Identity or otherwise: Cisco DevNet: WebEx Conferencing - XML API - Release Notes
Audience is required for SP initiated. The "WebEx SAML Issuer (SP ID)" field in WebEx Site Admin must match the audience in the assertion exactly.
For IdP Initiated, the "Issuer for SAML (IdP ID)" field in WebEx Site Admin must match the issuer in the assertion exactly.
NotBefore and NotOnOrAfter are required.
IdMS should manage IssueInstant/AuthnInstant, but we do check those values.
The Assertion must be signed.
NameID can be username or email.
NameID Format: format of the NameID (username) specified in customer IdMS. If the value in WebEx is set to Unspecified, we would not check the Format in NameID and will accept all formats. However, if it's set to anything other than Unspecified, the Format attribute in <NameID> has to match the values below.

NameID Formats

| Name | Value |
|---|---|
| Unspecified | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified |
| Email address | urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| X509 Subject Name | urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName |
| Entity Identifier | urn:oasis:names:tc:SAML:2.0:nameid-format:entity |
| Persistent Identifier | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent |
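
The requirements listed in the reply above can be checked against an IdP's output before it is sent to the site. The following is an added example, not Cisco's code and not part of the original post. The exact string comparison, the optional `sp_id`/`idp_id` arguments and every `example.test` value are assumptions, and the check only confirms that a signature element is present, not that it verifies.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample (not a real assertion): empty Signature, no NotOnOrAfter,
# and an Audience with a trailing slash that the configured SP ID does not have.
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
<saml:Issuer>https://idp.example.test</saml:Issuer><ds:Signature/>
<saml:Subject><saml:NameID Format="{EMAIL}">user@example.test</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T00:00:00Z"><saml:AudienceRestriction>
<saml:Audience>https://sp.example.test/</saml:Audience>
</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"""

def lint_assertion(xml_text, sp_id=None, idp_id=None, nameid_format=UNSPECIFIED):
    """Return a list of problems (empty = structural checks pass).
    Only the presence of a signature is checked, not its validity."""
    root = ET.fromstring(xml_text)  # lint your own IdP's output, not untrusted XML
    a = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if a is None:
        return ["no Assertion element"]
    problems = []
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS)
    if idp_id is not None and issuer != idp_id:  # exact match, no trimming
        problems.append(f"Issuer {issuer!r} != IdP ID {idp_id!r}")
    audiences = [e.text or "" for e in a.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_id is not None and sp_id not in audiences:
        problems.append(f"Audience {audiences!r} does not contain SP ID {sp_id!r}")
    cond = a.find("saml:Conditions", NS)
    for attr in ("NotBefore", "NotOnOrAfter"):
        if cond is None or not cond.get(attr):
            problems.append(f"Conditions/@{attr} missing")
    if a.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or not (nameid.text or "").strip():
        problems.append("NameID missing")
    elif nameid_format != UNSPECIFIED and nameid.get("Format") != nameid_format:
        problems.append(f"NameID Format {nameid.get('Format')!r} != {nameid_format!r}")
    return problems

if __name__ == "__main__":
    for p in lint_assertion(SAMPLE, "https://sp.example.test", "https://idp.example.test"):
        print(p)
```

Pass `sp_id` for the SP-initiated case and `idp_id` for the IdP-initiated case; leaving either as `None` skips that comparison.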