Active Directory Federation Services




Active Directory Federation Services Installation Instructions for WebEx Messenger and WebEx Centers Single Sign-On for Windows 2008 R2 (WBS29)

Copyright 1997-2013 Cisco and/or its affiliates. All rights reserved. WEBEX, CISCO, Cisco WebEx, the CISCO logo, and the Cisco WebEx logo are trademarks or registered trademarks of Cisco and/or its affiliated entities in the United States and other countries. Third- party trademarks are the property of their respective owners. U.S. Government End User Purchasers. The Documentation and related Services qualify as "commercial items," as that term is defined at Federal Acquisition Regulation ("FAR") (48 C.F.R.) 2.101. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through 227.7202-4, and notwithstanding any other FAR or other contractual clause to the contrary in any agreement into which the Agreement may be incorporated, Customer may provide to Government end user or, if the Agreement is direct, Government end user will acquire, the Services and Documentation with only those rights set forth in the Agreement. Use of either the Services or Documentation or both constitutes agreement by the Government that the Services and Documentation are commercial items and constitutes acceptance of the rights and restrictions herein. Last updated: 10232013 www.webex.com

Table of Contents

Introduction and Prerequisites ... 1
  Introduction ... 1
  Prerequisites ... 1
Downloading and Installing ADFS 2.0 ... 3
  Accessing the ADFS Installation File ... 3
Creating a Self-Signed Certificate in IIS ... 5
Configuring an ADFS 2.0 First Run ... 11
Exporting a Token Signing Certificate ... 21
Configuring WebEx Centers ... 27
Configuring WebEx Messenger ... 45
Configuring ADFS 2.0 for a Relying Party Trust ... 63
Edit Claim Rules for Login ... 73
Setup Auto Account Creation ... 83
Setup Auto Account Update ... 95
Testing the Connection in WebEx Centers ... 105
Testing the Connection in WebEx Messenger ... 107
Appendix ... 109
Index ... 113

Chapter 1: Introduction and Prerequisites

Introduction

This document covers the installation and configuration of the software components required to achieve a Single Sign-On (SSO) solution with Active Directory Federation Services (ADFS). Every customer's environment differs, and matching each of them is not feasible. These instructions are supplied, as a best effort, to match the base installation of Microsoft Windows 2008 R2. ADFS 2.0 is only available on Windows 2008 R2 and above. The instructions listed below should be reviewed by your system administrator.

Prerequisites

Prerequisites required prior to ADFS installation include the following:

- Active Directory Domain Services (AD DS) must be configured correctly with at least one user listed.
- User accounts must have, at a minimum, an email address, SAM-Account-Name or UPN, first name, and last name.

Note: The installation and configuration of Active Directory, LDAP, or IWA is outside the scope of this document.

Verify your WebEx site or Messenger Organization is set up for SSO by doing one or both of the following:

- Log in to the WebEx Site Administration page. On the left navigation menu you should have a link for SSO Configuration.
- In WebEx Messenger, verify you have a Federated Web SSO Configuration link listed under Security Settings.

Note: If your WebEx site or Messenger Organization is not configured for SSO, contact your WebEx account manager and ask to have it enabled.
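The prerequisite above (every account needs an email address, a SAM-Account-Name or UPN, a first name and a last name) is easy to check in bulk before SSO is switched on. The script below is an added example and is not part of the Cisco guide; it assumes the ActiveDirectory module (RSAT) is installed on the machine running it, and is written for the PowerShell 2.0 that ships with Windows Server 2008 R2. It lists enabled users that are missing one of the attributes the claim rules later in this guide will read (mail, givenName, sn), and also flags email addresses shared by more than one account, because the Name ID claim must map one AD user to one WebEx username.

```powershell
# Added example (not part of the Cisco guide): find AD users that would fail SSO or
# auto account creation because a required attribute is empty or an email is duplicated.
# Assumes the ActiveDirectory (RSAT) module is available.
Import-Module ActiveDirectory

# Attributes the guide's claim rules read from AD: mail, givenName, sn (sAMAccountName is always set).
$required = @('mail', 'givenName', 'sn')

$users = Get-ADUser -Filter { Enabled -eq $true } -Properties mail, givenName, sn, userPrincipalName

$problems = foreach ($u in $users) {
    $missing = @()
    foreach ($attr in $required) {
        if ([string]::IsNullOrEmpty($u.$attr)) { $missing += $attr }
    }
    # UPN is only required if you map Name ID from User-Principal-Name instead of mail/sAMAccountName
    if ([string]::IsNullOrEmpty($u.UserPrincipalName)) { $missing += 'userPrincipalName (needed only for UPN mapping)' }
    if ($missing.Count -gt 0) {
        # New-Object form keeps this PowerShell 2.0 compatible (no [PSCustomObject] accelerator)
        New-Object PSObject -Property @{
            SamAccountName = $u.SamAccountName
            Missing        = ($missing -join ', ')
        }
    }
}

# Two AD accounts with the same mail value would both assert the same Name ID to WebEx.
$dupes = $users | Where-Object { $_.mail } | Group-Object -Property mail | Where-Object { $_.Count -gt 1 }

if ($problems) {
    Write-Host "Users missing prerequisite attributes:"
    $problems | Format-Table SamAccountName, Missing -AutoSize
} else {
    Write-Host "All enabled users have mail, givenName and sn set."
}

if ($dupes) {
    Write-Host "Email addresses used by more than one account (Name ID collision):"
    $dupes | ForEach-Object { "{0}: {1}" -f $_.Name, (($_.Group | ForEach-Object { $_.SamAccountName }) -join ', ') }
}
```

Run it as a domain user with read access to the user objects; fix the listed accounts in AD before testing the connection, because ADFS will happily issue an assertion with an empty attribute and WebEx will reject it with little detail.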

Chapter 2: Downloading and Installing ADFS 2.0

Accessing the ADFS Installation File

The download link for ADFS 2.0 is located at http://www.microsoft.com/download/en/details.aspx?id=10909. If this link is no longer active, perform a web search to find the most recent download link.

To install ADFS:

1. Download the installation file onto your desktop from the Microsoft Download Centre.
2. Double-click the file to start the installation.
3. Select Run.
4. Select Next to continue.
5. Select the I accept the terms in the License Agreement check box and select Next.
6. In the Server Role screen, ensure the Federation server radio button is selected and select Next.
7. Review the prerequisites and select Next.
8. Once the installation is complete, select the Start the AD FS 2.0 Management snap-in when the wizard closes check box.
9. Select Finish to close the installation wizard.

Chapter 3: Creating a Self-Signed Certificate in IIS

Important: If you are planning on using a CA certificate you can skip this step. Creating, signing, and importing a CA certificate is outside the scope of WebEx support for ADFS. Contact your system administrator for help with this process.

To create a self-signed certificate in IIS:

1. Select the Start menu > Administrative Tools > Internet Information Services (IIS) Manager.

   Note: We recommend using a server name the DNS server can resolve.

2. When IIS Manager loads, select the server home icon and then the Server Certificates icon.
3. On the Server Certificates screen under Actions, select the Create Self-Signed Certificate link.
4. The Specify Friendly Name screen is displayed. In the Friendly Name field, type your name or a company name.
5. Select OK. You should now have a new certificate listed for your IIS server. You can close the IIS Manager screen.
6. To enable SSL, select the web site node in the left panel and select Bindings under Edit Site in the right panel. A list of all the binding rules is displayed.
7. Select Add.
8. Select https from the Type list and 443 as the Port.
9. Select OK. SSL is now enabled.

Chapter 4: Configuring an ADFS 2.0 First Run

To configure an ADFS 2.0 first run:

1. Select the Start menu > Administrative Tools > ADFS 2.0 Management. The ADFS Management console is displayed.
2. Select the AD FS 2.0 Federation Server Configuration Wizard link to begin the setup wizard.
3. Ensure the Create a new Federation Service radio button is selected and select Next.
4. Ensure the Stand-alone federation service radio button is selected and select Next. The Specify the Federation Service Name screen is displayed.

   Note: If you do not see a certificate listed you must create a self-signed certificate. See Creating a Self-Signed Certificate in IIS.

5. Select Next. The Specify a Service Account screen is displayed.
6. Select Browse. The Select User screen is displayed.

   Note: You must assign one of your computer accounts as a service account for ADFS. The exact account varies from customer to customer. If you are not sure what account to use, contact your system administrator.

7. Type the name of the service account in the Enter the object name to select field.
8. Select Check Names to validate the name.
9. When the account is validated, select OK.
10. In the Specify a Service Account screen, type the service account's password in the Password field, and select Next.
11. Review the Ready to Apply Settings, and select Next. Windows applies the settings. This process may take a few minutes.
12. Review the final settings and, if needed, fix any problems that may have occurred.

    Important: These errors may require assistance from your system administrator. WebEx support is not able to help with errors at this stage.

13. When you have completed the fixes, select Close.

Chapter 5: Exporting a Token Signing Certificate

To export a token signing certificate:

1. Select the Start menu > Administrative Tools > ADFS 2.0 Management. The ADFS Management console is displayed.
2. Expand the Service tree and select Certificates. In the center window, listed under Certificates, find your Token-signing certificate.
3. Right-click the Token-signing certificate and select View Certificate from the pop-up menu. The certificate is displayed.
4. Select the Details tab.
5. Select Copy to File.
6. Ensure the DER encoded binary X.509 (.CER) radio button is selected and select Next.
7. Choose a path and file name to store the certificate as, and select Next.
8. Select Finish.
9. Select OK to confirm the operation is completed.
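The same export can be done from the ADFS 2.0 PowerShell snap-in, which is useful when the certificate has to be re-exported later. The script below is an added example, not part of the Cisco guide; it assumes ADFS 2.0 on Windows Server 2008 R2 (cmdlets in the Microsoft.Adfs.PowerShell snap-in) and uses a placeholder output path. It writes the primary token-signing certificate in the DER encoded binary X.509 format chosen in step 6 and prints the details a practitioner should record: thumbprint, expiry, and whether ADFS is set to roll the certificate over automatically, since a rolled-over signing certificate that has not been re-uploaded to WebEx breaks every sign-in.

```powershell
# Added example (not part of the Cisco guide): export the primary ADFS 2.0 token-signing
# certificate as DER (.CER), the format the guide selects, and report its expiry.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$outFile = 'C:\Users\admin\Desktop\adfs-token-signing.cer'   # placeholder path, change as needed

# ADFS can hold a primary and a secondary token-signing certificate; WebEx validates against the primary.
$signing = Get-ADFSCertificate -CertificateType 'Token-Signing' | Where-Object { $_.IsPrimary }
$cert    = $signing.Certificate     # System.Security.Cryptography.X509Certificates.X509Certificate2

# X509ContentType::Cert exports the public certificate only, DER encoded; no private key leaves the server.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($outFile, $der)

"Exported   : $outFile ($($der.Length) bytes)"
"Subject    : $($cert.Subject)"
"Thumbprint : $($cert.Thumbprint)"
"Expires    : $($cert.NotAfter)"

# With AutoCertificateRollover on, ADFS generates a new token-signing certificate before expiry.
# WebEx keeps the old one until you upload the new one (Chapters 6 and 7), so plan the re-export.
$props = Get-ADFSProperties
"Auto rollover: $($props.AutoCertificateRollover)"
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Token-signing certificate expires within 30 days; schedule the WebEx certificate update."
}
```

Keep the exported .cer with the thumbprint noted: when the Token-signing entry in the ADFS console later shows a different thumbprint, the certificate in WebEx Site Certificate Manager (or the Messenger Organization Certificate Manager) is stale and must be replaced.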

Chapter 6: Configuring WebEx Centers

This chapter details the tasks you need to complete to set up your WebEx site for ADFS 2.0, including:

- Installing the token-signing certificate
- Selecting the correct Single Sign-On (SSO) version
- Setting up service provider initiated SSO in the SSO profile
- Setting up the service provider ID
- Setting up the issuer ID
- Setting up the SSO sign-in URL
- Setting up the name ID format
- Setting up the AuthnContextClassRef value
- Saving the WebEx configuration
- Exporting the WebEx Metadata.xml file

To install the token-signing certificate:

1. Sign in to the Cisco WebEx Site Administration Tool.
2. On the left navigation menu, select the SSO Configuration link.
3. Select the Site Certificate Manager link.
4. In the Site Certificate Manager screen, select Browse to select the token-signing certificate.
5. Browse to the required certificate and select Open.
6. Select OK to load the certificate to WebEx.
7. Select Close.

To select the correct SSO version:

1. Sign in to Cisco WebEx Site Administration.
2. On the left navigation menu, select the SSO Configuration link.
3. The default SSO value of SAML 1.1 is displayed on the right of the page.
4. Select SAML 2.0 from the list.
5. The default SAML 2.0 configuration screen for WebEx is displayed.

To set up service provider initiated SSO in the SSO profile:

In the SAML 2.0 configuration screen for WebEx, ensure the SP Initiated option is selected. Do NOT check the AuthnRequest Signed check box.

To set up the service provider ID:

The default value for the SP ID is http://www.webex.com. This value is pre-populated and can remain at the default.

Important: There may be a conflict with Cisco WebEx Messenger / Cisco Jabber, because Cisco WebEx Messenger and Cisco Jabber both have the same default value for SP ID. If you are using both services with SSO, one of these values needs to change. In the Configuring WebEx Messenger chapter below it is recommended to change the value for WebEx Messenger, keeping the default for WebEx Centers.

To set up the correct issuer ID:

1. Launch the ADFS 2.0 Management console.
2. On the right-hand side of the main ADFS Management console screen under Actions, select Edit Federation Server Properties. The Federation Server Properties screen is displayed.
3. Copy the value displayed in the Federation Service Identifier field.
4. Paste the Federation Service Identifier into the WebEx field Issuer for SAML (IdP ID).

To set up the SSO sign-in URL:

1. First you need to create the endpoint URL, which is pieced together from ADFS and IIS. The endpoint URL is where WebEx directs users to sign in. This value differs from customer to customer. The format of the URL is https://{server Name}/{path of endpoint}/.

   Important: The instructions provided below are a best effort to assist you in putting the endpoint URL together. If you are not sure of this value, or if the provided instructions do not match your environment, contact your system administrator.

2. Launch the ADFS 2.0 Management console.
3. On the right-hand side of the main ADFS Management console screen under Actions, select Edit Federation Server Properties. The Federation Server Properties screen is displayed.
4. Copy the value displayed in the Federation Service name field. This is the server name for the endpoint URL, for example https://adfs-fed-srv2.adfs.webexeagle.com/{path of endpoint}/.
5. Select OK or Cancel.
6. In the ADFS 2.0 Management console, open the Service tree and select Endpoints. Find the SAML 2.0/WS-Federation type, copy the value listed under URL Path, and append it to the endpoint URL. Using the previous example you should now have the following URL: https://adfs-fed-srv2.adfs.webexeagle.com/adfs/ls/
7. Sign in to Cisco WebEx Site Administration and add this URL to the SSO Service Login URL field.

To set up the name ID format:

The Name ID format should remain at the default value, Unspecified.

To set up the AuthnContextClassRef value:

Currently WebEx sets the default value for AuthnContextClassRef to urn:oasis:names:tc:saml:2.0:ac:classes:passwordprotectedtransport. Delete this value and replace it with urn:federation:authentication:windows.

Note: This value can change depending on your setup, and finding it may require extra troubleshooting. Listed below are the most common AuthnContextClassRef values. Windows Authentication is the most common value and is the one used in this guide. If you are using a different authentication scheme, you just need to ensure the value in your assertion and the value in WebEx match exactly. If you continue to have issues with this value (WebEx error 13), refer to the SAML Troubleshooting Guide or contact technical support.

Common AuthnContextClassRef values:

  Windows Authentication (Suggested): urn:federation:authentication:windows
  Kerberos Authentication: urn:oasis:names:tc:saml:2.0:ac:classes:kerberos
  Password Authentication: urn:oasis:names:tc:saml:2.0:ac:classes:password or urn:oasis:names:tc:saml:2.0:ac:classes:passwordprotectedtransport
  Forms Authentication: urn:oasis:names:tc:saml:2.0:ac:classes:password or urn:oasis:names:tc:saml:2.0:ac:classes:passwordprotectedtransport

To save the WebEx configuration:

At this point you need to save/update the values on the Federated Web SSO Configuration page. Select Update.

To export the WebEx Metadata.xml file:

1. In WebEx Site Administration, select Export and save the file to your desktop.
2. The download screen is displayed. Select Save File and OK. You may have to select the location to download the file. We suggest the desktop for ease of use.

Chapter 7: Configuring WebEx Messenger

This chapter details the tasks you need to complete to set up your WebEx Messenger service for ADFS 2.0, including:

- Installing the token-signing certificate
- Selecting the correct Single Sign-On (SSO) version
- Setting up service provider initiated SSO in the SSO profile
- Setting up the service provider ID
- Setting up the issuer ID
- Setting up the SSO sign-in URL
- Setting up the name ID format
- Setting up the AuthnContextClassRef value
- Saving the WebEx configuration
- Exporting the WebEx Metadata.xml file

To install the token-signing certificate:

1. Sign in to Cisco WebEx Administration.
2. On the left navigation menu, select the Security Settings link.
3. Select the Organization Certificate Manager link.
4. In the Organization Certificate Manager screen, select Import New Certificate.
5. In the Alias field, type an alias for the certificate and select Browse to select it.
6. Browse to the required certificate, and select Open.
7. Select Import.
8. Ensure the certificate is correct, and select Close.
9. Ensure the new certificate is selected, and select Save.

To select the correct SSO version:

1. Sign in to the Cisco WebEx Organization Administration Tool.
2. Select the Configuration tab.
3. On the left navigation menu, select Security Settings.
4. Select Federated Web SSO Configuration.
5. The default SSO value of SAML 2.0 is displayed in the Federation Protocol field. You do not need to make any changes.

To set up service provider initiated SSO in the SSO profile:

In the Federated Web SSO Configuration screen, ensure the SP Initiated option is selected. Do NOT check the AuthnRequest Signed check box.

To set up the service provider ID:

The default value for the SP ID is http://www.webex.com. This value is pre-populated but must be changed to http://www.webex.com/connect or http://www.webexconnect.com to avoid a potential conflict with WebEx Centers.

To set up the correct issuer ID:

1. Launch the ADFS 2.0 Management console.
2. On the right-hand side of the main ADFS Management console screen under Actions, select Edit Federation Server Properties. The Federation Server Properties screen is displayed.
3. Copy the value displayed in the Federation Service Identifier field.
4. Paste the Federation Service Identifier into the WebEx field Issuer for SAML (IdP ID).

To set up the SSO sign-in URL:

1. First you need to create the endpoint URL, which is pieced together from ADFS and IIS. The endpoint URL is where WebEx directs users to sign in. This value differs from customer to customer. The format of the URL is https://{server Name}/{path of endpoint}/.

   Important: The instructions provided below are a best effort to assist you in putting this together. If you are not sure of this value, or if the provided instructions do not match your environment, contact your system administrator.

2. Launch the ADFS 2.0 Management console.
3. On the right-hand side of the main ADFS Management console screen under Actions, select Edit Federation Server Properties. The Federation Server Properties screen is displayed.
4. Copy the value displayed in the Federation Service name field. This is the server name for the endpoint URL, for example https://adfs-fed-srv2.adfs.webexeagle.com/{path of endpoint}/.
5. Select OK or Cancel.
6. In the ADFS 2.0 Management console, open the Service tree and select Endpoints. Find the SAML 2.0/WS-Federation type, copy the value listed under URL Path, and append it to the endpoint URL. Using the previous example you should now have the following URL: https://adfs-fed-srv2.adfs.webexeagle.com/adfs/ls/
7. Sign in to the Cisco WebEx Administration Tool and add this URL to the Customer SSO Service Login URL field.
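Both the Centers and the Messenger procedures copy the same two values out of the ADFS console: the Federation Service Identifier (the WebEx Issuer for SAML / IdP ID) and the Federation Service name joined to the SAML 2.0/WS-Federation endpoint path (the SSO Service Login URL). The script below is an added example, not part of the Cisco guide; it assumes the ADFS 2.0 snap-in (Microsoft.Adfs.PowerShell) on the federation server and reads those values with Get-ADFSProperties and Get-ADFSEndpoint, so they can be pasted into either WebEx form without retyping, and checks that the endpoint is actually enabled and served over HTTPS.

```powershell
# Added example (not part of the Cisco guide): assemble the WebEx IdP ID and SSO sign-in URL
# from ADFS 2.0 properties instead of reading them off the Federation Server Properties dialog.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$props = Get-ADFSProperties

# "Federation Service Identifier" in the GUI -> WebEx "Issuer for SAML (IdP ID)".
# It must match the <Issuer> element ADFS places in every assertion, character for character.
$issuerId = [string]$props.Identifier

# "Federation Service name" in the GUI -> host part of the sign-in URL.
$serverName = $props.HostName

# The passive sign-in endpoint the guide calls "SAML 2.0/WS-Federation"; its URL Path is normally /adfs/ls/.
$endpoint = Get-ADFSEndpoint | Where-Object { $_.AddressPath -eq '/adfs/ls/' } | Select-Object -First 1
if (-not $endpoint) { throw "No /adfs/ls/ endpoint found; check the Endpoints node in the ADFS console." }

# Pieced together as the guide describes: https://{server Name}/{path of endpoint}/
$signInUrl = 'https://{0}{1}' -f $serverName, $endpoint.AddressPath

"Issuer for SAML (IdP ID) : $issuerId"
"SSO Service Login URL    : $signInUrl"
"Endpoint protocol        : $($endpoint.Protocol)"
"Endpoint enabled         : $($endpoint.Enabled)"
"ADFS reports FullUrl     : $($endpoint.FullUrl)"

# Sanity checks a practitioner wants before pasting: the endpoint must be on, and the assembled
# URL should agree with what ADFS itself advertises (a mismatch usually means a wrong HostName).
if (-not $endpoint.Enabled) { Write-Warning "The /adfs/ls/ endpoint is disabled; users will not be able to sign in." }
if ([string]$endpoint.FullUrl -ne $signInUrl) { Write-Warning "Assembled URL differs from ADFS FullUrl; verify the Federation Service name." }
```

Enter the printed Issuer value in the Issuer for SAML (IdP ID) field and the sign-in URL in the SSO Service Login URL (Centers) or Customer SSO Service Login URL (Messenger) field. The host name must be one the DNS server resolves and that is covered by the HTTPS certificate from Chapter 3, otherwise browsers redirected there by WebEx will fail on the certificate before ADFS ever sees the request.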

To set up the name ID format:

The Name ID format should remain at the default value, Unspecified.

To set up the AuthnContextClassRef value:

Refer to the To set up the AuthnContextClassRef value section in Configuring WebEx Centers for this procedure.

To save the WebEx configuration:

At this point you need to save/update the values on the Federated Web SSO Configuration screen. Select Save.

To export the WebEx Metadata.xml file:

1. In the Cisco WebEx Administration Tool, in the Federated Web SSO Configuration screen, select Export and save the file to your desktop.
2. The download screen is displayed. Select Save File and OK.
3. You may have to select the location to download the file. We suggest the desktop for ease of use.

Chapter 8: Configuring ADFS 2.0 for a Relying Party Trust

To configure ADFS 2.0 for a relying party trust:

1. Launch the ADFS 2.0 Management console.
2. Select Required: Add a trusted relying party.
3. The Add Relying Party Trust Wizard is displayed. Read the information provided, and select Start.
4. In the Select Data Source screen, select Import data about the relying party from a file, and then select Browse.
5. Browse to the location where you previously saved the WebEx Metadata file, and select Open.
6. Verify the file location path is correct, and select Next.
7. In the Specify Display Name screen, in the Display name field, enter a name for the relying party. For example, WebEx_SP.
8. In the Notes field, enter a description for the relying party. We recommend you fill out both the Display name and the Notes fields.
9. Select Next.
10. In the Choose Issuance Authorization Rules screen, select Permit all users to access this relying party, and then select Next.
11. In the Ready to Add Trust screen, review all of the data. No changes should be necessary.
12. Select Next.
13. In the Finish screen, ensure Open the Edit Claim Rules dialog for this relying party trust when the wizard closes is selected, and then select Close.

Chapter 9: Edit Claim Rules for Login

To edit the claim rules for login:

1. Launch the ADFS 2.0 Management console.
2. Expand the Trust Relationships folder.
3. Select the Relying Party Trusts folder. The WebEx_SP Relying Party Trust should be displayed.
4. Under Actions > WebEx_SP, select Edit Claim Rules.
5. In the Edit Claim Rules for WebEx_SP screen, select Add Rule.
6. In the Select Rule Template screen, ensure the Claim rule template is set to Send LDAP Attributes as Claims, and then select Next.
7. In the Configure Rule screen, in the Claim rule name field, enter Name ID Mapping.
8. From the Attribute store list, select Active Directory.
9. Under Mapping of LDAP attributes to outgoing claim types there are two labeled columns. Select the drop-down arrow for LDAP Attribute.
10. From the list, select either E-Mail-Addresses or SAM-Account-Name.

    Important: The option you choose here depends on the username field of your WebEx site. If you have existing accounts on the WebEx site, you must ensure this value maps to a matching value between your Active Directory and the username field. For example, if the username on your WebEx site is klewis, choose SAM-Account-Name, which takes the same format. If your username is kingsley.lewis@cisco.com, choose E-Mail-Addresses.

11. Select the drop-down arrow for Outgoing Claim Type.
12. From the list, select Name ID.
13. Review the settings, and then select Finish.

    You have now completed the first steps of setting up ADFS 2.0. If you have existing user accounts on your site, you can now test to verify authentication. Resolve any problems at this point before moving on to Auto Account Creation. If you do not have any user accounts, or are using a new format for usernames, you can move on to Auto Account Creation. If you do not plan on using Auto Account Creation, then congratulations, you have completed setting up ADFS 2.0.

14. Select OK to close the window.
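Chapters 8 and 9 together produce one relying party trust with a permit-all authorization rule and a single "Send LDAP Attributes as Claims" rule that maps an AD attribute to Name ID. The script below is an added example, not part of the Cisco guide; it creates the same objects with the ADFS 2.0 snap-in (Microsoft.Adfs.PowerShell) and the ADFS claim rule language, so the configuration can be reviewed as text and reproduced on a second federation server. It assumes the exported WebEx Metadata.xml was saved to a placeholder path and that WebEx usernames are email addresses (LDAP attribute mail); set $ldapAttr to sAMAccountName for short usernames, exactly as step 10 above describes.

```powershell
# Added example (not part of the Cisco guide): the WebEx_SP relying party trust (Chapter 8)
# and the "Name ID Mapping" claim rule (Chapter 9) built from PowerShell.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$metadataFile = 'C:\Users\admin\Desktop\Metadata.xml'   # placeholder: your exported WebEx Metadata.xml
$rpName       = 'WebEx_SP'
$ldapAttr     = 'mail'                                   # 'sAMAccountName' if WebEx usernames are short names

# Chapter 8, step 10: "Permit all users to access this relying party" as an issuance authorization rule.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Chapter 9: "Send LDAP Attributes as Claims", one LDAP attribute -> outgoing claim type Name ID.
# The query is ";<ldap attribute>;{0}" where {0} is the authenticated Windows account name.
$nameIdRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Name ID Mapping"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";$ldapAttr;{0}", param = c.Value);
"@

if (-not (Get-ADFSRelyingPartyTrust -Name $rpName -ErrorAction SilentlyContinue)) {
    # Importing from the metadata file sets the SP identifier and assertion consumer URL, as the wizard does.
    Add-ADFSRelyingPartyTrust -Name $rpName `
        -MetadataFile $metadataFile `
        -Notes 'Cisco WebEx relying party, imported from WebEx Metadata.xml' `
        -IssuanceAuthorizationRules $authzRules `
        -IssuanceTransformRules $nameIdRule
}

# Review what the metadata import produced. The Identifier must equal the SP ID configured in WebEx
# (http://www.webex.com for Centers, the changed value for Messenger) or ADFS will not recognise the request.
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
$rp | Select-Object Name, Enabled, Identifier
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location
$rp.IssuanceTransformRules
```

The permit-all rule is what the guide chooses; if only a subset of AD users should reach WebEx, replace $authzRules with a rule that checks group membership rather than relying on WebEx to reject unknown accounts, because once Auto Account Creation (Chapter 10) is enabled every user ADFS permits gets a WebEx account.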


Chapter 10: Setup Auto Account Creation

Auto account creation is used to generate accounts on the WebEx site, helping reduce the need for administration and user management.

To edit claims for auto account creation:

1. Launch the ADFS 2.0 Management console.
2. Expand the Trust Relationships folder.
3. Select Relying Party Trusts. WebEx_SP should be displayed.
4. Under Actions > WebEx_SP, select Edit Claim Rules.
5. In the Edit Claim Rules for WebEx_SP screen, select Add Rule.
6. In the Select Rule Template screen, select Send LDAP Attributes as Claims from the list, and select Next.
7. In the Configure Rule screen, in the Claim rule name field, enter AutoAccountCreate.
8. From the Attribute store list, select Active Directory.
9. Under Mapping of LDAP attributes to outgoing claim types there are two labeled columns. The first is LDAP Attribute, and the second is Outgoing Claim Type. You must add four rows, filling out both of these columns. For basic auto account creation WebEx requires the following four outgoing claim types: uid, email, firstname, and lastname.
10. From the LDAP Attribute list, select E-Mail-Addresses. Other acceptable options are SAM-Account-Name or User-Principal-Name. The option you choose must be exactly the same as the one selected for Name ID in the Name ID Mapping rule (see Edit Claim Rules for Login).
11. In the Outgoing Claim Type field, type uid.

    Tip: DO NOT CLICK on the list arrow; you must type this in manually. A triple-click in the field enables you to start typing.

12. In the second row, from the LDAP Attribute list, select E-Mail-Addresses.
13. In the Outgoing Claim Type field, type email. DO NOT CLICK on the list arrow; you must type this in manually.
14. In the third row, from the LDAP Attribute list, select Given-Name.
15. In the Outgoing Claim Type field, type firstname. DO NOT CLICK on the list arrow; you must type this in manually.
16. In the fourth row, from the LDAP Attribute list, select Surname.
17. In the Outgoing Claim Type field, type lastname. DO NOT CLICK on the list arrow; you must type this in manually.
18. In the fifth row, in the LDAP Attribute field, type whenchanged. DO NOT CLICK on the list arrow; you must type this in manually.
19. In the Outgoing Claim Type field, type updatetimestamp. DO NOT CLICK on the list arrow; you must type this in manually.
20. When complete, select Finish.
21. There are now two claim rules listed in the Edit Claim Rules for WebEx_SP screen.

Setup Auto Account Creation To configure WebEx for auto account update: 1. Sign- in to your Cisco WebEx Administration Tool or your Cisco WebEx Messenger Administration Tool. 2. Select SSO Configuration. 3. Select Auto Account Update. 92

Setup Auto Account Creation 4. Select Update to save the values. 93

Setup Auto Account Creation 94

11 Setup Auto Account Update

To edit claims for auto account update:
1. Launch the ADFS 2.0 Management console.
2. Expand the Trust Relationships folder. The WebEx_SP Relying Party Trust should be displayed.
3. Under Actions > WebEx_SP, select Edit Claim Rules.
4. In the Edit Claim Rules for WebEx_SP screen, select Add Rule.
5. The Add Transform Claim Rule Wizard is displayed.
6. From the Claim rule template list, select Send Claims Using a Custom Rule, and then select Next.
7. Read the notes in the claim rule template description, and then select Next.
8. In the Claim rule name field, enter AutoAccountUpdate.
9. In the Custom rule: text box, enter the following rule (one statement; it looks up the whenchanged attribute of the authenticated Windows account in Active Directory and issues it as the updatetimestamp claim):

    c:[type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
     => issue(store = "Active Directory", types = ("updatetimestamp"), query = ";whenchanged;{0}", param = c.value);

10. Select Finish.
11. AutoAccountUpdate is now listed under the claim rules for WebEx_SP.

To configure WebEx for auto account update:
1. Sign in to your Cisco WebEx Administration Tool or your Cisco WebEx Messenger Administration Tool.
2. Select SSO Configuration.
3. Select Auto Account Update.
4. Select Update to save the values.

12 Testing the Connection in WebEx Centers

To test the connection in WebEx Centers:
1. Open a web browser and point it to http://sitename.webex.com, replacing sitename with your WebEx branded site.
2. Select Login on the right side of the screen. You are either directed straight into your Cisco WebEx site, or you are prompted to enter your network credentials in the login screen.
3. The Cisco WebEx site is displayed.

13 Testing the Connection in WebEx Messenger

Cisco WebEx Messenger 7.0 and greater automatically recognizes that Single Sign-On (SSO) is turned on for your organization, and attempts to sign in to your Active Directory. Some older versions of Cisco WebEx Messenger need to be installed with a switch to turn on SSO. Customers who would like to package and manually install Cisco WebEx Messenger across a network can also use this switch. Please refer to the Cisco WebEx Organization Administration documentation for additional details if you plan on using this method.

Use the following examples for installing the Cisco WebEx Messenger client:
    For a non-SSO msi installation: msiexec.exe /i apsetup.msi
    For an SSO msi installation:    msiexec.exe /i apsetup.msi /SSO_ORG EXAMPLE.com
OR
    Connect.exe (installation package) or apsetup.exe to install non-SSO
    Connect.exe (installation package) or apsetup.exe /SSO_ORG EXAMPLE.com to install SSO

Note: The Connect.exe installation package and the Connect.exe run-time executable are two different files.

To enable or disable SSO in Connect.exe (the run-time executable):
    Enabled:  Connect.exe /SSO_ORG EXAMPLE.com
    Disabled: Connect.exe /SSO_ORG NONE

A second option for testing is to use the Cisco WebEx Messenger Web IM to test SSO. Replace {org} in https://loginp.webexconnect.com/cas/sso/{org}/webim.app with your Cisco WebEx Messenger organization.

Appendix

Accepted attributes in the assertion for Meeting Center

Attribute Name               | Required for Auto Account Creation        | Usage
-----------------------------|-------------------------------------------|-----------------------------------------------------------
uid                          | NO                                        |
firstname                    | YES                                       |
lastname                     | YES                                       |
email                        | YES                                       |
groupid                      | NO                                        | Only supports create, not update
updatetimestamp              | NO, but necessary for Auto Account Update | Supports long value, UTC time format, and LDIF time format
optionalparams               | NO                                        | Optional parameters can be set in two formats (see below)
RP                           | NO                                        | Support Record Editor
LA                           | NO                                        | LabAdmin privilege
OPhoneCountry                | NO                                        | Office phone country code
OPhoneArea                   | NO                                        | Office phone area
OPhoneLocal                  | NO                                        | Office phone local
OPhoneExt                    | NO                                        | Office phone ext.
FPhoneCountry                | NO                                        | Fax phone country code
FPhoneArea                   | NO                                        | Fax phone area
FPhoneLocal                  | NO                                        | Fax phone local
FPhoneExt                    | NO                                        | Fax phone ext.
TimeZone                     | NO                                        | TimeZone
Address1                     | NO                                        | Address1
Address2                     | NO                                        | Address2
City, State, ZipCode, Country | NO                                       |

The following short attribute codes are also accepted (none is required for auto account creation): MW, FL, AB, PF, MM, MR, AA, RC, RE, LB, AS, AC, MT. The source table lists their usages as: mywebex type, SupportFileFolder, SupportMyContacts, SupportMyProfile, SupportMyMeetings, SupportEndUserReport, SupportAccessAnywhere, SupportMyRecordings, SupportEventDocuments, SupportPersonalLobby, AdditionalStorageNumber, AdditionalComputerNumber, with values <1,2,3,...>; the one-to-one mapping of code to usage is not recoverable from the flattened table.

Optional parameters can be set in two formats. Either wrapped in the optionalparams attribute as Key=Value strings:

    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="optionalparams">
        <saml:AttributeValue xsi:type="xs:string">City=Toronto</saml:AttributeValue>
        <saml:AttributeValue xsi:type="xs:string">AA=OFF</saml:AttributeValue>
    </saml:Attribute>

or in the same format as the mandatory attributes, in which case they do not need to be wrapped in optionalparams:

    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="City">
        <saml:AttributeValue xsi:type="xs:string">Toronto</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="AA">
        <saml:AttributeValue xsi:type="xs:string">OFF</saml:AttributeValue>
    </saml:Attribute>

Accepted attributes for Cisco WebEx Messenger

Attribute Name               | Required for Auto Account Creation        | Usage
-----------------------------|-------------------------------------------|-----------------------------------------------------------
uid                          | NO                                        | If uid is missing, the system sets uid=email
firstname                    | YES                                       |
lastname                     | YES                                       |
email                        | YES                                       |
updatetimestamp              | NO, but necessary for Auto Account Update | Supports long value, UTC time format, and LDIF time format
optionalparams               | NO                                        | Optional parameters can be set in the same two formats shown above for Meeting Center
employeeid                   | NO                                        | Needs to be unique for an org
groupid                      | NO                                        | Only supports auto account creation
displayname                  | NO                                        |
companyname                  | NO                                        |
streetline1                  | NO                                        |
streetline2                  | NO                                        |
city                         | NO                                        |
state                        | NO                                        |
zipcode                      | NO                                        |
country                      | NO                                        | Needs to be an ISO country code
jobtitle                     | NO                                        |
mobilephone                  | NO                                        |
businessphone                | NO                                        |
businessfax                  | NO                                        |
imloggingenabled             | NO                                        | When an org has IM logging enabled and this attribute is absent, it is set to false
imloggingendpointname        | NO                                        | If the value is null when imloggingenabled is true, the default endpoint set in the administrator portal is used
upgradesite                  | NO                                        | Only supports auto account update
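To check what the identity provider actually sends against the tables above, here is an added Python example (not from the Cisco guide): it parses a constructed SAML AttributeStatement, reports which of the required firstname/lastname/email attributes are missing, flattens both optionalparams formats, and parses updatetimestamp. The sample XML, the reading of "long value" as epoch milliseconds and of "LDIF time format" as LDAP generalized time (YYYYMMDDhhmmss.0Z) are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("firstname", "lastname", "email")   # uid is NOT required for creation
CORE = REQUIRED + ("uid", "optionalparams", "updatetimestamp")
# Constructed sample (not from the guide): both optionalparams formats plus an LDIF-style updatetimestamp.
SAMPLE = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="optionalparams">
    <saml:AttributeValue xsi:type="xs:string">City=Toronto</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">AA=OFF</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="TimeZone"><saml:AttributeValue>4</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="updatetimestamp"><saml:AttributeValue>20120301100000.0Z</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

def parse_attributes(xml_text):
    # Map every saml:Attribute Name to its list of AttributeValue strings.
    attrs = {}
    for a in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        vals = [v.text or "" for v in a.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(a.get("Name"), []).extend(vals)
    return attrs

def optional_params(attrs):
    # Flatten "Key=Value" entries of optionalparams and bare extra attributes into one dict.
    params = {}
    for kv in attrs.get("optionalparams", []):
        key, _, val = kv.partition("=")
        params[key] = val
    for name, vals in attrs.items():
        if name not in CORE and vals:
            params[name] = vals[0]
    return params

def parse_updatetimestamp(value):
    # Long value (assumed epoch milliseconds), UTC ISO-8601, or LDIF generalized time (assumed).
    if value.isdigit():
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc)
    fmt = "%Y%m%d%H%M%S.0Z" if value.endswith(".0Z") else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def check_assertion(xml_text):
    # -> (missing required attributes, optional params, updatetimestamp or None)
    attrs = parse_attributes(xml_text)
    ts = attrs.get("updatetimestamp")
    return ([n for n in REQUIRED if not "".join(attrs.get(n, []))],
            optional_params(attrs), parse_updatetimestamp(ts[0]) if ts else None)
```

Run check_assertion against a captured assertion before enabling auto account creation; an empty "missing" list and a parseable updatetimestamp mean the claim rules from sections 10 and 11 are emitting what the tables require.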
