Active Directory Federation Services

Installation Instructions for WebEx Messenger and WebEx Centers Single Sign-On for Windows 2008 R2

Copyright

© 1997-2013 Cisco and/or its affiliates. All rights reserved. WEBEX, CISCO, Cisco WebEx, the CISCO logo, and the Cisco WebEx logo are trademarks or registered trademarks of Cisco and/or its affiliated entities in the United States and other countries. Third-party trademarks are the property of their respective owners.

U.S. Government End User Purchasers. The Documentation and related Services qualify as "commercial items," as that term is defined at Federal Acquisition Regulation ("FAR") (48 C.F.R.) 2.101. Consistent with FAR 12.212 and DoD FAR Supp. 227.7202-1 through 227.7202-4, and notwithstanding any other FAR or other contractual clause to the contrary in any agreement into which the Agreement may be incorporated, Customer may provide to Government end user or, if the Agreement is direct, Government end user will acquire, the Services and Documentation with only those rights set forth in the Agreement. Use of either the Services or Documentation or both constitutes agreement by the Government that the Services and Documentation are commercial items and constitutes acceptance of the rights and restrictions herein.

Last updated: 10232013   www.webex.com

Table of Contents

Introduction and Prerequisites ... 1
Introduction ... 1
Prerequisites ... 1
Downloading and Installing ADFS 2.0 ... 3
Accessing the ADFS Installation File ... 3
Creating a Self-Signed Certificate in IIS ... 5
Configuring an ADFS 2.0 First Run ... 11
Exporting a Token Signing Certificate ... 21
Configuring WebEx Centers ... 27
Configuring WebEx Messenger ... 45
Configuring ADFS 2.0 for a Relay Party Trust ... 63
Edit Claim Rules for Login ... 73
Setup Auto Account Creation ... 83
Setup Auto Account Update ... 95
Testing the Connection in WebEx Centers ... 105
Appendix ... 109
Index ... 113

Chapter 1

Introduction

This document covers the installation and configuration of the software components required to achieve a Single Sign-On (SSO) solution with Active Directory Federation Services (ADFS). Each customer's environment differs, and matching every one of these environments is not feasible.

These instructions are supplied, as a best effort, to match the base installation of Microsoft Windows 2008 R2. ADFS 2.0 is only available on Windows 2008 R2 and above. The instructions listed below should be reviewed by your system administrator.

 

Prerequisites

Prerequisites required prior to ADFS installation include the following:

§ Active Directory Domain Services (AD DS) must be configured correctly with at least one user listed.
§ User accounts must have, at a minimum, an email address, SAM-Account-Name or UPN, first name, and last name.

Note: The installation and configuration of Active Directory, LDAP, or IWA is outside the scope of this document.

§ Verify that your WebEx site or Messenger Organization is set up for SSO by doing one or both of the following:
  § Log in to the WebEx site administrator page. On the left navigation menu you should have a link for SSO Configuration.
  § On WebEx Messenger, verify that you have a Federated Web SSO Configuration link listed under Security Settings.
  If your WebEx site or Messenger Organization is not configured for SSO, please contact your WebEx account manager and ask to have it enabled.

Note: If your WebEx site or Messenger Organization is not configured for SSO, please contact your WebEx account manager for configuration assistance.

Chapter 2

Downloading and Installing ADFS 2.0

Accessing the ADFS Installation File

The download link for ADFS 2.0 is located at http://www.microsoft.com/download/en/details.aspx?id=10909. However, if this link is no longer active, perform a web search to find the most recent download link.

To install ADFS:

1. Download the installation file onto your desktop from the Microsoft Download Centre.
2. Double-click the file to start the installation.
3. Select Run.
4. Select Next to continue.
5. Select the I accept the terms in the License Agreement check box and select Next.
6. In the Server Role screen, ensure the Federation server radio button is selected and select Next.
7. Review the prerequisites and select Next.
8. Once the installation is complete, select the Start the AD FS 2.0 Management snap-in when the wizard closes check box.
Chapter 3

Creating a Self-Signed Certificate in IIS

Important: If you are planning on using a CA Certificate you can skip this step. Creating, signing, and importing a CA Certificate is outside the scope of WebEx support for ADFS. Contact your system administrator for help with this process.

To create a self-signed certificate in IIS:

1. Select the Start menu > Administrative Tools > Internet Information Services (IIS) Manager.

Note: We recommend using a server name the DNS server can resolve.

2. When IIS Manager loads, select the server home icon and the Server Certificates icon.
3. On the Server Certificate screen under Actions, select the Create Self
4. The Specify Friendly Name screen is displayed. In the Friendly Name field,
5. Select OK. You should now have a new certificate listed for your IIS server. You can close the IIS Manager screen.
9. Select OK. SSL is now enabled.
Chapter 4

Configuring an ADFS 2.0 First Run

To configure an ADFS 2.0 first run:

1. Select the Start menu > Administrative Tools > ADFS 2.0 Management. The ADFS Management console is displayed.
2. Select the AD FS 2.0 Federation Server Configuration Wizard link to begin the setup wizard.
3. Ensure the Create a new Federation Service radio button is selected and select Next.
4. Ensure the Stand-alone federation service radio button is selected and
6. Select Browse. The Select User screen is displayed.

Note: You must assign one of your computer accounts as a service account for ADFS. The exact account varies from customer to customer. If you are not sure what account to use, contact your system administrator.

7. Type the name of the service account in the Enter the object name to select
8. Select Check Names to validate the name.
9. When the account is validated, select OK.
10. In the Specify a Service Account screen in the Password field, type in a
11. Review the Ready to Apply Settings, and select Next. Windows applies the
12. Review the final settings, and if needed, fix any problems that may have occurred.

Important: These errors may require assistance from your system administrator. WebEx support is not able to help with errors at this stage.
Chapter 5

Exporting a Token Signing Certificate

To export a token signing certificate:

1. Select the Start menu > Administrative Tools > ADFS 2.0 Management. The ADFS Management console is displayed.
2. Select and expand the Service tree and select Certificates. In the center window, listed under Certificates, find your Token-signing certificate.
3. Right-click the Token-signing certificate and select View Certificate… from the pop-up. The certificate is displayed.
6. Ensure the DER encoded Binary X.509 (.CER) radio button is selected and
9. Select OK to confirm the operation is completed.
Chapter 6

Configuring WebEx Centers

This chapter details the tasks you need to complete to set up your WebEx site for ADFS 2.0, including:

§ Installing the token-signing certificate
§ Selecting the correct Single Sign-On (SSO) version
§ Setting up the service provider initiated SSO in the SSO profile
§ Setting up the service provider ID
§ Setting up the issuer ID
§ Setting up the SSO sign-in URL
§ Setting up the name ID format
§ Setting up the AuthnContextClassRef value
§ Saving the WebEx configuration
§ Exporting the WebEx Metadata.xml file

To install the token-signing certificate:

1. Sign in to the Cisco WebEx Site Administration Tool.
2. On the left navigation menu, select the SSO Configuration link.
3. Select the Site Certificate Manager link.
4. In the Site Certificate Manager screen, select Browse to select the token-signing certificate.

To select the correct SSO version:

1. Sign in to Cisco WebEx Site Administration.
5. The default SAML 2.0 configuration screen for WebEx is displayed.

To set up the Service Provider initiated SSO in the SSO Profile:

§ In the SAML 2.0 configuration screen for WebEx, ensure the SP Initiated option is selected. Do NOT check the AuthnRequest Signed checkbox.

To set up the Service Provider ID:

The default value for the SP ID is http://www.webex.com. This value is pre-populated and can remain at the default.

Important: There may be a conflict with Cisco WebEx Messenger / Cisco Jabber. Cisco WebEx Messenger and Cisco Jabber both have the same default value for SP ID. If you are using both services with SSO, one of these values needs to change. The section below recommends changing the value for WebEx Messenger and keeping the default for WebEx Centers.

To set up the correct issuer ID:

1. Launch the ADFS 2.0 Management console.
2. On the right-hand side of the main ADFS Management console screen under
4. Paste the Federation Service Identifier into the WebEx field Issuer for SAML (IdP ID).

To set up the SSO sign-in URL:

1. First you need to create the endpoint URL, which needs to be pieced together from ADFS and IIS. The endpoint URL is where WebEx directs users to sign in. This value is different from customer to customer. The format of the URL is https://{Server Name}/{path of endpoint}/.

Important: The instructions provided below are a best effort to assist you in putting the endpoint URL together. If you are not sure of this value, or if the provided instructions do not match up in your environment, contact your system administrator.

2. Launch the ADFS 2.0 Management console.
3. On the right-hand side of the main ADFS Management console screen under
4. Copy the value displayed in the Federation Service name field. This is our server name for the endpoint URL, for example, https://adfs-fed-srv2.adfs.webexeagle.com/{path of endpoint}/.
5. Select OK or Cancel.
6. Launch the ADFS 2.0 Management console, open the Services Tree and select Endpoint. You now need to find the SAML 2.0/WS-Federation type. Copy the value listed under URL Path and add it to the full endpoint URL. Using the previous example, you should now have the following URL: https://adfs-fed-srv2.adfs.webexeagle.com/adfs/ls/
7. Sign in to Cisco WebEx Site Administration and add this to the SSO Service

To set up the name ID format:

§ The Name ID format should remain at the default value Unspecified.

To set up the AuthnContextClassRef value:

§ Currently WebEx sets the default value for AuthnContextClassRef to

Note: This value can change depending on your setup. Finding the value may require extra troubleshooting. Listed below are the most common AuthnContextClassRef values. Windows Authentication is the most common value and is the one used in this guide. If you are using a different authentication scheme, you just need to ensure that the value in your assertion and the value in WebEx match exactly. If you continue to have issues with this value (WebEx error 13), refer to the SAML Troubleshooting Guide or contact technical support.

§ Common AuthnContextClassRef values:

Authentication Type                  AuthnContextClassRef Value
Windows Authentication (Suggested)   urn:federation:authentication:windows
Kerberos Authentication              urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos
Password Authentication              urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                                     or
Forms Authentication                 urn:oasis:names:tc:SAML:2.0:ac:classes:Password
                                     or
                                     urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
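To make the "values must match exactly" requirement above checkable, here is an added Python example (not from the Cisco guide) that compares an assertion's Issuer and AuthnContextClassRef with the IdP ID and AuthnContextClassRef configured in WebEx. The sample response, its Federation Service Identifier and the user name are constructed; the example does not verify the XML signature, which WebEx checks with the imported token-signing certificate.

```python
"""Compare a SAML 2.0 response with the values configured in WebEx
(Issuer for SAML / IdP ID and AuthnContextClassRef) so a mismatch can be
found before users hit WebEx error 13.  Added example, not Cisco's code."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Most common AuthnContextClassRef values, as listed in the guide's table.
WINDOWS_AUTH = "urn:federation:authentication:windows"
KERBEROS_AUTH = "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"
PASSWORD_AUTH = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PASSWORD_PROTECTED_TRANSPORT = (
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
)


def check_assertion(response_xml: str, idp_id: str, expected_classref: str) -> list:
    """Return a list of mismatch descriptions; an empty list means both match.

    idp_id is the Issuer for SAML (IdP ID) entered in WebEx, i.e. the ADFS
    Federation Service Identifier; expected_classref is the AuthnContextClassRef
    value entered in WebEx.  Both must equal the assertion values exactly.
    The signature is NOT verified here; use defusedxml for untrusted input.
    """
    root = ET.fromstring(response_xml)
    problems = []
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element in the response"]

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_id:
        problems.append(
            f"Issuer mismatch: assertion says {issuer!r}, WebEx expects {idp_id!r}")

    classref = assertion.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
        default="", namespaces=NS).strip()
    if classref != expected_classref:
        problems.append(
            f"AuthnContextClassRef mismatch: assertion says {classref!r}, "
            f"WebEx expects {expected_classref!r}")
    return problems


# Constructed, unsigned sample response.  The issuer uses the default ADFS
# identifier form http://<federation service name>/adfs/services/trust with the
# guide's example server name; "jdoe" is a made-up user.
SAMPLE_IDP_ID = "http://adfs-fed-srv2.adfs.webexeagle.com/adfs/services/trust"
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs-fed-srv2.adfs.webexeagle.com/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2013-10-23T12:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    # Windows Authentication configured in WebEx: matches the sample.
    print(check_assertion(SAMPLE_RESPONSE, SAMPLE_IDP_ID, WINDOWS_AUTH))
    # Forms Authentication configured in WebEx: reports the mismatch (error 13).
    print(check_assertion(SAMPLE_RESPONSE, SAMPLE_IDP_ID, PASSWORD_AUTH))
```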

To save the WebEx configuration:

§ At this point you need to save/update the values on the Federated Web SSO Configuration page. Select Update.

To export the WebEx Metadata.xml file:

1. In WebEx Site Administration, select Export and save the file to your
2. The screen below is displayed. Select Save File and OK.
Chapter 7

Configuring WebEx Messenger

This chapter details the tasks you need to complete to set up your WebEx Messenger service for ADFS 2.0, including:

§ Installing the token-signing certificate
§ Selecting the correct Single Sign-On (SSO) version
§ Setting up the service provider initiated SSO in the SSO profile
§ Setting up the service provider ID
§ Setting up the issuer ID
§ Setting up the SSO sign-in URL
§ Setting up the name ID format
§ Setting up the AuthnContextClassRef value
§ Saving the WebEx configuration
§ Exporting the WebEx Metadata.xml file

To install the token-signing certificate:

1. Sign in to Cisco WebEx Administration.
2. On the left navigation menu, select the Security Settings link.
3. Select the Organization Certificate Manager link.
4. In the Organization Certificate Manager screen, select Import New
6. Browse to the required certificate, and select Open.
8. Ensure the certificate is correct, and select Close.

To select the correct SSO version:

1. Sign in to the Cisco WebEx Organization Administration Tool.
2. Select the Configuration tab.
3. On the left navigation menu, select Security Settings.
4. Select Federated Web SSO Configuration.
5. The default SSO value of SAML 2.0 is displayed in the Federation Protocol field. You do not need to make any changes.

To set up the Service Provider initiated SSO in the SSO Profile:

§ In the Federated Web SSO Configuration screen, ensure the SP Initiated option is selected. Do NOT check the AuthnRequest Signed checkbox.

To set up the Service Provider ID:

The default value for the SP ID is http://www.webex.com. This value is pre-

To set up the correct issuer ID:

1. Launch the ADFS 2.0 Management console.
2. On the right-hand side of the main ADFS Management console screen under Actions, select Edit Federation Server Properties. The Federation Server Properties screen is displayed.
4. Paste the Federation Service Identifier into the WebEx field Issuer for SAML (IdP ID).

To set up the SSO sign-in URL:

1. First you need to create the endpoint URL, which needs to be pieced together from ADFS and IIS. The endpoint URL is where WebEx directs users to sign in. This value is different from customer to customer. The format of the URL is https://{Server Name}/{path of endpoint}/.

Important: The instructions provided below are a best effort to assist you in putting this together. If you are not sure of this value, or if the provided instructions do not match up in your environment, contact your system administrator.

2. Launch the ADFS 2.0 Management console.
3. On the right-hand side of the main ADFS Management console screen under Actions, select Edit Federation Server Properties. The Federation Server Properties screen is displayed.
5. Copy the value displayed in the Federation Service name field. This is our server name for the endpoint URL, for example, https://adfs-fed-srv2.adfs.webexeagle.com/{path of endpoint}/.
8. Sign in to the Cisco WebEx Administration Tool and add this to the

To set up the name ID format:

To save the WebEx configuration:

§ At this point you need to save/update the values on the Federated Web SSO Configuration screen. Select Save.

To export the WebEx Metadata.xml file:

1. In the Cisco WebEx Administration Tool in the Federated Web SSO
2. The screen below is displayed. Select Save File and OK.
3. You may have to select the location to download the file. We suggest the
Chapter 8

Configuring ADFS 2.0 for a Relay Party Trust

To configure ADFS 2.0 for a relay party trust:

1. Launch the ADFS 2.0 Management console.
2. Select Required: Add a trusted relying party.
3. The Add Relying Party Trust Wizard is displayed. Read the information
4. In the Select Data Source screen, select Import data about the relying
5. Browse to the location where you previously saved the WebEx Metadata file,
7. In the Specify Display Name screen in the Display name field, enter a name for the relying party. For example, WebEx_SP.
8. In the Notes field, enter a description for the relying party. We recommend
9. Select Next.
10. In the Choose Issuance Authorization Rules screen, select Permit all users
11. In the Ready to Add Trust screen, review all of the data. No changes should
12. Select Next.
13. In the Finish screen, ensure Open the edit claim rules dialog for this
Chapter 9

Edit Claim Rules for Login

To edit the claim rules for login:

1. Launch the ADFS 2.0 Management console.
2. Expand the Trust Relationships folder.
3. Select the Relying Party Trusts folder. The WebEx_SP Relying Party Trust should be displayed.
4. Under Actions > WebEx_SP, select Edit Claim Rules….
5. In the Edit Claim Rules for WebEx_SP screen, select Add Rule….
6. In the Select Rule Template screen, ensure the Claim rule template is set
7. In the Configure Rule screen in the Claim rule name field, enter Name ID
9. Under Mapping of LDAP attributes to outgoing claim types: there are two labeled columns. Select the drop-down arrow for LDAP Attribute.
10. From the list, select either E-Mail-Addresses or SAM-Account-Name.
13. Review the settings, and then select Finish.

You have now completed the first steps of setting up ADFS 2.0. If you have existing user accounts on your site, you can now test to verify authentication. Resolve any problems at this point before moving on to Auto Account Creation. If you do not have any user accounts, or are using a new format for the username, then you can move on to Auto Account Creation.

If you do not plan on using Auto Account Creation, then congratulations, you have completed setting up ADFS 2.0.
Chapter 10

Setup Auto Account Creation

Auto account creation is used to generate accounts on the WebEx site, helping reduce the need for administration and user management.

To edit claims for auto account creation:

1. Launch the ADFS 2.0 Management console.
2. Expand the Trust Relationships folder.
3. Select Relying Party Trusts. WebEx_SP should be displayed.
4. Under Actions > WebEx_SP, select Edit Claim Rules….
5. In the Edit Claim Rules for WebEx_SP screen, select Add Rule….
6. In the Select Rule Template screen, select Send LDAP Attributes as Claims
7. In the Configure Rule screen in the Claim rule name field, enter
9. Under Mapping of LDAP attributes to outgoing claim types: there are two labeled columns. The first is LDAP Attribute, and the second is Outgoing Claim Type. You must add four rows, filling out both of these columns. For basic auto account creation WebEx requires the following four outgoing claim types: uid, email, firstname, and lastname.
11. In the Outgoing Claim Type field, type uid.

Tip: DO NOT CLICK on the list arrow; you must type this in manually. A triple click in the field enables you to start typing.

12. In the second row from the LDAP Attributes list, select E-Mail-Addresses.
13. In the Outgoing Claim Type field, type email. DO NOT CLICK on the list arrow; you must type this in manually.
14. In the third row from the LDAP Attributes list, select Given-Name.
15. In the Outgoing Claim Type field, type firstname. DO NOT CLICK on the list arrow; you must type this in manually.
16. In the fourth row from the LDAP Attributes list, select Surname.
17. In the Outgoing Claim Type field, type lastname. DO NOT CLICK on the list
20. When complete, select Finish.
21. There are now two claim rules listed in the Edit Claim Rules for WebEx_SP

To configure WebEx for auto account update:

1. Sign in to your Cisco WebEx Administration Tool or your Cisco WebEx

Chapter 11

Setup Auto Account Update

To edit claims for auto account update:

1. Launch the ADFS 2.0 Management console.
2. Expand the Trust Relationships folder. The WebEx_SP Relying Party Trust should be displayed.
3. Under Actions > WebEx_SP, select Edit Claim Rules….
5. The Add Transform Claim Rule Wizard is displayed.
6. From the Claim rule template list, select Send Claims Using a Custom
7. Read the Notes about the claim rule template description, and then select
8. In the Claim rule name field, enter AutoAccountUpdate.
9. In the Custom rule: text box, enter the following rule:

• c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("updateTimeStamp"), query = ";whenChanged;{0}", param = c.Value);

To configure WebEx for auto account update:

1. Sign in to your Cisco WebEx Administration Tool or your Cisco WebEx Messenger Administration Tool.

 

Chapter 12

Testing the Connection in WebEx Centers

To test the connection in WebEx Centers:

1. Open a web browser and point it to http://sitename.webex.com, replacing sitename with your WebEx branded site.
2. Select Login on the right side of the screen. You are either directed straight into your Cisco WebEx site or asked to enter your network credentials in the login screen.
3. The Cisco WebEx site is displayed.
Chapter 13

Testing the Connection in WebEx Messenger

Cisco WebEx Messenger 7.0 and greater automatically recognizes that Single Sign-On (SSO) is turned on for your organization, and attempts to sign in to your Active Directory. Some older versions of Cisco WebEx Messenger need to be installed with a switch to turn on SSO.

Customers who would like to package and manually install Cisco WebEx Messenger across a network can also use this switch. Please refer to the Cisco WebEx Organization Administration documentation for additional details if you plan on using this method.

Use the following examples for installing the Cisco WebEx Messenger client:

§ For a non-SSO msi installation: msiexec.exe /i apSetup.msi
§ For an SSO msi installation: msiexec.exe /i apSetup.msi /SSO_ORG EXAMPLE.com

OR

§ Connect.exe (installation package) or apSetup.exe to install non-SSO
§ Connect.exe (installation package) or apSetup.exe /SSO_ORG EXAMPLE.com to install SSO

Note: The Connect.exe installation package and the Connect.exe run-time executable are two different files.

To enable or disable SSO in Connect.exe (run-time executable):

§ Enabled: Connect.exe /SSO_ORG EXAMPLE.com
§ Disabled: Connect.exe /SSO_ORG NONE

A second option for testing is to use the Cisco WebEx Messenger Web IM to test SSO. Replace {ORG} in https://loginp.webexconnect.com/cas/sso/{ORG}/webim.app with your Cisco WebEx Messenger organization.

(113)

     

109    

Accepted attributes in the assertion for Meeting Center

Attribute Name                  Required for Auto Account Creation          Usage
uid                             NO
firstname                       YES
lastname                        YES
email                           YES
groupid                         NO                                          Only supports create, not update
updateTimeStamp                 NO, but necessary for Auto Account Update   Supports a long value, UTC time format, and LDIF time format
optionalparams                  NO                                          Optional parameters can be set in either of the two formats shown below this table
RP                              NO                                          Support Record Editor
LA                              NO                                          LabAdmin privilege
OPhoneCountry                   NO                                          Office phone country code
OPhoneArea                      NO                                          Office phone area code
OPhoneLocal                     NO                                          Office phone local number
OPhoneExt                       NO                                          Office phone extension
FPhoneCountry                   NO                                          Fax phone country code
FPhoneArea                      NO                                          Fax phone area code
FPhoneLocal                     NO                                          Fax phone local number
FPhoneExt                       NO                                          Fax phone extension
TimeZone                        NO                                          TimeZone
Address1                        NO                                          Address1
Address2                        NO                                          Address2
City, State, ZipCode, Country   NO
MW                                                                          mywebex type
FL                                                                          SupportFileFolder
AB                                                                          SupportMyContacts
PF                                                                          SupportMyProfile
MM                                                                          SupportMyMeetings
MR                                                                          SupportEndUserReport
AA                                                                          SupportAccessAnywhere
RC                                                                          SupportMyRecordings
RE                                                                          SupportEventDocuments
LB                                                                          SupportPersonalLobby
AS                                                                          AdditionalStorageNumber
AC                                                                          AdditionalComputerNumber
MT                                                                          <1,2,3,...>

The optionalparams attribute accepts two formats. Either wrap the parameters as Key=Value pairs inside a single optionalparams attribute:

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="optionalparams">
  <saml:AttributeValue xsi:type="xs:string">City=Toronto</saml:AttributeValue>
  <saml:AttributeValue xsi:type="xs:string">AA=OFF</saml:AttributeValue>
</saml:Attribute>

or use the same format as the mandatory attributes, with no optionalparams wrapper:

<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="City">
  <saml:AttributeValue xsi:type="xs:string">Toronto</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="AA">
  <saml:AttributeValue xsi:type="xs:string">OFF</saml:AttributeValue>
</saml:Attribute>
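The relying party has to read both optionalparams layouts from the table above and refuse auto account creation when firstname, lastname or email is absent. The following is an added Python example, not Cisco's code: the assertion it parses is constructed, the function names are mine, and only the attribute names (uid, firstname, lastname, email, optionalparams, City, AA, TimeZone) come from the table. It extracts the AttributeStatement with the standard library, enforces the required attributes, and merges the wrapped Key=Value pairs with plain attributes into one dictionary, rejecting an assertion that supplies the same parameter twice with different values.

```python
"""Extract the attributes from a SAML assertion and merge the two optional-parameter
layouts described in the Meeting Center table.

Added example, not Cisco's code: the assertion below is constructed and the function
names are mine. Only the attribute names come from the table."""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
SAML_ATTRIBUTE = f"{{{SAML_NS}}}Attribute"
SAML_VALUE = f"{{{SAML_NS}}}AttributeValue"

# Identity attributes from the table: uid is optional, the other three are
# required for auto account creation.
IDENTITY_ATTRS = ("uid", "firstname", "lastname", "email")
REQUIRED_FOR_AUTO_CREATE = ("firstname", "lastname", "email")

# Constructed sample carrying the identity block plus both optional layouts.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema">
  <saml:AttributeStatement>
    <saml:Attribute NameFormat="{BASIC_FORMAT}" Name="uid">
      <saml:AttributeValue xsi:type="xs:string">jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="{BASIC_FORMAT}" Name="firstname">
      <saml:AttributeValue xsi:type="xs:string">Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="{BASIC_FORMAT}" Name="lastname">
      <saml:AttributeValue xsi:type="xs:string">Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute NameFormat="{BASIC_FORMAT}" Name="email">
      <saml:AttributeValue xsi:type="xs:string">jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <!-- format 1: Key=Value pairs wrapped in optionalparams -->
    <saml:Attribute NameFormat="{BASIC_FORMAT}" Name="optionalparams">
      <saml:AttributeValue xsi:type="xs:string">City=Toronto</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:string">AA=OFF</saml:AttributeValue>
    </saml:Attribute>
    <!-- format 2: a plain attribute named after the parameter -->
    <saml:Attribute NameFormat="{BASIC_FORMAT}" Name="TimeZone">
      <saml:AttributeValue xsi:type="xs:string">4</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(assertion_xml):
    """Map each basic-format attribute Name to its list of string values."""
    root = ET.fromstring(assertion_xml)
    values = {}
    for attribute in root.iter(SAML_ATTRIBUTE):
        if attribute.get("NameFormat", BASIC_FORMAT) != BASIC_FORMAT:
            continue  # the table only defines basic-format names
        name = attribute.get("Name")
        if name:
            texts = [(v.text or "").strip() for v in attribute.findall(SAML_VALUE)]
            values.setdefault(name, []).extend(texts)
    return values


def split_optional_params(values):
    """Turn 'Key=Value' strings from an optionalparams attribute into a dict.
    Split on the first '=' only, so a value may itself contain '='."""
    params = {}
    for item in values:
        key, sep, value = item.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed optionalparams entry: {item!r}")
        params[key.strip()] = value.strip()
    return params


def normalise_assertion(assertion_xml):
    """Return (identity, optional) dictionaries for one assertion.

    identity holds uid/firstname/lastname/email; optional merges the wrapped
    optionalparams pairs with every plain attribute that is not an identity
    attribute. Raises ValueError when a required attribute is missing or the
    two layouts disagree about a parameter's value."""
    attrs = attribute_values(assertion_xml)

    def first(name):
        return (attrs.get(name) or [""])[0]

    missing = [n for n in REQUIRED_FOR_AUTO_CREATE if not first(n)]
    if missing:
        raise ValueError(f"assertion lacks required attribute(s): {', '.join(missing)}")
    identity = {n: first(n) for n in IDENTITY_ATTRS if first(n)}
    optional = split_optional_params(attrs.get("optionalparams", []))
    for name, vals in attrs.items():
        if name in IDENTITY_ATTRS or name == "optionalparams":
            continue
        value = vals[0] if vals else ""
        if name in optional and optional[name] != value:
            raise ValueError(f"conflicting values for optional parameter {name!r}")
        optional[name] = value
    return identity, optional


if __name__ == "__main__":
    identity, optional = normalise_assertion(SAMPLE_ASSERTION)
    print(identity)
    print(optional)
```

Raising on a conflicting duplicate, rather than letting one layout silently override the other, is my choice; the page does not say which layout wins, so a deployment should settle that explicitly instead of depending on attribute order in the assertion.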

Attribute Name          Required for Auto Account Creation          Usage
updateTimeStamp         NO, but necessary for Auto Account Update   Supports a long value, UTC time format, and LDIF time format
optionalparams          NO                                          Optional parameters can be set in the same two formats shown for Meeting Center above
employeeid              NO                                          Must be unique within an org
groupid                 NO                                          Only supports auto account creation
displayName             NO
companyName             NO
streetLine1             NO
streetLine2             NO
city                    NO
state                   NO
zipcode                 NO
country                 NO                                          Must be an ISO country code
jobTitle                NO
mobilePhone             NO
businessPhone           NO
optionalparams          NO
imloggingenabled        NO                                          When an org has IM Logging enabled and this attribute is absent, it is set to "false"
imloggingendpointname   NO                                          If the value is null when imloggingenabled is true, the default endpoint set in the administrator portal is used
upgradesite             NO                                          Only supports auto account update
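Both attribute tables list updateTimeStamp as accepting a long value, UTC time format or LDIF time format, and both say it is necessary for auto account update. The following added Python example (not Cisco's code) normalizes the three layouts to one UTC datetime and decides whether an incoming assertion should update the stored profile. Treating the long value as milliseconds since the Unix epoch, the UTC format as ISO 8601 with a Z suffix, and the LDIF format as RFC 4517 GeneralizedTime is my assumption, since the page names the formats without defining them; the function names and sample values are mine.

```python
"""Normalise updateTimeStamp values and decide whether an auto account update applies.

Added example, not Cisco's code. Assumptions (the page only names the formats):
  - long value       = milliseconds since the Unix epoch, e.g. 1382538600000
  - UTC time format  = ISO 8601 with a Z suffix, e.g. 2013-10-23T14:30:00Z
  - LDIF time format = RFC 4517 GeneralizedTime, e.g. 20131023143000Z
"""
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# GeneralizedTime as LDIF writes it: YYYYMMDDHHMMSS, optional fraction, trailing Z.
LDIF_TIME = re.compile(r"^(\d{14})(?:[.,](\d+))?Z$")
ISO_UTC = "%Y-%m-%dT%H:%M:%SZ"


def parse_update_timestamp(raw):
    """Return a timezone-aware UTC datetime for any of the three accepted layouts.

    Raises ValueError for anything else, so a malformed or empty value can never
    be mistaken for "very old" or "very new"."""
    value = raw.strip()
    if value.isdigit():  # long value (assumed milliseconds since the epoch)
        return EPOCH + timedelta(milliseconds=int(value))
    match = LDIF_TIME.match(value)
    if match:  # LDIF / GeneralizedTime
        stamp = datetime.strptime(match.group(1), "%Y%m%d%H%M%S")
        micros = int((match.group(2) or "0").ljust(6, "0")[:6])
        return stamp.replace(microsecond=micros, tzinfo=timezone.utc)
    try:  # UTC time format (assumed ISO 8601)
        return datetime.strptime(value, ISO_UTC).replace(tzinfo=timezone.utc)
    except ValueError:
        raise ValueError(f"unrecognised updateTimeStamp value: {raw!r}") from None


def should_apply_update(incoming_raw, stored_raw):
    """True when the assertion's updateTimeStamp is strictly newer than the one
    already stored for the account (None means the account was never updated).

    Refusing equal or older stamps means a replayed or out-of-order assertion
    cannot roll profile data back to an earlier state."""
    incoming = parse_update_timestamp(incoming_raw)
    if stored_raw is None:
        return True
    return incoming > parse_update_timestamp(stored_raw)


if __name__ == "__main__":
    for sample in ("1382538600000", "2013-10-23T14:30:00Z", "20131023143000Z"):
        print(sample, "->", parse_update_timestamp(sample).isoformat())
    print(should_apply_update("2013-10-24T00:00:00Z", "20131023143000Z"))
```

The LDIF form must carry its trailing Z: a bare 14-digit value such as 20131023143000 is indistinguishable from a long value and would be read as milliseconds, which is one reason to pick a single format for the claim rule in AD FS rather than mixing them across users.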

 
