
PingFederate Box Connector

WebEx Connector Version 2.0

User Guide


© 2016 Ping Identity® Corporation. All rights reserved.

PingFederate WebEx Connector User Guide Version 2.0 May, 2016

Ping Identity Corporation 1001 17th Street, Suite 100 Denver, CO 80202 U.S.A.

Phone: 877.898.2905 (+1 303.468.2882 outside North America) Fax: 303.468.2909 Web Site: www.pingidentity.com

Trademarks

Ping Identity, the Ping Identity logo, PingFederate, PingOne, PingConnect, and PingEnable are registered trademarks of Ping Identity Corporation ("Ping Identity"). All other trademarks or registered trademarks are the property of their respective owners.

Disclaimer

The information provided in this document is provided "as is" without warranty of any kind. Ping Identity disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Ping Identity or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Ping Identity or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Document Lifetime

Ping Identity may occasionally update online documentation between releases of the related software. Consequently, if this PDF was not downloaded recently, it may not contain the most up-to-date information. Please refer to docs.pingidentity.com for the most current information.

From the Web site, you may also download and refresh this PDF if it has been updated, as indicated by a change in this date: May 19, 2016.

PingFederate WebEx Connector 2 Quick Connection Guide


Contents

Introduction
    Supported Features
    System Requirements
    ZIP Manifest

Installation and Setup
    Getting Started
    Upgrading Existing WebEx Connectors
    Installing the Connector
    Configuring Server Settings
    Configuring a Connection
    Exporting Connection Metadata
    Complete Setup of SAML SSO to WebEx
    Enabling Authentication-Request Signatures
    Attribute Index


Introduction

This document assumes you have read the Introduction section of the SaaS Connector User Guide.

Supported Features

• Outbound User Provisioning

• Browser-based SP and IdP-initiated SSO

System Requirements

The WebEx Connector requires installation of PingFederate 7.2.1 or higher.

The WebEx Connector may require the following endpoints to be whitelisted on the firewall to allow outbound connections:

• https://{subdomain}.webex.com

ZIP Manifest

The distribution ZIP file for the Connector contains the following:

• ReadMeFirst.pdf – contains links to this online documentation.

• /legal:

– Legal.pdf – copyright and license information.

• /dist – contains libraries needed for the Connector:

– pf-webex-quickconnection-2.0.jar – PingFederate WebEx Connector

Installation and Setup

The following sections explain how to obtain the information required for installing and configuring this SaaS Connector. Please follow these sections completely and in order.

Getting Started

Before you can configure this Connector, you will need to complete the following steps.

Tip: Some of the following steps result in information to be used at a later time in this User Guide. It is recommended that you copy this information to a secure location to reference in later steps.


Downloading WebEx SAML 2.0 Metadata

This Connector’s quick-connection template uses a SAML 2.0 metadata XML file to assist in configuring many SSO endpoints and settings in the SP Connection. Download the WebEx metadata XML file before creating the WebEx connection in PingFederate.

To download SAML 2.0 Metadata for WebEx:

1. Log on to the WebEx administrative site.

2. In the site-management menu click “Configuration”.

3. Click “Common Site Settings”.

4. Click “SSO Configuration”.

5. On the SSO configuration screen, choose SAML 2.0 as the federation protocol.

6. Click the Export button and save the saml-metadata.xml file.

Note: Because the WebEx SSO configuration is not yet complete, you cannot save it. You will be completing this configuration later by importing PingFederate metadata describing the SP connection.

Synchronizing Existing WebEx Users

Important: If your WebEx account already has Users you wish to provision with the WebEx connector, this is possible by following the steps below.

To provision existing User accounts on WebEx:

Ensure that the value mapped to the email attribute (when configuring the connector) matches the existing WebEx User's email exactly as it appears in WebEx.

For example, suppose that on the Attribute Mapping screen the User email attribute is mapped to the User's mail attribute in your LDAP. This will synchronize a User that already exists on WebEx with an email of [email protected] to the User in your LDAP whose mail attribute value is [email protected].

When the WebEx connector provisions for the first time, this address will be used to synchronize the User in your LDAP data store with the User in WebEx.

Upgrading Existing WebEx Connectors

1. Before stopping the PingFederate server to upgrade the WebEx Connector, access the Attribute Mapping screen for existing channel configurations and note the current configuration.

Warning: The upgrade process may remove existing mappings and defaults on the Attribute Mapping screen. These may need to be reconfigured again before activating the channel configuration.

2. Disable the existing SP Connection where the WebEx Connector is configured.


3. Delete the existing WebEx Connector SP Connection and save.

4. Stop the PingFederate server if it is running.

5. Unzip the WebEx Connector distribution ZIP file into a holding directory.

6. Remove any versions of pf-webex-quickconnection-.x.jar from:

<pf_install>/pingfederate/server/default/deploy

7. Also remove the following files from the same directory if they are present:

webex-api-4.8.1.jar

8. From the dist directory of the new version of the connector, copy the files:

pf-webex-quickconnection-2.0.jar

into the directory:

<pf_install>/pingfederate/server/default/deploy

Important: Make sure to remove existing versions of WebEx Connector files.

9. Start the PingFederate server.

10. Create a new SP Connection, using WebEx as the Connection Template.

11. Follow the instructions in the Configuring a Connection section below in order to obtain the SAML Metadata.

12. Access the Attribute Mapping for existing channel configurations and click Refresh Fields.

13. Ensure all new required fields (if any), are mapped appropriately or have a default value.

14. Once completed with the attribute configuration, click Done, Done, and Save.

15. Activate the SP Connection to resume Outbound Provisioning.

Installing the Connector

To install the WebEx Connector, please follow the instructions in the Installing the Connector section of the SaaS Connector User Guide.

Note: Do not delete any versions of the Common Provisioning Layer (prov-cpl-x.x.x.jar) from the deploy folder that are required for other SaaS Connectors.

Configuring Server Settings

To configure Server Settings in preparation for configuring the WebEx Connector, please follow the instructions in the Configuring Server Settings section of the SaaS Connector User Guide.


Configuring a Connection

Important: This section directs you to the SaaS Connector User Guide for most of the steps to configure this Connector but contains additional steps that need to be followed to successfully configure this Connector. Ensure you follow the additional steps below as directed.

To Configure a Connection using the WebEx Connector, please follow the instructions in the Configuring a Connection section of the SaaS Connector User Guide, making the adjustments listed in the following section.

Additional Steps

• On the Connection Template screen, select WebEx Connector as the Connection Template to use for this SP Connection. You will be asked to provide the saml-metadata.xml file you obtained earlier in the Getting Started section of this User Guide.

• On the General Info screen, the default values are taken from the metadata file you selected in an earlier step. We recommend using these default values. If your organization supports more than one WebEx site and you are configuring a connection to the secondary (or greater) site, then you must modify the Connection ID to make it unique.


• (SSO Configuration) On the SAML Profiles screen, ensure that the IdP-Initiated SSO and SP-Initiated SSO profiles are selected and click Next.


• (SSO Configuration) On the Attribute Contract screen, leave the default settings for SAML_SUBJECT name format. WebEx provides support for the following formats: unspecified, email address, x509 subject name, entity identifier and persistent identifier.

Tip: You can add a special attribute, SAML_AUTHN_CTX, to indicate to the SP (if required) the type of credentials used to authenticate to the IdP application—authentication context. Map a value for the authentication context on the attribute-mapping screen later in the configuration, from any available attribute source (see Attribute Contract Fulfillment).

• (SSO Configuration) On the Attribute Contract Fulfillment screen, complete the required mappings from any of the available attribute sources. If you use the SAML_AUTHN_CTX attribute, you can map it to a text value such as: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified


• (SSO Configuration) On the Allowable SAML Bindings screen, ensure that the POST and Redirect profiles are selected (de-select Artifact and SOAP) and click Next.

• (SSO Configuration) On the Signature Policy screen, you may need to select Always sign the SAML Assertion and/or Require AuthN requests to be signed, depending on how signing is configured on the WebEx side.

• (SSO Configuration) Under the Credentials section, do the following:

– Click Configure Credentials.

– On the Digital Signature Settings screen, select a Signing Certificate for SAML assertions.

Note: If you have not yet exported the public portion of the signing certificate, click Manage Certificates and do so now. You will need access to the public certificate during configuration of the WebEx administrator’s setup for SSO.

• On the Target screen when configuring provisioning, fill in the following fields:

WebEx Id – The WebEx Id (User Name) of the WebEx Admin User.

Password – The WebEx Admin User’s password.

Site Name – The Site Name (Subdomain) for your WebEx Account.

Site Id – The Site ID for your WebEx Account. This value can be found on the WebEx Administration Tool Site Information page.

Partner Id – The Partner ID for your WebEx Account. This value can be found on the WebEx Administration Tool Site Information page.

User Create Enabled – True (default) enables the creation of users in WebEx via PingFederate. False disables user creation in WebEx; the provisioner.log will display a warning within the create-user workflow that the user was not created in WebEx.

User Update Enabled – True (default) enables updates to users in WebEx via PingFederate. False disables user updates in WebEx; the provisioner.log will display a warning within the update-user workflow that the user was not updated in WebEx.


Exporting Connection Metadata

For SAML deployments PingFederate supports the export and import of metadata files, which federation partners can use to expedite their configuration. Once your WebEx Connection is configured, the metadata needs to be exported and used to configure SSO on the WebEx administrative site.

For more information, see Exporting Metadata in the System Administration chapter of the PingFederate Administrator’s Manual (or click Help).

Complete Setup of SAML SSO to WebEx

After initially downloading SAML 2.0 metadata, an administrator must return to the WebEx administrative site to complete the setup for SSO using metadata from PingFederate. This section describes the minimum required settings for this configuration and provides additional information on available options.

Note: Instructions for this configuration are based on the appearance and operation of the WebEx Meeting Center administrative user interface (UI) at the time of this PingFederate Connector release. The UI may change without notice, potentially making these instructions confusing or incomplete. If you have any difficulty completing this configuration, please contact Ping Identity Support (http://www.ping.force.com/Support).

To configure WebEx for SSO:

1. Ensure that you have downloaded SAML metadata in PingFederate for the WebEx connection (see Exporting Connection Metadata).

2. Log on to the WebEx administrative site.

3. Click on Configuration in the WebEx Site Management Menu.

4. Click on Common Site Settings.

5. Click the SSO Configuration.

6. On the SSO Configuration screen, choose SAML 2.0 as the federation protocol.

7. Click the link to import SAML metadata.

Tip: If the import function does not appear to be functioning properly, try another supported browser.

8. In the pop-up window, locate and import the metadata file you exported from PingFederate.

Note: If you receive a prompt asking whether you want to overwrite an existing certificate, click Yes.

9. On the SSO-configuration screen, click the certificate manager link near the top of the screen. Remove the existing signature-verification certificate and then import the one exported from PingFederate.


Tip: The metadata exported from PingFederate and used in Step 8 already includes the signature-verification certificate from the connector setup. If it has already been imported, this step can be skipped.

10. Verify (or change) values for the required fields, as described in the following table:

Important: At a minimum, you must change the WebEx default AuthnContextClassRef value, as specified in the table. This setting is not contained in the SAML metadata.

SSO Profile: Make either selection: SP Initiated or IdP Initiated. To enable both, choose SP Initiated. For IdP Initiated, retain the default value for the associated target-parameter text box.

Note: Use IdP Initiated in cases where you only want pre-authenticated users to be able to access WebEx directly via a company Web portal (for example). Use SP Initiated for cases in which you (also) want users to have the option of clicking a link in WebEx to authenticate via your site.

WebEx SAML Issuer (SP ID): The default is http://www.webex.com

Note: If you are configuring a second (or greater) WebEx Site for SSO, change this ID to match the Connection ID defined for the corresponding PingFederate SP connection.

Issuer for SAML (IdP ID): The Entity ID for SAML 2.0 at your site, as defined in the PingFederate administrative console (click Server Settings on the Main Menu, then Federation Info).

Customer SSO Service Login URL: Your site’s PingFederate SAML 2.0 endpoint in the format:

http[s]://<pf host>:<pf port>/idp/SSO.saml2

AuthnContextClassRef: Change the default entry to:

urn:oasis:names:tc:SAML:2.0:ac:classes:Password

Note: This is the default value used by PingFederate. However, several IdP adapters provide the capability of changing the value (which is sent in the SAML assertion). If the IdP adapter instance used for the WebEx connection defines this value differently (under Advanced Settings in the instance configuration), then the value entered here must match the adapter setting.

Refer to the PingFederate steps on adding the attribute SAML_AUTHN_CTX if you would like PingFederate to send a different AuthnContextClassRef such as: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

For more information, see Terminology in Getting Started.

Default WebEx Target page URL: https://subdomain.webex.com

11. (Optional) Select the Single Log-Out (SLO) checkbox and enter the following URL in the associated text box: http[s]://<pf_host>:<pf_port>/idp/SLO.saml2

Note: The quick-connection template does not preconfigure SLO in PingFederate, so this will have to be set up manually if desired. In addition, WebEx does not automatically import the associated metadata for this optional feature (which allows users to choose to log out of both IdP and SP simultaneously while keeping the Web browser running).

12. (Optional) For SP Initiated SSO, select the AuthnRequest Signed checkbox and enter the required Destination. The Destination URL is identical to that shown on the screen in the text box for the Customer SSO Service Login URL.

Note: To enable this feature, you must also modify the PingFederate connection to require signed authentication requests (see Enabling Authentication-Request Signatures).

13. Save the configuration.

Note: Most other options on this screen may also be configured, depending on your WebEx deployment needs, without requiring any changes to the PingFederate connection configuration. Note, however, that the SP connection created by the Connector template does not support the WebEx Account Creation/Update options. These SAML assertion-based provisioning options conflict with the Connector’s active Outbound Provisioning methodology.

Note: See this WebEx help article for more information on how to set up SSO for WebEx.

Enabling Authentication-Request Signatures

To allow for SP-initiated SSO using signed authentication requests, make the connection change indicated in the following procedure and select the authentication-request signing option in the WebEx administrative UI (see Complete Setup of SAML SSO to WebEx).

Note: The signature-verification certificate from WebEx, which is required for this configuration, is already imported into PingFederate from the metadata.

1. On the Signature Policy screen, under Protocol Settings, select the checkbox to Require AuthN requests to be signed.

Tip: To reach this screen, first access the connection from the Main Menu. Click Browser SSO in the task bar and then click the Configure Browser SSO. On the Browser Summary screen, click the heading Signature Policy near the bottom of the screen.

2. Click Done and Save on the Protocol Settings or the Browser SSO Summary Screen.
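The settings this guide has you carry from the WebEx metadata into PingFederate (the SP Issuer in Getting Started, the allowable bindings and signature policy in Configuring a Connection, and the signing certificate this section relies on) can be checked before import. The following Python script is an added example, not part of the Ping Identity guide or connector; the metadata document, its endpoint paths and its certificate value are constructed placeholders.

```python
"""Pre-import check of a SAML 2.0 SP metadata file (added example, not from
the guide). Reports what the guide asks the admin to verify by hand: entityID
(WebEx SAML Issuer), advertised bindings (guide keeps POST and Redirect only),
AuthnRequestsSigned (must agree with the Signature Policy screen) and whether a
signing certificate is present. Sample data and certificate are placeholders."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
# The guide's Allowable SAML Bindings step selects these two only.
ALLOWED_BINDINGS = {"HTTP-POST", "HTTP-Redirect"}

# Constructed sample metadata; paths and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.webex.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-NOT-A-REAL-CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-site.webex.com/placeholder/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://example-site.webex.com/placeholder/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def check_sp_metadata(xml_text, expected_entity_id):
    """Return the settings to carry into PingFederate plus a list of findings."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("metadata has no SPSSODescriptor")
    findings = []
    entity_id = root.get("entityID")
    if entity_id != expected_entity_id:
        # For a second WebEx site the Issuer must equal the PF Connection ID.
        findings.append(f"entityID {entity_id!r} differs from expected {expected_entity_id!r}")
    bindings = {acs.get("Binding", "").replace(BINDING_PREFIX, "")
                for acs in sp.findall("md:AssertionConsumerService", NS)}
    for binding in sorted(bindings - ALLOWED_BINDINGS):
        findings.append(f"ACS binding {binding} advertised; de-select it in PingFederate")
    authn_signed = sp.get("AuthnRequestsSigned", "false").lower() == "true"
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    signing_certs = [kd for kd in sp.findall("md:KeyDescriptor", NS)
                     if kd.get("use") in (None, "signing")
                     and kd.find(".//ds:X509Certificate", NS) is not None]
    if authn_signed and not signing_certs:
        findings.append("AuthnRequestsSigned=true but no signing certificate present")
    return {
        "entity_id": entity_id,
        "bindings": sorted(bindings),
        "authn_requests_signed": authn_signed,
        "signing_cert_count": len(signing_certs),
        "slo_endpoints": len(sp.findall("md:SingleLogoutService", NS)),
        "findings": findings,
    }
```

A zero count for slo_endpoints is expected for this connector: the template does not preconfigure SLO, so it is set up by hand if wanted.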


Attribute Index

The following table consists of the attributes that can be mapped on a User during provisioning.

Important: Many fields are required based on your WebEx account’s configuration. Please ensure that you are sending data for all user fields that are required based on your configuration.

Email – The email address of the user. Must be a valid email address.

WebEx ID – A reference to the WebEx user account.

First Name – The user’s first name.

Last Name – The user’s last name.

Password – The user’s password. A user password will be validated against the password security options enabled in the WebEx Site Administration tool. If any of the security rules are violated, an exception will occur.

Address 1 – The first line of the user’s street address.

Address 2 – The second line of the user’s street address.

City – The user’s city.

Company – The user’s company name.

Country – The user’s country. Must be a valid country name as listed in WebEx’s Appendix A: Time Zone, Language Encoding, and Country Codes.

Fax – The user’s fax number.

Language – The user’s preferred language. Must be among those listed in WebEx’s Appendix A: Time Zone, Language Encoding, and Country Codes.

Meeting Type – The user’s meeting type IDs.

Mobile Phone – The user’s mobile phone number.

Pager – The user’s pager number.

Phone – The user’s phone number.

Pin – The user’s PIN. Secondary level of authentication for PCN and when the host is using the phone and inviting additional attendees. Single-number values and simple sequences, like 1111 or 1234, are not allowed.

State – The user’s state.

Timezone – The user’s time zone. Must be among those listed in WebEx’s Appendix A: Time Zone, Language Encoding, and Country Codes.

Title – The user’s title.

Zip Code – The user’s zip code (postal code).
