Federated Web SSO Configuration

Configuring for SAML:

  1. Select Federated Web SSO Configuration to display the Federated Web SSO Configuration dialog box.

     

     

  2. From the Federation Protocol drop-down list, select the federation protocol SAML 2.0. The fields displayed in the Federated Web SSO Configuration dialog box vary based on the selected federation protocol. By default, the configuration fields for SAML 2.0 are displayed each time the Federated Web SSO Configuration dialog box is opened.
  3. Select Import SAML Metadata to open the Federated Web SSO Configuration - SAML Metadata dialog box.
  4. Perform one of the following:
    • Navigate to and import the SAML Metadata file to autofill the federated Web authentication fields.
    • Select Import, Back to complete the import.

     

    Imported metadata fields include:

    • AuthnRequestSigned Destination
    • Issuer for SAML (Idp ID)
    • Customer SSO Service Login URL

Or

 

Enter the following information:

 

Field

Description

SSO Profile

 

SP Initiated - A user visits a service provider (SP) site via a browser bookmark and first accesses resources that do not require special authentication or authorization. In a SAML-enabled deployment, when the user subsequently attempts to access a protected resource at the SP, the SP sends the user to the IdP with an authentication request so that the user can sign in.

AuthnRequest Signed Destination - When selected, a WebEx certificate and destination must be specified. This destination address must match the authnRequest signed configuration in the IAM.

IdP Initiated Target page URL Parameter - The user is authenticated at the IdP prior to accessing a protected resource at the Cisco WebEx service (SP).

WebEx SAML Issuer (SP ID)

The URI identifies the Cisco WebEx Messenger service as an SP. The configuration must match the settings in the customer Identity Access Management.

The default value is http://www.webex.com.

Issuer For SAML (IdP ID)

A URI that uniquely identifies the IdP. The configuration must match the settings in the customer IAM.

Customer SSO Service Login URL

URL for your enterprise's single sign-on service. Users in your enterprise will typically sign in via this URL.

You can export an SAML metadata WebEx SP configuration file:

Exported metadata fields include:

  • AuthnRequestSigned Destination
  • Issuer for SAML (Idp ID)
  • Customer SSO Service Login URL

NameID Format

This field must match the IAM configuration. The following formats are supported:

  • Unspecified (default)
  • Email address
  • X509 Subject Name
  • Entity Identifier
  • Persistent Identifier

AuthnContextClassRef

The SAML statement that describes the act of authentication at the identity provider. This field must match the IAM configuration.

Default WebEx Target page URL

Optional. Upon authentication, displays a target page assigned for the web application only. The request does not contain a RelayState parameter.

Customer SSO Error URL

Optional. In the event of an error, redirects to this URL with the error code appended in the URL.

Single Logout for Web Client

Check to require a sign out and set the log out URL. The IdP does not support SLO and does not participate in the SLO protocol.

Note: This option is only applicable to the web IM application.

Customer SSO Service Logout URL

Enter the URL to redirect to upon sign out. This field is active when Single Logout for web application is checked. This field must match the IAM configuration.

Auto Account Creation

Select to create a user account. UID, email, and first and last name fields must be present in the SAML assertion.

Auto Account Update

Specify the “updateTimeStamp” attribute in the SAML assertion and check this field to update an existing user account.

The “updateTimeStamp” value is the last update time of a user’s profile in the customer’s identity store. For example, in Active Directory, the “whenChanged” attribute has this value. If “updateTimeStamp” is not among the attributes, the user profile is not updated after its last update. It is updated the first time the user profile is updated via Auto Account Update or Auto Account Creation.

Unchecked indicates no updates will occur.

Remove uid Domain Suffix for Active Directory UPN

The Active Directory domain part will be removed from the UPN when selected.

Cisco WebEx Messenger uids require the email domain; therefore, checking this field causes an error. In this case, use “ssoid” to identify the user.

The default is unchecked for SAML 2.0 and WS-Federation 1.0.

After the SAML Metadata file has been successfully imported, verify the relevant fields in the Federated Web SSO Configuration dialog box have been populated.
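To know which values to expect in the populated fields, the IdP metadata file can be inspected before it is imported. The following is an added example, not part of the original documentation or of any Cisco tool: it assumes the imported fields map to the standard SAML 2.0 metadata items (entityID, SingleSignOnService Location, WantAuthnRequestsSigned), and the sample metadata, host name and binding preference are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = ("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST")

# Constructed sample IdP metadata; idp.example.com and the certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Location="https://idp.example.com/sso/redirect"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def summarize_idp_metadata(xml_text):
    """Return (fields, warnings) for one IdP metadata document."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("metadata must not carry a DTD")  # refuse entity declarations
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("expected an EntityDescriptor with an IDPSSODescriptor")
    sso = {e.get("Binding"): e.get("Location")
           for e in idp.findall("md:SingleSignOnService", NS)}
    # Assumption: prefer HTTP-Redirect, then HTTP-POST; the page names no binding.
    login_url = next((sso[b] for b in BINDINGS if sso.get(b)), None)
    has_cert = any(k.get("use") in (None, "signing")
                   and k.find(".//ds:X509Certificate", NS) is not None
                   for k in idp.findall("md:KeyDescriptor", NS))
    fields = {
        "issuer_idp_id": root.get("entityID"),   # Issuer for SAML (IdP ID)
        "sso_login_url": login_url,              # Customer SSO Service Login URL
        "authn_request_signed": idp.get("WantAuthnRequestsSigned") in ("true", "1"),
    }
    warnings = []
    if not login_url:
        warnings.append("no usable SingleSignOnService endpoint")
    elif not login_url.lower().startswith("https://"):
        warnings.append("SSO login URL is not HTTPS")
    if not has_cert:
        warnings.append("no IdP signing certificate")
    return fields, warnings
```

Compare the returned fields with what the dialog box shows after import, and resolve any warning with the IdP administrator before saving the configuration.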

Configuring for WS-Federation:

  1. From the Federation Protocol drop down list, select the federation protocol WS-Federation 1.0. The fields displayed in the Federated Web SSO Configuration dialog box vary based on the selected federation protocol.

     

     

  2. Enter the following additional information:

     

    Field

    Description

    WebEx Service URI

    The URI identifies the Cisco WebEx Service relying party.

    Federation Service URI

    The URI identifies the enterprise's single sign-on service (IdP).

    Customer SSO Service Login URL

    URL for your enterprise's single sign-on service. Users in your enterprise will typically sign in via this URL. Depending on the single sign-on Profile, the IdP-Initiated login URL and SP-Initiated sign in URL would be set accordingly to match IdP settings.

  3. Select Save to save the Federated Web single sign-on Configuration details and return to the SSO Related Options screen.
