WebEx Connector. Version 2.0. User Guide


© 2016 Ping Identity Corporation. All rights reserved.

PingFederate WebEx Connector User Guide
Version 2.0
May, 2016

Ping Identity Corporation
1001 17th Street, Suite 100
Denver, CO 80202 U.S.A.
Phone: 877.898.2905 (+1 303.468.2882 outside North America)
Fax: 303.468.2909
Web Site: www.pingidentity.com

Trademarks

Ping Identity, the Ping Identity logo, PingFederate, PingOne, PingConnect, and PingEnable are registered trademarks of Ping Identity Corporation ("Ping Identity"). All other trademarks or registered trademarks are the property of their respective owners.

Disclaimer

The information provided in this document is provided "as is" without warranty of any kind. Ping Identity disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Ping Identity or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Ping Identity or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Document Lifetime

Ping Identity may occasionally update online documentation between releases of the related software. Consequently, if this PDF was not downloaded recently, it may not contain the most up-to-date information. Please refer to docs.pingidentity.com for the most current information. From the Web site, you may also download and refresh this PDF if it has been updated, as indicated by a change in this date: May 19, 2016.

Contents

- Introduction
- Supported Features
- System Requirements
- ZIP Manifest
- Installation and Setup
- Getting Started
- Upgrading Existing WebEx Connectors
- Installing the Connector
- Configuring Server Settings
- Configuring a Connection
- Exporting Connection Metadata
- Complete Setup of SAML SSO to WebEx
- Enabling Authentication-Request Signatures
- Attribute Index

Introduction

This document assumes you have read the Introduction section of the SaaS Connector User Guide.

Supported Features

- Outbound User Provisioning
- Browser-based SP and IdP-initiated SSO

System Requirements

The WebEx Connector requires installation of PingFederate 7.2.1 or higher.

The WebEx Connector may require the following endpoints to be whitelisted on the firewall to allow outbound connections:

- https://{subdomain}.webex.com

ZIP Manifest

The distribution ZIP file for the Connector contains the following:

- ReadMeFirst.pdf: contains links to this online documentation.
- /legal: Legal.pdf, copyright and license information.
- /dist: contains libraries needed for the Connector:
  - pf-webex-quickconnection-2.0.jar: PingFederate WebEx Connector

Installation and Setup

The following sections explain how to obtain the necessary information required for installing and configuring this SaaS Connector. Please follow these sections completely and in order.

Getting Started

Before you can configure this Connector, you will need to complete the following steps.

Tip: Some of the following steps result in information to be used at a later time in this User Guide. It is recommended that you copy this information to a secure location to reference in later steps.

Downloading WebEx SAML 2.0 Metadata

This Connector's quick-connection template uses a SAML 2.0 metadata XML file to assist in configuring many SSO endpoints and settings in the SP Connection. Download the WebEx metadata XML file before creating the WebEx connection in PingFederate.

To download SAML 2.0 Metadata for WebEx:

1. Log on to the WebEx administrative site.
2. In the site-management menu click Configuration.
3. Click Common Site Settings.
4. Click SSO Configuration.
5. On the SSO configuration screen, choose SAML 2.0 as the federation protocol.
6. Click the Export button and save the saml-metadata.xml file.

Note: Because the WebEx SSO configuration is not yet complete, you cannot save it. You will be completing this configuration later by importing PingFederate metadata describing the SP connection.

Synchronizing Existing WebEx Users

Important: If your WebEx account already has Users you wish to provision with the WebEx connector, this is possible by following the steps below.

To provision existing User accounts on WebEx:

- Ensure that the value mapped to the email attribute (when configuring the connector) matches the existing WebEx User's Email exactly as it appears in WebEx.

For example, suppose that on the Attribute Mapping screen the User email attribute is mapped to the User mail attribute in your LDAP. This will synchronize a User that already exists on WebEx with an Email in WebEx of jsmith@domain.com to the User in your LDAP who has a mail attribute value of jsmith@domain.com. When the WebEx connector provisions for the first time, this address will be used to synchronize the User in your LDAP data store with the User in WebEx.

Upgrading Existing WebEx Connectors

1. Before stopping the PingFederate server to upgrade the WebEx Connector, access the Attribute Mapping screen for existing channel configurations and note the current configuration.
   Warning: The upgrade process may remove existing mappings and defaults on the Attribute Mapping screen. These may need to be reconfigured before activating the channel configuration.
2. Disable the existing SP Connection where the WebEx Connector is configured.
3. Delete the existing WebEx Connector SP Connection and save.
4. Stop the PingFederate server if it is running.
5. Unzip the WebEx Connector distribution ZIP file into a holding directory.
6. Remove any versions of pf-webex-quickconnection-.x.jar from:
   <pf_install>/pingfederate/server/default/deploy
7. Also remove the following files from the same directory if they are present:
   webex-api-4.8.1.jar
8. From the dist directory of the new version of the connector, copy the files:
   pf-webex-quickconnection-2.0.jar
   into the directory:
   <pf_install>/pingfederate/server/default/deploy
   Important: Make sure to remove existing versions of WebEx Connector files.
9. Start the PingFederate server.
10. Create a new SP Connection, using WebEx as the Connection Template.
11. Follow the instructions in the Configuring a Connection section below in order to obtain the SAML Metadata.
12. Access the Attribute Mapping for existing channel configurations and click Refresh Fields.
13. Ensure all new required fields (if any) are mapped appropriately or have a default value.
14. Once you have completed the attribute configuration, click Done, Done, and Save.
15. Activate the SP Connection to resume Outbound Provisioning.

Installing the Connector

To install the WebEx Connector, please follow the instructions in the Installing the Connector section of the SaaS Connector User Guide.

Note: Do not delete any versions of the Common Provisioning Layer (prov-cplx.x.x.jar) from the deploy folder that are required for other SaaS Connectors.

Configuring Server Settings

To configure Server Settings in preparation for configuring the WebEx Connector, please follow the instructions in the Configuring Server Settings section of the SaaS Connector Guide.

Configuring a Connection

Important: This section directs you to the SaaS Connector User Guide for most of the steps to configure this Connector but contains additional steps that need to be followed to successfully configure this Connector. Ensure you follow the additional steps below as directed.

To configure a Connection using the WebEx Connector, please follow the instructions in the Configuring a Connection section of the SaaS Connector User Guide, making the adjustments listed in the following section.

Additional Steps

- On the Connection Template screen, select WebEx Connector as the Connection Template to use for this SP Connection. You will be asked to provide the saml-metadata.xml file you obtained earlier in the Getting Started section of this User Guide.

- On the General Info screen, the default values are taken from the metadata file you selected in an earlier step. We recommend using these default values. If your organization supports more than one WebEx site and you are configuring a connection to the secondary (or greater) site, then you must modify the Connection ID to make it unique.

- (SSO Configuration) On the SAML Profiles screen, ensure that the IdP-Initiated SSO and SP-Initiated SSO profiles are selected and click Next.

- (SSO Configuration) On the Attribute Contract screen, leave the default settings for SAML_SUBJECT name format. WebEx provides support for the following formats: unspecified, email address, x509 subject name, entity identifier and persistent identifier.

  Tip: You can add a special attribute, SAML_AUTHN_CTX, to indicate to the SP (if required) the type of credentials used to authenticate to the IdP application (authentication context). Map a value for the authentication context on the attribute-mapping screen later in the configuration, from any available attribute source (see Attribute Contract Fulfillment).

- (SSO Configuration) On the Attribute Contract Fulfillment screen, complete the required mappings from any of the available attribute sources. If you use the SAML_AUTHN_CTX attribute, you can map it to a text value such as:
  urn:oasis:names:tc:saml:2.0:ac:classes:unspecified

- (SSO Configuration) On the Allowable SAML Bindings screen, ensure that the POST and Redirect profiles are selected (de-select Artifact and SOAP) and click Next.

- (SSO Configuration) On the Signature Policy screen, you may be required to select Always sign the SAML Assertion, or to require the AuthN request to be signed, if this is configured in WebEx.

- (SSO Configuration) Under the Credentials section do the following:
  - Click Configure Credentials.
  - On the Digital Signature Settings screen, select a Signing Certificate for SAML assertions.

  Note: If you have not yet exported the public portion of the signing certificate, click Manage Certificates and do so now. You will need access to the public certificate during configuration of the WebEx administrator's setup for SSO.

- On the Target screen when configuring provisioning, fill in the following fields:

  Field Name: Value

  WebEx Id: The WebEx Id (User Name) of the WebEx Admin User.
  Password: The WebEx Admin User's password.
  Site Name: The Site Name (Subdomain) for your WebEx Account.
  Site Id: The Site ID for your WebEx Account. This value can be found on the WebEx Administration Tool Site Information Page.
  Partner Id: The Partner ID for your WebEx Account. This value can be found on the WebEx Administration Tool Site Information Page.
  User Create Enabled:
    True (default): Enables the ability to create users in WebEx via PingFederate.
    False: When disabled, the ability to create users in WebEx will be disabled. The provisioner.log will display a warning within the create user workflow that the user was not created in WebEx.
  User Update Enabled:
    True (default): Enables the ability to update users in WebEx via PingFederate.
    False: When disabled, the ability to update users in WebEx will be disabled. The provisioner.log will display a warning within the update user workflow that the user was not updated in WebEx.
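A review of the saml-metadata.xml file supplied on the Connection Template screen, written as an added example (it is not part of the Connector or of the original guide). It reads the standard SAML 2.0 metadata fields that drive the bindings and signature-policy choices above; the sample document, its endpoint paths and the function name review_sp_metadata are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
# The guide keeps POST and Redirect and de-selects Artifact and SOAP.
ALLOWED_BINDINGS = {"HTTP-POST", "HTTP-Redirect"}

# Constructed sample, not real WebEx output: paths and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.webex.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://subdomain.webex.com/constructed/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://subdomain.webex.com/constructed/acs-artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _flag(value):
    # xs:boolean allows "true" or "1"; an absent attribute means false.
    return value in ("true", "1")


def review_sp_metadata(xml_text):
    """Return the settings to compare against the PingFederate SP connection."""
    # SAML metadata never needs a DTD; refusing one avoids entity-expansion input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration found in metadata")
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service-provider metadata")

    keys = sp.findall("md:KeyDescriptor", NS)
    report = {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": _flag(sp.get("AuthnRequestsSigned")),
        "want_assertions_signed": _flag(sp.get("WantAssertionsSigned")),
        # A KeyDescriptor without "use" serves both signing and encryption.
        "has_signing_cert": any(k.get("use") in (None, "signing") for k in keys),
        "endpoints": [],
        "findings": [],
    }
    if report["authn_requests_signed"] and not report["has_signing_cert"]:
        report["findings"].append(
            "AuthnRequestsSigned is true but no signing certificate is published")

    for kind in ("AssertionConsumerService", "SingleLogoutService"):
        for ep in sp.findall("md:" + kind, NS):
            binding = ep.get("Binding", "")
            short = binding[len(BINDING_PREFIX):] if binding.startswith(BINDING_PREFIX) else binding
            location = ep.get("Location", "")
            report["endpoints"].append((kind, short, location))
            if short not in ALLOWED_BINDINGS:
                report["findings"].append("%s uses de-selected binding %s" % (kind, short))
            if urlparse(location).scheme != "https":
                report["findings"].append("%s is not HTTPS: %s" % (kind, location))
    if not any(e[0] == "AssertionConsumerService" for e in report["endpoints"]):
        report["findings"].append("no AssertionConsumerService endpoint")
    return report


if __name__ == "__main__":
    result = review_sp_metadata(SAMPLE_METADATA)
    for key in ("entity_id", "authn_requests_signed", "want_assertions_signed"):
        print(key, "=", result[key])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

If authn_requests_signed is reported as true, the connection needs the signed authentication-request setting on the Signature Policy screen; any finding is a reason to recheck the WebEx export before importing it.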

Exporting Connection Metadata

For SAML deployments PingFederate supports the export and import of metadata files, which federation partners can use to expedite their configuration. Once your WebEx Connection is configured, the metadata needs to be exported and used to configure SSO on the WebEx administrative site. For more information, see Exporting Metadata in the System Administration chapter of the PingFederate Administrator's Manual (or click Help).

Complete Setup of SAML SSO to WebEx

After initially downloading SAML 2.0 metadata, an administrator must return to the WebEx administrative site to complete the setup for SSO using metadata from PingFederate. This section describes the minimum required settings for this configuration and provides additional information on available options.

Note: Instructions for this configuration are based on the appearance and operation of the WebEx Meeting Center administrative user interface (UI) at the time of this PingFederate Connector release. The UI may change without notice, potentially making these instructions confusing or incomplete. If you have any difficulty completing this configuration, please contact Ping Identity Support (http://www.ping.force.com/support).

To configure WebEx for SSO:

1. Ensure that you have downloaded SAML metadata in PingFederate for the WebEx connection (see Exporting Connection Metadata).
2. Log on to the WebEx administrative site.
3. Click on Configuration in the WebEx Site Management Menu.
4. Click on Common Site Settings.
5. Click SSO Configuration.
6. On the SSO Configuration screen, choose SAML 2.0 as the federation protocol.
7. Click the link to import SAML metadata.
   Tip: If the import function does not appear to be functioning properly, try another supported browser.
8. In the pop-up window, locate and import the metadata file you exported from PingFederate.
   Note: If you receive a prompt asking whether you want to overwrite an existing certificate, click Yes.
9. On the SSO-configuration screen, click the certificate manager link near the top of the screen. Remove the existing signature-verification certificate and then import the one exported from PingFederate.
   Tip: The metadata exported from PingFederate and used in Step 8 would already include the signature-verification certificate from the connector setup. If it is already imported, this step can be skipped.
10. Verify (or change) values for the required fields, as described in the following table:

    Important: At a minimum, you must change the WebEx default AuthnContextClassRef value, as specified in the table. This setting is not contained in the SAML metadata.

    Field: Description

    SSO Profile: Make either selection: SP Initiated or IdP Initiated. To enable both, choose SP Initiated. For IdP Initiated, retain the default value for the associated target-parameter text box.
      Note: Use IdP Initiated in cases where you only want preauthenticated users to be able to access WebEx directly via a company Web portal (for example). Use SP Initiated for cases in which you (also) want users to have the option of clicking a link in WebEx to authenticate via your site.

    WebEx SAML Issuer (SP ID): The default is http://www.webex.com
      Note: If you are configuring a second (or greater) WebEx Site for SSO, change this ID to match the Connection ID defined for the corresponding PingFederate SP connection.

    Issuer for SAML (IdP ID): The Entity ID for SAML 2.0 at your site, as defined in the PingFederate administrative console (click Server Settings on the Main Menu, then Federation Info).

    Customer SSO Service Login URL: Your site's PingFederate SAML 2.0 endpoint in the format:
      http[s]://<pf host>:<pf port>/idp/sso.saml2

    AuthnContextClassRef: Change the default entry to:
      urn:oasis:names:tc:saml:2.0:ac:classes:password
      Note: This is the default value used by PingFederate. However, several IdP adapters provide the capability of changing the value (which is sent in the SAML assertion). If the IdP adapter instance used for the WebEx connection defines this value differently (under Advanced Settings in the instance configuration), then the value entered here must match the adapter setting. Refer to the PingFederate steps on adding the attribute SAML_AUTHN_CTX if you would like PingFederate to send a different AuthnContextClassRef, such as:
      urn:oasis:names:tc:saml:2.0:ac:classes:unspecified
      For more information, see Terminology in Getting Started.

    Default WebEx Target page URL: https://subdomain.webex.com

11. (Optional) Select the Single Log-Out (SLO) checkbox and enter the following URL in the associated text box:
    http[s]://<pf_host>:<pf_port>/idp/slo.saml2
    Note: The quick-connection template does not preconfigure SLO in PingFederate, so this will have to be set up manually if desired. In addition, WebEx does not automatically import the associated metadata for the optional feature (which allows users to choose to log out of both IdP and SP simultaneously while keeping the Web browser running).
12. (Optional) For SP Initiated SSO, select the AuthnRequest Signed checkbox and enter the required Destination. The Destination URL is identical to that shown on the screen in the text box for the Customer SSO Service Login URL.
    Note: To enable this feature, you must also modify the PingFederate connection to require signed authentication requests (see Enabling Authentication-Request Signatures).
13. Save the configuration.

Note: Most other options on this screen may also be configured, depending on your WebEx deployment needs, without requiring any changes to the PingFederate connection configuration. Note, however, that the SP connection created by the Connector template does not support the WebEx Account Creation/Update options. These SAML assertion-based provisioning options conflict with the Connector's active Outbound Provisioning methodology.

Note: See this WebEx help article for more information on how to set up SSO for WebEx.

Enabling Authentication-Request Signatures

To allow for SP-initiated SSO using signed authentication requests, make the connection changes indicated in the following procedure and select the authentication-request signing option in the WebEx administrative UI (see Complete Setup of SAML SSO to WebEx).

Note: The signature-verification certificate from WebEx, which is required for this configuration, is already imported into PingFederate from the metadata.

1. On the Signature Policy screen, under Protocol Settings, select the checkbox to Require AuthN requests to be signed.
   Tip: To reach this screen, first access the connection from the Main Menu. Click Browser SSO in the task bar and then click Configure Browser SSO. On the Browser Summary screen, click the heading Signature Policy near the bottom of the screen.
2. Click Done and Save on the Protocol Settings or the Browser SSO Summary Screen.

Attribute Index

The following table consists of the attributes that can be mapped on a User during provisioning.

Important: Many fields are required based on your WebEx account's configuration. Please ensure that you are sending data for all user fields that are required based on your configuration.

Attribute: Description

Email: The email address of the user. Must be a valid email address.
WebEx ID: A reference to the WebEx user account.
First Name: The user's first name.
Last Name: The user's last name.
Password: User's password. A user password will be validated against the password security options enabled in the WebEx Site Administration tool. If any of the security rules are violated, an exception will occur.
Address 1: The first line of the user's street address.
Address 2: The second line of the user's street address.
City: The user's city.
Company: The user's company name.
Country: The user's country. Must be a valid Country name as listed in WebEx's Appendix A: Time Zone, Language Encoding, and Country Codes.
Fax: The user's fax number.
Language: The user's preferred language. Must be among those listed in WebEx's Appendix A, Time Zone, Language Encoding, and Country Codes.
Meeting Type: The user's meeting type IDs.
Mobile Phone: The user's mobile phone number.
Pager: The user's pager number.
Phone: The user's phone number.
Pin: The user's PIN number. Secondary level of authentication for PCN and when host is using the phone and inviting additional attendees. Single number values and simple sequences, like 1111 or 1234, are not allowed.
State: The user's state.
Timezone: The user's time zone. Must be among those listed in WebEx's Appendix A, Time Zone, Language Encoding, and Country Codes.
Title: The user's title.
Zip Code: The user's zip code (postal code).