Discussion:
Shibboleth IdP with Webex
Todd, James
2014-09-10 08:42:51 UTC
Hi Group,

I'd like some guidance, primarily from those who have already got Shib and Webex working together, as I gather from other posts I've seen that it's not entirely as straightforward as other setups.

I've been trying to federate with Webex using our 2.3.8 IdP, using the documentation provided by Cisco (which seems heavily geared towards helping those using ADFS) and I'm hitting a brick wall. I've added the Webex metadata, I've pulled together the required attributes in the resolver (uid, email, firstname, lastname) and configured a webex nameid and used the uid for that. I've configured the attribute filter to remove all the unwanted attributes we usually release as default for other SPs. I've configured the webex side to point at our IdP, I've added our IdP metadata and all that good stuff.

So when it comes to Webex login it correctly redirects to our IdP and our IdP redirects back to Webex. From the logs I can see the attributes I want sent are being sent, but Webex fails to log in with the error "Reason: Invalid Response message (29)". Obviously that means that something's wrong with my assertion, but the documentation is of no help and, as I've already said, geared heavily to an ADFS implementation.

So, has anybody already successfully done this, and do they have any pointers?

Cheers

James
_____________________________________
James Todd | Data Centre & Operations Analyst
Edinburgh Napier University
Craiglockhart Campus
Edinburgh
EH14 1DJ
Tel: 0131 455 4313
Email: j.todd-***@public.gmane.org

Dave Perry
2014-09-10 08:45:12 UTC
Generic thought - could you not contact Webex and ask them to check their logs, with the detail you've given us?

I'm working on a Google Apps pairing currently, and they've offered to examine the headers of the handshake and investigate the issue at their end.


Dave

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

Todd, James
2014-09-10 08:50:21 UTC
I'm not in direct contact with the Citrix guys - this is an implementation for our comms team and I'm just doing the authentication bit, so they will be contacting Citrix in the first instance, but in the meantime I'd like a headstart while I wait! Also I'm wary that the response will be along the lines of they'd rather support ADFS, so just getting all the help I can :)

James

Martin, Andrew J.
2014-09-10 12:53:41 UTC
Hi Todd,

Towson University has successfully integrated Shib 2.3.6 with WebEx - I'll gather some of my notes and contact you off-list. If I recall, there were at least a few deviations from a vanilla config.

Todd, James
2014-09-11 10:53:55 UTC
Thank you all for your assistance - Andrew Martin provided some assistance off-list and some further tweaks mean I now have a working federated login with auto-account create. All down to encryption of assertions in the end.

Cheers
James
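
An added example, not part of the thread and not Shibboleth or Webex code: since the failure above came down to assertion encryption, this decodes a captured SAMLResponse form value and reports whether the assertion inside is plaintext or encrypted, for comparison with what the SP expects. The sample responses are constructed and trimmed, and the NameID format shown is an assumption.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def inspect_saml_response(b64_response):
    """Summarise a base64 SAMLResponse form value (HTTP-POST binding)."""
    # Intended for responses captured from your own IdP during testing.
    root = ET.fromstring(base64.b64decode(b64_response))
    plain = root.findall("saml:Assertion", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    attrs = root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)
    return {
        "status": status.get("Value").rsplit(":", 1)[-1] if status is not None else None,
        "plain_assertions": len(plain),
        "encrypted_assertions": len(root.findall("saml:EncryptedAssertion", NS)),
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": any(a.find("ds:Signature", NS) is not None for a in plain),
        # NameID and attributes are readable only when the assertion is plaintext.
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": sorted(a.get("Name") for a in attrs),
    }

def encode(xml_text):
    """Base64-encode XML text the way the POST binding carries it."""
    return base64.b64encode(xml_text.encode()).decode()

# Constructed, trimmed samples (not schema-complete); the NameID format is an assumption.
HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><samlp:Status>'
        '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>'
        '</samlp:Status>')
PLAIN_SAMPLE = HEAD + (
    '<saml:Assertion><saml:Subject><saml:NameID '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jtest'
    '</saml:NameID></saml:Subject><saml:AttributeStatement>'
    + "".join('<saml:Attribute Name="%s"/>' % n
              for n in ("uid", "email", "firstname", "lastname"))
    + '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
ENCRYPTED_SAMPLE = HEAD + "<saml:EncryptedAssertion/></samlp:Response>"

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        print(label, inspect_saml_response(encode(sample)))
```

With an encrypted assertion the attribute list comes back empty even though the IdP log shows the attributes being released, because the log is written before encryption.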
