When configuring Shibboleth 3.3 to provide authentication for WebEx and CirqLive, the following steps need to be followed.

Info

Vendor Documentation Links:

CirqLive:

https://documentation.cirqlive.com/manuals/SSO/Multi-Source_SAML_Authentication_with_WebEx_%28MEETS%29.pdf

https://documentation.cirqlive.com/manuals/SSO/Overview_Multi-Source_SAML_Authentication_with_WebEx_%28MEETS%29.pdf

https://documentation.cirqlive.com/manuals/SSO/Auto_Account_Creation_when_using_SSO_with_WebEx_and_MEETS.pdf

https://documentation.cirqlive.com/manuals/Admin%20Panels/Admin_Panel_for_MEETS_for_WebEx.pdf

WebEx:

WebEx SSO Failures: https://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/1_1/b_troubleshootingGuide/b_troubleshootingGuide_chapter_01001.html

Note

Rhian Resnick: add some info from the CirqLive documentation. They have a nice description of why this custom setup is needed.



Step-by-step guide

Shibboleth 3.x configuration steps

  1. Create a secondary private/public key pair credential for your Shibboleth environment and save the credentials in /opt/shibboleth-idp/credentials/

    Code Block
    cd /tmp/
    # self-signed certificate, 3-year validity, unencrypted private key (-nodes)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 -keyout idp.new.key -out idp.new.crt
    mv idp.new.key /opt/shibboleth-idp/credentials/idp.webex.key
    mv idp.new.crt /opt/shibboleth-idp/credentials/idp.webex.crt
  2. Request that SAML authentication be enabled on your WebEx site.

  3. In the WebEx administrator site, navigate to Configuration → Common Site Settings → SSO Configuration
  4. Set the following parameters (these will vary by site)
    1. Federation Protocol: SAML 2.0 
    2. SSO: SP Initiated
    3. Click Import SAML Metadata and upload your IdP's metadata (this imports the certificate); the metadata you upload must contain the public key (certificate) generated in step 1.
    4. WebEx SAML Issuer: http://www.webex.com/
      1. Note: our site runs multiple WebEx sites, so we have customized this to http://www.webex.com/{site}
    5. Issuer for SAML (IdP ID): Your IdP's EntityId
    6. Customer SSO Service: https://sso.example.com/idp/profile/SAML2/Redirect/SSO
      1. This is the URL of your Redirect listener.
    7. Now Export the WebEx SP metadata.
    8. NameID Format: Email address
    9. AuthnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport;urn:oasis:names:tc:SAML:2.0:ac:classes:Password;urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
      1. This should list every authentication context you will return; if you have a custom two-factor or other context, you must list it here.
    10. Single Logout: https://sso.example.com/idp/profile/Logout
      1. This should be the url to your logout profile. 
    11. Auto Account Creation: Checked
    12. Auto Account Update: Checked
    13. Remove uid Domain Suffix for Active Directory UPN: Checked
    14. SSO authentication for attendees: Unchecked
      1. Site-specific option, but I included it because it could mess with CirqLive.
  5. In your Shibboleth 3.3 instance

    1. Add a new relying party definition for

  6. To credentials.xml, add the following:

    Code Block
    <!-- Dedicated signing credential for WebEx, built from the step-1 key and certificate -->
    <bean id="shibboleth.WebexSigningCredential"
        class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
        p:privateKeyResource="%{idp.signing.webex.key}"
        p:certificateResource="%{idp.signing.webex.cert}"
        p:entityId-ref="entityID" />

  7. To idp.properties, add the following:

    Code Block
    idp.signing.webex.key=${idp.home}/credentials/idp.webex.key
    idp.signing.webex.cert=${idp.home}/credentials/idp.webex.crt
  8. To relying-party.xml, add the following:

    Code Block
    <!-- Configure the WebEx signing key: sign with the step-1 credential instead of the default IdP signing key -->
    <bean id="webexObnoxiousSecurityConfig" parent="shibboleth.DefaultSecurityConfiguration">
        <property name="signatureSigningConfiguration">
            <bean parent="shibboleth.SigningConfiguration.SHA256" p:signingCredentials-ref="shibboleth.WebexSigningCredential" />
        </property>
    </bean>

    <!-- WebEx http://www.webex.com; remember to change this if you customized the WebEx entityId above.
         The relying party id must match the WebEx SAML Issuer (SP ID) exactly, including any trailing slash. -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{ 'http://www.webex.com' }}">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signResponses="false" p:signAssertions="true"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                      p:securityConfiguration-ref="webexObnoxiousSecurityConfig" />
            </list>
        </property>
    </bean>

  9. Add the attributes needed for auto account creation to work.

    Code Block
    <!-- WEBEX ATTRIBUTES: WebEx expects the names firstname, lastname, email and uid -->
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="firstname" sourceAttributeID="givenName">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="firstname" />
    </resolver:AttributeDefinition>
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="lastname" sourceAttributeID="sn">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="lastname" />
    </resolver:AttributeDefinition>
    <!-- mail is also encoded as the emailAddress NameID selected by nameIDFormatPrecedence in relying-party.xml -->
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="webexEmail" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="email" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    </resolver:AttributeDefinition>
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="webexUid" sourceAttributeID="uid">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
    </resolver:AttributeDefinition>

  10. Add the configuration to attribute-filter.xml to release the attributes. Note that you need to prevent any other attributes from being sent to WebEx; I have included some example denies.

    Code Block
    <!-- Attribute Filter Policy for WebEx. Don't forget to update the requester string if you modified the WebEx entityId above.
         The id is required by the filter schema and only has to be unique within this file. -->
    <afp:AttributeFilterPolicy id="releaseToWebEx">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="http://www.webex.com/" />

        <!-- Example denies, you may wish to remove them. A deny rule overrides any permit
             granted by another policy, so nothing but the four WebEx attributes reaches the SP. -->
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:DenyValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="sn">
            <afp:DenyValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="transientId">
            <afp:DenyValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="givenName">
            <afp:DenyValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="eduPersonTargetedID">
            <afp:DenyValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="eduPersonEntitlement">
            <afp:DenyValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="email">
            <afp:DenyValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

        <!-- WebEx attributes that must be released -->
        <afp:AttributeRule attributeID="firstname">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="lastname">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="webexEmail">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>

        <afp:AttributeRule attributeID="webexUid">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

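As an added check that is not part of the original guide, the following Python script verifies the agreement the steps above depend on: the entityID in the exported WebEx SP metadata (step 4) must match the relying-party id (step 8) and the filter requester string (step 10) byte for byte, and the certificate created in step 1 must appear as a signing key in the IdP metadata you upload. The metadata, PEM and config snippets are constructed samples; point the functions at your real files instead.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs (not real metadata or keys): the exported WebEx SP
# metadata, the IdP metadata to upload, the step-1 PEM and the two config lines.
SP_METADATA = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
               'entityID="http://www.webex.com/"><md:SPSSODescriptor/></md:EntityDescriptor>')
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBxDCCAS0CAQEwDQYJ\nKoZIhvcNAQELBQAw\n-----END CERTIFICATE-----\n"
IDP_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.example.com/idp/shibboleth">'
    '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>MIIBxDCCAS0CAQEw\n  DQYJKoZIhvcNAQELBQAw</ds:X509Certificate>'
    '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')
RELYING_PARTY_XML = '''<bean parent="RelyingPartyByName" c:relyingPartyIds="#{{ 'http://www.webex.com' }}"/>'''
FILTER_XML = '<afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="http://www.webex.com/" />'

def sp_entity_id(sp_metadata):
    # The SP's entityID is the value the IdP must match byte for byte.
    return ET.fromstring(sp_metadata).get("entityID")

def relying_party_ids(relying_party_xml):
    # Quoted ids inside c:relyingPartyIds="#{{ 'a', 'b' }}" in relying-party.xml.
    spel = re.search(r'relyingPartyIds="#\{\{(.*?)\}\}"', relying_party_xml).group(1)
    return set(re.findall(r"'([^']*)'", spel))

def filter_requesters(filter_xml):
    # value= of every AttributeRequesterString rule in attribute-filter.xml.
    return set(re.findall(r'AttributeRequesterString"\s+value="([^"]*)"', filter_xml))

def idp_signing_certs(idp_metadata):
    # Whitespace-normalised base64 of every KeyDescriptor usable for signing.
    certs = set()
    for kd in ET.fromstring(idp_metadata).iter("{urn:oasis:names:tc:SAML:2.0:metadata}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            for c in kd.iter("{http://www.w3.org/2000/09/xmldsig#}X509Certificate"):
                certs.add(re.sub(r"\s+", "", c.text or ""))
    return certs

def check_setup(sp_metadata, relying_party_xml, filter_xml, idp_metadata, cert_pem):
    # Returns a list of findings; an empty list means all four places agree.
    findings, sp_id = [], sp_entity_id(sp_metadata)
    if sp_id not in relying_party_ids(relying_party_xml):
        findings.append("relying-party.xml id does not match SP entityID %r" % sp_id)
    if sp_id not in filter_requesters(filter_xml):
        findings.append("attribute-filter.xml requester does not match SP entityID %r" % sp_id)
    if re.sub(r"\s+|-----[A-Z ]+-----", "", cert_pem) not in idp_signing_certs(idp_metadata):
        findings.append("idp.webex.crt is not listed as a signing key in the IdP metadata")
    return findings
```

With the constructed samples the script reports exactly one finding, the trailing-slash mismatch between the relying party id and the SP entityID, which is the kind of silent difference that makes the IdP fall back to its default signing key and profile for WebEx.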
  11. Configure CirqLive Meets 
    1. Open the CirqLive Meets administrative panel.
    2. Click Conferencing Accounts
    3. Select Sitewide settings
    4. Click Edit Configuration
    5. Enter your WebEx Administrator username and password
    6. Select "If you have SAML SSO enabled on your WebEx site" (check this box).
    7. Paste in the SAML private key.
    8. Duplicate the value for WebEx SAML Issuer (SP ID).
    9. Duplicate the value for Issuer for SAML (IdP ID).
    10. Specify the NameID as email address.
    11. Specify the authentication context urn:oasis:names:tc:SAML:2.0:ac:classes:Password 
    12. Click Submit to commit the changes.

...