Installation instructions for setting up ADFS 2.0 to work with Webex Connect for Windows 2008 R2
Rev 1 by Kingsley Lewis

The instructions listed below should be reviewed by your system administrator. Each of our customers' environments will differ, and matching every one of these environments is not feasible. These instructions are supplied, as a best effort, to match the base install of Microsoft Windows 2008 R2. ADFS 2.0 is only available on Windows 2008 R2 and above.

Prerequisites:
Active Directory Domain Services (AD DS) should be configured correctly with at least one user listed. User accounts must have, at a minimum, an email address, SAM-Account-Name or UPN, first name, and last name. Installation and configuration of Active Directory, LDAP, or IWA is outside the scope of these installation instructions.
Verify your Connect Organization is set up for SSO: you should have a Federated Web SSO Configuration link listed under Security Settings. If your Connect Organization is not configured for SSO, please contact your Webex account manager and ask to have it enabled.

T.O.C.
1.0 Download and install ADFS 2.0
2.0 Create a Self Signed Certificate
3.0 Configure ADFS 2.0 first run
4.0 Exporting a Token Signing Certificate
5.0 Configure Webex Connect
  5.1 Install the Token-signing Certificate
  5.2 Selecting the correct SSO version
  5.3 Setup SP initiated SSO in the SSO Profile
  5.4 Setup Service Provider ID
  5.5 Setup Issuer ID
    5.5.1 Finding your Issuer ID Value
  5.6 Setup SSO Login URL
    5.6.1 Create your endpoint URL
      5.6.1.1 Determine the Server Name
      5.6.1.2 Determine the endpoint path
  5.7 Setup the Name ID Format
  5.8 Setup the AuthnContextClassRef value
    5.8.1 Other AuthnContextClassRef Values
      5.8.1.1 Windows Authentication
      5.8.1.2 Kerberos Authentication
      5.8.1.3 Password Authentication
      5.8.1.4 Forms Authentication
  5.9 Save the Webex Configuration
  5.10 Export the Webex Metadata.xml File
6.0 Configuring ADFS 2.0 for a Relying Party Trust
7.0 Editing Claims for Login
8.0 Testing the connection in Webex Connect

1.0 Download and install ADFS 2.0
At the time this document was created the download link for ADFS 2.0 is located at . If this link is no longer active, please do a web search, using your favorite search engine, to find the most recent download link.
The file AdfsSetup.exe should be downloaded to your desktop. Double click this file to start the installation.
Click on the Run button.
Click on the Next button to continue.
Make sure the "I accept the terms of the License Agreement" checkbox is checked, and then click on the Next button to continue.
Make sure the "Federation server" radio button is selected, and then click on the Next button to continue.
Review the prerequisites, and then click on the Next button to continue.
Once the installation is complete, click on Finish to close the Install wizard.

2.0 Create a Self Signed Certificate in IIS
If you are planning on using a CA certificate this step can be skipped. Please note that creating, signing, and importing a CA certificate is outside the scope of Webex support for ADFS. Please contact your system administrator for help with this process.
Start by clicking on the Start menu, choose Administrative Tools, and then choose Internet Information Services (IIS) Manager.
When IIS Manager loads, click on your server home; you should see the option for Server Certificates. Click on this icon.
On the Server Certificates screen click on the "Create Self-Signed Certificate" link located on the right side of the screen, listed under the Actions window.
Type your name or a company name in the "Friendly Name" field.
You should now have a new certificate listed for your IIS server. You can close the IIS Manager window.

3.0 Configure ADFS 2.0 first run
Launch the ADFS 2.0 Management console. If the ADFS Management console is not open, click on the Start menu, choose Administrative Tools, and then click on ADFS 2.0 Management.
You should now be at the main ADFS Management console screen. Click on the link "AD FS 2.0 Federation Server Configuration Wizard" to start the setup wizard.
Make sure the radio button is selected for "Create a new Federation Service", and then click on the Next button to continue.
Make sure the radio button is selected for "New federation server farm", and then click on the Next button to continue.
If you do not see a certificate listed you will need to create a self signed certificate following Step 2.0 of this document. Otherwise you can click on Next at the bottom of the screen to continue.
On the Specify a Service Account screen click on the Browse button.
You'll need to assign one of your computer accounts as a service account for ADFS. The exact account will vary from customer to customer. If you are not sure what this account needs to be, please contact your system administrator.
After typing in the name for the service account, click on the Check Names button to validate the name.
Once Windows has found a valid account, click on the OK button.
Type in the password for the service account, and then click on the Next button to continue.
Review the Ready to Apply Settings, and then click on the Next button to continue.
Windows will apply the settings. This process may take a few minutes.
Review the final settings and, if needed, fix any problems that occur. Any problems that occur at this point may require your system administrator. Webex support will not be able to help with errors at this stage. Once you have completed any fixes click on the Close button to continue.

4.0 Exporting a Token Signing Certificate
Launch the ADFS 2.0 Management console. If the ADFS Management console is not open, click on the Start menu, choose Administrative Tools, and then click on ADFS 2.0 Management.
When the management console loads, expand the Service tree and click on Certificates.
In the center window, listed under Certificates, find your Token-signing certificate.
Right click on the Token-signing certificate and choose the "View Certificate…" option.
You should now be viewing the certificate. Click on the Details tab at the top of the screen.
Click on the "Copy to File…" button at the bottom of the screen.
Select the radio button for a DER encoded binary X.509 (.CER) certificate, and then click on the Next button to continue.
Choose a path and file name to store the certificate as, and then click on the Next button to continue.
Click on the Finish button to complete the Certificate Export Wizard.
Click the OK button to confirm the operation is completed.

5.0 Configuring Webex Connect

5.1 Install the Token-signing Certificate
Log in to your Webex Org admin page. On the left navigation menu you should see a link for Security Settings. Once you click on the link you will see another link for the Organization Certificate Manager. Click this link.
You will now be in the Organization Certificate Management screen. Click on the "Import New Certificate" link.
You should now see a new screen to upload and name a new certificate.
Type in an alias for the certificate, and then click on the Browse button.
Locate your certificate and click on the Open button.
Click on the Import button.
Validate the certificate is correct and click on the Close button.
Make sure that your new certificate is selected and click on the Save button.

5.2 Selecting the Correct SSO Version
If you are not logged into your Webex Org Admin page, please log in and click on the Security Settings link.
Click on the "Federated Web SSO Configuration" link.
You should see the default SSO value of SAML 2.0. No changes need to be made.

5.3 Setup SP initiated SSO in the SSO Profile
Make sure you have selected the radio button for SP Initiated. Do NOT check the AuthnRequest Signed checkbox.

5.4 Setup Service Provider ID
The default value for the SP ID is . This value is pre-populated but should be changed to avoid a potential conflict with Webex Centers. My suggestion is to change this to , or .

5.5 Setup Issuer ID

5.5.1 Finding your Issuer ID
Launch the ADFS 2.0 Management console. If the ADFS Management console is not open, click on the Start menu, choose Administrative Tools, and then click on ADFS 2.0 Management.
Make sure you are on the main ADFS Management console screen. On the right menu under Actions click on the option "Edit Federation Service Properties".
Find the value labeled "Federation Service Identifier:". Copy this value, or write it down.
Paste the Federation Service Identifier from your ADFS server into the Webex field Issuer for SAML (IdP ID).

5.6 Setup SSO Login URL

5.6.1 Create your Endpoint URL
The endpoint URL will need to be pieced together from ADFS and IIS. The endpoint URL is where Webex will direct users to log in. This value will be different from customer to customer. The instructions provided below are a best effort to have you put this together. If you are not sure of this value, or if the provided instructions do not match up in your environment, please contact your system administrator to get this value.
The format of this URL follows https://{Server Name}/{path of endpoint}/

5.6.1.1 Determine the Server Name
Launch the ADFS 2.0 Management console. If the ADFS Management console is not open, click on the Start menu, choose Administrative Tools, and then click on ADFS 2.0 Management.
Make sure you are on the main ADFS Management console screen. On the right menu under Actions click on the option "Edit Federation Service Properties".
Copy or write down the value of Federation Service name. This will be our server name for the endpoint URL.
In the below example we should now have {path of endpoint}/

5.6.1.2 Determine the endpoint path
Launch the ADFS 2.0 Management console. If the ADFS Management console is not open, click on the Start menu, choose Administrative Tools, and then click on ADFS 2.0 Management.
Expand the Service tree and click on Endpoints. You now need to find the SAML 2.0/WS-Federation type. The value listed under URL Path needs to be copied or written down and appended to our full endpoint URL.
Using my previous example you should now have the following URL:
Now that we have the full endpoint URL we will need to log back in to the Webex org admin page and add this to our SSO Service Login URL field.

5.7 Setup the Name ID Format
The Name ID format should stay at Unspecified.

5.8 Setup the AuthnContextClassRef value
This value can change depending on your setup. Finding the value is not trivial and can require extra troubleshooting to determine. Listed in section 5.8.1 are the most common AuthnContextClassRef values. Windows Authentication is the most common value, and will be used in this guide. If you happen to be using a different authentication scheme you just need to make sure that the values in your assertion and in Webex match exactly. If you continue to have issues with this value (Webex error 13), you will need to refer to the SAML troubleshooting guide (TBD), or contact technical support.
Currently Webex sets the default value for AuthnContextClassRef to urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport. Delete this value and replace it with urn:federation:authentication:windows.

5.8.1 Other AuthnContextClassRef values

5.8.1.1 Windows Authentication (Suggested)
urn:federation:authentication:windows

5.8.1.2 Kerberos Authentication
urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos

5.8.1.3 Password Authentication
urn:oasis:names:tc:SAML:2.0:ac:classes:Password or
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

5.8.1.4 Forms Authentication
urn:oasis:names:tc:SAML:2.0:ac:classes:Password or
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

5.9 Save the Webex Configuration
At this point you need to save/update the values on the Federated Web SSO Configuration page.

5.10 Export the Webex Metadata.xml file
From the Webex org admin page you will need to click on the "Export" button and save the file to your desktop.
After clicking on the "Export" button you should see the download prompt. Make sure to select the Save File option and click "OK".
You may have to select the location to download the file to. I suggest the desktop for ease of use.

6.0 Configuring ADFS 2.0 for a Relying Party Trust
Launch the ADFS 2.0 Management console. If the ADFS Management console is not open, click on the Start menu, choose Administrative Tools, and then click on ADFS 2.0 Management.
You should now be at the main ADFS Management console screen. Click on the link "Required: Add a trusted relying party".
You'll be greeted with the Add Relying Party Trust Wizard. Read the information provided, and then click on the Start button.
On the Select Data Source page select the option "Import data about the relying party from a file", and then click the Browse button.
Select the Webex Metadata file we saved in the previous section, and then click on the Open button.
You will be brought back to the Select Relying Party page. Verify the file location path is correct, and then click on the Next button.
On the Specify Display Name page click into the Display name field and type in a name for this relying party. In the example we specify the name as Webex_SP and we put in a description for this relying party. Fill out both the Display name and Notes fields, and then click on the Next button.
On the Choose Issuance Authorization Rules page, select the radio button "Permit all users to access this relying party", and then click on the Next button.
On the Ready to Add Trust page you can review all of the data. No changes should be necessary. Review the data, and then click on the Next button.
On the Finish page, make sure the check box to open the Edit Claim Rules dialog is selected, and then click on the Close button.

7.0 Edit Claim Rules for Login
If you are not coming from the step above, or do not see the Edit Claim Rules for Webex_SP window, follow these instructions.
Launch the ADFS 2.0 Management console. If the ADFS Management console is not open, click on the Start menu, choose Administrative Tools, and then click on ADFS 2.0 Management.
From the ADFS 2.0 Management Console click on the (+) next to the Trust Relationships folder to expand it. Highlight Relying Party Trusts. You should see Webex_SP listed. If not, please go to the step above. On the left side of the screen, under Actions, you will see the link "Edit Claim Rules…" for Webex_SP. Click on that link.
In the Edit Claim Rules for Webex_SP window click on the "Add Rule…" button.
From the Select Rule Template page, make sure the Claim rule template "Send LDAP Attributes as Claims" is selected in the drop down list, and then click on the Next button.
On the Configure Rule page click into the Claim rule name field. Name this rule "Name ID Mapping".
Next, under Attribute store, click the drop down arrow and choose the option "Active Directory".
Under the label "Mapping of LDAP attributes to outgoing claim types:" you will see two labeled columns. Click the drop down arrow under "LDAP Attribute". Select either the option E-Mail-Addresses or SAM-Account-Name.
NOTE: The option you choose here depends on the username field from your Webex site. If you have existing accounts on the Webex site, you must make sure this value maps a matching value between your Active Directory and the username field. For example, if the username on my Webex site is "klewis" I would choose SAM-Account-Name, which takes the same format. If my username was "kingsley.lewis@" then I would choose E-Mail-Addresses.
Under the same "Mapping of LDAP attributes to outgoing claim types:" label, click the drop down arrow under "Outgoing Claim Type". Select the Name ID option from the drop down list.
Review the settings, and then click the Finish button.
You have now completed the first steps of setting up ADFS 2.0. If you have existing user accounts on your site you can now test to verify authentication. I suggest getting any problems at this point resolved before moving on to auto account creation. If you do not have any user accounts, or are using a new format for the username, then you can move on to auto account creation.
If you do not plan on using auto account creation, then congratulations, you're now done setting up ADFS 2.0. You can click the OK button and close out of all open windows.

8.0 Testing the connection in Webex Connect
Webex Connect 7.0 and greater will automatically recognize that SSO is turned on for your organization, and attempt to log in to your Active Directory. Some older versions of Connect require that they be installed with a switch to turn on SSO. Customers who would like to package and manually install Webex Connect across a network can also use this switch.
Please refer to the Org admin documentation for additional details if you plan on using this method. Use the following examples for installing the Cisco Webex Connect client:
For a non-SSO msi installation:
  msiexec.exe /i apSetup.msi
For an SSO msi installation:
  msiexec.exe /i apSetup.msi /SSO_ORG
or
  Connect.exe (installation package) or apSetup.exe to install non-SSO
  Connect.exe (installation package) or apSetup.exe /SSO_ORG to install SSO
Note: The Connect.exe installation package and the Connect.exe run-time executable are two different files.
To enable/disable SSO with Connect.exe (run-time executable):
  Enabled:  Connect.exe /SSO_ORG
  Disabled: Connect.exe /SSO_ORG NONE
A second option for testing is to use the Webex Connect Web IM to test SSO. Replace {ORG} in the below URL with your Webex Connect organization.
{ORG}/webim.app
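As an added example (not Cisco's or Webex's code), the following Python script compares a SAML response captured from a test login against the values entered in sections 5.5 (Issuer), 5.7 (Name ID format), 5.8 (AuthnContextClassRef) and 7.0 (Name ID claim), so a mismatch such as the AuthnContextClassRef error 13 case can be located before testing with the client. The sample response, its issuer URL and the user name in it are constructed placeholders.

```python
# Added example, not Cisco/Webex code: compare a captured SAML Response with the
# values entered in the Webex Federated Web SSO Configuration (sections 5.5, 5.7,
# 5.8 and 7.0). Standard SAML 2.0 namespaces; the sample response is constructed.
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample; the issuer URL and user name are placeholders, not real values.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.invalid/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">klewis</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement>
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, idp_id, authn_class_ref, username_style):
    """Return mismatches; [] means OK. username_style is "sam" or "email"."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element in response"]
    problems = []
    # 5.5: Issuer must equal the Federation Service Identifier entered as IdP ID
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_id:
        problems.append(f"Issuer {issuer!r} != Webex IdP ID {idp_id!r}")
    # 7.0: the Name ID claim must be present and match the Webex username style
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("Name ID missing (check the 'Name ID Mapping' claim rule)")
    else:
        if name_id.get("Format", UNSPECIFIED) != UNSPECIFIED:   # 5.7
            problems.append(f"NameID Format {name_id.get('Format')!r} is not Unspecified")
        value = name_id.text.strip()
        is_email = re.fullmatch(r"[^@\s]+@[^@\s]+", value) is not None
        if (username_style == "email") != is_email:
            problems.append(f"NameID {value!r} does not look like a {username_style} username")
    # 5.8: AuthnContextClassRef must match exactly (the guide ties this to error 13)
    ref = assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                             default="", namespaces=NS).strip()
    if ref != authn_class_ref:
        problems.append(f"AuthnContextClassRef {ref!r} != {authn_class_ref!r}")
    return problems
```

Run it with the Issuer for SAML (IdP ID), AuthnContextClassRef and LDAP attribute choice you entered; each returned line names the Webex field or claim rule to revisit.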