If you are troubleshooting a single sign-on deployment and authentication has failed, your Identity Provider's logs or the error shown by the service provider (the Webex application) can give you clues for remediating the problem.
If you expect your Identity Provider to pass the correct details in the SAML assertion yet authentication still fails, you may need to inspect the content of the assertion with a tool like SAML Tracer. If the assertion you capture is encrypted, you can configure the Identity Provider to temporarily disable assertion encryption so that the attributes and values passed to Webex can be read directly. Each Identity Provider controls assertion encryption differently, so follow the vendor documentation for the required steps.
Since Active Directory Federation Service (ADFS) is a widely used Identity Provider within Webex deployments, we've documented the steps to temporarily disable encryption for SAML assertions used for the Webex application on an ADFS server.
Follow these steps to do so:
- Log in to your Active Directory Federation Service (ADFS).
- Launch Windows PowerShell.
- Enter the following command to stop encrypting the SAML assertions issued for the Webex application (replace %ORG_ID% with your actual Webex organization ID):
  Set-ADFSRelyingPartyTrust -TargetIdentifier https://idbroker.webex.com/%ORG_ID% -EncryptClaims $False
- Reproduce the authentication issue and capture a SAML tracer.
- Re-enable encryption by entering the same command as in step 3, but with -EncryptClaims $True.
Note: The TargetIdentifier value can be obtained from the Webex metadata file downloaded from Control Hub. The TargetIdentifier value maps to the entityID value that is found on the first line of the Webex metadata file.
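The procedure above, carried out as a single PowerShell script, is shown here as an added example; it is not part of the original article and not Cisco's or Microsoft's own tooling. It reads the entityID from the Webex metadata file (the path in $MetadataPath is an assumed location), disables assertion encryption for that relying party trust, waits while you reproduce the sign-in and capture it with SAML Tracer, and restores the previous EncryptClaims value in a finally block so the trust is never left unencrypted if the session is interrupted. It assumes it runs on the ADFS server with the ADFS PowerShell module available.

```powershell
# Added example (not from the original article). Temporarily disable SAML
# assertion encryption for the Webex relying party trust on ADFS, then restore
# the previous setting even if the capture step is aborted.
# Assumptions: run on the ADFS server with the ADFS module installed, and
# $MetadataPath points at the Webex metadata file downloaded from Control Hub.
param(
    [string]$MetadataPath = 'C:\temp\webex-metadata.xml'   # assumed location
)

Import-Module ADFS -ErrorAction Stop

# The entityID is an attribute of the root EntityDescriptor element of the
# SAML metadata; it is the value used as the relying party identifier.
[xml]$metadata = Get-Content -Path $MetadataPath -Raw
$targetIdentifier = $metadata.EntityDescriptor.entityID
if (-not $targetIdentifier) {
    throw "No entityID attribute found in $MetadataPath"
}

# Confirm the trust exists and record its current encryption setting.
$trust = Get-AdfsRelyingPartyTrust -Identifier $targetIdentifier
if (-not $trust) {
    throw "No relying party trust with identifier $targetIdentifier"
}
$originalSetting = [bool]$trust.EncryptClaims
Write-Host "Relying party '$($trust.Name)': EncryptClaims is currently $originalSetting"

try {
    # Step 3 of the procedure: send assertions in the clear so SAML Tracer can show them.
    Set-AdfsRelyingPartyTrust -TargetIdentifier $targetIdentifier -EncryptClaims $false
    Write-Host 'Assertion encryption disabled. Reproduce the sign-in and capture it with SAML Tracer.'
    Read-Host -Prompt 'Press Enter when the capture is complete'
}
finally {
    # Step 5 of the procedure: restore the previous value no matter how the block exited.
    Set-AdfsRelyingPartyTrust -TargetIdentifier $targetIdentifier -EncryptClaims $originalSetting
    $restored = (Get-AdfsRelyingPartyTrust -Identifier $targetIdentifier).EncryptClaims
    Write-Host "EncryptClaims restored to $restored"
}
```

Running it as `.\Toggle-WebexEncryption.ps1 -MetadataPath 'C:\path\to\webex-metadata.xml'` (a file name chosen for this example) keeps the window in which assertions travel unencrypted as short as the capture itself, and the final Get-AdfsRelyingPartyTrust call lets you verify that encryption is back on before closing the session.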