Solved: WebEx XML API

josh@sparkorange.net · ‎11-02-2017

I am trying to build an integration between Webex and another system. When I post a request formed as specified here:

I am getting the following response:

<serv:message xmlns:serv="http://www.webex.com/schemas/2002/06/service" xmlns:com="http://www.webex.com/schemas/2002/06/common" xmlns:use="http://www.webex.com/schemas/2002/06/service/user">

<serv:header>

<serv:response>

<serv:result>FAILURE</serv:result>

<serv:reason>Authentication Server can't generate a valid session ticket</serv:reason>

<serv:gsbStatus>BACKUP</serv:gsbStatus>

<serv:exceptionID>030048</serv:exceptionID>

<serv:subErrors><serv:subError>

<serv:exceptionID>AS0001</serv:exceptionID>

<serv:reason>authentication service error</serv:reason>

<serv:value></serv:value>

</serv:subError></serv:subErrors>

</serv:response>

</serv:header>

<serv:body><serv:bodyContent/></serv:body>

</serv:message>

All my searching has led me to no avail on how to resolve the error!

Any help is much appreciated!

nmorrow · ‎11-13-2017

Hello,

AuthenticateUser is only used when you are using an alternate authentication method, such as SAML SSO or through the Spark with WebEx platform. If using SAML SSO, you will need to have a valid assertion from your identity provider, in BASE64 encoding. Additionally, your site would need to be configured for IdP initiated SAML because SP initiated requires an InResponseTo value.

If you are not using SSO, you will enter your WebEx username and password in the security context for each API request, as webExID and password.

View solution in original post

Geevarghese Cheria · ‎11-12-2017

Hi Josh,

Apologies for the delay in responding to you. Have moved your question to WebEx Developer community . You may also

mail to webex-meetings-api-dev@cisco.com or check this url -

https://cisco- support.webex.com/Webex_AnonymousSubmitSupportCase

Thanks and Regards,

Geevarghese

nmorrow · ‎11-13-2017

Hello,

AuthenticateUser is only used when you are using an alternate authentication method, such as SAML SSO or through the Spark with WebEx platform. If using SAML SSO, you will need to have a valid assertion from your identity provider, in BASE64 encoding. Additionally, your site would need to be configured for IdP initiated SAML because SP initiated requires an InResponseTo value.

If you are not using SSO, you will enter your WebEx username and password in the security context for each API request, as webExID and password.

josh@sparkorange.net · ‎11-15-2017

Nathan,

Thanks for the information!

The current setup is that we use Active Directory to get SSO into our Webex account. We also have Salesforce which we are looking to integrate into our Webex to send requests to create meetings and handle invitees as well directly from Salesforce.

So the flow would be a user logs into Salesforce and upon a button click or some other action we send a call to Webex to create a meeting. If this is the case would we need to have Salesforce authenticate with Active Directory and then send the response in the request to Webex? Or would Salesforce authenticate with itself and send the response in the request?
I'm just not sure if I know the proper process to get to our end goal.

Again any information is appreciated!

nmorrow · ‎11-15-2017

Hello,

SSO authentication is handled by issuing the SAML assertion inside of the AuthenticateUser request. The assertion is BASE64 encoded and placed inside of the samlResponse element. The protocol element should also be set to SAML2.0. This only works for IdP initiated SSO, as SP initiated will require an InResponseTo value that would not be possible when initiated by the API request. The response to AuthenticateUser contains a sessionTicket that is used instead of password for subsequent requests.

If you are unable to get access to valid SAML assertions, you have 2 options for workaround. Site admin and read-only site admin accounts do maintain a WebEx password for emergency configuration purposes, these accounts can authenticate using username and password when issuing API requests on SSO sites. If you need to authenticate host accounts and are unable to elevate them to read-only admin, you have an option of creating a partner SAML configuration that can be used by your application to authenticate by SAML on any WebEx site (SSO or not) that allows your configuration. Partner SAML is separate from your sites existing SSO and will not affect normal site access. Partner SAML configurations are managed by WebEx via change requests. When you request creation or update of your configuration, you must specify any WebEx site URL's that you need to add to your configurations allowed sites list. Once added, the included sites will have a new Site Admin option to allow the partner SAML configuration to be used to authenticate site admin and/or host accounts. AuthenticateUser is not used in this case, the authentication flow is slightly different and can be discussed if deciding on this method of authentication.

For new Spark with WebEx sites, partner SAML can still be used, but there is an additional and preferred authentication method that can be used exclusively with that product, which can also be discussed as applicable.