WebEx has a feature which allows user accounts to be automatically created for users who are authenticating via SAML. Automatic WebEx account creation is possible both via the institution's IdP and via the MEETS platform.
Option #1: Automatic Account creation via the institution's IdP only (not using MEETS for Auto-Account creation)
If your institution's IdP is setup to handle auto-account creation for WebEx, teachers will be able to use their WebEx accounts in MEETS without any additional configurations.
This assumes, however, that:
- The teacher has first logged into WebEx using the institution's IdP, prior to using MEETS. Else, the teacher will not have an account created for them by the IdP before attempting to use it in MEETS.
- The teacher's email stored in the LMS matches the email stored in the institution's directory service. This is required as WebEx will attempt to identify the teacher using his email when accessing MEETS, so these two fields need to match in order to properly identify the teacher with the teacher's WebEx account created by the IdP (which used the user's credentials stored in the institution's directory service to create the teacher's WebEx account).
- The teacher's user ID in the SAML Assertion sent by the IdP is up to 64 characters in length, and only contains letters, numbers, dashes, underscores, periods, and the @ symbol. WebEx does not allow user IDs longer than 64 characters, or which contain other symbols. Failing to meet these requirements will result in WebEx not creating an account for this teacher.
To summarize, the main drawback of not using MEETS for Auto-Account creation alongside you institution's IdP, is that teachers logging into the LMS without first logging into WebEx using the institution's IdP will not have an active WebEx account. As such, they will not be able to use MEETS prior to logging into WebEx using the institution's IdP.
Note: If you choose to only have your institution's IdP handle auto-account creation for WebEx (and not use MEETS' Auto-Account creation feature), make sure to turn Automatic Host Provisioning off in the MEETS Admin Panel, in order to ensure that MEETS will not attempt to auto-create WebEx accounts for your users as well.
Option #2: Enabling Automatic Account creation via MEETS (alongside Auto-Account creation with your institution's IdP)
If you choose, you can configure MEETS to auto-create WebEx accounts for your users. If enabled, MEETS will automatically create a WebEx account with the services of your choice (Meeting Center, Training Center, Event Center) for teachers without an existing WebEx account - when they first access MEETS.
In order to allow a teacher to access his newly created WebEx account outside MEETS, we will need to ensure that the teacher's credentials in the institution's directory service (as passed onto WebEx via the institution's IdP) match the teacher's credentials which were used by MEETS when creating his WebEx account.
This is achieved by:
- Ensuring that the email addresses assigned to users in the LMS, is identical to the email addresses assigned to users in the institution's directory service
- Setting the NameID Format in your idP's SAML Assertions to Email Address (urn:oasis:names:tc:SAML:1.1:nameidformat:emailAddress). When a user attempts to log into WebEx via an IdP, they will bear a SAML assertion which allows WebEx to identify the user. The key parameter for identifying the user is the variable "NameID", which is contained in the SAML assertion. By setting the NameID Format to Email Address, WebEx will correctly match the teacher's email address stored in the directory service with the email address stored in the LMS and allow the teacher to access his WebEx account.
- When auto-creating a WebEx account for a teacher, MEETS will assign the WebEx user ID as "MEETS_AUTOGEN_" followed by a hexadecimal encoding of the user's ID number as it exists internally to MEETS. This will not affect the teacher's ability to access his WebEx account, as above, a teacher can still login to WebEx via the institution's IdP, which will identify the teacher using his email address. This user ID is merely a generic identifier used by MEETS when creating WebEx accounts. WebEx will never prompt a user for this information.
- If preferred, when auto-creating WebEx accounts, MEETS can assign the WebEx user ID as the teacher's email. As above, this will not have any effect on the teacher's ability to log into WebEx outside MEETS using the institution's IdP, and only affects the way WebEx accounts appear for Administrators. In this case as well, setting the NameID Format in your idP's SAML Assertions to Email Address is required, as WebEx will still identify a teacher using his email address, as explained above.
- Alternatively, if an institution prefers to use a NameID Format other than Email Address in its IdP's SAML Assertions, please contact CirQlive Tech Support firstname.lastname@example.org or your CirQlive account executive to adjust MEETS auto-account creation settings to your institution's requirements.
To summarize, you can choose to enable WebEx Automatic Account creation via MEETS as well as having Auto-Account creation enabled with your institution's IdP. In this case, teachers logging into WebEx directly using your institution's IdP, will have a WebEx account created for them (by the institution's IdP. The teacher will be able to use this account when logging into MEETS in the LMS. If a teacher logs into MEETS before first logging into WebEx directly, MEETS will create a WebEx account for him, which he can start using immediately in MEETS. When later logging into WebEx using the institution's IdP, WebEx will match this teacher with his WebEx account (created by MEETS), and allow him to use this account outside of MEETS as well.
If you choose to enable auto-account creation for WebEx with MEETS, make sure to turn Automatic Host Provisioning on in the MEETS Admin Panel.
To configure automatic host provisioning:
To to the "Conferencing Accounts" tab in your MEETS admin panel.