Community Member

CWMS 1.5 - SSO/SAML With ADFS 2.0 - How I did it.

All,

I have successfully configured SSO/SAML with full integration to Microsoft ADFS 2.0, including not just authentication but also account details such as address, phone numbers, etc.  It was incredibly frustrating to find information detailing how to perform the tasks I needed, and the errors in Cisco's documentation didn't help much.

Here are my findings:

  1. This guide here was a great start to get you basic SSO/SAML connectivity (All credit goes to Steve for posting this):  http://steve.heyvan.com/2013/04/06/connecting-cwms-to-adfs-2-0/
  2. The outgoing claim types ARE case sensitive.
  3. The claim rules that Steve posted will work, but can be simplified to a single rule as follows (including the user's address information):

    [Screenshot: Main Account Details Rule.png]
  4. Some clarifications for the screenshot:
    1. The sixth LDAP Attribute is a lower case "L".
    2. Cisco incorrectly listed the SAML assertion for zip code as "ZIP Code" in their documentation.  The correct SAML assertion (or, as Microsoft ADFS calls it, an Outgoing Claim Type) is ZipCode (case sensitive).
  5. For a list of other assertions see: http://www.cisco.com/en/US/docs/collaboration/CWMS/1_5/Planning_Guide_chapter_01001.html#reference_CD7A7E58EAF44AA4BBDCF67F5742ABF1
  6. Use SAML Tracer 0.2 for Firefox to see the contents of the SAML assertion that you are sending to CWMS, to make sure that the data going over looks right.  This was a huge help in verifying that everything was being transmitted.
  7. CWMS will not import any data into the user's account settings until the A/D account gets a new "whenChanged" value.  If you want to test, you might need to modify your test A/D account to change the "whenChanged" value so that the update will proceed.
  8. Getting phone numbers over to CWMS is a little more difficult, and you end up having to add 5 more custom claim rules in ADFS per phone number.  Simply add the following custom claim rules into ADFS for the Relying Party Trust that you created per Steve's blog (the order of the rules is important: you need to extract, then transform, then send.  You can send in any order.  The schemas.company.com type name doesn't really matter, but it needs to match between rules):

1) Extract Office Phone Number:

(This rule grabs the telephoneNumber AD attribute and places it into ophone)

---- CUT HERE ----

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.company.com/ophone"), query = ";telephoneNumber;{0}", param = c.Value);

2) Transform Office Phone Number:

(This rule takes the ophone variable, removes all non-digit characters and places the result into ophoneplain)

---- CUT HERE ----

c:[Type == "http://schemas.company.com/ophone"]
 => add(Type = "http://schemas.company.com/ophoneplain", Value = RegExReplace(c.Value, "\D", ""));

3) Send Office Country Code:

(We hard-coded the country code to US.  Don't add the "+" sign here; there is no condition line, just a "=> issue" statement)

---- CUT HERE ----

=> issue(Type = "OPhoneCountry", Value = "1");

4) Send Office Area Code:

(Removes the rightmost 7 digits from the plain phone number, keeping the area code only; modify {7} for your locale as needed)

---- CUT HERE ----

c:[Type == "http://schemas.company.com/ophoneplain"]
 => issue(Type = "OPhoneArea", Value = RegExReplace(c.Value, "\d{7}$", ""));

5) Send Office Local Phone Number:

(Removes the leftmost 3 digits from the plain phone number, keeping the local number only; modify {3} for your locale as needed)

---- CUT HERE ----

c:[Type == "http://schemas.company.com/ophoneplain"]
 => issue(Type = "OPhoneLocal", Value = RegExReplace(c.Value, "^\d{3}", ""));

6) Repeat for mobile phone number (comments omitted; the mobile rules read the "mobile" AD attribute instead of telephoneNumber, and the country code is sent without the "+" sign, exactly as in rule 3):

Extract Mobile Phone Number:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://schemas.company.com/mphone"), query = ";mobile;{0}", param = c.Value);

Transform Mobile Phone Number:

c:[Type == "http://schemas.company.com/mphone"]
 => add(Type = "http://schemas.company.com/mphoneplain", Value = RegExReplace(c.Value, "\D", ""));

Send Mobile Country Code:

=> issue(Type = "MPhoneCountry", Value = "1");

Send Mobile Area Code:

c:[Type == "http://schemas.company.com/mphoneplain"]
 => issue(Type = "MPhoneArea", Value = RegExReplace(c.Value, "\d{7}$", ""));

Send Mobile Local Phone Number:

c:[Type == "http://schemas.company.com/mphoneplain"]
 => issue(Type = "MPhoneLocal", Value = RegExReplace(c.Value, "^\d{3}", ""));

I hope this helps someone out there.  I know I could have used this a week ago.

-Pete
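The regex steps in rules 2, 4 and 5 above assume the AD value boils down to exactly 10 digits. The Python below is an added example, not part of Pete's post or of ADFS: it models those three RegExReplace steps, runs them over constructed sample telephoneNumber values, and flags the accounts whose value the rules cannot split cleanly (a stored country code or an extension shifts digits into the wrong claim).

```python
import re

# Constructed sample values as they might appear in the AD telephoneNumber
# attribute; none of these come from the post.
SAMPLE_TELEPHONE_NUMBERS = [
    "555-123-4567",        # plain 10-digit NANP number
    "(555) 123-4567",      # punctuation and spaces
    "+1 555 123 4567",     # stored with the country code
    "555-123-4567 x89",    # extension appended
]


def transform_plain(value):
    """Rule 2: RegExReplace(c.Value, "\\D", "") -> keep digits only."""
    return re.sub(r"\D", "", value)


def issue_area(plain):
    """Rule 4: RegExReplace(c.Value, "\\d{7}$", "") -> drop the last 7 digits."""
    return re.sub(r"\d{7}$", "", plain)


def issue_local(plain):
    """Rule 5: RegExReplace(c.Value, "^\\d{3}", "") -> drop the first 3 digits."""
    return re.sub(r"^\d{3}", "", plain)


def split_phone(raw, country="1"):
    """Run the three rules as ADFS would and return the issued claims."""
    plain = transform_plain(raw)
    return {"OPhoneCountry": country,
            "OPhoneArea": issue_area(plain),
            "OPhoneLocal": issue_local(plain)}


def claims_are_sane(claims):
    """Reviewer check: NANP area code is 3 digits, local part is 7 digits,
    and the country claim carries no '+' (the post says to leave it out)."""
    return (claims["OPhoneCountry"].isdigit()
            and re.fullmatch(r"\d{3}", claims["OPhoneArea"]) is not None
            and re.fullmatch(r"\d{7}", claims["OPhoneLocal"]) is not None)


def audit(numbers):
    """Return the raw values whose claims would NOT pass claims_are_sane,
    i.e. accounts whose telephoneNumber needs cleanup in AD first."""
    return [n for n in numbers if not claims_are_sane(split_phone(n))]


if __name__ == "__main__":
    for n in SAMPLE_TELEPHONE_NUMBERS:
        print(n, "->", split_phone(n))
    print("need cleanup in AD:", audit(SAMPLE_TELEPHONE_NUMBERS))
```

Pointing `audit` at an export of real telephoneNumber values before enabling the rules shows which accounts will arrive in CWMS with a mangled area code.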

13 REPLIES
Community Member

CWMS 1.5 - SSO/SAML With ADFS 2.0 - How I did it.

Thanks - looking to add SAML/SSO across several other UC applications and this is a good starting point.

Community Member

CWMS 1.5 - SSO/SAML With ADFS 2.0 - How I did it.

Hi Pkarelis,

Great to hear that! By the way, how's your authentication when you join the meeting? Does it go directly to the meeting conference without any pop-up?

I have mine set up, but it gives me lots of pop-up windows. Hope I can hear from you soon.

Thanks!

Community Member

CWMS 1.5 - SSO/SAML With ADFS 2.0 - How I did it.

We simply go to our meeting URL, and then click the "Sign In" button, and get directed straight to the meeting with Windows pass-through authentication (no pop-ups).

The trick is to change the authentication settings within IIS on the ADFS 2.0 server.  Within IIS manager, go to the adfs/ls directory and click on authentication, and make sure that Windows Authentication is enabled.

If your desktops are configured to pass-through credentials to intranet hosts, then it should work.

Community Member

CWMS 1.5 - SSO/SAML With ADFS 2.0 - How I did it.

Hi Pkarelis,

Thanks, I thought you were using the Outlook invite to launch the WebEx meeting. I want to achieve a single click only (just like how the "meet now" button works).

Once you click the URL, it should directly connect you to the WebEx meeting without going through the "sign in" button anymore.

Thanks!

Community Member

Great guide, I followed it

Great guide, I followed it and got ADFS working in CWMS 2.0, but it has broken since upgrading to 2.5. Have you tested CWMS 2.5 yet, and were there any changes needed?

Community Member

Hi gdsouza8484, How does your

Hi gdsouza8484,

How does your SSO behavior work? Once you click your WebEx meeting URL invitation, does it go straight to the WebEx meeting?

Thanks!

Community Member

We haven't upgraded or even

We haven't upgraded or even tested CWMS 2.5.  It may be that there are additional SAML assertions that it requires, or they have fixed the assertion for "ZIP Code", so that it is now "ZIP Code" as the documentation states, instead of "zipcode" that it was accepting before.

Community Member

We are just sending the

We are just sending the basics in the claim rule: only email address, first name and last name. I have even turned off the auto creation for troubleshooting.

Community Member

Here are the ADFS claim rules

Here are the ADFS claim rules that were working with 2.0. Are there any new values that are now required? Can you send me a link to a document that has the expected values?

Community Member

I'm also seeing the same

I'm also seeing the same issue in our test environment.  I upgraded that from 2.0 to 2.5 and am getting an SSO protocol error when logging in.  Something has to be different, but I can't seem to figure it out either.  Any help would be appreciated.

Community Member

Did you figure out the issue

Did you figure out the issue with CWMS 2.5?

Community Member

Here is the bug ID

Here is the bug ID:

https://tools.cisco.com/bugsearch/bug/CSCur59123

Weird how it says status fixed but there are no fixed releases. I was told it would be patched in MR1, still waiting for that to come out.

Community Member

We used the workaround.  All

We used the workaround.  All we had to do was change the signature algorithm on ADFS for the WebEx rule to use SHA-1 instead of SHA-256.  After changing that it worked fine.
