To schedule WebEx-enabled meetings using Cisco TMS, Cisco TMS users must have the following stored in their Cisco TMS user profile:

• WebEx username

• WebEx password (unless single sign on is enabled)

• The WebEx site on which they have an account.

  Note	This WebEx site must also be added to Cisco TMS, as described in Configuring the Cisco WebEx Feature in Cisco TMS.

There are three ways to enable a Cisco TMS user's account for WebEx scheduling:

• Administrator edits the Cisco TMS user's profile.

For details, see Configuring a Configuring a Cisco CMR Hybrid User in Cisco TMS

• The Cisco TMS user edits their profile by logging in to Cisco TMS and clicking their username at the bottom left corner of the Cisco TMS Web UI.

• Administrator enables ‘Lookup User Information from Active Directory, ‘Get WebEx Username from Active Directory' and (optionally) Single Sign On (SSO).

The benefits of having the Active Directory lookup features enabled are that the user account information including WebEx username is automatically added to each new Cisco TMS user. WebEx password must still be added by the administrator or user, however, if Single Sign On is enabled, WebEx password is not required. With the Active Directory and Single Sign On features enabled, only the WebEx site must be selected for the user, if there are multiple WebEx sites configured on Cisco TMS. If there is only on WebEx site, Cisco TMS will use that site. If there are multiple sites configured, Cisco TMS will automatically select the WebEx site designated as the ‘Default', unless the user's Cisco TMS profile is edited to specify a different WebEx site.

For details, see Configuring Automatic User Lookup from Active Directory and Configuring Single Sign On in Cisco TMS

If you are using Active Directory (AD), you can configure Cisco TMS to automatically populate user profile information. When you enable this feature, details about the user will automatically be imported when they first access Cisco TMS and synchronized periodically. If you use a field in Active Directory for WebEx username (for example the AD username or email address), you can configure Cisco TMS to import the WebEx username as well by enabling the 'Get WebEx Username from Active Directory' feature in the WebEx Settings page.

For WebEx booking to work, the booking user must have a WebEx username and password defined as their WebEx Username and WebEx Password in their Cisco TMS profile. This ensures that the correct user "owns" the meeting in WebEx and can log in and operate the WebEx conference.

When Single Sign On (SSO) is enabled for the WebEx site, users with WebEx accounts can book WebEx-enabled meetings with Cisco TMS without requiring their WebEx password be stored in their Cisco TMS user profile. When SSO is configured and a user schedules a meeting, their WebEx username from their Cisco TMS user profile is passed to the WebEx site to complete the booking. For information about how to configure SSO, see Configuring Single Sign On in Cisco TMS.

The remaining fields are not mandatory, but are used for other Cisco TMS features. Later, if you are using Active Directory, you can configure Cisco TMS to populate these fields automatically for new users.

This configuration is not required if the following three conditions are true:

• ‘Lookup User Information from Active Directory' and ‘Get WebEx Username from Active Directory' are enabled, as described in Configuring Automatic User Lookup from Active Directory, page 6-5

• Single Sign On is enabled, as detailed in Configuring Single Sign On in Cisco TMS.

• The user will use the default WebEx site for scheduling WebEx meetings

To configure a Cisco CMR Hybrid user in Cisco TMS, do the following:

To enable port reservations for MCU, do the following in Cisco TMS:

To enable port reservations for TelePresence Server, do the following in Cisco TMS:

If the WebEx Welcome Screen is disabled, the user experience of the first TelePresence participant in a meeting that uses TelePresence Server varies depending on how the “Use Lobby Screen for conferences” setting for TelePresence Server is configured in Cisco TMS. Table 1 describes what the first TelePresence participant in a meeting will see in different scenarios. To ensure that the first TelePresence participant never sees a black screen, make sure you set “Use Lobby Screen for conferences” to Yes for all TelePresence Servers you will use for CMR Cloud meetings as described in the previous section.

Cisco recommends configuring Default Picture Mode to Continuous Presence. This allows multiple participants to be seen on screen at the same time for meetings that use MCU. TelePresence Server is always set to display multiple participants (called ActivePresence on the TelePresence Server).

To configure Default Picture Mode in Cisco TMS, do the following:

Cisco recommends configuring the Conference Connection/Ending Options in TMS so that if a meeting runs beyond the scheduled end time, participants are warned if there are not enough resources to extend the meeting.

TelePresence participants can join up to 5 minutes before the scheduled start time of the meeting. This ensures that Cisco TMS allocates the conference 5 minutes before the meeting start time on the Main Participant (MCU or TS). This is a best effort feature, so if the Main Participant does not have the resources available, some or all participants may be unable to join the meeting within the 5 minute window.

Note	Cisco TMS does not dial out to WebEx until the scheduled start time of the meeting.

To configure Allow Early Join in Cisco TMS, do the following:

When Resource Availability Check on Extension is enabled, a meeting automatically extends by 15 minutes if all resources are available, and reserves them until the extended meeting is finished.

To configure Resource Availability Check on Extension in Cisco TMS, do the following:

Before configuring SSO in Cisco TMS, you must work with the WebEx Cloud Services team to determine the following information that needs to be configured in both Cisco TMS and in the WebEx cloud:

• Partner Name

  This value must be determined by the WebEx team, because it must be unique among all WebEx customers. Contact the WebEx account team for this information.

  Example: examplesso.webex.com

• Partner Issuer (IdP ID)

  This is the Identity Provider, which is your TMS. This value must be determined by the WebEx team. Contact the WebEx account team for this information.

  Cisco recommends using a name to indicate your company's TMS.

  Example: exampletms

• SAML Issuer (SP ID)

  This refers to the Service Provider, which is WebEx. This value must be determined by the WebEx team. Contact the WebEx account team for this information.

  Example: https://examplesso.webex.com/examplesso

• AuthnContextClassRef

  This is the authentication context. The IdP authenticates the user in different contexts, e.g., X509 cert, Smart card, IWA, username/password).

  Use the default value automatically provided by TMS.

To configure SSO in Cisco TMS, do the following:

WebEx requires that a certificate pair (public certificate and private key) be used to authenticate Cisco TMS to the WebEx cloud.

Certificate pair requirements:

• Public certificate must be in .cer or .crt format - to send to the WebEx Cloud Services team

• Certificate and private key bundled in a PKCS12-formatted file - for upload to Cisco TMS

You can generate a new certificate or use an existing one, such as the one used to enable HTTPS on your Cisco TMS server.

These steps are required for enabling partner delegated authentication on your WebEx site:

To enable SSO in Cisco TMS, do the following:

While the focus of the previous section was how to configure SSO on TMS, it is also possible to configure SSO on the WebEx site itself. As a result, it's helpful to understand all the supported configurations for scheduling of CMR Hybrid meetings.

There are three possible supported configurations to allow the TMS to schedule on behalf of the WebEx host:

• WebEx site does not use SSO and TMS does not have SSO configured. No partner delegated authentication (PDA) relationship with the WebEx site. WebEx host login: The WebEx username and password are stored in WebEx, and the user authenticates directly to the WebEx site.

  • TMS scheduling: The host's WebEx username and password are also stored in their TMS personal profile. This must be maintained by the user, if they have access to the TMS, or by the TMS administrator. The TMS passes both username and password to WebEx at scheduling time.

• WebEx site does not use SSO, but TMS does have SSO configured. PDA relationship with the WebEx site. WebEx host login: The WebEx username and password are stored in WebEx, and the user authenticates directly to the WebEx site.

  • TMS scheduling: The host's WebEx username is stored in a TMS personal profile (a TMS admin task) but the WebEx password is not stored in TMS. TMS is trusted to schedule for that user.

• WebEx site uses SSO, and TMS has SSO configured. PDA relationship with the WebEx site. WebEx host login: The WebEx user logs in through the SSO identity service provider.

  • TMS scheduling: The host's WebEx username is stored in a TMS personal profile (a TMS admin task) but the WebEx password is not stored in Cisco TMS. Cisco TMS is trusted to schedule for that user.

If you use a certificate signed by a public CA that will soon be expiring you must renew it. Using an expired certificate will cause CMR Hybrid meeting scheduling to fail as WebEx rejects an expired certificate presented by TMS on behalf of a CMR Hybrid meeting scheduling attempt.