Webex and CirqLive Implementation
- Rhian Resnick
When configuring Shibboleth 3.3 to provide authentication for WebEx and CirqLive the following steps need to be followed.
Vendor Documentation Links:
CirqLive:
https://documentation.cirqlive.com/manuals/Admin%20Panels/Admin_Panel_for_MEETS_for_WebEx.pdf
WebEx:
WebEx SSO Failures: https://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/1_1/b_troubleshootingGuide/b_troubleshootingGuide_chapter_01001.html
Step-by-step guide
Shibboleth 3.x configuration steups
Create a secondary private public key pair credential for you shibboleth environment, save these credentials in /opt/shibboleth-idp/credentials/
cd /tmp/
openssl req -x509 -newkey rsa:2048 -nodes -days 1095 -keyout idp.new.key -out idp.new.crt
mv idp.new.key /opt/shibbooleth-idp/credentials/idp.webex.key
mv idp.new.crt /opt/shibbooleth-idp/credentials/idp.webex.crtRequest the Saml authentication be enabled on your WebEx
- In the WebEx administrator site navigate to Configuration → Common Site Settings → SSO Configuration
- Set the following parameters (these will vary by site)
- Federation Protocol: SAML 2.0
- SSO: SP Initiated
- Click Import SAML Metadata and upload your IDP's metadata (this imports the certificate), the metadata you upload must contain the public key generated in step 1.
- WebEx SAML Issuer: http://www.webex.com/
- Note our site runes multiple webex sites so we have custsomized this to http://www.webex.com/{site}
- Issuer for SAML (IdP ID:): Your IDP's EntityId
- Customer SSO Service: https://sso.example.com/idp/profile/SAML2/Redirect/SSO
- This is the url to your Redirect lister.
- Now Export the WebEx SP metadata.
- NameID Format: Email address
- AuthenContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport;urn:oasis:names:tc:SAML:2.0:ac:classes:Password;urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
- This should be all authncontexts you will return, if you have a custom two factor or other context you must list it here.
- Single Logout: https://sso.example.com/idp/profile/Logout
- This should be the url to your logout profile.
- Auto Account Creation: Checked
- Auto Account Update: Checked
- Remove uid Domain Suffix for Active Directory UPN: Checked
- SSO authentication for attendees: Unchecked
- Site Specific option but I included it because it could mess with CirqLive
In your Shibboleth 3.3 instance
Add a new Relaying party definition for
To credentials.xml add the following
<bean id="shibboleth.WebexSigningCredential" class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean" p:privateKeyResource="%{idp.signing.webex.key}" p:certificateResource="%{idp.signing.webex.cert}" p:entityId-ref="entityID" />To idp.properties add the following
idp.signing.webex.key=${idp.home}/credentials/idp.webex.key idp.signing.webex.cert=${idp.home}/credentials/idp.webex.crtTo relaying-party.xml add the following:
<!-- Configure WebEx key --> <bean id="webexObnoxiousSecurityConfig" parent="shibboleth.DefaultSecurityConfiguration"> <property name="signatureSigningConfiguration"> <bean parent="shibboleth.SigningConfiguration.SHA256" p:signingCredentials-ref="shibboleth.WebexSigningCredential" /> </property> </bean> <!-- WebEx http://www.webex.com, remember to change this if you customized the webex entityid above --> <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{ 'http://www.webex.com' }}"> <property name="profileConfigurations"> <list> <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signResponses="false" p:signAssertions="true" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:securityConfiguration-ref="webexObnoxiousSecurityConfig" /> </list> </property> </bean>Add the needed attributes for auto create to work.
<!-- WebEx ATTRIBUTES --> <resolver:AttributeDefinition xsi:type="ad:Simple" id="firstname" sourceAttributeID="givenName"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="firstname" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition xsi:type="ad:Simple" id="lastname" sourceAttributeID="sn"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="lastname" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition xsi:type="ad:Simple" id="webexEmail" sourceAttributeID="mail"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="email" /> <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" /> </resolver:AttributeDefinition> <resolver:AttributeDefinition xsi:type="ad:Simple" id="webexUid" sourceAttributeID="uid"> <resolver:Dependency ref="myLDAP" /> <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="uid" /> <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/> </resolver:AttributeDefinition>Add the configuration to attribute-filter.xml to release the attributes, note you need to prevent any other attributes from being sent to WebEx. I have inclded some example denies.
<!-- Attribute Filter Policy for WebEx. Don't forget to update the requester string if you modified the WebEx entityId above. <afp:AttributeFilterPolicy> <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="http://www.webex.com/" /> <!-- Example Denies, you may wish to remove them --> <afp:AttributeRule attributeID="eduPersonPrincipalName"> <afp:DenyValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="sn"> <afp:DenyValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="transientId"> <afp:DenyValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="givenName"> <afp:DenyValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="eduPersonTargetedID"> <afp:DenyValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="eduPersonEntitlement"> <afp:DenyValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="email"> <afp:DenyValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <!-- WebEx Attributes that must be released --> <afp:AttributeRule attributeID="firstname"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="lastname"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="webexEmail"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> <afp:AttributeRule attributeID="webexUid"> <afp:PermitValueRule xsi:type="basic:ANY"/> </afp:AttributeRule> </afp:AttributeFilterPolicy>- Configure CirqLive Meets
- Open the CirqLive Meets administrative panel.
- Click Conferencing Accounts
- Select Sitewide settings
- Click Edit Configuration
- Enter your WebEx Administrator username and password
- Select If you have Saml SSO eanbled on your WebEx site. (Check this)
- Paste in the SAMLPrivate key
- Dupliate the value for WebEx SAML Issuer (SP ID)
- Duplate the value for Issuer for SAML (IdP ID)
- Specify the NameID as email address.
- Specify the authentication context urn:oasis:names:tc:SAML:2.0:ac:classes:Password
- Click Submit to commit the changes.
Thats it you should be up and running.
Remember using this configuration allows CirqLive to impersonate your users in Webex!
Make sure to get the applicable organizational approvals before sending CirqLive your private public key pair. (CIO, CSO, legal etc...)
Related articles
Filter by label
There are no items with the selected labels at this time.