WebEx Connector Version 1.0.1 Quick Connection Guide
2014 Ping Identity Corporation. All rights reserved. PingFederate WebEx Connector Quick Connection Guide Version 1.0.1 March, 2014 Ping Identity Corporation 1001 17th Street, Suite 100 Denver, CO 80202 U.S.A. Phone: 877.898.2905 (+1 303.468.2882 outside North America) Fax: 303.468.2909 Web Site: www.pingidentity.com Ping Identity, the Ping Identity logo, PingFederate, PingOne, PingConnect, and PingEnable are registered trademarks of Ping Identity Corporation ("Ping Identity"). All other trademarks or registered trademarks are the property of their respective owners. The information provided in this document is provided "as is" without warranty of any kind. Ping Identity disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Ping Identity or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Ping Identity or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Ping Identity may occasionally update online documentation between releases of the related software. Consequently, if this PDF was not downloaded recently, it may not contain the most up-to-date information. Please refer to documentation.pingidentity.com for the most current information. From the Web site, you may also download and refresh this PDF if it has been updated, as indicated by a change in this date: March 5, 2014. PingFederate WebEx Connector 2 Quick Connection Guide
Introduction... 4 Connector Overview... 4 System Requirements... 4 ZIP Manifest... 4 Installation and Setup... 4 Connector Installation... 5 Downloading WebEx SAML Metadata... 5 Configure Server Settings... 6 Configure a Connection... 7 Exporting Connection Metadata... 13 Configure WebEx for SSO... 13 Enabling Authentication-Request Signatures... 15 PingFederate WebEx Connector 3 Quick Connection Guide
The PingFederate WebEx Connector extends PingFederate capabilities, enabling enterprises to provision its users to WebEx. This WebEx Connector includes a quick connection template to easily set up a Single Sign-on (SSO) connection and WebEx provisioning. The PingFederate administrative console uses a quick-connection template to configure most of the settings needed to use the WebEx Connector for SSO and provisioning. Choose the WebEx template on the initial Connection Template screen during configuration of a Service Provider (SP) connection. This document provides instructions for entering site-specific connection settings. Once the settings are complete, you can configure provisioning settings according to your deployment needs. Before configuring an SSO connection to WebEx, you must configure (or verify) several system settings in PingFederate. You must also download SAML 2.0 metadata from the WebEx administrative site. Tip: This document is intended only to provide configuration instructions associated with using the quick-connection template for SSO to WebEx. After completing the SSO configuration, if you are including provisioning for the connection, see Configuring Outbound Provisioning in the Identity Provider SSO Configuration chapter of the PingFederate Administrator s Manual (or see the associated Help pages during the configuration). The WebEx Connector requires installation of PingFederate 7.0.1 or higher. The distribution ZIP file for the Connector contains the following: contains links to this online documentation. contains libraries needed for the Connector: PingFederate WebEx Connector WebEx API The WebEx Connector setup takes advantage of SAML 2.0 metadata exchange to configure many settings in both the PingFederate administrative console and the WebEx administrative site automatically. The general steps involved in this process are outlined below, with references to applicable sections of this Guide: 1. Install the Connector see Connector Installation. PingFederate WebEx Connector 4 Quick Connection Guide
2. Obtaining SAML 2.0 metadata from the WebEx Administrator s site see Downloading WebEx SAML Metadata. 3. Complete initial setup procedures, including verifying or changing system settings in PingFederate see Configure Server Settings. 4. Use the WebEx metadata with the quick connection template configure an SSO connection to WebEx see Configure a Connection. 5. After saving the connection, export the PingFederate SP connection metadata for use in configuring the WebEx administrative site see Exporting Connection Metadata. 6. Import the PingFederate metadata into the WebEx administrative site and make minor adjustments to complete the end-to-end connection see Configuring WebEx for SSO. 7. Stop the PingFederate server if it is running. 8. Unzip the WebEx Connector distribution ZIP file into a holding directory. 9. From the directory, copy the following files into the directory: 10. Edit the file located in, changing the property to for example: Note: For information about using the PingFederate Server Clustering Guide. setting for runtime deployment, see the 11. Start the PingFederate server. The WebEx quick-connection template uses SAML 2.0 metadata from WebEx to configure SSO endpoints and other information. Download the WebEx metadata XML file before creating the WebEx connection in PingFederate. Note: SAML metadata export and import are features added to the WebEx administrative site in June, 2010. If you do not find these features, please contact your WebEx representative to upgrade your site. To download SAML 2.0 Metadata for WebEx: 12. Log on to the WebEx administrative site. 13. Click the SSO-configuration link in the site-management menu. PingFederate WebEx Connector 5 Quick Connection Guide
14. On the SSO configuration screen, choose SAML 2.0 as the federation protocol. 15. Click the Export button and save the XML file. Note: Because the WebEx SSO configuration is not yet complete, you cannot save it. You will be completing this configuration later by importing PingFederate metadata describing the SP connection (see Configure a Connection). Before configuring an SSO connection to WebEx, you must configure (or verify) several system settings in PingFederate. You must also download SAML 2.0 metadata from the WebEx administrative site. Note: Additionally, you need to determine the PingFederate IdP adapter necessary to retrieve authentication information at your site and then identify or configure an instance of the adapter. This configuration is part of the core PingFederate distribution; for more information, please see Configuring IdP Adapters in the PingFederate Administrator s Manual. If you have already configured an adapter instance for other identity-federation partners, you may use the same instance for WebEx. If you have not yet used PingFederate, follow the instructions under Running PingFederate for the First Time in Getting Started. To enable quick connections to WebEx, several selections (described in the following procedure) are required when you reach Roles and Protocols in the Configuring My Server screen sequence. If you have already run and configured the PingFederate server, you may need to verify or change settings on the Roles and Protocols screen, as well as enable Outbound Provisioning (formerly Saas Provisioning), as described in the following procedure. To enable SSO quick connections to WebEx: 16. On the Roles and Protocols screen, ensure that the IdP role is enabled and SAML 2.0 is selected for that role. (Click Server Settings on the Main Menu to locate this screen after initial installation.) PingFederate WebEx Connector 6 Quick Connection Guide
17. Select Outbound Provisioning (formerly Saas Provisioning) for the IdP role. Tip: This setting enables provisioning globally for all connections to supported SaaS providers. However, you have a choice of including proisioning or not during the configuration of specific connections. 18. Click Next to continue the Configure My Server task (or Save for an existing configuration). Note: Enabling Outbound Provisioning adds a new screen to the task flow, requiring selection of a database used to monitor provisioning status. For more information, see Configuring Outbound Provisioning in the PingFederate Administrator s Manual (or click Help from the configuration screen). Use the following procedure to configure SSO to WebEx. Tip: This procedure provides instructions for configuring minimum required connection settings; the instructions skip setup screens in which all necessary information is automatically configured (or in which standard defaults are used). The administrative console guides you to required configuration steps automatically by displaying prompts at entry points for the task flows (see About Tasks and Steps in Getting Started). In General, you may add or change settings on all screens to suit any special requirements. Modifications of specific connection endpoints, SAML profiles and bindings, or security PingFederate WebEx Connector 7 Quick Connection Guide
(message-encryption) settings may require consultation with WebEx and changes in the default WebEx administrative configuration. To Configure a connection to WebEx: 19. If you have not already done so, follow the instructions under Configure Server Settings. 20. If you have not already done so, configure the IdP Adapter you are using with PingFederate. For more information, see Configuring IdP Adapters in the PingFederate Administrator s Manual. 21. On the Main Menu, click Create New under SP Connections in the IdP Configuration section. 22. On the Connection Template screen, select WebEx in the Connection Template drop-down list. Tip: If this selection is not present, verify the Connector installation and restart PingFederate. 23. Click Choose File to locate the and select the WebEx metadata XML you downloaded from the WebEx administrative site. 24. Tip: If you did not download the WebEx SAML metadata, see Downloading WebEx SAML Metadata. 25. Click Next. 26. On the Connection Type screen, click Next. 27. (Optional) On the Connection Options screen, if you are not using provisioning for this connection, clear the Outbound Provisioning checkbox. PingFederate WebEx Connector 8 Quick Connection Guide
This feature is enabled by default for Saas-provider connection types (assuming it is also enabled in System Settings see Configure Server Settings). 28. Click Next. 29. (Optional) On the Genarl Info screen, if your organization supports more than one WebEx site and you are configuring a connection to the secondary (or greater) site, then you must modify the Connection ID to make it unique. 30. Click Next. 31. On the Browser SSO screen, click Configure Browser SSO. 32. On the Assertion Creation screen, click Configure Assertion Creation. 33. On the IdP Adapter Mapping screen, click Map New Adapter Instance and map the IdP Adapter Instance you defined earlier in this procedure. This configuration is site-dependant and thus cannot be preconfigured. For detailed information and instructions, see IdP Adapter Mapping in the PingFederate Administrator s Manual (or refer to the Help pages). PingFederate WebEx Connector 9 Quick Connection Guide
34. When you return to the Assertion Creation screen, click Next. 35. On the Protocol Settings screen, click Done. Tip: Except for the optional settings described above, this central task is compltely configured for you, but click Configure Protocol Settings if you want to review the setup or make changes according to any special WebEx requirements or options (see Configure WebEx for SSO). For configuration information, see sections under Configuring Protocol Settings in the PingFederate Administrator s Manual (or use the context-sensative Help). 36. On the Browser SSO screen, click Next. 37. On the Credentials screen, click Configure Credentials. PingFederate WebEx Connector 10 Quick Connection Guide
38. On the Digital Signature Settings screen, select a signing certificate for SAML assertions. For more information, see Configuring Digital Signature Settings in the PingFederate Administrator s Manual (or click Help). If you have not yet created or imported a signing certificate, click Manage Certificates and do so now (see Digital Signing and Decryption Keys and Certificates in the PingFederate Administrator s Manual). Note: If you have not yet exported the public portion of the signing certificate, click Manage Certificates and do so now. You will need access to the public certificate during configuration of the WebEx administrator s setup for SSO (see Configure WebEx for SSO). 39. On the Credentials screen, click Next. Note: At this point, the connection for SSO to WebEx is complete. If you are also configuring Outbound Provisioning for this connection, go to the next step. If you are not using provisioning for this connection, go to step 25. PingFederate WebEx Connector 11 Quick Connection Guide
40. On the Outbound Provisioning screen (if presented), click Configure Provisioning. 41. On the Target screen, enter the Admin Id and Password for your WebEx site. 42. Click Next to verify connectivity and then continue the provisioning configuration. For more information and instructions, see sections contained under Configuring Outbound Provisioning in the PingFederate Administrator s Manual (or click Help). Tip: If you are not ready to complete the provisioning configuration, you can click Save Draft and return to the configuration later (from the Manage Connections screen click Manage All SP on the Main Menu). 43. When you return to the Outbound Provisioning screen, click Next. 44. On the Activation and Summary screen, click Save. PingFederate WebEx Connector 12 Quick Connection Guide
45. Export the metadata for the connection (see Exporting Connection Metadata). For SAML deployments PingFederate supports the export and import of metadata files, which federation partners can use to expedite their configuration. Once your WebEx Connection is configured, the metadata needs to be exported and used to configure SSO on the WebEx administrative site. For more information, see Exporting Metadata in the System Administration chapter of the PingFederate Administrator s Manual (or click Help). After initially downloading SAML 2.0 metadata (see Downloading WebEx SAML Metadata), an administrator must return to the WebEx administrative site to complete the setup for SSO using metadata from PingFederate. This section describes the minimum required settings for this configuration and provides additional information on available options. Note: Instructions for this configuration are based on the appearance and operation of the WebEx Meeting Center administrative user interface (UI) at the time of this PingFederate Connector release. The UI may change without notice, potentially making these instructions confusing or incomplete. If you have any difficulty completing this configuration, please contact Ping Identity Support ( ). To configure WebEx for SSO: 46. Ensure that you have downloaded SAML metadata in PingFederate for the WebEx connection (see Exporting Connection Metadata). 47. Log on to the WebEx administrative site. 48. Click the SSO-configuration link in the WebEx site-management menu. 49. On the SSO configuration screen, choose SAML 2.0 as the federation protocol. 50. Click the link to import SAML metadata. Tip: If the import function does not appear to be functioning properly, try another supported browser. 51. In the pop-up window, locate and import the metadata file you exported from PingFederate. Note: If you receive a prompt asking whether you want to overwrite an existing certificate, click Yes. 52. On the SSO-configuration screen, click the certificate manager link near the top of the screen. Remove the existing signature-verification certificate and then import the one exported from PingFederate. 53. Verify (or change) values for the required fields, as described in the following table: PingFederate WebEx Connector 13 Quick Connection Guide
Important: At a minimum, you must change the WebEx default AuthnContextClassRef value, as specified in the table. This setting is not contained in the SAML metadata. 54. 55. Field 56. Description 57. SSO Profile: 58. Make either selection: SP Initiated or IdP Initiated. To enable both, choose SP Initiated. 59. For IdP Initiated, retain the default value for the associated targetparameter text box. 60. Note: Use IdP Initiated in cases where you only want preauthenticated users to be able to access WebEx directly via a company Web portal (for example). Use SP Initiated for cases in which you (also) want users to have the option of clicking a link in WebEx to authenticate via your site. 61. WebEx SAML Issuer (SP ID): 62. The default is: 64. Note: If you are configuring a second (or greater) WebEx Site for SSO, change this ID to match the Connection ID defined for the corresponding PingFederate SP connection (see Step 10). 65. Issuer for SAML (IdP ID): 67. Customer SSO Service Login URL: 70. A uthncontextclassref : 66. The Entity ID for SAML 2.0 at your site, as defined in the PingFederate administrative console (click Server Settings on the Main Menu, then Federation Info). 68. Your site s PingFederate SAML 2.0 endpoint in the format: 69. 71. Change the default entry to: 73. Note: This is the default value used by PingFederate. However, several IdP adapters provide the capability of changing the value (which is sent in the SAML assertion). If the IdP adapter instance used for the WebEx connection defines this value differently (under Advanced Settings in the instance configuration), then the value entered here must match the adapter setting. 74. (For more information, see Terminology in Getting Started). 75. 76. (Optional) Select the Single Log-Out (SLO) checkbox and enter the following URL in the associated text box: http[s]://<pf_host>:<pf_port>/idp/slo.saml2 PingFederate WebEx Connector 14 Quick Connection Guide
Note: The quick-connection template preconfigures SLO in PingFederate, so it can be implmeneted easily if desired. WebEx does not, however, automatically import the associated metadata for the optional feature (which allows users to choose to log out of both IdP and SP simultaneously while keeping the Web browser running). 77. (Optional) For SP Initiated SSO, select the AuthnRequest Signed checkbox and enter the required Destination. The Destination URL is identicle to that shown on the screen in the tex box for the Customer SSO Service Login URL. Note: To enable this feature, you must also modify the PingFederate connection to require signed authentication requests (see Enabling Authentication-Request Signatures). 78. Save the configuration. Note: Most other options on this screen may also be configured, depending on your WebEx deployment needs, without requiring any changes to the PingFederate connection configuration. Note, however, that the SP connection created by the Connector template does not support the WebEx Account Creation/Update options. These SAML assertion-based provisioning options conflict with the Connector s active Outbound Provisioning methodology. To allow for SP-initiated SSO using signed authentication requests, make the connection changed indicated in the following procedure and select the authentication-request signing option in the WebEx administrative UI (see Configure WebEx for SSO). Note: The signature-verification certificate from WebEx, which is required for this configuration, is already imported into PingFederate from the metadata. 79. On the Signature Policy screen, under Protocol Settings, select the checkbox to Require AuthN requests to be signed. Tip: To reach this screen, first access the connection from the Main Menu. Click Browser SSO in the task bar and then click the Configure Browser SSO. On the Browser Summary screen, click the heading Signature Policy near the bottom of the screen. 80. Click Done and Save on the Protocol Settings or the Browser SSO Summary Screen. PingFederate WebEx Connector 15 Quick Connection Guide