This document was generated from CDN thread
Created by: Gal Szkolnik on 26-12-2012 10:27:58 AM
I've posted this in SO, where the formatting is better and the question is more readable:
http://stackoverflow.com/questions/14043254/how-to-use-webexs-xml-api-with-sso-saml
I am writing a small tool to open a WebEx with our support customers using the support ticket information.
When the site used Username/Password I could make it work, now we use SSO.
The WebEx server is already setup to accept SSO (by our IT manager - not me).
The WebEx reference (linked below) does not elaborate, and this dev forum is pretty mute when it comes to answers about this subject.
Anyone have an idea how to make the code below actually work?
What goes into the <samlResponse> tag and replace the below line in the code with something that will make it work:
<samlResponse>samlResponse message will go here</samlResponse>
What does SAML assertion in the documentation (see below) means?
What I've found out till now
WebEx's XML-API documentation (Page 68) describes the following:
> 3.1 AuthenticateUser
>
> The AuthenticateUser API will accept a SAML assertion in place of a user password. The
<sessionTicket> returned can be used for subsequent XML API requests without using
<password> for the session duration as defined in Super Admin. This can take the place of the current requirement for a <userName> and <password> for authentication.
> ...
>
> The following schema diagram shows the element structure of the AuthenticateUser request
message.
And then it provide the XML schema diagram, and a sample.
Referencing the example .NET code (which does not use SAML) I came up with the following code:
string strXMLServer = "https://varonis.webex.com/WBXService/XMLService";
WebRequest request = WebRequest.Create(strXMLServer);
// Set the Method property of the request to POST.
request.Method = "POST";
// Set the ContentType property of the WebRequest.
request.ContentType = "application/x-www-form-urlencoded";
// Create POST data and convert it to a byte array.
Func<StringBuilder, StringBuilder> webExXML =
bodySB => new StringBuilder(1024) // Currently 294 bytes in length
.AppendLine("<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>")
.Append("<serv:message xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"")
.Append(" xmlns:serv=\"http://www.webex.com/schemas/2002/06/service\"")
.Append(" xsi:schemaLocation=\"http://www.webex.com/schemas/2002/06/service")
.Append(" http://www.webex.com/schemas/2002/06/service/service.xsd\">")
.AppendLine("<header>")
.AppendLine("<securityContext>")
.AppendLine("<siteName>siteName</siteName>")
.AppendLine("<webExID>username</webExID>")
.AppendLine("<password></password>")
.AppendLine("<partnerID></partnerID>")
.AppendLine("</securityContext>")
.AppendLine("</header>")
.AppendLine()
.AppendLine("<body>")
.Append(bodyS
.AppendLine()
.AppendLine("</body>")
.AppendLine("</serv:message>");
var xmlAuthBodyContent = new StringBuilder()
.AppendLine("<bodyContent ")
.AppendLine("xsi:type=\"java:com.webex.service.binding.user.AuthenticateUser\">")
.AppendLine("<samlResponse>samlResponse message will go here</samlResponse>")
.AppendLine("</bodyContent>");
byte[] byteArray = Encoding.UTF8.GetBytes(webExXML(xmlAuthBodyContent).ToString());
// Set the ContentLength property of the WebRequest.
request.ContentLength = byteArray.Length;
// Get the request stream.
Stream dataStream = request.GetRequestStream();
// Write the data to the request stream.
dataStream.Write(byteArray, 0, byteArray.Length);
// Close the Stream object.
dataStream.Close();
// Get the response.
WebResponse response = request.GetResponse();
DataSet DSResponse = new DataSet();
DSResponse.ReadXml(response.GetResponseStream());
DSResponse.GetXml().Dump();
The result I get is:
<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service">
<serv:header>
<serv:response>
<serv:result>FAILURE</serv:result>
<serv:reason>Authentication Server can't generate a valid session ticket</serv:reason>
<serv:gsbStatus>PRIMARY</serv:gsbStatus>
<serv:exceptionID>030048</serv:exceptionID>
<serv:subErrors>
<serv:subError>
<serv:exceptionID>AS0062</serv:exceptionID>
<serv:reason>Validate assertion failed</serv:reason>
<serv:value />
</serv:subError>
</serv:subErrors>
</serv:response>
</serv:header>
<serv:body>
<serv:bodyContent />
</serv:body>
</serv:message>
Subject: RE: How to use WebEx's XML-API with SSO (SAML)?
Replied by: Nathan Morrow on 02-01-2013 10:57:38 AM
A SAML assertion is an XML style document that is used for SAML based authentication. It includes several values that are necessary for authentication and a digital signature using a previously configured trust certificate. You will need to work with IT to gain access to retrieving SAML assertions from the Identity Management system being used. Once you are able to retrieve the SAML assertion in BASE64 format (it won't look like XML in this format, just a block of characters), you will then place the entire assertion in to the samlResponse element in your authenticateUser request.
Subject: RE: How to use WebEx's XML-API with SSO (SAML)?
Replied by: Nathan Morrow on 02-01-2013 11:49:50 AM
WebEx productivity tools uses custom internal APIs and web browser capability to access your companies authentication portal to confirm authentication. There is a SAML assertion involved behind the scenes. Once you are able to retrieve the assertion for your tool, it will also appear behind the scenes to the end user.
Subject: RE: How to use WebEx's XML-API with SSO (SAML)?
Replied by: Nathan Morrow on 02-01-2013 12:08:55 PM
I don't have any plans to use stack overflow. My answers can be shared if it means more developers will have access to this information without needing to ask.
Subject: RE: How to use WebEx's XML-API with SSO (SAML)?
Replied by: Gal Szkolnik on 02-01-2013 11:37:53 AM
Thank! I'll try that.
But... When I use WebEx's own 'OneClick' tool, they don't ask me for the SAML assertion, they know they need to provide a different type of auth - any idea if there is a way to get this information from the service itself?
again, thanks!, I'll update one I get the answer.
Subject: RE: How to use WebEx's XML-API with SSO (SAML)?
Replied by: Gal Szkolnik on 02-01-2013 11:58:17 AM
Makes sense. Thanks!
Subject: RE: How to use WebEx's XML-API with SSO (SAML)?
Replied by: Gal Szkolnik on 02-01-2013 12:03:38 PM
Nathan, would it be OK to copy your answer to StackOverflow?
If you have a stack overflow account, you are welcome to answer it there, I'd be glad to give you the bounty I've set up there.
http://stackoverflow.com/questions/14043254/how-to-use-webexs-xml-api-with-sso-saml
Created by: Gal Szkolnik on 26-12-2012 10:27:58 AM
I've posted this in SO, where the formatting is better and the question is more readable:
http://stackoverflow.com/questions/14043254/how-to-use-webexs-xml-api-with-sso-saml
I am writing a small tool to open a WebEx with our support customers using the support ticket information.
When the site used Username/Password I could make it work, now we use SSO.
The WebEx server is already setup to accept SSO (by our IT manager - not me).
The WebEx reference (linked below) does not elaborate, and this dev forum is pretty mute when it comes to answers about this subject.
Anyone have an idea how to make the code below actually work?
What goes into the <samlResponse> tag and replace the below line in the code with something that will make it work:
<samlResponse>samlResponse message will go here</samlResponse>
What does SAML assertion in the documentation (see below) means?
What I've found out till now
WebEx's XML-API documentation (Page 68) describes the following:
> 3.1 AuthenticateUser
>
> The AuthenticateUser API will accept a SAML assertion in place of a user password. The
<sessionTicket> returned can be used for subsequent XML API requests without using
<password> for the session duration as defined in Super Admin. This can take the place of the current requirement for a <userName> and <password> for authentication.
> ...
>
> The following schema diagram shows the element structure of the AuthenticateUser request
message.
And then it provide the XML schema diagram, and a sample.
Referencing the example .NET code (which does not use SAML) I came up with the following code:
string strXMLServer = "https://varonis.webex.com/WBXService/XMLService";
WebRequest request = WebRequest.Create(strXMLServer);
// Set the Method property of the request to POST.
request.Method = "POST";
// Set the ContentType property of the WebRequest.
request.ContentType = "application/x-www-form-urlencoded";
// Create POST data and convert it to a byte array.
Func<StringBuilder, StringBuilder> webExXML =
bodySB => new StringBuilder(1024) // Currently 294 bytes in length
.AppendLine("<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>")
.Append("<serv:message xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"")
.Append(" xmlns:serv=\"http://www.webex.com/schemas/2002/06/service\"")
.Append(" xsi:schemaLocation=\"http://www.webex.com/schemas/2002/06/service")
.Append(" http://www.webex.com/schemas/2002/06/service/service.xsd\">")
.AppendLine("<header>")
.AppendLine("<securityContext>")
.AppendLine("<siteName>siteName</siteName>")
.AppendLine("<webExID>username</webExID>")
.AppendLine("<password></password>")
.AppendLine("<partnerID></partnerID>")
.AppendLine("</securityContext>")
.AppendLine("</header>")
.AppendLine()
.AppendLine("<body>")
.Append(bodyS
.AppendLine()
.AppendLine("</body>")
.AppendLine("</serv:message>");
var xmlAuthBodyContent = new StringBuilder()
.AppendLine("<bodyContent ")
.AppendLine("xsi:type=\"java:com.webex.service.binding.user.AuthenticateUser\">")
.AppendLine("<samlResponse>samlResponse message will go here</samlResponse>")
.AppendLine("</bodyContent>");
byte[] byteArray = Encoding.UTF8.GetBytes(webExXML(xmlAuthBodyContent).ToString());
// Set the ContentLength property of the WebRequest.
request.ContentLength = byteArray.Length;
// Get the request stream.
Stream dataStream = request.GetRequestStream();
// Write the data to the request stream.
dataStream.Write(byteArray, 0, byteArray.Length);
// Close the Stream object.
dataStream.Close();
// Get the response.
WebResponse response = request.GetResponse();
DataSet DSResponse = new DataSet();
DSResponse.ReadXml(response.GetResponseStream());
DSResponse.GetXml().Dump();
The result I get is:
<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service">
<serv:header>
<serv:response>
<serv:result>FAILURE</serv:result>
<serv:reason>Authentication Server can't generate a valid session ticket</serv:reason>
<serv:gsbStatus>PRIMARY</serv:gsbStatus>
<serv:exceptionID>030048</serv:exceptionID>
<serv:subErrors>
<serv:subError>
<serv:exceptionID>AS0062</serv:exceptionID>
<serv:reason>Validate assertion failed</serv:reason>
<serv:value />
</serv:subError>
</serv:subErrors>
</serv:response>
</serv:header>
<serv:body>
<serv:bodyContent />
</serv:body>
</serv:message>
Subject: RE: How to use WebEx's XML-API with SSO (SAML)?
Replied by: Nathan Morrow on 02-01-2013 10:57:38 AM
A SAML assertion is an XML style document that is used for SAML based authentication. It includes several values that are necessary for authentication and a digital signature using a previously configured trust certificate. You will need to work with IT to gain access to retrieving SAML assertions from the Identity Management system being used. Once you are able to retrieve the SAML assertion in BASE64 format (it won't look like XML in this format, just a block of characters), you will then place the entire assertion in to the samlResponse element in your authenticateUser request.
Subject: RE: How to use WebEx's XML-API with SSO (SAML)?
Replied by: Nathan Morrow on 02-01-2013 11:49:50 AM
WebEx productivity tools uses custom internal APIs and web browser capability to access your companies authentication portal to confirm authentication. There is a SAML assertion involved behind the scenes. Once you are able to retrieve the assertion for your tool, it will also appear behind the scenes to the end user.
Subject: RE: How to use WebEx's XML-API with SSO (SAML)?
Replied by: Nathan Morrow on 02-01-2013 12:08:55 PM
I don't have any plans to use stack overflow. My answers can be shared if it means more developers will have access to this information without needing to ask.
Subject: RE: How to use WebEx's XML-API with SSO (SAML)?
Replied by: Gal Szkolnik on 02-01-2013 11:37:53 AM
Nathan Morrow:You will need to work with IT to gain access to retrieving SAML assertions from the Identity Management system being used.
Thank! I'll try that.
But... When I use WebEx's own 'OneClick' tool, they don't ask me for the SAML assertion, they know they need to provide a different type of auth - any idea if there is a way to get this information from the service itself?
again, thanks!, I'll update one I get the answer.
Subject: RE: How to use WebEx's XML-API with SSO (SAML)?
Replied by: Gal Szkolnik on 02-01-2013 11:58:17 AM
Nathan Morrow:WebEx productivity tools uses custom internal APIs...
Makes sense. Thanks!
Subject: RE: How to use WebEx's XML-API with SSO (SAML)?
Replied by: Gal Szkolnik on 02-01-2013 12:03:38 PM
Nathan, would it be OK to copy your answer to StackOverflow?
If you have a stack overflow account, you are welcome to answer it there, I'd be glad to give you the bounty I've set up there.
http://stackoverflow.com/questions/14043254/how-to-use-webexs-xml-api-with-sso-saml
