
Cisco - Unified MeetingPlace 7.0 Single Sign-On with WebEx Type II

Document ID: 111787

Updated: Feb 18, 2010


Introduction

This document describes Cisco Unified MeetingPlace 7.0 single sign-on (SSO) for use with Cisco WebEx Type II.

Features

  • Cisco Unified MeetingPlace Application Server bridges Cisco Corporate Directory and Cisco WebEx Meeting Center.

  • Eliminates the need to manage separate Unified MeetingPlace and WebEx user accounts (adds, changes, de-activations).

  • End users utilize their Lightweight Directory Access Protocol (LDAP) user IDs and passwords and are authenticated on premises for WebEx Productivity Tools and WebEx web scheduling interface.

  • Simplifies deployment of WebEx Productivity Tools.

  • WebEx host accounts are created dynamically when users log in.

  • Supports all three (3) WebEx contract types: named host, concurrent ports, and per minute.

  • For WebEx Type II scheduling, Unified MeetingPlace uses reservationless meetings:

    • The profile number is used as the reservationless ID for all meetings.

    • The Host of the meeting must log in using their Unified MeetingPlace profile number and profile password in order to start audio meetings.

      OR

    • Unified MeetingPlace can be configured to use the Auto-Attend feature that will use caller ID to log users into meetings automatically. All Guest users are held in a waiting room until the host logs in or (optionally) until another profile user logs in to that audio meeting.

Single Sign-On (SSO)

MeetingPlace SSO balances ease-of-use with security:

  • Because Unified MeetingPlace resides completely within the corporate network, Unified MeetingPlace SSO requires meeting hosts to connect to the corporate network before they can log in.

  • Unified MeetingPlace SSO requires meeting hosts to enter their LDAP/Microsoft Active Directory (AD) user ID and password upon log in to WebEx Page and Productivity Tools. As a convenience, the login information is stored for up to 90 minutes.

  • Once they log in, the meeting host can schedule or launch meetings.

  • Meeting guests do not have to authenticate against Unified MeetingPlace SSO to join meetings.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on the Cisco Unified MeetingPlace 7.0.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Architecture

meetingplace-sso-webex-01.gif

  • WebEx Telephony Service Provider (TSP) maintains a persistent TLS-encrypted TCP 443 socket connection, secured with Transport Layer Security (TLS) certificates, from inside the corporate firewall out to the WebEx site; the two sides communicate over it with an XML API instruction set.

    • Cisco Unified Communications Manager (CUCM) LDAP integration, including end-user authentication, is enabled against the corporate LDAP system, and all users are created in the CUCM end-user database.

    • Then, Unified MeetingPlace Directory Service is enabled to synchronize CUCM users to Unified MeetingPlace.

    • SSO must be enabled on the WebEx site during provisioning; it cannot be changed afterwards without rebuilding the site.

    • All profiles on Unified MeetingPlace will then be automatically propagated to WebEx, and SSO is provided on premises.

  • No LDAP passwords are sent or stored on Unified MeetingPlace or WebEx; all authentication occurs on premises to LDAP.

    • If the Unified MeetingPlace Directory Service is enabled with CUCM 6.x or later, authentication is provided through CUCM to LDAP authentication.

      Unified MeetingPlace profile passwords are created in the CUCM PIN field during profile synchronization, and a default PIN is supplied to all users. PINs can be changed only through the CUCM end-user pages via the GUI (https://<ccm url>/ccmuser) or by CUCM system administrator PIN reset.

    • Authentication might also be provided with local Unified MeetingPlace user IDs and passwords (no LDAP directory service integration is enabled on CUCM or Unified MeetingPlace).

  • End-user authentication by Unified MeetingPlace passes through Security Assertion Markup Language (SAML) to WebEx as a trusted site.

  • If they do not already exist, profiles are created on WebEx in these instances:

    • When a user schedules a WebEx meeting.

    • When a user accesses their account from the scheduling page.

  • WebEx TSP assumes that no user name conflicts will occur because the WebEx site is dedicated to this customer and used exclusively.

  • WebEx requires unique e-mail addresses for all users on the site.

  • When integrated with WebEx, the Unified MeetingPlace profile number, which serves as the reservationless ID, must be 8 digits or less. Typically, the profile number should be a work telephone number without the country code or area code.

  • User profiles must be manually deactivated from the WebEx site administration center. Alternatively, you can enable the WebEx site setting to automatically deactivate accounts after a configurable number of days of inactivity. (Deactivation is not performed automatically by TSP for SSO or non-SSO systems.)

LDAP Profile Synchronization

Customer LDAP (MS AD 2000/2003/2007) | UC Manager User Profile | MeetingPlace Directory Services | WebEx Host Account
givenName | First name | First name | First name
sn | Last name | Last name | Last name
sAMAccountName | User ID | User ID | User ID
Password | Password (from LDAP if authentication is enabled) | Password (from LDAP or local MP password) | Password (not sent if integrated LDAP is enabled; the local WebEx password is used if there is no integrated LDAP)
telephoneNumber | Telephone number | Profile number (three different methods; see Profile Numbers) | Profile number (limit 8 digits)
N/A | PIN and confirm PIN | Profile password and confirm | N/A
mail | Mail ID | Email address | Email address
telephoneNumber | Main phone number | Main phone number | Office Phone
department | Department | Group Name (default is System) | (none)
N/A | LDAP synch status | User status: Active, Disabled, Locked | (none)
N/A | N/A | Billing code (optional) | Billing code (optional)

Note: If customer LDAP is SunOne/iPlanet, the fields are different for the LDAP database names, but are similar to Microsoft AD.

Customer Directory | CUCM Directory Services
Windows AD 2000 | Yes
Windows AD 2003 | Yes
Windows AD 2007 | Yes
Windows AD 2008 | Yes
Netscape 4.x | Yes
iPlanet 4.x | Yes
Sun 5.1 Directory Server | Yes
Sun Java 5.2 Directory Server | Yes
OpenLDAP | Yes
IBM Tivoli Directory Services | On roadmap
Novell eDirectory | Yes
SunOne | No
Domino Directory | No

Unified Communication Manager User PIN Recommendations

  • Set a default credential policy for all users. Refer to Credential Policy Default Configuration for more information.

  • DO NOT USE AN EASY DEFAULT PIN; for example, “123456” should not be used as a default PIN due to security risks.

  • On the Credential Policy Default Configuration page, check the User Must Change at Next Login check box.

    meetingplace-sso-webex-02.gif

  • End users must access the User Options ccmuser pages in order to change their PIN for Unified MeetingPlace profile password to be secure: https://<UCManager Hostname>/ccmuser

  • Current PIN is the default, which is set on the Credential Policy Default Configuration page as shown above.

    meetingplace-sso-webex-03.gif

MeetingPlace 7 Directory Service Filters

Filters are configurable to create profiles based on country code or to create time zones based on telephone numbers.

meetingplace-sso-webex-04.gif

Directory Service Filters for Time Zones

Any of these fields that are not available in Cisco Unified Communications Manager (via LDAP) are left blank in the Cisco Unified MeetingPlace user profile:

  • First name, last name, or user ID.

  • Profile number, which is a unique number based on the main phone number.

  • User status.

  • E-mail address.

  • Main telephone number.

Directory Service Filters for Groups

  • Time zones are filtered by phone number prefix (area code, country code, etc.).

  • By default, the local time zone of the application server is assigned.

  • Group name is filtered by department.

  • By default, the System user group is assigned.

Profile Numbers

Procedure

  1. Configure filters for Time Zones.

  2. Configure filters for Groups.

  3. Configure Profile Number filters.

  4. Perform a directory synch with CUCM.

Recommendations

  • Use a phone number as the profile number.

    Notes:

    • The CUCM user profile Telephone Number field entry is the profile number.

    • If the telephone number for a user is blank or conflicts with an existing profile number in Unified MeetingPlace, the system uses a six-digit auto-generated profile number.

  • Use the last ‘n’ (number) digits of a phone number as the profile number.

    Notes:

    • If the telephone number for a user is blank, or if applying this method for a user conflicts with an existing profile number in Unified MeetingPlace, the system uses a six-digit auto-generated profile number instead.

    • If the Telephone Number field entry for a user is shorter than the configured number of digits, the number is used as is.

  • Use the six (6) digit auto-generated profile number.

    • The auto-generated profile numbers start from 100001 and always contain six digits.

  • Apply the profile number configuration method to the following:

    • New users

    • Each user profile that gets imported

    • Profiles that are updated during Directory Service user profile updates

    • Full synchronizations
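The mapping table and the profile-number procedure above, as an added example (this is not Cisco's code): constructed AD-style entries are mapped to MeetingPlace profile fields, then profile numbers are assigned by the three methods the page describes, with the blank-or-conflict fallback to six-digit auto-generated numbers starting at 100001, the "shorter than n digits is used as is" rule, and a check for the duplicate e-mail addresses WebEx rejects. Treating a candidate longer than the 8-digit WebEx limit like a conflict is this example's assumption, not documented behaviour; the sample entries and names are constructed.

```python
"""Added example (not Cisco's code): directory sync with profile-number
assignment by the "phone", "last_n" and "auto" methods, plus the WebEx
unique e-mail check. Sample data below is constructed."""
import itertools

AUTO_START = 100001        # auto-generated numbers start here (from the page)
WEBEX_MAX_DIGITS = 8       # WebEx reservationless ID limit (from the page)


def map_ldap_entry(entry):
    """Map the AD attributes from the synchronization table to a
    MeetingPlace profile. Missing attributes are left blank; a missing
    department falls back to the System group."""
    return {
        "first_name": entry.get("givenName", ""),
        "last_name": entry.get("sn", ""),
        "user_id": entry.get("sAMAccountName", ""),
        "email": entry.get("mail", ""),
        "main_phone": entry.get("telephoneNumber", ""),
        "group": entry.get("department") or "System",
        "status": "Active",
    }


def digits_only(phone):
    return "".join(ch for ch in phone if ch.isdigit())


class ProfileNumberAssigner:
    """Assigns profile numbers; method is "phone", "last_n" or "auto"."""

    def __init__(self, method="last_n", last_n=7, existing=()):
        self.method = method
        self.last_n = last_n
        self.used = set(existing)            # numbers already in MeetingPlace
        self.counter = itertools.count(AUTO_START)

    def _auto(self):
        # Six-digit numbers from 100001 upward, skipping any already in use.
        while True:
            candidate = str(next(self.counter))
            if candidate not in self.used:
                return candidate

    def assign(self, phone):
        candidate = ""
        digits = digits_only(phone)
        if self.method == "phone":
            candidate = digits
        elif self.method == "last_n":
            # A number shorter than n digits is used as is (from the page).
            candidate = digits[-self.last_n:] if len(digits) > self.last_n else digits
        # Blank or conflicting numbers fall back to auto-generation (page).
        # Falling back for a number over the WebEx limit is an assumption.
        if (not candidate or candidate in self.used
                or len(candidate) > WEBEX_MAX_DIGITS):
            candidate = self._auto()
        self.used.add(candidate)
        return candidate


def sync_directory(entries, method="last_n", last_n=7, existing=()):
    """Map every entry, assign its profile number and flag duplicate e-mail
    addresses (WebEx requires them to be unique). Returns (profiles, problems)."""
    assigner = ProfileNumberAssigner(method, last_n, existing)
    profiles, seen_mail, problems = [], set(), []
    for entry in entries:
        profile = map_ldap_entry(entry)
        mail = profile["email"].lower()
        if mail and mail in seen_mail:
            problems.append(f"duplicate e-mail for {profile['user_id']}: {mail}")
        seen_mail.add(mail)
        profile["profile_number"] = assigner.assign(profile["main_phone"])
        profiles.append(profile)
    return profiles, problems


# Constructed sample entries (not real directory data).
SAMPLE_ENTRIES = [
    {"givenName": "Alice", "sn": "Ng", "sAMAccountName": "ang",
     "telephoneNumber": "+1 408 555 0100", "mail": "ang@example.com",
     "department": "Sales"},
    {"givenName": "Bob", "sn": "Ortiz", "sAMAccountName": "bortiz",
     "telephoneNumber": "+1 408 555 0100",           # same DID: conflict
     "mail": "bortiz@example.com", "department": "Sales"},
    {"givenName": "Carol", "sn": "Ito", "sAMAccountName": "cito",
     "mail": "cito@example.com"},                    # no phone, no department
    {"givenName": "Dave", "sn": "Ng", "sAMAccountName": "dng",
     "telephoneNumber": "+1 408 555 0199",
     "mail": "ANG@example.com", "department": "Support"},  # duplicate mail
]

if __name__ == "__main__":
    profiles, problems = sync_directory(SAMPLE_ENTRIES)
    for p in profiles:
        print(p["user_id"], p["profile_number"], p["group"])
    print(problems)
```

Run with the default last-7-digits method, the two users sharing a DID get 5550100 and the auto-generated 100001, the user with no phone gets 100002, and the case-insensitive duplicate of ang@example.com is reported before it reaches WebEx.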

End User Authentication Process

The entire WebEx user authentication is handled on premises by Unified MeetingPlace. Once the user is authenticated, a WebEx session ID is generated for the user, and the request is redirected to the WebEx service.

Here is an overview of the flow for the SAMLv2 SSO:

  1. User clicks a protected resource on the WebEx site.

  2. WebEx realizes that the user has not logged in based on the session information.

  3. WebEx redirects the user to the identity provider (Unified MeetingPlace).

  4. Unified MeetingPlace also notices the user is not logged in based on its own session information.

  5. Unified MeetingPlace shows the user its own login page and authenticates them.

  6. Unified MeetingPlace generates SAML assertion and redirects the user to send this assertion to WebEx.

  7. WebEx validates the assertion, and the user is authenticated.

  8. The user can now access protected resource on WebEx.

Here is the step-by-step flow for the SAMLv2 SSO:

  1. WebEx site automatically redirects the user to the internal Unified MeetingPlace application server for on-premises authentication.

    meetingplace-sso-webex-05.gif

  2. User accesses the Unified MeetingPlace authentication page on premises behind the corporate firewall.

    meetingplace-sso-webex-06.gif

  3. Based on the user credentials, the Unified MeetingPlace server authenticates the user against its own local Unified MeetingPlace database or the corporate LDAP directory (if enabled via the directory service).

  4. Unified MeetingPlace server sends a sessionGenerate request for the user to WebEx.

  5. WebEx assumes the user is already authenticated and returns a unique session ID for the user to Unified MeetingPlace.

  6. Unified MeetingPlace redirects the user to WebEx (with the session ID in the query string of the URL).

    meetingplace-sso-webex-07.gif

  7. Unified MeetingPlace authenticates the user and asserts the user's identity to WebEx.

  8. WebEx validates the assertion by checking the signature with the Unified MeetingPlace certificate that has been provisioned and then trusts the claim that Unified MeetingPlace made if the validation succeeded.

  9. User can now schedule or attend meetings from the WebEx web interface.
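The SSO exchange described in the two flows above, as an added example with both sides' messages (this is not Cisco's or WebEx's code). Unified MeetingPlace plays the identity provider and WebEx the service provider; JSON stands in for the SAML XML and a keyed HMAC-SHA256 stands in for the XML-DSig signature that WebEx verifies with the provisioned MeetingPlace certificate, since the real exchange's formats are not on the page. The entity names, key, user table, validity window and all sample values are constructed. The service-provider side shows the checks a relying party should make before trusting the claim: signature, issuer, audience, validity window, replay and binding to its own outstanding request.

```python
"""Added example (not Cisco's or WebEx's code): SP-initiated SSO between
WebEx (SP) and MeetingPlace (IdP). JSON stands in for SAML XML and HMAC-SHA256
for the XML-DSig signature; every name and value here is constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SP_ENTITY = "https://example.webex.com"                 # assumed SP name
IDP_ENTITY = "https://meetingplace.example.internal"    # assumed IdP name
ASSERTION_TTL = 300          # assertion validity window, seconds (assumption)
SIG_LEN = hashlib.sha256().digest_size


def make_credential(password):
    """Salted PBKDF2 record for the IdP's local user table (stands in for the
    LDAP/CUCM authentication the page describes)."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class IdentityProvider:
    def __init__(self, signing_key, users):
        self.key = signing_key
        self.users = users            # user_id -> (salt, digest)

    def authenticate(self, user_id, password):
        rec = self.users.get(user_id)
        if rec is None:
            return False
        salt, digest = rec
        check = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(check, digest)

    def issue_assertion(self, user_id, request_id, now=None):
        """Step 6: build and sign the assertion answering the SP's request."""
        now = time.time() if now is None else now
        body = {"id": secrets.token_hex(16), "issuer": IDP_ENTITY,
                "audience": SP_ENTITY, "subject": user_id,
                "in_response_to": request_id,
                "not_before": now, "not_on_or_after": now + ASSERTION_TTL}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + sig).decode()


class ServiceProvider:
    def __init__(self, idp_verify_key):
        self.idp_key = idp_verify_key   # provisioned IdP credential
        self.pending = {}               # request_id -> requested resource
        self.seen_ids = set()           # assertion IDs already consumed
        self.sessions = {}              # session_id -> user_id

    def begin_login(self, resource):
        """Steps 1-3: no session, so redirect to the IdP with a request ID."""
        request_id = secrets.token_hex(8)
        self.pending[request_id] = resource
        return request_id

    def consume_assertion(self, token, now=None):
        """Steps 7-8: verify signature, issuer, audience, validity window,
        replay and request binding before creating a session."""
        now = time.time() if now is None else now
        raw = base64.urlsafe_b64decode(token.encode())
        payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
        expected = hmac.new(self.idp_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None, "bad signature"
        a = json.loads(payload)
        if a["issuer"] != IDP_ENTITY:
            return None, "unknown issuer"
        if a["audience"] != SP_ENTITY:
            return None, "wrong audience"
        if not (a["not_before"] <= now < a["not_on_or_after"]):
            return None, "outside validity window"
        if a["id"] in self.seen_ids:
            return None, "replayed"
        if a["in_response_to"] not in self.pending:
            return None, "unsolicited"
        self.seen_ids.add(a["id"])
        self.pending.pop(a["in_response_to"])
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = a["subject"]
        return session_id, "ok"


def run_flow(idp, sp, user_id, password, resource):
    """Drive the exchange end to end; returns (session_id, status)."""
    request_id = sp.begin_login(resource)               # steps 1-3
    if not idp.authenticate(user_id, password):         # steps 4-5
        return None, "authentication failed"
    token = idp.issue_assertion(user_id, request_id)    # step 6
    return sp.consume_assertion(token)                  # steps 7-8


if __name__ == "__main__":
    key = b"constructed-verification-key"
    idp = IdentityProvider(key, {"jdoe": make_credential("s3cret")})
    sp = ServiceProvider(key)
    print(run_flow(idp, sp, "jdoe", "s3cret", "/schedule"))
    print(run_flow(idp, sp, "jdoe", "wrong", "/schedule"))
```

The order of checks matters in practice: the signature is verified before any field is parsed, so unsigned or tampered assertions never reach the business logic, and the assertion ID is recorded only after every other check passes, so a rejected assertion cannot poison the replay cache. In the real deployment the signature check is the one in step 8, against the MeetingPlace certificate provisioned on the WebEx site.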

User ID and Password Saved Settings

The WebEx site configuration has an option to control the duration of authentication service under Add/Edit.

meetingplace-sso-webex-08.gif

When a user logs in, this WebEx site parameter specifies how long that login remains valid before the user is prompted again for their login credentials.

Optional Web Browser Password Security Settings

If the browser is set to remember passwords (the Remember Me saved-password setting), the user is not prompted again to log in to the Unified MeetingPlace system. By design, Unified MeetingPlace prompts for login credentials in order to preserve the security integrity of users logging into the system. (Unified MeetingPlace does not save passwords.) Whether browsers may store passwords is controlled entirely by the enterprise user permissions that the IT department allows or disallows.

For Firefox, this security setting is located in the Security Options dialog box.

meetingplace-sso-webex-09.gif

For Internet Explorer, this security setting is located in the AutoComplete Settings dialog box.

meetingplace-sso-webex-10.gif

Outlook and Lotus Notes SSO

WebEx/Unified MeetingPlace meetings can be scheduled through WebEx Productivity Tools with Microsoft Outlook or Lotus Notes clients. The user must be configured and authenticated in the customer LDAP system before they can schedule a meeting via the plugin. There are two models for user authentication: one with directory service and the other one with no directory service.

Procedure

Complete these steps in order to schedule a meeting in Microsoft Outlook:

  1. Access Microsoft Outlook Calendar.

    meetingplace-sso-webex-11.gif

  2. Click Schedule Meeting.

    meetingplace-sso-webex-12.gif

  3. Click Add WebEx Meeting.

    The WebEx Productivity Tools dialog box appears.

    meetingplace-sso-webex-13.gif

  4. Enter your user name and password, and click Login.

    The WebEx meeting is scheduled. Users can cancel the WebEx meeting or change settings through the Microsoft Outlook plugin.

    meetingplace-sso-webex-14.gif

API and Plugin

For authentication through SSO, Unified MeetingPlace provides an API, which allows the WebEx plugin to identify whether there is SSO integration with Unified MeetingPlace. The API also allows the user to complete authentication. In the case where there is no directory service, the WebEx client plugin obtains the authentication from WebEx directly.

If Unified MeetingPlace is deployed with SSO, the plugin must send the authentication message to Unified MeetingPlace. If there is no SSO, the authentication message goes to WebEx.

The WebEx plugin requires this information in order to send the authentication message to the correct authentication service URL:

  • Unified MeetingPlace authentication service URL: https://<meetingplace-app-server>/public/login/applogin

  • WebEx service URL

  • Whether or not Unified MeetingPlace has Directory Service configured

The WebEx plugin might or might not be preconfigured with this information while installing to the client’s machine. If all the information is preconfigured, the plugin can be used to authenticate users by sending authentication messages to Unified MeetingPlace/WebEx based on the configuration.

If the plugin is not preconfigured with the information, the plugin needs to send a one-time message to Unified MeetingPlace to get the configuration information. The user must manually type the Unified MeetingPlace authentication service URL and submit the message. (This is a one-time manual step for the user.)

In response, MeetingPlace returns this information:

  • Whether or not Unified MeetingPlace has Directory Service configured

  • WebEx service URL

Once the plugin receives this information, it can be used for user authentication. The user is prompted to enter their user name and password.

If there is a directory service, the plugin sends a message to the Unified MeetingPlace API once the credentials are submitted. Unified MeetingPlace authenticates the user based on their user ID and password and communicates with the WebEx API to generate a session key. If this succeeds, the session key is returned in an XML response. If the operation fails, the XML message contains an error message and error code.

WebEx Productivity Tool Setup

After you install WebEx Productivity Tools for the first time, the Web Productivity Tools login page appears. By design, the User Name and Password fields are disabled since Unified MeetingPlace provides authentication.

In order to log in, enter the domain name (for example, t27lmp.webex.com) in the Site URL field, and click Login.

meetingplace-sso-webex-15.gif

Note: The amount of time that passes before the user is prompted again for login credentials is set by the WebEx Site Authentication Service parameter. The default time is 90 minutes.

meetingplace-sso-webex-16.gif

Alternately, you can log in through the Cisco WebEx One-Click dialog box. Click the Edit WebEx Settings link.

meetingplace-sso-webex-17.gif

The Account tab opens, and the User Name and Password fields are disabled. Enter the domain name (for example, t27lmp.webex.com), and click Apply.

The WebEx Productivity Tools login page appears, and the user name and password are stored locally via the One-Click client. Users are not prompted to log into the system again.

Recordings

  • End users must always start recordings from the WebEx Meeting Center interface.

  • If you start a recording from the Unified MeetingPlace Voice User Interface (VUI) dual tone multifrequency (DTMF) relay, it records only audio and is not accessible for playback as an audio-only recording.

  • If you start the recording from the WebEx web conferencing, it records both audio and web.

  • When a meeting recording is started from the WebEx web conferencing interface, the Network-Based Recording (NBR) service follows a dial-out sequence using a published Unified MeetingPlace audio dial-in number.

  • The audio server recognizes the special sequence, knows that the user is a recording server from WebEx, and allows that voice link to be connected.

  • WebEx can create synchronized audio and web recordings, which are stored in the WebEx NBR service. You can set storage parameters within the NBR service.

  • The users must log in to their own WebEx portal to access recordings.

  • The Record Meeting option is set to true for all WebEx meetings, and the generic prompt, “Portions of this meeting may be recorded,” is played for all users. (This default setting can be disabled if desired.)

  • Audio-only meetings that must be recorded can be scheduled with WebEx and recorded through WebEx.

Audio-Only Users on Named Host Meeting Center WebEx Sites with Type II Scheduling

The customer system administrator must manually perform these steps as users are created on the system.

  1. The site administrator creates a host account with full WebEx privileges (with the following session types: PRO and AUO*).

    Note: This host account temporarily counts towards the named host quota purchased by the customer.

  2. The site administrator disables the PRO session type for this new host account, leaving only AUO enabled.

  3. The site administrator exports the permissions to an Excel CSV file, batch updates the permissions, and then imports the permissions.

    Note: This decrements the named host count so that an unlimited number of audio only host accounts are allowed to schedule via WebEx Productivity Tools.
