Configure Single Sign-On for WebEx

Document created by Cisco Documentation Team on Apr 22, 2016. Last modified by Cisco Documentation Team on Jul 5, 2017. Version 3.

Single Sign-On

Single sign-on is an optional feature that must be provisioned for your site.

Enable Cisco WebEx single sign-on (SSO) to make it easier for users to manage their credentials. With SSO, one unique identifier provides access to all enterprise applications, such as WebEx Meeting Center and Jabber. As an administrator, you use WebEx Site Administration to configure single sign-on for Cisco WebEx Messenger and the Cisco WebEx meeting applications.

Terms and Definitions

The following table lists and defines important terms that are related to SSO configuration.

Table 1 Terms Related to SSO Configuration

IAM: Identity and Access Management systems such as CA SiteMinder, ADFS, and Ping Identity.

IdP: Identity provider. The authority for user access and password management.

SAML: Security Assertion Markup Language. Used to exchange authentication and authorization information between entities.

SSO: Single sign-on.

WS Federate: Allows employees and affiliates of a WebEx customer organization to authenticate with a WebEx site using SAML.

X.509 Certificate: The SAML assertions sent to the Cisco WebEx system are signed with the private key that matches this certificate. Obtain an X.509 digital certificate from a trusted Certificate Authority; issuers include some government agencies and companies such as VeriSign and Thawte.

Configure SSO

Use the following procedure to configure SSO and SAML 2.0.

Before You Begin

Obtain and set up the following requirements before you begin this procedure.
  • A standard SAML 2.0 or WS Federate 1.0 compliant IAM
  • A corporate X.509 public key certificate
  • An IAM configured to provide SAML assertions with the user account information and SAML system IDs
  • An IdP XML file
  • A URL for the corporate IAM service

1    Select SSO Configuration.
2    From the Federation Protocol drop-down menu, select SAML 2.0.

If there is an existing configuration, some fields may already be populated.

3    Select the Site Certificate Manager link.
4    In the Site Certificate Manager window, select Browse, and then navigate to the location of the .CER file for your X.509 certificate.
5    Select the .CER file, and then select OK.
6    Select Close.
7    On the SSO Configuration page, enter the required information into the fields and select the options that you want to enable.
8    Select Update.
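
To fill in the step 7 fields without retyping values by hand, the following added example (not Cisco's code and not part of this document) reads the IdP XML file listed under Before You Begin and pulls out the entityID for the Issuer for SAML (IdP ID) field and the IdP's SingleSignOnService location for the Customer SSO Service Login URL field, and checks that the IdP publishes a signing certificate so that assertion signatures can be verified. The metadata is a constructed ADFS-style sample; idp.example.com and the certificate text are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed, ADFS-style IdP metadata; idp.example.com and the certificate text are placeholders.
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://idp.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...PLACEHOLDER-BASE64-DER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def extract_sso_fields(metadata_xml):
    """Pull the values that go into the Issuer for SAML (IdP ID) and Customer SSO Service
    Login URL fields, and report whether the IdP publishes a signing certificate."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata or not IdP metadata")
    services = idp.findall("md:SingleSignOnService", NS)
    # Prefer the HTTP-POST endpoint (the binding shown in the page's example); else take the first listed.
    login = next((s for s in services if s.get("Binding") == POST_BINDING), services[0] if services else None)
    if login is None:
        raise ValueError("no SingleSignOnService endpoint in metadata")
    # Without a published signing certificate there is nothing to verify assertion signatures against.
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "issuer_for_saml_idp_id": root.get("entityID"),
        "customer_sso_service_login_url": login.get("Location"),
        "supported_name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "has_signing_cert": cert is not None and bool((cert.text or "").strip()),
    }
```

Compare supported_name_id_formats with the NameID Format you select on the SSO Configuration page; a format the IdP does not list is a mismatch the page warns will make sign-in fail.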

SSO Configuration Page

The following table lists and describes the fields and options on the SSO Configuration page.

Important:

The information that you use during configuration must be exact. If you require further clarification about the information required to configure SSO for your site, contact your identity provider.

Table 2 SSO Configuration Page Fields and Options

SSO Profile: Specify how users access WebEx. Select SP Initiated if users start at the WebEx meeting site and are redirected to the corporate IdP system for authentication. Select IdP Initiated if users access WebEx through the corporate IAM system.

Import SAML Metadata (link): Click to open the Federated Web SSO Configuration - SAML Metadata dialog box. Imported metadata fields include the following:

  • AuthnRequestSigned Destination
  • Issuer for SAML (IdP ID)
  • Customer SSO Service Login URL

WebEx SAML Issuer (SP ID): The URI that identifies the Cisco WebEx Messenger service as an SP. The configuration must match the settings in the customer Identity Access Management system. Recommended naming conventions: for Meeting Center, enter the Meeting Center site URL; for the WebEx Messenger service, use the format "client-domain-name" (example: IM-Client-ADFS-WebExEagle-Com).

Issuer for SAML (IdP ID): A URI that uniquely identifies the IdP. The configuration must match the setting in the customer IAM. Located in the IdP XML file (example: entityID="http://adfs20-fed-srv.adfs.webexeagle.com/adfs/services/trust").

Customer SSO Service Login URL: URL for your enterprise's single sign-on service. Users typically sign in with this URL. Located in the IdP XML file (example: <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs20-fed-srv.adfs.webexeagle.com/adfs/ls/" index="0" isDefault="true" />).

You can export a SAML metadata WebEx configuration file: You can export some metadata, which can then be imported in the future. Exported metadata fields include the following:

  • AuthnRequestSigned Destination
  • Issuer for SAML (IdP ID)
  • Customer SSO Service Login URL

NameID Format: Must match the IAM configuration. The following formats are supported:

  • Unspecified
  • Email address
  • X509 Subject Name
  • Entity Identifier
  • Persistent Identifier

AuthnContextClassRef: The SAML statement that describes the authentication performed at the IdP. This must match the IAM configuration.

  • ADFS examples: urn:federation:authentication:windows or urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  • Ping example: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

Note: To use more than one AuthnContextClassRef value, separate the values with ";". For example: urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Default WebEx Target page URL (optional): Upon authentication, displays a target page assigned for the web application only.

Customer SSO Error URL (optional): If an error occurs, redirects to this URL with the error code appended to the URL.

Single Logout (optional): Check to require a sign-out and set the logout URL.

Auto Account Creation (optional): Select to create user accounts automatically. The UID, email, first name, and last name fields must be present in the SAML assertion.

Auto Account Update (optional): Accounts in WebEx can be updated when an updateTimeStamp attribute is present in the SAML assertion. When modifications are made in the IAM, the new time stamp is sent to WebEx, and WebEx updates the account with any attribute sent in the SAML assertion.

Remove uid Domain Suffix for Active Directory UPN: When selected, removes the Active Directory domain from the User Principal Name (UPN).
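
Because the page stresses that the values must match the IdP exactly, this added example (not from Cisco and not part of this document) compares a constructed SAML assertion against the options on this page: the NameID Format, the ";"-separated AuthnContextClassRef list, the attributes Auto Account Creation requires, and the updateTimeStamp attribute Auto Account Update relies on. The attribute names uid, email, firstname and lastname are assumed for the "first and last name" fields; the assertion is a constructed sample, not a real capture.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Values as entered on the SSO Configuration page (constructed example).
SSO_CONFIG = {
    "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    # Page convention: several AuthnContextClassRef values are separated by ";".
    "authn_context_class_ref": "urn:federation:authentication:windows;"
                               "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "auto_account_creation": True,
    "auto_account_update": True,
}
# Attribute names assumed for the fields Auto Account Creation needs (UID, email, first and last name).
REQUIRED_FOR_CREATION = ("uid", "email", "firstname", "lastname")
# Constructed assertion, not a real capture: NameID matches, but the IdP sent an
# AuthnContextClassRef that is not configured and omitted lastname and updateTimeStamp.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID></saml:Subject>
  <saml:AuthnStatement><saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
  </saml:AuthnContext></saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion_against_config(assertion_xml, config):
    """Return mismatches between what the IdP sends and the SSO Configuration page; empty means OK."""
    root = ET.fromstring(assertion_xml)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != config["name_id_format"]:
        problems.append("NameID Format %r does not match configured %r" % (fmt, config["name_id_format"]))
    # Any one of the ";"-separated configured AuthnContextClassRef values is acceptable.
    allowed = {v.strip() for v in config["authn_context_class_ref"].split(";") if v.strip()}
    sent = {e.text.strip() for e in root.iter("{%s}AuthnContextClassRef" % NS["saml"]) if e.text}
    if not sent & allowed:
        problems.append("AuthnContextClassRef %s not in configured set %s" % (sorted(sent), sorted(allowed)))
    attrs = {a.get("Name") for a in root.iter("{%s}Attribute" % NS["saml"])}
    if config.get("auto_account_creation"):
        missing = [a for a in REQUIRED_FOR_CREATION if a not in attrs]
        if missing:
            problems.append("Auto Account Creation needs attributes missing from assertion: %s" % missing)
    if config.get("auto_account_update") and "updateTimeStamp" not in attrs:
        problems.append("Auto Account Update is enabled but the assertion has no updateTimeStamp attribute")
    return problems
```

Run it against an assertion captured from your own IdP's test sign-in (for example from a SAML tracer) to see which configured option the IdP is not satisfying before contacting the identity provider.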
