Shibboleth IdP with Webex
Brandon McKean
mckeanbs at jmu.edu
Wed Dec 2 14:02:31 EST 2015
I wanted to express my sincerest thanks for this configuration info,
Andrew. I was able to adapt it to our configuration and get it working.
I took a different approach for the nameid and one of the attribute
sources, though; if there's any interest in the specifics I'd be
happy to share to help others.
Thanks again,
--
Brandon McKean
IT / Systems
Linux Administrator
(540)568-4235
On 11/05/2015 12:35 PM, Andrew Morgan wrote:
> On Thu, 5 Nov 2015, Sacilowski, Tadeusz wrote:
>
>> Hi All,
>>
>> So I'm still having some issues with the WebEx auto account creation.
>> The error message on the WebEx side shows "Auto Account Creation failed (31)".
>> I've added the following to my attribute-resolver.xml:
>>
>> <!-- BEGIN: Attributes for WebEx auto account creation -->
>> <resolver:AttributeDefinition xsi:type="ad:Simple" id="WebExUid"
>> sourceAttributeID="uid">
>> <resolver:Dependency ref="myLDAP" />
>> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>> name="uid" />
>> </resolver:AttributeDefinition>
>>
>> <resolver:AttributeDefinition xsi:type="ad:Simple" id="WebExFirstname"
>> sourceAttributeID="givenName">
>> <resolver:Dependency ref="myLDAP" />
>> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>> name="firstname" />
>> </resolver:AttributeDefinition>
>>
>> <resolver:AttributeDefinition xsi:type="ad:Simple" id="WebExLastname"
>> sourceAttributeID="sn">
>> <resolver:Dependency ref="myLDAP" />
>> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>> name="lastname" />
>> </resolver:AttributeDefinition>
>>
>> <resolver:AttributeDefinition xsi:type="ad:Simple" id="WebExEmail"
>> sourceAttributeID="mail">
>> <resolver:Dependency ref="myLDAP" />
>> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
>> nameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
>> name="email" />
>> </resolver:AttributeDefinition>
>> <!-- END: Attributes for WebEx auto account creation -->
>>
>> And I'm releasing them to WebEx as such (we will have multiple WebEx
>> sites, hence the "basic:OR" for AttributeRequesterString):
>>
>> <!-- Release WebEx attributes -->
>> <afp:AttributeFilterPolicy id="releaseToWebEx">
>> <afp:PolicyRequirementRule xsi:type="basic:OR">
>> <basic:Rule xsi:type="basic:AttributeRequesterString" value="http://www.webex.com" />
>> <basic:Rule xsi:type="basic:AttributeRequesterString" value="https://www.webex.com" />
>> </afp:PolicyRequirementRule>
>>
>> <afp:AttributeRule attributeID="WebExUid">
>> <afp:PermitValueRule xsi:type="basic:ANY"/>
>> </afp:AttributeRule>
>>
>> <afp:AttributeRule attributeID="WebExFirstname">
>> <afp:PermitValueRule xsi:type="basic:ANY"/>
>> </afp:AttributeRule>
>>
>> <afp:AttributeRule attributeID="WebExLastname">
>> <afp:PermitValueRule xsi:type="basic:ANY"/>
>> </afp:AttributeRule>
>>
>> <afp:AttributeRule attributeID="WebExEmail">
>> <afp:PermitValueRule xsi:type="basic:ANY"/>
>> </afp:AttributeRule>
>> </afp:AttributeFilterPolicy>
>>
>> I see the values being populated in my logs... not sure what I'm doing
>> wrong. Hoping maybe someone might have some insight as I wait for a
>> response from their support folks.
>
> You are setting a nameFormat on all of the attributes, but none of
> them are being encoded as a NameID (that takes an enc:SAML2StringNameID
> encoder, as on webex-principal below). You only need the nameFormat on
> the attribute you are encoding as a NameID.
>
> Here is OSU's working configuration (with 2 webex sites, btw).
>
> attribute-resolver.xml:
>
> <!-- WebEx NameID attribute -->
> <resolver:AttributeDefinition xsi:type="ad:Simple"
> id="webex-principal" sourceAttributeID="eduPersonPrincipalName">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
> nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"/>
> </resolver:AttributeDefinition>
>
> <!-- WebEx attributes -->
> <resolver:AttributeDefinition xsi:type="ad:Simple" id="webex_uid"
> sourceAttributeID="uid">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="uid" />
> </resolver:AttributeDefinition>
>
> <resolver:AttributeDefinition xsi:type="ad:Simple"
> id="webex_firstname" sourceAttributeID="givenName">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="firstname" />
> </resolver:AttributeDefinition>
>
> <resolver:AttributeDefinition xsi:type="ad:Simple"
> id="webex_lastname" sourceAttributeID="sn">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="lastname" />
> </resolver:AttributeDefinition>
>
> <resolver:AttributeDefinition xsi:type="ad:Simple"
> id="webex_email" sourceAttributeID="eduPersonPrincipalName">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="email" />
> </resolver:AttributeDefinition>
>
> <resolver:AttributeDefinition xsi:type="ad:Simple"
> id="webex_updatetimestamp" sourceAttributeID="modifytimestamp">
> <resolver:Dependency ref="ONIDLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="updateTimeStamp" />
> </resolver:AttributeDefinition>
>
> <resolver:AttributeDefinition xsi:type="ad:Script"
> id="webex_affiliation">
> <resolver:Dependency ref="ismemberof" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="webex_affiliation" />
> <ad:Script>
> <![CDATA[
> importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
> webex_affiliation = new
> BasicAttribute("webex_affiliation");
> if (typeof ismemberof != "undefined" && ismemberof !=
> null) {
> for (var i=0; i<ismemberof.getValues().size(); i++) {
> var group = ismemberof.getValues().get(i);
> if (group.toLowerCase() ==
> "cn=staff,ou=webex,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,o=orst.edu")
> {
> webex_affiliation.getValues().add('staff');
> }
> if (group.toLowerCase() ==
> "cn=students,ou=webex,ou=app,ou=is,ou=org,ou=osu,ou=grouper,ou=groups,o=orst.edu")
> {
> webex_affiliation.getValues().add('students');
> }
> }
> }
> ]]>
> </ad:Script>
> </resolver:AttributeDefinition>
>
>
> attribute-filter.xml:
>
> <!-- WebEx filters -->
> <afp:AttributeFilterPolicy id="webex-deny-transientid">
> <afp:PolicyRequirementRule xsi:type="basic:OR">
> <basic:Rule xsi:type="basic:AttributeRequesterString"
> value="https://oregonstate-staff.webex.com" />
> <basic:Rule xsi:type="basic:AttributeRequesterString"
> value="https://oregonstate-students.webex.com" />
> </afp:PolicyRequirementRule>
> <afp:AttributeRule attributeID="transientId">
> <afp:DenyValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
> <afp:AttributeFilterPolicy id="webex-staff">
> <afp:PolicyRequirementRule xsi:type="basic:AND">
> <basic:Rule xsi:type="basic:AttributeRequesterString"
> value="https://oregonstate-staff.webex.com" />
> <basic:Rule xsi:type="basic:AttributeValueString"
> attributeID="webex_affiliation" value="staff" />
> </afp:PolicyRequirementRule>
> <afp:AttributeRule attributeID="webex-principal">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_uid">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_firstname">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_lastname">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_email">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_updatetimestamp">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
> <afp:AttributeFilterPolicy id="webex-students">
> <afp:PolicyRequirementRule xsi:type="basic:AND">
> <basic:Rule xsi:type="basic:AttributeRequesterString"
> value="https://oregonstate-students.webex.com" />
> <basic:Rule xsi:type="basic:AttributeValueString"
> attributeID="webex_affiliation" value="students" />
> </afp:PolicyRequirementRule>
> <afp:AttributeRule attributeID="webex-principal">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_uid">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_firstname">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_lastname">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_email">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> <afp:AttributeRule attributeID="webex_updatetimestamp">
> <afp:PermitValueRule xsi:type="basic:ANY" />
> </afp:AttributeRule>
> </afp:AttributeFilterPolicy>
>
>
> I'm happy to help! Ask questions. :)
>
> Andy