System for Cross-domain Identity Management (SCIM)

The integration between users in the directory and Control Hub uses the System for Cross-domain Identity Management (SCIM) API. SCIM is an open standard for automating the exchange of user identity information between identity domains or IT systems. SCIM is designed to make it easier to manage user identities in cloud-based applications and services. SCIM uses a standardized REST API.

Before configuring Webex Control Hub for automatic user provisioning with Azure AD, you need to add Cisco Webex from the Azure AD application gallery to your list of managed applications.


If you already integrated Webex Control Hub with Azure for single sign-on (SSO), Cisco Webex is already added to your enterprise applications and you can skip this procedure.

1. Sign in to the Azure portal at https://portal.azure.com with your administrator credentials.

2. Go to Azure Active Directory for your organization.

3. Go to Enterprise Applications and then click Add.

4. Click Add an application from the gallery.

5. In the search box, type Cisco Webex.

6. In the results pane, select Cisco Webex, and then click Add to add the application.

   A message appears that says the application was added successfully.

7. To make sure that the Webex application you've added for synchronization doesn't show up in the user portal, open the new application, go to Properties, and set Visible to users? to No.

This procedure lets you choose users to synchronize to the Webex cloud.

Azure AD uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups of users that are "assigned" to an application in Azure AD are synchronized to Control Hub.


Webex can synchronize the users in an Azure AD group, but doesn't synchronize the group object itself.

If you are configuring your integration for the first time, we recommend you assign one user for testing, and then add other users and groups after a successful test.

1. Open the Cisco Webex application in the Azure portal, then go to Users and groups.

2. Click Add Assignment.

3. Find the users/groups you want to add to the application:

   • Find individual users to assign to the application.
   • Find a group of users to assign to the application.

4. Click Select and then click Assign.

Repeat these steps until you have all the groups and users you want to synchronize with Webex.

Use this procedure to set up provisioning from Azure AD and obtain a bearer token for your organization. The steps cover necessary and recommended administrative settings.

Before you begin

Get your organization ID from the customer view in Control Hub: click your organization name on the bottom left and then copy the value from Organization ID into a text file. You'll need this value when you enter the tenant URL. We will use this value as an example: a35bfbc6-ccbd-4a17-a488-72gf46c5420c

1. Sign in to the Azure portal and then go to Azure Active Directory > Enterprise applications > All applications.

2. Choose Cisco Webex from your list of enterprise applications.

3. Go to Provisioning, and then change the Provisioning Mode to Automatic.

   The Webex app is created with some default mappings between Azure AD user attributes and Webex user attributes. These attributes are enough to create users, but you can add more as described later in this article.

4. Enter the Tenant URL in this form:

   https://api.ciscospark.com/v1/scim/{OrgId}

   Replace {OrgId} with the organization ID value that you got from Control Hub, so that the tenant URL looks like this: https://api.ciscospark.com/v1/scim/a35bfbc6-ccbd-4a17-a488-72gf46c5420c

5. Follow these steps to get the bearer token value for the Secret Token:

   1. Copy the following URL and run it in an incognito browser tab: https://idbroker.webex.com/idb/oauth2/v1/authorize?response_type=token&client_id=C4ca14fe00b0e51efb414ebd45aa88c1858c3bfb949b2405dba10b0ca4bc37402&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcode&scope=spark%3Apeople_read%20spark%3Apeople_write%20Identity%3ASCIM&state=this-should-be-a-random-string-for-security-purpose.

      An incognito browser is important to make sure you sign in with the correct admin credentials. If you are already signed in as a less privileged user, the bearer token that is returned may not be authorized to create users.

   2. From the Webex sign-in page that appears, sign in with a full admin account for your organization.

      An error page appears saying that the site can't be reached, but this is normal.

      The generated bearer token is included in the error page's URL. This token is valid for 365 days (after which it expires).

   3. From the URL in the browser's address bar, copy the bearer token value from between access_token= and &token_type=Bearer.

      For example, in this URL the token value is shown as the {sample_token} placeholder: http://localhost:3000/auth/code#access_token={sample_token}&token_type=Bearer&expires_in=3887999&state=this-should-be-a-random-string-for-security-purpose

      We recommend that you paste this value into a text file and save it, so that you have a record of the token in case the URL is not available any more.

6. Return to the Azure portal and paste the token value into Secret Token.

7. Click Test Connection to make sure the organization and token are recognized by Azure AD.

   A successful result states that the credentials are authorized to enable user provisioning.

8. Enter a Notification Email and check the box to get email when there are provisioning errors.

9. Click Save.

At this point, you've successfully authorized Azure AD to provision and synchronize Webex users, and completed the steps to set up synchronization.
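The following is an added example (not Cisco's or Microsoft's code) of the token step above in script form: it rebuilds the step-5 authorize URL with a caller-supplied state value, extracts access_token and expires_in from the fragment of the error-page URL while checking that the returned state matches the one sent, and builds the step-4 tenant URL. The redirect URL below is a constructed copy of the article's example with a placeholder token value.

```python
import secrets
from urllib.parse import urlsplit, parse_qs, urlencode, quote

CLIENT_ID = "C4ca14fe00b0e51efb414ebd45aa88c1858c3bfb949b2405dba10b0ca4bc37402"  # from step 5
REDIRECT_URI = "http://localhost:3000/auth/code"
SCOPES = "spark:people_read spark:people_write Identity:SCIM"

# Constructed copy of the step-5 error-page URL; the token value is a placeholder.
SAMPLE_REDIRECT = (
    "http://localhost:3000/auth/code#access_token=SAMPLE_TOKEN_PLACEHOLDER"
    "&token_type=Bearer&expires_in=3887999"
    "&state=this-should-be-a-random-string-for-security-purpose"
)

def new_state() -> str:
    """Unpredictable state value, as the placeholder string in the article suggests."""
    return secrets.token_urlsafe(16)

def build_authorize_url(state: str) -> str:
    """Rebuild the step-5 authorize URL with the caller's own state value."""
    query = urlencode(
        {"response_type": "token", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
         "scope": SCOPES, "state": state},
        quote_via=quote,  # %20 for spaces and %2F for slashes, as in the article's URL
    )
    return f"https://idbroker.webex.com/idb/oauth2/v1/authorize?{query}"

def extract_bearer_token(redirect_url: str, expected_state: str) -> dict:
    """Pull access_token and expires_in out of the URL fragment (the part after '#').

    The browser never sends the fragment to localhost, which is why the page fails
    to load yet the token is still in the address bar. The state echoed back is
    compared with the one we sent so a fragment from another login is rejected.
    """
    params = parse_qs(urlsplit(redirect_url).fragment, strict_parsing=True)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: fragment is not a reply to our authorize request")
    if params.get("token_type", [None])[0] != "Bearer":
        raise ValueError("unexpected token_type")
    return {"token": params["access_token"][0], "expires_in": int(params["expires_in"][0])}

def tenant_url(org_id: str) -> str:
    """Tenant URL from step 4, built from the Control Hub Organization ID."""
    return f"https://api.ciscospark.com/v1/scim/{org_id}"
```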

What to do next

If you want to map additional Azure AD user attributes to Webex attributes, continue to the next section.

For info on making changes to the synchronized organization, see the Manage Synchronized Azure Active Directory Users help article.

Follow this procedure to map additional user attributes from Azure to Webex, or to change existing user attribute mappings.

We recommend that you do not change the default attribute mappings unless absolutely necessary. The value that you map as the username is particularly important. Webex uses the user's email address as their username. By default, we map userPrincipalName (UPN) in Azure AD to email address (username) in Control Hub.

If the userPrincipalName does not map to the email in Control Hub, users are provisioned into Control Hub as new users instead of matching existing users. If you want to use another Azure user attribute that is in email address format instead of UPN, you must change that default mapping in Azure AD from userPrincipalName to the appropriate Azure AD user attribute.

Before you begin

You have added the Cisco Webex app to your Azure Active Directory, configured it, and tested the connection.

You can modify the user attribute mappings before or after you start synchronizing users.

1. Sign in to the Azure portal and then go to Azure Active Directory > Enterprise applications > All applications.

2. Open the Cisco Webex application.

3. Select the Provisioning page, expand the Mappings section, and click Provision Azure Active Directory Users.

4. Check the Show advanced options check box and then click Edit attribute list for CiscoWebEx.

5. Choose the Webex attributes to be populated from Azure user attributes. The attributes and mappings are shown later in this procedure.

6. After selecting the Webex attributes, click Save, and then Yes to confirm.

   The Attribute Mapping page opens, so you can map Azure AD user attributes to the Webex user attributes you chose.

7. Near the bottom of the page, click Add new mapping.

8. Choose Direct mapping. Select the Source attribute (Azure attribute) and the Target attribute (Webex attribute), and then click OK.

   Table 1. Azure to Webex Mappings

   Azure Active Directory Attribute (source)                     Webex User Attribute (target)
   ------------------------------------------------------------  ---------------------------------------
   Attributes Populated by Default
   userPrincipalName                                             userName
   Switch([IsSoftDeleted], , "False", "True", "True", "False")   active
   displayName                                                   displayName
   surname                                                       name.familyName
   givenName                                                     name.givenName
   objectId                                                      externalId

   Additional Available Attributes
   jobTitle                                                      title
   usageLocation                                                 addresses[type eq "work"].country
   city                                                          addresses[type eq "work"].locality
   streetAddress                                                 addresses[type eq "work"].streetAddress
   state                                                         addresses[type eq "work"].region
   postalCode                                                    addresses[type eq "work"].postalCode
   telephoneNumber                                               phoneNumbers[type eq "work"].value
   mobile                                                        phoneNumbers[type eq "mobile"].value
   facsimileTelephoneNumber                                      phoneNumbers[type eq "fax"].value

9. Repeat the previous two steps until you have added or modified all the mappings you need, then click Save and Yes to confirm your new mappings.

   You can Restore default mappings if you want to start again.

Your mappings are done and the Webex users will be created or updated on the next synchronization.
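As an added example (not Cisco's or Microsoft's code), this shows what the Table 1 mappings produce for one user: the Switch() expression that turns IsSoftDeleted into the SCIM active flag, dotted paths such as name.familyName, and filtered multi-valued paths such as phoneNumbers[type eq "mobile"].value, which land in a typed sub-object of the SCIM User resource. The Azure AD user record is constructed, and the mapping list is a subset of the table.

```python
import re
# Constructed sample Azure AD user; values are made up for illustration.
AZURE_USER = {
    "userPrincipalName": "alice@example.com",
    "IsSoftDeleted": "False",
    "surname": "Example",
    "givenName": "Alice",
    "usageLocation": "US",
    "mobile": "+1 555 0101",
}
# Subset of Table 1: Azure source attribute -> Webex (SCIM) target path.
MAPPINGS = {
    "userPrincipalName": "userName",
    "IsSoftDeleted": "active",  # via Switch([IsSoftDeleted], , "False", "True", "True", "False")
    "surname": "name.familyName",
    "givenName": "name.givenName",
    "usageLocation": 'addresses[type eq "work"].country',
    "mobile": 'phoneNumbers[type eq "mobile"].value',
}
FILTERED_PATH = re.compile(r'^(\w+)\[type eq "(\w+)"\]\.(\w+)$')

def set_path(doc: dict, path: str, value) -> None:
    """Write value at a SCIM path: plain 'a.b' or filtered 'multi[type eq "x"].sub'."""
    m = FILTERED_PATH.match(path)
    if m:  # find or create the sub-object of that type inside the multi-valued attribute
        attr, typ, sub = m.groups()
        entries = doc.setdefault(attr, [])
        entry = next((e for e in entries if e.get("type") == typ), None)
        if entry is None:
            entry = {"type": typ}
            entries.append(entry)
        entry[sub] = value
        return
    *parents, leaf = path.split(".")
    node = doc
    for p in parents:
        node = node.setdefault(p, {})
    node[leaf] = value

def to_scim_user(azure_user: dict) -> dict:
    """Apply the mappings to one Azure AD user and return the SCIM User resource."""
    user = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for src, target in MAPPINGS.items():
        if src in azure_user:
            value = azure_user[src]
            if target == "active":  # Switch(): soft-deleted "True" -> inactive, "False" -> active
                value = value == "False"
            set_path(user, target, value)
    return user
```

A user whose userPrincipalName is not the address already in Control Hub produces a userName that matches nothing, which is the duplicate-user case the text above warns about.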