Page tree
Skip to end of metadata
Go to start of metadata

When configuring Shibboleth 3.3 to provide authentication for WebEx and CirqLive the following steps need to be followed. 


Step-by-step guide

Shibboleth 3.x configuration steups

  1. Create a secondary private public key pair credential for you shibboleth environment, save these credentials in /opt/shibboleth-idp/credentials/

    cd /tmp/
    openssl req -x509 -newkey rsa:2048 -nodes -days 1095 -keyout idp.new.key -out idp.new.crt
    mv idp.new.key /opt/shibbooleth-idp/credentials/idp.webex.key
    mv idp.new.crt /opt/shibbooleth-idp/credentials/idp.webex.crt

  2. Request the Saml authentication be enabled on your WebEx

  3. In the WebEx administrator site navigate to Configuration → Common Site Settings → SSO Configuration
  4. Set the following parameters (these will vary by site)
    1. Federation Protocol: SAML 2.0 
    2. SSO: SP Initiated
    3. Click Import SAML Metadata and upload your IDP's metadata (this imports the certificate), the metadata you upload must contain the public key generated in step 1.
    4. WebEx SAML Issuer: http://www.webex.com/
      1. Note our site runes multiple webex sites so we have custsomized this to http://www.webex.com/{site}
    5. Issuer for SAML (IdP ID:): Your IDP's EntityId
    6. Customer SSO Service: https://sso.example.com/idp/profile/SAML2/Redirect/SSO
      1. This is the url to your Redirect lister. 
    7. Now Export the WebEx SP metadata.
    8. NameID Format: Email address
    9. AuthenContextClassRef: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport;urn:oasis:names:tc:SAML:2.0:ac:classes:Password;urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified
      1. This should be all authncontexts you will return, if you have a custom two factor or other context you must list it here. 
    10. Single Logout: https://sso.example.com/idp/profile/Logout
      1. This should be the url to your logout profile. 
    11. Auto Account Creation: Checked
    12. Auto Account Update: Checked
    13. Remove uid Domain Suffix for Active Directory UPN: Checked
    14. SSO authentication for attendees: Unchecked
      1. Site Specific option but I included it because it could mess with CirqLive
  5. In your Shibboleth 3.3 instance

    1. Add a new Relaying party definition for 

  6. To credentials.xml add the following

        <bean id="shibboleth.WebexSigningCredential"
            class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
            p:privateKeyResource="%{idp.signing.webex.key}"
            p:certificateResource="%{idp.signing.webex.cert}"
            p:entityId-ref="entityID" />
    
    
    
  7. To idp.properties add the following

    idp.signing.webex.key=${idp.home}/credentials/idp.webex.key
    idp.signing.webex.cert=${idp.home}/credentials/idp.webex.crt
  8. To relaying-party.xml add the following:

    		 <!-- Configure WebEx key -->
    		 <bean id="webexObnoxiousSecurityConfig" parent="shibboleth.DefaultSecurityConfiguration">
    		    <property name="signatureSigningConfiguration">
    		        <bean parent="shibboleth.SigningConfiguration.SHA256" p:signingCredentials-ref="shibboleth.WebexSigningCredential" />
    		    </property>
    		</bean>
    
            <!-- WebEx http://www.webex.com, remember to change this if you customized the webex entityid above -->
            <bean parent="RelyingPartyByName" c:relyingPartyIds="#{{ 'http://www.webex.com' }}">
                <property name="profileConfigurations">
                    <list>
                <bean parent="SAML2.SSO" p:encryptAssertions="false" p:signResponses="false" p:signAssertions="true" p:nameIDFormatPrecedence="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" p:securityConfiguration-ref="webexObnoxiousSecurityConfig"  />
                    </list>
                </property>
            </bean>
    
    
    
  9. Add the needed attributes for auto create to work.

        <!-- WebEx ATTRIBUTES -->
        <resolver:AttributeDefinition xsi:type="ad:Simple" id="firstname" sourceAttributeID="givenName">
            <resolver:Dependency ref="myLDAP" />
            <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="firstname" />
        </resolver:AttributeDefinition>
        <resolver:AttributeDefinition xsi:type="ad:Simple" id="lastname" sourceAttributeID="sn">
        <resolver:Dependency ref="myLDAP" />
            <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="lastname" />
        </resolver:AttributeDefinition>
        <resolver:AttributeDefinition xsi:type="ad:Simple" id="webexEmail" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
            <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="email" />
            <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
        </resolver:AttributeDefinition>
        <resolver:AttributeDefinition xsi:type="ad:Simple" id="webexUid" sourceAttributeID="uid">
            <resolver:Dependency ref="myLDAP" />
            <resolver:AttributeEncoder xsi:type="enc:SAML2String" nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified" name="uid" />
            <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
        </resolver:AttributeDefinition>
    
  10. Add the configuration to attribute-filter.xml to release the attributes, note you need to prevent any other attributes from being sent to WebEx. I have inclded some example denies. 

    <!-- Attribute Filter Policy for WebEx. Don't forget to update the requester string if you modified the WebEx entityId above.
     <afp:AttributeFilterPolicy>
                    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="http://www.webex.com/" />
    				<!-- Example Denies, you may wish to remove them -->
                    <afp:AttributeRule attributeID="eduPersonPrincipalName">
                       <afp:DenyValueRule xsi:type="basic:ANY"/>
                    </afp:AttributeRule>
    
                    <afp:AttributeRule attributeID="sn">
                       <afp:DenyValueRule xsi:type="basic:ANY"/>
                    </afp:AttributeRule>
    
                    <afp:AttributeRule attributeID="transientId">
                       <afp:DenyValueRule xsi:type="basic:ANY"/>
                    </afp:AttributeRule>
    
                    <afp:AttributeRule attributeID="givenName">
                       <afp:DenyValueRule xsi:type="basic:ANY"/>
                    </afp:AttributeRule>
    
                    <afp:AttributeRule attributeID="eduPersonTargetedID">
                       <afp:DenyValueRule xsi:type="basic:ANY"/>
                    </afp:AttributeRule>
                    <afp:AttributeRule attributeID="eduPersonEntitlement">
                       <afp:DenyValueRule xsi:type="basic:ANY"/>
                    </afp:AttributeRule>
                    <afp:AttributeRule attributeID="email">
                       <afp:DenyValueRule xsi:type="basic:ANY"/>
                    </afp:AttributeRule>
    
                    <!-- WebEx Attributes that must be released -->
                    <afp:AttributeRule attributeID="firstname">
                       <afp:PermitValueRule xsi:type="basic:ANY"/>
                    </afp:AttributeRule>
    
                    <afp:AttributeRule attributeID="lastname">
                       <afp:PermitValueRule xsi:type="basic:ANY"/>
                    </afp:AttributeRule>
                    <afp:AttributeRule attributeID="webexEmail">
                       <afp:PermitValueRule xsi:type="basic:ANY"/>
                    </afp:AttributeRule>
    
                    <afp:AttributeRule attributeID="webexUid">
                       <afp:PermitValueRule xsi:type="basic:ANY"/>
                    </afp:AttributeRule>
             </afp:AttributeFilterPolicy>
    
  11. Configure CirqLive Meets 
    1. Open the CirqLive Meets administrative panel.
    2. Click Conferencing Accounts
    3. Select Sitewide settings
    4. Click Edit Configuration
    5. Enter your WebEx Administrator username and password
    6. Select If you have Saml SSO eanbled on your WebEx site. (Check this)
    7. Paste in the SAMLPrivate key
    8. Dupliate the value for WebEx SAML Issuer (SP ID)
    9. Duplate the value for Issuer for SAML (IdP ID)
    10. Specify the NameID as email address.
    11. Specify the authentication context urn:oasis:names:tc:SAML:2.0:ac:classes:Password 
    12. Click Submit to commit the changes.

Thats it you should be up and running.


Remember using this configuration allows CirqLive to impersonate your users in Webex!

Make sure to get the applicable organizational approvals before sending CirqLive your private public key pair. (CIO, CSO, legal etc...)