...
Create a secondary private/public key pair credential for your Shibboleth environment and save these credentials in /opt/shibboleth-idp/credentials/. A dedicated pair is used because its private key is later pasted into CirqLive (see the CirqLive configuration below), so the IdP's primary signing key is never shared.
    cd /tmp/
    # Self-signed certificate valid for three years; -nodes leaves the private key
    # unencrypted, which the IdP credential bean and CirqLive both expect.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 -keyout idp.new.key -out idp.new.crt
    mv idp.new.key /opt/shibboleth-idp/credentials/idp.webex.key
    mv idp.new.crt /opt/shibboleth-idp/credentials/idp.webex.crt
Request that SAML authentication be enabled on your WebEx site
- In the WebEx administrator site navigate to Configuration → Common Site Settings → SSO Configuration
- Set the following parameters (these will vary by site)
  - Federation Protocol: SAML 2.0
  - SSO: SP Initiated
  - Click Import SAML Metadata and upload your IdP's metadata (this imports the certificate); the metadata you upload must contain the public key generated in step 1.
  - WebEx SAML Issuer: http://www.webex.com/
    - Note: our site runs multiple WebEx sites, so we have customized this to http://www.webex.com/{site}
  - Issuer for SAML (IdP ID): your IdP's EntityId
  - Customer SSO Service: https://sso.example.com/idp/profile/SAML2/Redirect/SSO
    - This is the URL of your Redirect listener.
  - Now export the WebEx SP metadata.
  - NameID Format: Email address
  - AuthnContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport;urn:oasis:names:tc:SAML:2.0:ac:classes:Password;urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
    - This should list all authncontexts you will return; if you have a custom two-factor or other context you must list it here.
  - Single Logout: https://sso.example.com/idp/profile/Logout
    - This should be the URL of your logout profile.
  - Auto Account Creation: Checked
  - Auto Account Update: Checked
  - Remove uid Domain Suffix for Active Directory UPN: Checked
  - SSO authentication for attendees: Unchecked
    - Site-specific option, but I included it because it could mess with CirqLive
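Before uploading the metadata in the import step above, it is worth confirming that the file actually carries the new idp.webex.crt: the upload accepts whatever certificate is in the file, and if that is the old one WebEx cannot verify assertions signed with the new key. The following Python script is an added example, not code from the original page or from Shibboleth; its certificate bodies and metadata are constructed stand-ins, and the function names (pem_to_der, metadata_signing_certs, metadata_contains_cert) are mine. In practice point it at /opt/shibboleth-idp/credentials/idp.webex.crt and the metadata file you are about to upload. Certificates are compared as decoded DER bytes, so differences in base64 line wrapping or indentation between the PEM file and the metadata do not cause false mismatches.

```python
"""Check that IdP metadata carries a given PEM certificate as a signing key."""
import base64
import textwrap
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"


def make_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block (used here only to build sample data)."""
    b64 = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def b64_block(der: bytes, indent: int) -> str:
    """Base64 with metadata-style line wrapping and indentation (sample data only)."""
    b64 = base64.b64encode(der).decode("ascii")
    pad = " " * indent
    return "\n" + "\n".join(pad + line for line in textwrap.wrap(b64, 76)) + "\n" + pad


# Constructed stand-ins for certificate bodies. A real idp.webex.crt holds the DER
# of an X.509 certificate; only the byte-for-byte comparison matters for this check.
NEW_DER = b"constructed: secondary idp.webex.crt signing certificate"
OLD_DER = b"constructed: original idp-signing.crt certificate"
ENC_DER = b"constructed: idp-encryption.crt certificate"
NEW_CERT_PEM = make_pem(NEW_DER)

# Constructed IdP metadata: an old signing cert, the new cert in a KeyDescriptor
# without a 'use' attribute (valid for both uses), and an encryption-only cert.
METADATA_XML = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sso.example.com/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64_block(OLD_DER, 8)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64_block(NEW_DER, 8)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64_block(ENC_DER, 8)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.example.com/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def pem_to_der(pem_text: str) -> bytes:
    """Decode the body of a PEM certificate file to DER bytes."""
    lines = [line.strip() for line in pem_text.splitlines()]
    body = [line for line in lines if line and not line.startswith("-----")]
    return base64.b64decode("".join(body))


def metadata_signing_certs(metadata_xml: str) -> list:
    """DER bytes of every IdP certificate an SP may use to verify signatures.

    A KeyDescriptor without a 'use' attribute covers signing and encryption,
    so it is included; use="encryption" descriptors are skipped.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for idp in root.iter(MD + "IDPSSODescriptor"):
        for kd in idp.findall(MD + "KeyDescriptor"):
            if kd.get("use") == "encryption":
                continue
            for x509 in kd.iter(DS + "X509Certificate"):
                # Base64 inside metadata may be wrapped and indented arbitrarily.
                certs.append(base64.b64decode("".join((x509.text or "").split())))
    return certs


def metadata_contains_cert(metadata_xml: str, pem_text: str) -> bool:
    """True if the PEM certificate is published as a signing key in the metadata."""
    return pem_to_der(pem_text) in metadata_signing_certs(metadata_xml)


if __name__ == "__main__":
    ok = metadata_contains_cert(METADATA_XML, NEW_CERT_PEM)
    print("new certificate present in metadata:", ok)
```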
In your Shibboleth 3.3 instance
Add a new Relying party definition for
To credentials.xml add the following

    <bean id="shibboleth.WebexSigningCredential"
          class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
          p:privateKeyResource="%{idp.signing.webex.key}"
          p:certificateResource="%{idp.signing.webex.cert}"
          p:entityId-ref="entityID" />
To idp.properties add the following

    idp.signing.webex.key=${idp.home}/credentials/idp.webex.key
    idp.signing.webex.cert=${idp.home}/credentials/idp.webex.crt
To relying-party.xml add the following:

    <!-- Configure WebEx key -->
    <bean id="webexObnoxiousSecurityConfig" parent="shibboleth.DefaultSecurityConfiguration">
        <property name="signatureSigningConfiguration">
            <bean parent="shibboleth.SigningConfiguration.SHA256"
                  p:signingCredentials-ref="shibboleth.WebexSigningCredential" />
        </property>
    </bean>

    <!-- WebEx http://www.webex.com, remember to change this if you customized the webex entityid above -->
    <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{ 'http://www.webex.com' }}">
        <property name="profileConfigurations">
            <list>
                <bean parent="SAML2.SSO"
                      p:encryptAssertions="false"
                      p:signResponses="false"
                      p:signAssertions="true"
                      p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                      p:securityConfiguration-ref="webexObnoxiousSecurityConfig" />
            </list>
        </property>
    </bean>
Add the needed attributes for auto create to work.

    <!-- WebEx ATTRIBUTES -->
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="firstname" sourceAttributeID="givenName">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="firstname" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="lastname" sourceAttributeID="sn">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="lastname" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="webexEmail" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="email" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
            nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition xsi:type="ad:Simple" id="webexUid" sourceAttributeID="uid">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
            nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
    </resolver:AttributeDefinition>
Add the configuration to attribute-filter.xml to release the attributes. Note that you need to prevent any other attributes from being sent to WebEx; I have included some example denies.

    <!-- Attribute Filter Policy for WebEx. Don't forget to update the requester string
         if you modified the WebEx entityId above. -->
    <afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="http://www.webex.com/" />

        <!-- Example Denies, you may wish to remove them -->
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:DenyValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="sn">
            <afp:DenyValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="transientId">
            <afp:DenyValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="givenName">
            <afp:DenyValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonTargetedID">
            <afp:DenyValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="eduPersonEntitlement">
            <afp:DenyValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="email">
            <afp:DenyValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>

        <!-- WebEx Attributes that must be released -->
        <afp:AttributeRule attributeID="firstname">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="lastname">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="webexEmail">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="webexUid">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
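The RelyingPartyByName override in relying-party.xml and the AttributeRequesterString rule in the filter policy both match the SP's entityID as an exact string, so the value in relying-party.xml, the value in attribute-filter.xml and the WebEx SAML Issuer entered in the WebEx admin site must be identical, trailing slash included; if the relying-party override does not match, WebEx silently gets the default signing credential instead of the secondary key, and if the filter rule does not match, no attributes are released and auto account creation fails. Note that the snippets on this page use http://www.webex.com in relying-party.xml and http://www.webex.com/ in the other two places. The script below is an added example, not the page's or Shibboleth's own code; it pulls the IDs out of both files with the standard-library XML parser and reports any disagreement with the issuer. Its inputs are constructed from the snippets on this page, wrapped in the namespace declarations a real IdP 3 file carries, and the function names are mine.

```python
"""Cross-check the WebEx entityID across relying-party.xml, attribute-filter.xml
and the issuer value configured on the WebEx site."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the relying-party.xml override from this page, with the
# Spring namespace declarations that the real file has on its root element.
RELYING_PARTY_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:c="http://www.springframework.org/schema/c"
    xmlns:p="http://www.springframework.org/schema/p">
  <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{ 'http://www.webex.com' }}">
    <property name="profileConfigurations">
      <list>
        <bean parent="SAML2.SSO" p:signAssertions="true" p:encryptAssertions="false" />
      </list>
    </property>
  </bean>
</beans>"""

# Constructed sample: the policy requirement rule from this page's filter policy.
ATTRIBUTE_FILTER_XML = """<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy>
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="http://www.webex.com/" />
    <afp:AttributeRule attributeID="webexEmail">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""

# The "WebEx SAML Issuer" value entered in the WebEx admin site (constructed,
# matching the value shown on this page).
WEBEX_ISSUER = "http://www.webex.com/"

BEAN = "{http://www.springframework.org/schema/beans}bean"
RELYING_PARTY_IDS = "{http://www.springframework.org/schema/c}relyingPartyIds"
POLICY_RULE = "{urn:mace:shibboleth:2.0:afp}PolicyRequirementRule"
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def relying_party_ids(xml_text: str) -> list:
    """Return every entityID listed in RelyingPartyByName beans.

    The attribute holds a SpEL list literal such as "#{{ 'a', 'b' }}";
    the single-quoted strings inside it are the IDs.
    """
    root = ET.fromstring(xml_text)
    ids = []
    for bean in root.iter(BEAN):
        if bean.get("parent") == "RelyingPartyByName":
            ids.extend(re.findall(r"'([^']*)'", bean.get(RELYING_PARTY_IDS, "")))
    return ids


def requester_strings(xml_text: str) -> list:
    """Return the value of every AttributeRequesterString policy requirement rule."""
    root = ET.fromstring(xml_text)
    return [rule.get("value") for rule in root.iter(POLICY_RULE)
            if rule.get(XSI_TYPE, "").endswith("AttributeRequesterString")]


def check_consistency(issuer: str, relying_party_xml: str, filter_xml: str) -> list:
    """Return human-readable problems; an empty list means all three values agree.

    Both Shibboleth matchers compare the requester ID as an exact string, so a
    stray trailing slash is enough to make an override or policy never apply.
    """
    problems = []
    for rp_id in relying_party_ids(relying_party_xml):
        if rp_id != issuer:
            problems.append(f"relying-party.xml has {rp_id!r} but WebEx issuer is {issuer!r}")
    for req in requester_strings(filter_xml):
        if req != issuer:
            problems.append(f"attribute-filter.xml has {req!r} but WebEx issuer is {issuer!r}")
    return problems


if __name__ == "__main__":
    for problem in check_consistency(WEBEX_ISSUER, RELYING_PARTY_XML, ATTRIBUTE_FILTER_XML):
        print("MISMATCH:", problem)
```

Run against the page's own values the script reports one mismatch, the missing trailing slash in relying-party.xml; once that value is made identical to the issuer it reports nothing.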
- Configure CirqLive Meets
  - Open the CirqLive Meets administrative panel.
  - Click Conferencing Accounts
  - Select Sitewide settings
  - Click Edit Configuration
  - Enter your WebEx Administrator username and password
  - Check the option "If you have SAML SSO enabled on your WebEx site".
  - Paste in the SAML private key (the idp.webex.key generated in step 1)
  - Duplicate the value for WebEx SAML Issuer (SP ID)
  - Duplicate the value for Issuer for SAML (IdP ID)
  - Specify the NameID as email address.
  - Specify the authentication context urn:oasis:names:tc:SAML:2.0:ac:classes:Password
  - Click Submit to commit the changes.
...