Connecting CWMS to ADFS 2.0

April 6, 2013 · 11 comments


After installing the Cisco WebEx Meetings Server (CWMS), the time came for integration with Microsoft Active Directory Federation Services (ADFS).  The MS-Windows administrator for our company installed ADFS 2.0 on an internal server and we issued a single certificate from our certificate authority to it.  We used that same certificate for all three roles — service communications, Token-decrypting and Token-signing.  The next part was to connect CWMS to ADFS for single sign-on (SSO) using the Security Assertion Markup Language (SAML).  Now, the real work and confusion set in — and I am not just talking about understanding all of the new set of acronyms.  Neither Cisco nor Microsoft really explains how this all works in a clear way, and unless you are going to dig deep into ADFS/SSO/SAML the solution is pretty tough to come by.  Well, I started just like most people in my work — Google.  If you can get the right queries going, you can learn a lot.  Lucky for me, I came across a lot of articles that tried to explain things:

So, I plodded through everything and could finally get CWMS to take me over to the ADFS system, but that was it.  Nothing.  Finally, I came across an article that said the problem was probably due to a security issue with the private key.  They were absolutely correct.  We had a domain account running the ADFS service and that account was not granted read permission on the private key.  So, I crossed my first hurdle.  There were still holes in all of the URLs that I pieced together, but it was looking promising.  Finally, I had my Eureka! moment.  I found the article that showed a lot of promise.  It was written by Nick Mueller at CDW.  He works in their professional services organization as a video and TelePresence technical architect.  This outlined the basic design and architecture that I had already built and he clearly had things figured out.

Lucky for us, we have a relationship with CDW as they are our Microsoft partner for our Enterprise Agreement.  As such, we have training and professional services vouchers as part of that program, so we reached out to CDW to see if we could speak with Nick.  Very quickly, we were in touch with Nick on the phone and even though we had not arranged any service agreement yet, he was more than willing to walk me through the entire setup and get me going.  As of right now, we have SSO working and new user accounts are being created in CWMS with updates.

So, with Nick’s permission, I want to share the configuration steps we took to get the environment built.

Export the token-signing certificate from your ADFS server without the private key.  Even though some documentation says they want this in the DER encoded binary format, what worked for us was the base-64 encoded format.
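The following PowerShell is an added example, not part of the original post, covering the two things this post raises about the token-signing certificate: the first hurdle described above (the account running the ADFS service must be able to read the certificate's private key) and the export of the public certificate in base-64 form rather than DER. It is meant to be run on the ADFS server as an administrator, and it assumes the certificate sits in the computer's personal store with a CAPI (CSP) key, as is the case when a CA-issued certificate is used for all three roles; the thumbprint, service account name and output path are placeholders.

```powershell
# Added example (not from the original post). Checks that the ADFS service account can read
# the token-signing certificate's private key, then writes the public certificate as
# base-64 PEM for import into CWMS.
# Assumptions: certificate is in Cert:\LocalMachine\My with a CAPI/CSP key; the three
# values below are placeholders to replace.

$Thumbprint     = 'REPLACE-WITH-TOKEN-SIGNING-THUMBPRINT'
$ServiceAccount = 'CONTOSO\svc-adfs'                 # placeholder: account running the ADFS service
$OutFile        = 'C:\Temp\adfs-token-signing.cer'   # placeholder: base-64 file to import into CWMS

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key, so ADFS cannot sign tokens with it" }

# 1. Private key ACL. Windows PowerShell exposes CSP keys as RSACryptoServiceProvider, whose key
#    container is a file under ProgramData\Microsoft\Crypto\RSA\MachineKeys. (CNG keys return
#    $null here; check those with the certificate MMC, "Manage Private Keys...".)
$container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
if (-not $container) { throw "Private key is not a CSP key; inspect its permissions in the certificate MMC" }
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
$acl     = Get-Acl -Path $keyFile

# Show who can do what with the key file
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

$readRight = [int][System.Security.AccessControl.FileSystemRights]::Read
$canRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $readRight) -eq $readRight)
}
if ($canRead) {
    Write-Host "OK: $ServiceAccount can read the private key"
} else {
    Write-Warning "$ServiceAccount has no Read access on the private key; token signing will fail."
    Write-Warning "Grant it (as an administrator) with: icacls `"$keyFile`" /grant `"$ServiceAccount`:R`""
}

# 2. Export the public certificate only. RawData is the DER encoding; wrapping it in base-64
#    with BEGIN/END markers gives the same result as the MMC "Base-64 encoded X.509" option,
#    which is the format CWMS accepted (DER was rejected).
$b64 = [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path $OutFile -Value $pem -Encoding Ascii
Write-Host "Wrote $OutFile ($($cert.Subject), valid until $($cert.NotAfter))"
```

The ACL check only inspects the key file; it does not change anything. The `icacls` line it prints is the fix for the permission problem described earlier in this post, and the file it writes contains no private key material, so it is safe to copy to the workstation used for the CWMS import.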

Import the token-signing certificate into CWMS.  Go to Settings->Security->Certificates and under “SSO IdP Certificate”, click Import Certificate and get the certificate that you exported above.

Configure Federated SSO.  Go to Settings->Security->Federated SSO and set the values as shown here.

SSO Profile

I blurred out some of the domain name information, so let me explain exactly what is being entered in each field:

  • SAML issuer (SP ID):  In this field, enter the DNS name of your Internet Reverse Proxy (IRP) virtual IP (VIP) address.  Yeah, more acronyms and this is http and not https.
  • Issuer for SAML (IdP ID): This is your ADFS server.  Again, this is http and not https.
  • Customer SSO service login URL: This is your ADFS server and note that this IS https and not http.
  • Customer SSO service logout URL:  This is your ADFS server and this is https.  Note that this is https://<your ADFS>/adfs/ls/?wa=wsignout1.0 (it is slightly cut off in the image).

Export the SAML Metadata File.  Save this file to your local computer and save these settings.

cwms export saml

Create the relying party trust (RP). In order for ADFS to work, it must be told about the relying party, which in this case is CWMS.  From the ADFS server, navigate to Trust Relationships->Relying Party Trusts.  On the right-hand side, click on “Add Relying Party Trust…”.  This will open a dialog box titled “Add Relying Party Trust Wizard”; click on “Start”.

Add Relying Party Trust Wizard

Next, click on “Import data about the relying party from a file”.  This is where you select the SAML Metadata file that you exported from CWMS and click Next.  The display name can be anything you want; I chose “CWMS”.

Specify Display Name

At this point, you get the option of selecting who has access to this relying party.  We allow anyone in the domain to be added, but you could tighten that by selecting a certain group of users.  This can also be modified at any time later.  Now, you are ready to add the trust, so just click on Next.

Ready to Add Trust

Now that we have constructed the trust, we have to make some modifications/changes to get it working with CWMS.  So, double-click on the newly created CWMS relying party trust or click on the properties link in the right side of the Actions toolbar.

Relying Trust

Click on the Endpoints tab and then click on “Add…”.

Add an Endpoint

Copy the Customer SSO service logout URL from CWMS to the URL field, and then copy the SAML issuer (SP ID) from CWMS to the Response URL field and click OK.

Next, click on the “Edit Claim Rules…” from the Actions tab in ADFS.  Here you will need to build three claim rules.

Click Add Rule and select “Send LDAP Attributes as Claims”.  When entering the LDAP Attribute and Outgoing Claim Type values, type these by hand, not from the dropdown lists, and click on Finish.

Name ID Mapping

Click on Add Rule again and select “Send LDAP Attributes as Claims”.  Note that these two claims CANNOT be combined.  They are separate claims and must be entered separately.

Auto Save Account

For the third claim, you need to create a custom rule.  This is to auto-update user information.  Click on Add Rule again and select “Send Claims Using a Custom Rule”.

Auto Update
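Once the trust, endpoint and three claim rules are in place, the ADFS 2.0 PowerShell snap-in can read the relying party trust back out so you can confirm the hand-entered settings before testing a login. The script below is an added example, not from the original post; it assumes it runs on the ADFS server as an administrator, and the trust name, SP ID and ADFS host name are placeholders standing in for your own values.

```powershell
# Added example (not from the original post): reads the CWMS relying party trust out of
# ADFS 2.0 and checks the settings made by hand in the steps above.
# Assumptions: run on the ADFS server as an administrator; the three values below are placeholders.

if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell   # ADFS 2.0 ships its cmdlets as a snap-in, not a module
}

$TrustName = 'CWMS'                                              # display name chosen in the wizard
$SpId      = 'http://irp-vip.example.com'                        # placeholder SAML issuer (SP ID); http, not https
$LogoutUrl = 'https://adfs.example.com/adfs/ls/?wa=wsignout1.0'  # placeholder ADFS host in the logout URL

$rp = Get-ADFSRelyingPartyTrust -Name $TrustName
if (-not $rp) { throw "Relying party trust '$TrustName' not found; was the metadata import completed?" }

$problems = @()

# 1. Identifier: taken from the CWMS metadata, it must equal the SP ID CWMS sends as the SAML
#    issuer, otherwise ADFS treats the request as coming from an unknown relying party.
if (-not ($rp.Identifier -contains $SpId)) {
    $problems += "Identifier is '$($rp.Identifier -join ', ')', expected '$SpId'"
}

# 2. Endpoints: the metadata supplies the assertion consumer endpoint; the logout endpoint
#    was added by hand on the Endpoints tab.
$rp.SamlEndpoints | Format-Table Protocol, Binding, Location, ResponseLocation -AutoSize
$logout = $rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLLogout' -and "$($_.Location)" -eq $LogoutUrl }
if (-not $logout) { $problems += "No SAMLLogout endpoint with location $LogoutUrl" }
if (-not ($rp.SamlEndpoints | Where-Object { $_.Protocol -eq 'SAMLAssertionConsumer' })) {
    $problems += "No SAMLAssertionConsumer endpoint; the metadata import may have failed"
}

# 3. Claim rules: two "Send LDAP Attributes as Claims" rules plus one custom rule. Every rule
#    created in the GUI carries an @RuleName line; template rules also carry @RuleTemplate.
$rules     = "$($rp.IssuanceTransformRules)"
$ruleCount = ([regex]::Matches($rules, '@RuleName')).Count
if ($ruleCount -ne 3) { $problems += "Expected 3 issuance transform rules, found $ruleCount" }
if ($rules -notmatch 'LdapClaims') { $problems += "No 'Send LDAP Attributes as Claims' rule found" }

# 4. Authorization: the wizard's "permit all users" choice becomes a permit claim rule.
if ("$($rp.IssuanceAuthorizationRules)" -notmatch 'authorization/claims/permit') {
    $problems += "No permit rule in the issuance authorization rules; every sign-in will be denied"
}

if ($problems.Count -eq 0) {
    Write-Host "Relying party trust '$TrustName' matches the expected configuration"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The script is read-only: every check is on the trust object returned by Get-ADFSRelyingPartyTrust, and any mismatch is reported as a warning to be fixed back in the properties dialog described above.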

There you have it.  At this point, you should be able to bring up your CWMS site.  Click on the “Sign In” button and you will be prompted for your username and password; enter your Windows credentials (domain name is not required) and press OK.  You should be directed back to the CWMS site and ready to configure CWMS for your account and start hosting meetings.

CWMS Sign On

Productivity Tools

CWMS Welcome


Article by Steve Van Domelen


  • Bryan

    Thanks for sharing! I’m about to assist a client with this soon.

  • Bryan

    One question though…you said to export the SAML Metadata File…from the SSO configuration screen in CWMS, I only see an option to Import SAML Metadata. Am I missing something here?

    • Bryan,

      I have updated the document to show that the button on the Federated SSO page (Single Sign On (SSO) Profile) has a button called “Export SAML Metadata File”. I was not able to find an Import on CWMS — just ADFS.
      Let me know if this helps.

  • RF

    Hello, has anyone succeeded configuring the LogOut from WebEx meeting Center or WebEx connect with ADFS?

  • Atif

    Thank you very much Steve!! It is really informative. :)

  • E. Pete Karelis

    Steve,

    Thanks for this post. It was a huge help in configuring SAML for us. I was able to get this working plus have SAML send over the full account details including phone numbers and address. The CWMS 1.5 documentation has some errors in it regarding the SAML assertions that should be used, and I had to “trial-and-error” my way through them (with the help of the SAML tracer tool for Firefox).

    If anyone is having difficulty and would like to see the claims rules I created just email me.

    Thanks,
    -Pete

  • Alex

    Steve this was so great! Very valuable! I manage to get our CWMS and AD federated in no time! Thanks a lot!!!

  • Tom

    Steve, we followed this article and successfully made the connection between CWMS and ADFS 2.0. However I don’t understand why it’s necessary to import the IdP’s certificate before exporting the metadata? A relying party’s (RP) metadata should be independent from any IdP and vice versa.

    • Tom,
      I don’t know that it is necessary to import the IdP certificate before exporting the metadata. I may have thought it was needed at the time, but I have to agree with you. Did you attempt this process without those steps? If so, did that work? Unfortunately, we abandoned CWMS so I can no longer experiment on this.

  • Roger

    Hi Steve..
    Do you have any details for the token signing cert? Every time I try to import the token signing cert into CWMS it just gives an error saying “cannot import SSO cert”.
    Any details regarding this would be appreciated

    • Roger,

      There was no secret to getting the token signing certificate imported. Just make sure that you export the token-signing certificate from your ADFS server without the private key in base-64 encoded format. DER format will not work and gives an error.
