Password management often contributes to the “nightmare scenario” for just about everyone in a work environment. For employees, it’s having too many accounts in too many places, and the Post-it note in the desk drawer is too darn small!
For IT help-desk staff, it’s the endless phone calls from employees who can’t remember their password for Cisco WebEx. And for CSOs, poor business processes with manual steps mean terminated employees could still have access to WebEx for hours, days, even weeks after they’ve parted ways!
These are all nightmares from which you can wake—the solution is called Single Sign-On (SSO). With SSO, users log into WebEx by authenticating against your Enterprise Directory, such as Microsoft Active Directory. Put another way, your Enterprise Directory becomes the “source of truth”: passwords, account state and even directory group membership control access to WebEx, without WebEx ever integrating directly with the directory.
With SSO, your users’ credentials stay in your directory and are never sent to or stored at WebEx. The browser submits the password only to your own identity provider; what reaches WebEx (over TLS) is a signed SAML 2.0 assertion stating who the user is. A breach at a cloud provider that leaks its user database therefore won’t leak YOUR passwords anymore. It can still expose the account records WebEx keeps (names, e-mail addresses), and your identity provider and its signing key become the thing to protect.
What can you use SSO with? Here, we’ll focus on using SSO with Cisco WebEx, a cloud-based web conferencing service. It’s a perfect example – people need to meet and WebEx can turn a conference call into a truly productive meeting complete with audio, video and screen/document sharing capabilities.
WebEx and SSO: A Perfect Pair
WebEx enhanced by SSO eliminates some age-old problems, as hinted at above. In particular:
- WebEx stores user account information, but critically, not passwords – authentication occurs via SSO
- The Enterprise Directory (e.g. MS Active Directory) becomes the “source of truth” – authentication happens via the Enterprise Directory by way of SSO
- WebEx may create accounts “just in time”—with automatic account creation at first sign-in, the help desk is freed from having to manually provision new users
- Information about the user’s Enterprise Directory account may be used as part of authentication and provisioning: account state (active/disabled) and group membership can gate access, so a user who separates from the company loses WebEx sign-in the moment their directory account is disabled, even before the help desk gets around to deleting the WebEx account record
- When configured properly, SSO services can be available both on- and off-site – and when on-site, sign-in can be seamless
WebEx enhanced by SSO can lead to significantly improved user and support experiences. Users are relieved of “password fatigue” for a commonly used service, the help desk can shed dozens or even hundreds of tickets a month for password resets and account turn-up/-down, and the CSO can sleep easier at night knowing that access control flows are automated.
What is Single Sign-On? What is SAML?
SSO is a bit of a broad umbrella encompassing many different, but similar, technologies. WebEx, in particular, supports the Security Assertion Markup Language 2.0 (SAML 2.0) standard. That’s a mouthful, but SAML offers the key capability that makes SSO useful: the ability to leverage an Enterprise’s directory to provide authentication and access control to applications, including cloud-based applications.
A SAML-based approach depends on two key components: the Service Provider (SP, the application, e.g. WebEx) and the Identity Provider (IdP, a server which integrates to the Enterprise Directory to perform authentication). Microsoft Active Directory Federation Services (AD FS) is but one vendor implementation of an Identity Provider; we’ll use it for our example, since it is quite common (as many Enterprises use Microsoft Active Directory). The “user agent” (browser, WebEx mobile apps, WebEx Productivity Tools) acts as an intermediary, passing messages between the SP and IdP.
But How Does it Work?
A SAML-based authentication flow started at WebEx (“SP-initiated” authentication) looks like this:
- The user begins by visiting their WebEx site, which is administratively pre-configured with information about the SAML IdP (Microsoft AD FS). When the user clicks “Log In” on the page, the WebEx site redirects the user to Microsoft AD FS. This is the “SAML request”: WebEx embeds it in the redirect URL as a deflated, base64-encoded SAMLRequest query parameter (the SAML HTTP-Redirect binding).
- The browser follows the redirect to the Microsoft AD FS service, which decodes the SAMLRequest parameter. Assuming AD FS recognizes the requesting site (it must match a configured relying party trust), the user is prompted for authentication.
- If configured properly, the authentication may take place via Windows Integrated Authentication (WIA), meaning no authentication prompt and an entirely transparent end user experience.
- If the user has recently authenticated to the IdP for another web application, the browser may be able to use a stored IdP “cookie,” meaning no authentication prompt and an entirely transparent end user experience.
- Otherwise a user receives a username/password prompt for their Enterprise Directory credentials.
- Microsoft AD FS will attempt to authenticate the user. Configuration stored in AD FS specific to the Service Provider controls whether authentication is successful or not (more on this in a moment).
- Microsoft AD FS sends the user’s browser back to WebEx carrying the “SAML response.” This leg normally uses the SAML HTTP-POST binding rather than a redirect: AD FS returns a small auto-submitting form whose SAMLResponse field holds the base64-encoded, signed response, and the browser posts it to WebEx’s assertion consumer URL.
- WebEx reads the SAML response, and if the response indicates success, reads the information about the authenticated requestor. WebEx then cross-references the user ID (the SAML NameID) with account information in its identity back-end, and allows the user access to the appropriate WebEx services.
Key things to note:
- The SAML request and response carry identifying information, never the user’s credentials. The response and the assertion inside it are digitally signed by AD FS with its token-signing certificate, so WebEx can verify that they came from your IdP and were not altered in transit; encrypting the assertion is optional on top of that. Every leg travels over HTTPS. The check that matters on the WebEx side is that it is configured with your IdP’s signing certificate and rejects responses that are unsigned, signed by anything else, expired, or issued for another service.
- WebEx never talks to Microsoft AD FS directly. The user’s browser is redirected back and forth between the two, carrying the messages itself: the request as a URL query parameter, the response as a posted form field. One consequence is that the browser, not WebEx, must be able to reach AD FS, which is why off-site sign-in requires AD FS to be published to the Internet through a reverse proxy.
- Microsoft AD FS interacts with Microsoft Active Directory to perform the authentication. Depending on AD FS configuration for WebEx, AD FS may limit access based on whether the user is enabled/locked/disabled, Active Directory Group membership or other attributes. MS AD FS assembles user attributes such as userid, email and name (but not password information) and sends them back to WebEx in the SAML response.
- If desired, the authentication flow may also begin at Microsoft AD FS (“IdP-initiated” authentication), which is sometimes useful as a link to WebEx can be embedded in an Intranet “portal” or similar site. Note that an IdP-initiated response answers no request from WebEx, so WebEx cannot tie it to a sign-in it started; the signature, audience and validity-window checks on the assertion are what keep that flow safe.
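To make the SP-initiated flow above concrete, here is the whole exchange written out in stdlib Python: the SP builds and encodes the request (HTTP-Redirect binding), the IdP decodes it and issues a signed response for the HTTP-POST binding, and the SP performs every check it must make before trusting the NameID. This is an added example, not WebEx or AD FS code, and every name and URL in it (example.webex.com, adfs.example.com, the attribute names) is hypothetical. XML-DSig verification is delegated to a caller-supplied function; in production an XML-DSig library verifies the assertion signature against the IdP’s token-signing certificate, and the default used in the test below accepts anything so that the remaining checks can be exercised on their own.

```python
"""SP-initiated SAML 2.0 exchange, end to end, in stdlib Python. Added example, not WebEx or AD FS
code; every name and URL is hypothetical. XML-DSig checking is delegated to a caller-supplied function
(in production an XML-DSig library verifies the signature against the IdP's token-signing certificate)."""
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SP_ENTITY_ID = "https://example.webex.com/"                     # hypothetical SP (WebEx role)
SP_ACS_URL = "https://example.webex.com/saml/acs"                # hypothetical assertion consumer URL
IDP_ENTITY_ID = "http://adfs.example.com/adfs/services/trust"    # AD FS-style federation service ID
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"                # AD FS-style sign-in endpoint
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

class SamlError(Exception):
    pass

def _require(ok, msg):
    if not ok:
        raise SamlError(msg)

def saml_time(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Step 1 (SP): AuthnRequest, raw-DEFLATEd, base64d and URL-encoded per the HTTP-Redirect binding.
def build_redirect_url(request_id, now):
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{request_id}" '
           f'Version="2.0" IssueInstant="{saml_time(now)}" Destination="{IDP_SSO_URL}" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
           f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(wbits=-15)                          # raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    return IDP_SSO_URL + "?" + urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})

# Step 2 (IdP): decode what the browser carried over and check it names a known relying party.
def parse_redirect_request(url):
    raw = zlib.decompress(base64.b64decode(parse_qs(urlparse(url).query)["SAMLRequest"][0]), -15)
    root = ET.fromstring(raw)
    req = {"id": root.get("ID"), "issuer": root.findtext("saml:Issuer", namespaces=NS),
           "acs": root.get("AssertionConsumerServiceURL")}
    _require(req["issuer"] == SP_ENTITY_ID and req["acs"] == SP_ACS_URL, "unknown relying party")
    return req

# Step 3 (IdP): after directory authentication, issue a short-lived Response for the HTTP-POST
# binding. It carries identity attributes (AD FS "claims"), never the password. Values are
# assumed XML-safe here; a real issuer escapes them.
def build_post_response(req, name_id, attrs, now):
    attr_xml = "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue>'
                       f'</saml:Attribute>' for k, v in attrs.items())
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_{uuid.uuid4().hex}" '
           f'Version="2.0" IssueInstant="{saml_time(now)}" Destination="{req["acs"]}" InResponseTo="{req["id"]}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
           f'<saml:Assertion ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{saml_time(now)}">'
           f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>'
           f'<saml:Subject><saml:NameID Format="{EMAIL_FMT}">{name_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{saml_time(now - timedelta(minutes=1))}" '
           f'NotOnOrAfter="{saml_time(now + timedelta(minutes=5))}"><saml:AudienceRestriction>'
           f'<saml:Audience>{req["issuer"]}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()               # value of the SAMLResponse form field

# Step 4 (SP): everything the assertion consumer must verify before trusting the NameID.
class ServiceProvider:
    def __init__(self, verify_signature):
        self.verify_signature = verify_signature                  # callable(bytes) -> bool; XML-DSig in production
        self.pending = set()                                      # request IDs issued and not yet answered
        self.seen_assertions = set()                              # assertion IDs already accepted (replay cache)

    def start_login(self, now):
        rid = "_" + uuid.uuid4().hex
        self.pending.add(rid)
        return build_redirect_url(rid, now)

    def consume_response(self, saml_response_b64, now):
        raw = base64.b64decode(saml_response_b64)
        _require(self.verify_signature(raw), "signature does not verify against the IdP signing certificate")
        resp = ET.fromstring(raw)
        _require(resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") == SUCCESS, "IdP reported failure")
        _require(resp.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID, "not issued by the configured IdP")
        _require(resp.get("Destination") == SP_ACS_URL, "addressed to a different ACS")
        _require(resp.get("InResponseTo") in self.pending, "unsolicited or replayed response")
        self.pending.discard(resp.get("InResponseTo"))
        a = resp.find("saml:Assertion", NS)
        cond = a.find("saml:Conditions", NS)
        _require(parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")),
                 "assertion outside its validity window")
        _require(cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == SP_ENTITY_ID,
                 "assertion issued for another service provider")
        _require(a.get("ID") not in self.seen_assertions, "assertion replayed")
        self.seen_assertions.add(a.get("ID"))
        attrs = {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
                 for x in a.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
        return a.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs
```

A full login is `sp = ServiceProvider(verify)`, then `req = parse_redirect_request(sp.start_login(now))` on the IdP side, `post = build_post_response(req, name_id, attrs, now)`, and finally `sp.consume_response(post, now)` on the SP side, which returns the NameID and attributes or raises `SamlError`. The order of checks is deliberate: the signature is verified before anything in the XML is believed, and a response is accepted only once (the `InResponseTo` and assertion ID caches) and only inside its validity window. Supporting the IdP-initiated flow means dropping the `InResponseTo` check, which is why the signature, audience and time checks have to stay strict.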
Tell Me about the User Experience
It’s the best: luxurious, classy, everything you’d want it to be and more. Seriously, we’re not kidding. In the eyes of the user, the login used for laptops and email also allows them to log into WebEx. On a domain-joined machine on the corporate network, authentication can even be 100% transparent. And it works anywhere and everywhere, on- or off-site (once AD FS is published externally), via browsers, via their Outlook plugin, via WebEx Productivity Tools, via mobile apps. No separate passwords, no separate password complexity issues, no separate password expirations to deal with; everything is based on the credential they should know best and use every day.
Tell Me about the Administrative Experience
Also the best! Gone are the bothersome manual password resets, the tedious manual account creation and deactivation, etc. Tickets related to WebEx fall to a minimum and the help desk staff can resume their nerf-gun Tuesdays. With SSO, WebEx provisioning becomes almost entirely automatic.
What Does it Cost?
As with any solution, price is paramount.
SSO features can be enabled for free on any WebEx site. If you are already a Cisco WebEx customer, there’s no cost to you.
Similarly, Microsoft Active Directory Federation Services is a Windows role included in Windows Server 2012 R2 (as is the Web Application Proxy role, the reverse proxy used to publish AD FS securely for external access). A few server VMs, a TLS certificate for the federation service name, some firewall configuration, and possibly a load-balancer are all that’s required to stand up the IdP, cost-wise. AD FS generates its own token-signing certificate, which you register with WebEx; by default AD FS rolls that certificate over automatically before it expires, so plan to update the copy held by WebEx when it does, or sign-in will stop working. Alternative SAML IdP products from other providers may carry additional costs.
How do I Wake Up to SSO in the Morning?
CDW offers an inexpensive turnkey professional services engagement to setup Microsoft AD FS in either single-server or high availability “farm” mode, and integrate it with WebEx. We’ll get you up and running quickly and easily.
Contact your account manager for additional information. If you don’t have an account manager, use this form to get connected.
For the latest in collaboration trends, check out BizTech Magazine for more information.
Also, don’t forget to sign up for the CDW Solutions Blog monthly e-newsletter to stay on top of trending tech topics.