
PingFederate WebEx Connector 1.0
Configuring WebEx for SSO

After initially downloading SAML 2.0 metadata (see Downloading WebEx SAML Metadata), an administrator must return to the WebEx administrative site to complete the setup for SSO using metadata from PingFederate. This section describes the minimum required settings for this configuration and provides additional information on available options.

NOTE
Instructions for this configuration are based on the appearance and operation of the WebEx Meeting Center administrative user interface (UI) at the time of this PingFederate Connector release. The UI may change without notice, potentially making these instructions confusing or incomplete. If you have any difficulty completing this configuration, please contact Ping Identity Support.

To configure WebEx for SSO:
  1. Ensure that you have downloaded SAML metadata in PingFederate for the WebEx connection (see the previous section, Exporting Connection Metadata).
  2. Log on to the WebEx administrative UI.
  3. Click the SSO-configuration link in the WebEx site-management menu.
  4. On the SSO-configuration screen, choose SAML 2.0 as the federation protocol.
  5. Click the link to import SAML metadata.
  6. In the pop-up window, locate and import the metadata file you exported from PingFederate.
    If you receive a prompt asking whether you want to overwrite an existing certificate, click Yes.
  7. On the SSO-configuration screen, click the certificate-manager link near the top of the screen:
    Remove the existing signature-verification certificate and then import the one exported from PingFederate earlier (see Step 19).

    NOTE
    This step may not be required. For more information, please see the Qualification Statement in the WebEx Connector distribution docs/ directory.

  8. Verify (or change) values for required fields, as described in the following table.

    IMPORTANT
    At minimum, you must change the WebEx default AuthnContextClassRef value, as specified in the table. This setting is not contained in the SAML metadata.

    Field

    Description

    SSO Profile:

    Make either selection: SP Initiated or IdP Initiated. To enable both, choose SP Initiated.

    For IdP Initiated, retain the default value for the associated target-parameter text box.

    Note: Use IdP Initiated in cases where you only want pre-authenticated users to be able to access WebEx directly via a company Web portal (for example). Use SP Initiated for cases in which you (also) want users to have the option of clicking a link in WebEx to authenticate via your site.

    WebEx SAML Issuer (SP ID):

    The default is:
    http://www.webex.com

    Note: If you are configuring a second (or greater) WebEx Site for SSO, change this ID to match the Connection ID defined for the corresponding PingFederate SP connection (see Step 10).

    Issuer for SAML (IdP ID):

    The Entity ID for SAML 2.0 at your site, as defined in the PingFederate administrative console (click Server Settings on the Main Menu, then Federation Info).

    Customer SSO Service Login URL:

    Your site’s PingFederate SAML 2.0 SSO endpoint, in the format:
    http[s]://<pf_host>:<pf_port>/idp/SSO.saml2

    AuthnContextClassRef:

    Change the default entry to:
    urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

    Note: This is the default value used by PingFederate. However, several IdP adapters provide the capability of changing the value (which is sent in the SAML assertion). If the IdP adapter instance used for the WebEx connection defines this value differently (under Advanced Settings in the instance configuration), then the value entered here must match the adapter setting.

    (For more information, see Terminology in Getting Started.)

  9. (Optional) Select the Single Logout checkbox and enter the following URL in the associated text box:
    http[s]://<pf_host>:<pf_port>/idp/SLO.saml2

    NOTE
    The quick-connection template preconfigures Single Logout (SLO) in PingFederate, so it can be implemented easily if desired. WebEx does not, however, automatically import the associated metadata for the optional feature (which allows users to choose to log out of both the IdP and SP simultaneously while keeping the Web browser running).

  10. (Optional) For SP-initiated SSO, select the AuthnRequest Signed checkbox and enter the required Destination:
    The Destination URL is identical to that shown on the screen in the text box for the Customer SSO Service Login URL.

    NOTE
    To enable this feature, you must also modify the PingFederate connection to require signed authentication requests (see Enabling Authentication-Request Signatures).

  11. Save the configuration.

    NOTE
    Most other options on this screen may also be configured, depending on your WebEx deployment needs, without requiring any changes to the PingFederate connection configuration. Note, however, that the SP connection created by the Connector template does not support the WebEx Account Creation/Update options. These SAML assertion-based provisioning options conflict with the Connector’s active SaaS Provisioning methodology.
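
Before saving, the values on the WebEx SSO screen can be cross-checked against the metadata file exported from PingFederate. The following is an added example, not part of the Connector or of either product: it derives the expected field values from the metadata and reports mismatches, including the AuthnContextClassRef value that the metadata does not carry. The sample metadata, the host, port and entity ID in it, and the dictionary keys "Single Logout URL" and "Single Logout" are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
# PingFederate default named on this page; not carried in the metadata file.
PF_DEFAULT_ACR = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Constructed sample metadata: entity ID, host and port are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="idp.example.com">
  <md:IDPSSODescriptor
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://pf.example.com:9031/idp/SLO.saml2"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://pf.example.com:9031/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def expected_webex_fields(metadata_xml, acr=PF_DEFAULT_ACR):
    """Derive the values the WebEx SSO screen should hold from IdP metadata."""
    if "<!DOCTYPE" in metadata_xml:  # refuse DTDs (entity-expansion input)
        raise ValueError("metadata contains a DTD")
    root = ET.fromstring(metadata_xml)
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    def location(tag):  # first endpoint of that type, any binding (assumption)
        el = idp.find(MD + tag)
        return el.get("Location") if el is not None else None
    return {"Issuer for SAML (IdP ID)": root.get("entityID"),
            "Customer SSO Service Login URL": location("SingleSignOnService"),
            "AuthnContextClassRef": acr,
            "Single Logout URL": location("SingleLogoutService")}

def check_webex_settings(entered, metadata_xml, acr=PF_DEFAULT_ACR):
    """Return a list of mismatches between entered values and the metadata."""
    want = expected_webex_fields(metadata_xml, acr)
    fields = ["Issuer for SAML (IdP ID)", "Customer SSO Service Login URL",
              "AuthnContextClassRef"]
    if entered.get("Single Logout"):  # optional checkbox (step 9)
        fields.append("Single Logout URL")
    problems = [f"{f}: entered {entered.get(f)!r}, expected {want[f]!r}"
                for f in fields if entered.get(f) != want[f]]
    # With AuthnRequest Signed (step 10), Destination must equal the login URL.
    if entered.get("AuthnRequest Signed") and \
            entered.get("Destination") != want["Customer SSO Service Login URL"]:
        problems.append("Destination: must match Customer SSO Service Login URL")
    return problems
```

If the IdP adapter instance overrides AuthnContextClassRef under Advanced Settings, pass that value as acr so the check compares against the adapter setting rather than the PingFederate default.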