Single Sign-on Configuration

Document created by liwise on Jan 27, 2015. Last modified by rruman on Jun 25, 2015.
Version 8


Overview

When Cisco WebEx single sign-on is enabled, customers have to remember only one unique identifier to access all of their enterprise applications, such as WebEx Meeting Center and Jabber. As an administrator, you will use WebEx Site Administration to configure single sign-on for Cisco WebEx Messenger and Cisco WebEx meeting applications.

 



Before You Begin

Because the information used during configuration must be exact, you should review this entire guide and familiarize yourself with the terms below before beginning. If you find you need additional information, contact your identity provider.

 



Terms and Definitions

Terms you will encounter during set-up are listed below, along with their definitions. The sections that follow give the initial steps for accessing the configuration page, as well as field definitions and guidelines for completing the page.

 

Term: Definition

SSO: Single sign-on.
SAML: Security Assertion Markup Language, used to exchange authentication and authorization data between entities.
WS Federate: Allows employees and affiliates of a WebEx customer organization to authenticate with a WebEx site using SAML.
X.509 Certificate: Customers need to acquire an X.509 digital certificate from a trusted Certificate Authority, which includes some government agencies and companies such as Verisign and Thawte. (SAML assertions sent to the Cisco WebEx system are signed with the private key.)
IAM: Identity and Access Management system, such as CA SiteMinder, ADFS, or Ping Identity.
IdP: Identity provider, which is the authority for user access and password management.

 



Prepare for the Set-up

Make sure that you have the following before starting the set-up process to ensure that it goes smoothly.

  • SSO has been enabled
  • A standard SAML 2.0 or WS Federate 1.0 compliant IAM
  • A corporate X.509 public key certificate
  • An IAM configured to provide SAML assertions with the user account information and SAML system IDs
  • An IdP XML file
  • A URL for the corporate IAM service
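The IdP XML file in this list is the identity provider's SAML metadata, and two values entered later on the configuration page, the Issuer for SAML (IdP ID) and the Customer SSO Service Login URL, are read from it. The Python script below is an added example, not Cisco's code and not part of this guide: it parses a constructed sample metadata file (host name borrowed from the page's ADFS example, placeholder certificate bytes rather than a real certificate), extracts those two values plus the advertised NameID formats, computes the SHA-256 fingerprint of the IdP signing certificate so it can be compared with what the IAM console shows, and reports any typed value that does not match the file. Standard SAML 2.0 metadata carries the IdP login endpoint in a SingleSignOnService element, while the page's example quotes an AssertionConsumerService element, so the script accepts either.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces from the SAML 2.0 metadata and XML Signature specifications.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata. The host name is the page's ADFS example; the
# certificate element holds placeholder bytes, not a real X.509 certificate.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs20-fed-srv.adfs.webexeagle.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          UExBQ0VIT0xERVI=
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs20-fed-srv.adfs.webexeagle.com/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs20-fed-srv.adfs.webexeagle.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def cert_fingerprint(cert_b64):
    """SHA-256 fingerprint (colon-separated hex pairs) of a base64 DER certificate body."""
    der = base64.b64decode("".join(cert_b64.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text):
    """Pull the values the SSO Configuration page asks for out of IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this file is not IdP metadata")

    # Login URL: the IdP's SingleSignOnService endpoint, preferring the HTTP-POST binding.
    login_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if login_url is None or svc.get("Binding") == POST_BINDING:
            login_url = svc.get("Location")
    # The page's own example reads the URL from an AssertionConsumerService
    # element, so fall back to that when no SingleSignOnService is present.
    if login_url is None:
        acs = root.find(".//md:AssertionConsumerService", NS)
        login_url = acs.get("Location") if acs is not None else None

    # Signing certificates: KeyDescriptor with use="signing" or with no use attribute.
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            fingerprints.append(cert_fingerprint(cert.text))

    return {
        "idp_id": root.get("entityID"),  # Issuer for SAML (IdP ID)
        "login_url": login_url,          # Customer SSO Service Login URL
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
        "signing_cert_sha256": fingerprints[0] if fingerprints else None,
    }


def mismatches(info, entered_idp_id, entered_login_url):
    """Names of the page fields whose typed value differs from the metadata file."""
    wrong = []
    if entered_idp_id.strip() != info["idp_id"]:
        wrong.append("Issuer for SAML (IdP ID)")
    if entered_login_url.strip() != info["login_url"]:
        wrong.append("Customer SSO Service Login URL")
    return wrong


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_IDP_METADATA)
    for field, value in info.items():
        print(f"{field}: {value}")
```

Run it against the real metadata file by passing the file's contents to parse_idp_metadata; the fingerprint is for comparing the certificate in the file with the one the Site Certificate Manager displays, since a stale or rotated IdP certificate is the usual reason signed assertions stop validating.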

 



Use the SSO Administration Page

Nearly all of the SAML configuration is performed on a single page in WebEx Site Administration. From here you will do the following:

  • Specify the site certificate manager
  • Select the Federation Protocol
  • Import the site certificate
  • Specify the information used in customer setup

 



Log in to SSO Configuration

Follow the steps below to log in to SSO Configuration. If you do not have the necessary privileges, you will not have the SSO option.

  1. Log in to Site Administration with your username and password.
  2. Click SSO Configuration on the left-hand menu bar. The SSO Configuration page appears.

 



Start the SSO Configuration

Follow the steps below to configure for SAML 2.0.

Note: If you need clarification about what information is required for configuration, contact your identity provider.

1. Select SAML 2.0 from the Federation Protocol dropdown to display the Federated Web SSO Configuration page.

Note: Some fields might be pre-populated to reflect an existing configuration.

2. Click on the Site Certificate Manager link. The Site Certificate Manager window appears.

3. Click Browse to select the .CER file for your X.509 certificate. Locate the file, and then click OK. The Site Certificate Manager page populates with the data from your certificate.

4. Scroll to the bottom of the Site Certificate Manager window, and click Close. The Federated Web SSO Configuration screen appears.

 



Configure for SAML

The table below provides descriptions of the fields that make up the SSO Configuration page.

Note: If you need clarification about what information is required for configuration, contact your identity provider.

 

Field/Selection: Guidelines and Recommendations

SSO Profile
Select SP Initiated if users will start at the WebEx meeting site and be redirected to their corporate IdP system for authentication. Select IdP Initiated if users will access WebEx through their corporate IAM system.

Import SAML Metadata (link)
Click to open the Federated Web SSO Configuration – SAML Metadata dialog box. Imported metadata fields include the following:
  • AuthnRequestSigned Destination
  • Issuer for SAML (IdP ID)
  • Customer SSO Service Login URL

WebEx SAML Issuer (SP ID)
The URI that identifies the Cisco WebEx Messenger service as an SP. The configuration must match the settings in the customer Identity Access Management system.
Recommended naming conventions: For Meeting Center, enter the Meeting Center site URL. For the WebEx Messenger service, use the format "client-domain-name" (example: IM-Client-ADFS-WebExEagle-Com).

Issuer for SAML (IdP ID)
A URI that uniquely identifies the IdP. The configuration must match the setting in the customer IAM.
Located in the IdP XML file (example: entityID="http://adfs20-fed-srv.adfs.webexeagle.com/adfs/services/trust").

Customer SSO Service Login URL
URL for your enterprise's single sign-on service. Users will typically sign in via this URL.
Located in the IdP XML file (example: <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs20-fed-srv.adfs.webexeagle.com/adfs/ls/" index="0" isDefault="true" />).

You can export a SAML metadata WebEx configuration file
You can export some metadata, which can then be imported in the future. Exported metadata fields include the following:
  • AuthnRequestSigned Destination
  • Issuer for SAML (IdP ID)
  • Customer SSO Service Login URL

NameID Format
Must match the IAM configuration. The following formats are supported:
  • Unspecified
  • Email address
  • X509 Subject Name
  • Entity Identifier
  • Persistent Identifier

AuthnContextClassRef
The SAML statement that describes the authentication performed at the IdP. This must match the IAM configuration.
ADFS examples:
  urn:federation:authentication:windows
  or
  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Ping example:
  urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
Note: To use more than one AuthnContextClassRef value, separate the values with ";". For example:
  urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Default WebEx Target page URL (optional)
Upon authentication, displays a target page assigned for the web application only.

Customer SSO Error URL (optional)
In the event of an error, redirects to this URL with the error code appended to the URL.

Single Logout (optional)
Check to require a sign-out and set the logout URL.

Auto Account Creation (optional)
Select to create a user account automatically. The UID, email, first name, and last name fields must be present in the SAML assertion.

Auto Account Update (optional)
Accounts in WebEx can be updated when an updateTimeStamp attribute is present in the SAML assertion. When modifications are made in the IAM, the new timestamp is sent to WebEx, and WebEx updates the account with any attribute sent in the SAML assertion.

Remove uid Domain Suffix for Active Directory UPN
When selected, removes the Active Directory domain from the User Principal Name (UPN).
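The fields above all describe values that must agree between the WebEx site configuration and what the IdP puts into its SAML assertions: the Issuer against the IdP ID, the Audience against the SP ID, the NameID Format, the AuthnContextClassRef against the ";"-separated list, and the attributes needed for Auto Account Creation and Update. The Python check below is an added example, not Cisco's code and not how WebEx itself validates assertions. It takes the page's example values as the site configuration, parses a constructed, unsigned sample assertion, and reports where the two disagree. The mapping from the NameID Format choices to SAML URNs and the attribute names uid, email, firstname and lastname are assumptions (the page names the fields, not the attribute names your IdP must send), and a real consumer verifies the assertion's XML signature with the IdP certificate before it looks at any of these values.

```python
import xml.etree.ElementTree as ET

# Namespace of SAML 2.0 assertions.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed mapping from the NameID Format choices on the SSO Configuration page
# to the standard SAML URNs an IdP actually sends.
NAMEID_URNS = {
    "Unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "Email address": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "X509 Subject Name": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "Entity Identifier": "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "Persistent Identifier": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}

# Attribute names assumed for Auto Account Creation; the page names the fields,
# not the attribute names, so confirm these with your IdP.
CREATION_ATTRS = ("uid", "email", "firstname", "lastname")

# Values as they would be typed on the SSO Configuration page (the page's examples).
SITE_CONFIG = {
    "sp_id": "IM-Client-ADFS-WebExEagle-Com",
    "idp_id": "http://adfs20-fed-srv.adfs.webexeagle.com/adfs/services/trust",
    "nameid_format": "Email address",
    "authn_context_class_ref": (
        "urn:federation:authentication:windows;"
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
    ),
    "auto_account_creation": True,
    "auto_account_update": True,
}

# Constructed, unsigned sample assertion. Signature verification against the
# IdP certificate is out of scope here and must happen before these checks.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample1" Version="2.0">
  <saml:Issuer>http://adfs20-fed-srv.adfs.webexeagle.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@webexeagle.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>IM-Client-ADFS-WebExEagle-Com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement>
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@webexeagle.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="updateTimeStamp"><saml:AttributeValue>1435190400</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def allowed_authn_contexts(field_value):
    """Split the ';'-separated AuthnContextClassRef field into the set of accepted URNs."""
    return {v.strip() for v in field_value.split(";") if v.strip()}


def assertion_attributes(root):
    """Collect Attribute Name -> first AttributeValue text."""
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def check_assertion(xml_text, config):
    """Return (errors, warnings) describing where the assertion and the site configuration disagree."""
    root = ET.fromstring(xml_text)
    errors, warnings = [], []

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != config["idp_id"]:
        errors.append(f"Issuer {issuer!r} does not match Issuer for SAML (IdP ID)")

    audience = root.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                             default="", namespaces=NS).strip()
    if audience != config["sp_id"]:
        errors.append(f"Audience {audience!r} does not match WebEx SAML Issuer (SP ID)")

    name_id = root.find("saml:Subject/saml:NameID", NS)
    # Per the SAML specification a missing Format attribute means 'unspecified'.
    fmt = name_id.get("Format", NAMEID_URNS["Unspecified"]) if name_id is not None else None
    if fmt != NAMEID_URNS[config["nameid_format"]]:
        errors.append(f"NameID Format {fmt!r} does not match configured {config['nameid_format']!r}")

    ctx = root.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                        default="", namespaces=NS).strip()
    if ctx not in allowed_authn_contexts(config["authn_context_class_ref"]):
        errors.append(f"AuthnContextClassRef {ctx!r} is not one of the configured values")

    attrs = assertion_attributes(root)
    if config["auto_account_creation"]:
        missing = [a for a in CREATION_ATTRS if not attrs.get(a)]
        if missing:
            errors.append(f"Auto Account Creation needs attributes: {', '.join(missing)}")
    if config["auto_account_update"] and "updateTimeStamp" not in attrs:
        warnings.append("no updateTimeStamp attribute: the account will not be updated")
    return errors, warnings


if __name__ == "__main__":
    print(check_assertion(SAMPLE_ASSERTION, SITE_CONFIG))
```

To use it on a real login, capture the decoded SAMLResponse from a test user's browser session and pass the Assertion element to check_assertion with the values you entered on the page; an empty error list means the IdP and the site agree on every field this guide says must match.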

 

 
