My company has developed an integration with WebEx Training Center. Currently we require users to provide their WebEx username and password, which we then include in each API call.
This does not work for WebEx sites that are configured to use SAML single sign-on however.
We're investigating the possibility of supporting WebEx with SAML, and we have the below technical questions.
- The XML API 9.0 Release Notes refer to “OAuth access tokens” and “one time login tickets.” Are these available on all WebEx sites? How do we tell whether they are available for a specific site? Are they the same thing? Where can we find documentation on how to use them?
- How do we tell whether a specific site is considered to be a “Common Identity site?”
- If we need to pass a SAML assertion to authenticate the API calls, what are the constraints on this?
- Is a specific
Audiencerequired? - Are
NotBeforeand/orNotOnOrAfterconditions required? - Are there any constraints on the
IssueInstantand/orAuthnInstant? - Must the assertion be signed? If so, must the signing key be the same one used for SSO?
- Must the
NameID(or other attribute) match the suppliedwebExID?
- Is a specific
Thanks in advance for any and all help!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What do I need to do to get moderator approval? This was posted 2 days ago!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hi Robert,
Apologies for the delay. For some reason, your original post did not send a notification and it doesn't show up on the forum. Posts don't normally need a moderator to approve them, so we'll look into what's going on with this post. We did get a notification for your comment on it, so we can see it now.
OAuth is specific to Common Identity (SparkMeet) sites, though you can get one time use login tickets for standard WebEx sites. I've included links to authentication specific calls in our documentation:
getSiteType will tell you if a site is Common Identity or otherwise: Cisco DevNet: WebEx Conferencing - XML API - Release Notes
Audience is required for SP initiated. The "WebEx SAML Issuer (SP ID)" field in WebEx Site Admin must match the audience in the assertion exactly.
For IdP Initiated, the "Issuer for SAML (IdP ID)" field in WebEx Site Admin must match the issuer in the assertion exactly.
NotBefore and NotOnOrAfter are required.
IdMS should manage IssueInstant/AuthnInstant, but we do check those values.
The Assertion must be signed.
NameID can be username or email.
NameID Format: format of the NameID (username) specified in customer IdMS. If the value in WebEx is set to Unspecified, we would not check the Format in NameID and will accept all formats. However if it's set to anything other than Unspecified, the Format attribute in <NameID> has to match the values below.
| NameID Formats | ||||||
|---|---|---|---|---|---|---|
| Name | Value | |||||
| Unspecified | urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified | |||||
| Email address | urn:oasis:names:tc:SAML:1.1:nameid- format:emailAddress or http://schemas.xmlsoap.org/claims/EmailAddress | |||||
| X509 Subject Name | urn:oasis:names:tc:SAML:1.1:nameid- format:X509SubjectName | |||||
| Entity Identifier | urn:oasis:names:tc:SAML:2.0:nameid- format:entity | |||||
| Persistent Identifier | urn:oasis:names:tc:SAML:2.0:nameid- format:persistent | |||||
Kasey
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Comments
0 comments
Please sign in to leave a comment.