To configure Shibboleth IdP 3.3 as the SAML identity provider for WebEx and CirqLive, follow the steps below.
Vendor documentation links:
CirqLive: https://documentation.cirqlive.com/manuals/Admin%20Panels/Admin_Panel_for_MEETS_for_WebEx.pdf
WebEx SSO failures: https://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/1_1/b_troubleshootingGuide/b_troubleshootingGuide_chapter_01001.html
Shibboleth 3.x configuration steps
Create a dedicated public/private key pair for WebEx in your Shibboleth environment and store it in /opt/shibboleth-idp/credentials/. Do not reuse the IdP's primary signing key: this key pair is later handed to CirqLive (see the note at the end), so keeping it separate lets you rotate or revoke it for WebEx alone without touching any other service provider. The openssl command below prompts for the certificate subject; the CN is normally the IdP hostname. The key is written unencrypted (-nodes) because the IdP reads it directly, so make the file readable only by the account the IdP runs as, as for the existing idp-signing.key.
cd /tmp/
openssl req -x509 -newkey rsa:2048 -nodes -days 1095 -keyout idp.new.key -out idp.new.crt
mv idp.new.key /opt/shibboleth-idp/credentials/idp.webex.key
mv idp.new.crt /opt/shibboleth-idp/credentials/idp.webex.crt
Request that SAML authentication be enabled for your WebEx site.
In your Shibboleth 3.3 instance, add a new relying party definition for WebEx. This touches credentials.xml, idp.properties and relying-party.xml, as follows.
To credentials.xml add the following:
<bean id="shibboleth.WebexSigningCredential"
      class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
      p:privateKeyResource="%{idp.signing.webex.key}"
      p:certificateResource="%{idp.signing.webex.cert}"
      p:entityId-ref="entityID" />
To idp.properties add the following:
idp.signing.webex.key=${idp.home}/credentials/idp.webex.key
idp.signing.webex.cert=${idp.home}/credentials/idp.webex.crt
To relying-party.xml add the following (the RelyingPartyByName bean goes inside the shibboleth.RelyingPartyOverrides list). WebEx wants signed but unencrypted assertions, which is why encryptAssertions is false: the assertion with the user's name, email and uid passes through the user's browser in the clear inside the SAML response, so its confidentiality rests on TLS to WebEx, and the attribute filter below should release nothing beyond what WebEx needs.
<!-- Configure WebEx key -->
<bean id="webexObnoxiousSecurityConfig" parent="shibboleth.DefaultSecurityConfiguration">
    <property name="signatureSigningConfiguration">
        <bean parent="shibboleth.SigningConfiguration.SHA256"
              p:signingCredentials-ref="shibboleth.WebexSigningCredential" />
    </property>
</bean>

<!-- WebEx http://www.webex.com, remember to change this if you customized the WebEx entityID above -->
<bean parent="RelyingPartyByName" c:relyingPartyIds="#{{ 'http://www.webex.com' }}">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:encryptAssertions="false"
                  p:signResponses="false"
                  p:signAssertions="true"
                  p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                  p:securityConfiguration-ref="webexObnoxiousSecurityConfig" />
        </list>
    </property>
</bean>
Add the attribute definitions WebEx needs for auto-create to attribute-resolver.xml. The myLDAP dependency refers to your LDAP data connector; change it if yours is named differently. The SAML2StringNameID encoders rely on the IdP's legacy NameID generation path, which is disabled by default on a fresh V3 install: if WebEx receives a transient NameID instead of the email address, enable the legacy generator (idp.nameid.saml2.legacyGenerator in idp.properties, or the corresponding generator reference in saml-nameid.xml) or configure an attribute-sourced generator for the emailAddress format in saml-nameid.xml.
<!-- WebEx ATTRIBUTES -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="firstname" sourceAttributeID="givenName">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="firstname" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="lastname" sourceAttributeID="sn">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="lastname" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="webexEmail" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="email" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</resolver:AttributeDefinition>

<resolver:AttributeDefinition xsi:type="ad:Simple" id="webexUid" sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="uid" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" />
</resolver:AttributeDefinition>
Add the following policy to attribute-filter.xml to release the attributes. The IdP releases nothing to a requester unless some policy permits it, so the example denies are only needed if another policy in the file (for instance one with an ANY requester rule) would otherwise release those attributes to WebEx; a deny in any policy wins over a permit in any other. Some example denies are included. The requester value is an exact string match against the entityID WebEx presents, so it must equal the relying party ID used in relying-party.xml character for character (a stray trailing slash is enough for the policy never to apply).
<!-- Attribute filter policy for WebEx. Don't forget to update the requester value if you modified the WebEx entityID above. -->
<afp:AttributeFilterPolicy id="WebEx">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="http://www.webex.com" />

    <!-- Example denies, you may wish to remove them -->
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
        <afp:DenyValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="sn">
        <afp:DenyValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="transientId">
        <afp:DenyValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="givenName">
        <afp:DenyValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonTargetedID">
        <afp:DenyValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="eduPersonEntitlement">
        <afp:DenyValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="email">
        <afp:DenyValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>

    <!-- WebEx attributes that must be released -->
    <afp:AttributeRule attributeID="firstname">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="lastname">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="webexEmail">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="webexUid">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
That's it; you should be up and running. Before testing in the browser, the IdP's aacli.sh tool (bin/aacli.sh with --principal and --requester set to a test user and the WebEx entityID) shows exactly which attributes and NameID the IdP would release to WebEx, which is the quickest way to catch a filter policy that does not match.
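The three fragments above can also be checked against each other before the IdP is restarted. The following Python script is an added example, not part of the original page or of the Shibboleth project: it parses the relying-party, attribute-filter and attribute-resolver fragments and reports a requester string that does not exactly match the relying party ID, a permitted attribute the resolver never defines, and SAML2.SSO flags other than the signed, unencrypted assertions WebEx expects. The inputs are constructed from the snippets on this page, wrapped in the root elements and namespace declarations the real files carry; the sample filter deliberately carries a trailing slash on the requester value to show what the lint reports. Function names and the WebEx policy id are the example's own assumptions.

```python
# Cross-check the WebEx fragments of relying-party.xml, attribute-filter.xml and
# attribute-resolver.xml for mismatches that fail silently at runtime (added example).
import re
import xml.etree.ElementTree as ET

NS = {
    "b": "http://www.springframework.org/schema/beans",
    "p": "http://www.springframework.org/schema/p",
    "c": "http://www.springframework.org/schema/c",
    "afp": "urn:mace:shibboleth:2.0:afp",
    "resolver": "urn:mace:shibboleth:2.0:resolver",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
XSI_TYPE = "{%s}type" % NS["xsi"]
# SAML2.SSO flags WebEx expects: signed, unencrypted assertions (relying-party.xml above).
WEBEX_SSO_FLAGS = {"signAssertions": "true", "encryptAssertions": "false"}


def relying_parties(rp_xml):
    """Map each id listed in a RelyingPartyByName bean to its SAML2.SSO p: attributes."""
    out = {}
    for bean in ET.fromstring(rp_xml).iter("{%s}bean" % NS["b"]):
        if bean.get("parent") != "RelyingPartyByName":
            continue
        sso = {}
        for inner in bean.iter("{%s}bean" % NS["b"]):
            if inner.get("parent") == "SAML2.SSO":  # strip the p: namespace from attribute names
                sso = {k.split("}")[1]: v for k, v in inner.attrib.items()
                       if k.startswith("{%s}" % NS["p"])}
        # c:relyingPartyIds="#{{ 'id1', 'id2' }}" is a SpEL list literal; pull out the strings
        for rp_id in re.findall(r"'([^']+)'", bean.get("{%s}relyingPartyIds" % NS["c"], "")):
            out[rp_id] = sso
    return out


def filter_policies(filter_xml):
    """Yield (requester, permitted ids, denied ids) for every AttributeFilterPolicy."""
    for pol in ET.fromstring(filter_xml).iter("{%s}AttributeFilterPolicy" % NS["afp"]):
        req = pol.find("afp:PolicyRequirementRule", NS)
        requester = None
        if req is not None and req.get(XSI_TYPE) == "basic:AttributeRequesterString":
            requester = req.get("value")
        permitted, denied = set(), set()
        for rule in pol.findall("afp:AttributeRule", NS):
            if rule.find("afp:PermitValueRule", NS) is not None:
                permitted.add(rule.get("attributeID"))
            if rule.find("afp:DenyValueRule", NS) is not None:
                denied.add(rule.get("attributeID"))
        yield requester, permitted, denied


def resolver_ids(resolver_xml):
    """All AttributeDefinition ids declared in attribute-resolver.xml."""
    root = ET.fromstring(resolver_xml)
    return {d.get("id") for d in root.iter("{%s}AttributeDefinition" % NS["resolver"])}


def lint(rp_xml, filter_xml, resolver_xml):
    """Return human-readable findings; an empty list means the three files agree."""
    findings = []
    rps = relying_parties(rp_xml)
    policies = list(filter_policies(filter_xml))
    defined = resolver_ids(resolver_xml)
    requesters = {r for r, _, _ in policies if r}
    for rp_id, sso in rps.items():
        for flag, want in WEBEX_SSO_FLAGS.items():
            if sso.get(flag) != want:
                findings.append("%s: SAML2.SSO %s must be %s, found %r" % (rp_id, flag, want, sso.get(flag)))
        if rp_id not in requesters:
            # AttributeRequesterString is an exact match; a trailing slash is enough to miss.
            near = [r for r in requesters if r.rstrip("/") == rp_id.rstrip("/")]
            hint = " (filter has %r; match is exact)" % near[0] if near else ""
            findings.append("%s: no AttributeFilterPolicy names this requester%s" % (rp_id, hint))
    for requester, permitted, denied in policies:
        for aid in sorted(permitted - defined):
            findings.append("%s: permits %r, which attribute-resolver.xml does not define" % (requester, aid))
        for aid in sorted(permitted & denied):
            findings.append("%s: %r is both permitted and denied; deny wins" % (requester, aid))
    return findings


# Constructed inputs: the page's snippets wrapped in the root elements and namespace
# declarations of the real files. The filter value deliberately has a trailing slash.
RELYING_PARTY = """<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:c="http://www.springframework.org/schema/c" xmlns:p="http://www.springframework.org/schema/p">
  <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{ 'http://www.webex.com' }}">
    <property name="profileConfigurations"><list>
      <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signResponses="false" p:signAssertions="true"
            p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
    </list></property>
  </bean>
</beans>"""
ATTRIBUTE_FILTER = """<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
  xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="WebEx">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="http://www.webex.com/"/>
    <afp:AttributeRule attributeID="givenName"><afp:DenyValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="firstname"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
    <afp:AttributeRule attributeID="webexEmail"><afp:PermitValueRule xsi:type="basic:ANY"/></afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""
ATTRIBUTE_RESOLVER = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
  xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="firstname" sourceAttributeID="givenName"/>
  <resolver:AttributeDefinition xsi:type="ad:Simple" id="webexEmail" sourceAttributeID="mail"/>
</resolver:AttributeResolver>"""

if __name__ == "__main__":
    for line in lint(RELYING_PARTY, ATTRIBUTE_FILTER, ATTRIBUTE_RESOLVER):
        print(line)
```

Run against the real files by reading them with open() instead of the constructed strings; a run that prints nothing means the relying party ID, the filter requester and the resolver attribute IDs all line up, and the SSO profile carries the flags WebEx expects. An unclosed XML comment in any of the files surfaces as a parse error from ElementTree, the same way the IdP would refuse it at startup.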
Remember that this configuration allows CirqLive to impersonate your users in WebEx: with the private key, CirqLive can sign assertions that WebEx trusts exactly as if they came from your IdP, for any user. Use only the dedicated WebEx key pair for this, never the IdP's primary signing key, and make sure to get the applicable organizational approvals (CIO, CSO, legal etc.) before sending CirqLive the key pair.