If you are using the SAML SSO certificate in your Cisco Webex organization, you must plan to update the cloud certificate during a regular scheduled maintenance window as soon as possible.

All services that are part of your Cisco Webex organization subscription are affected, including but not limited to:

  • Cisco Webex services in Cisco Webex Control Hub, including Calling

  • Cisco Webex Meetings managed through Cisco Webex Control Hub

  • Cisco Jabber if it's integrated with Single Sign-On

Before you begin

Please read all directions before beginning. After you change the certificate or going through the wizard to update the certificate, new users may not be able to sign in successfully.

If your IdP does not support multiple certificates (most IdPs in the market do not support this feature), we also recommend that you schedule this upgrade during a maintenance window where Cisco Webex users are not affected.

Scheduled Maintenance Not Needed
If you are using one of the following IdP products that use multiple certificates, you may be able to proceed without the scheduled maintenance window:
  • ADFS 2.0 or later

  • Ping Identity Federation

  • ForgeRock OpenAM 12.0 or later

Certificate Update Needed Under Certain Conditions

If you are using any of the following features, you must update the IdP with the new Cisco Webex cloud certificate:

  • Signing AuthN Requests

  • Signing SLO Request

  • Encrypt Assertion Response to SP

Certificate Update Not Needed

If you use Google G Suite, OKTA, or Microsoft Azure, but are not using any of the features listed above, you do not need to update the IdP with the new Cisco Webex cloud certificate.


To check if the Webex SSO certificate is going to expire:

  • You may have received an email from us, but you should check in Control Hub to be certain.
  • Sign in to https://admin.webex.com, and check your notifications (click the bell icon). There may be a notification about updating the SSO certificate:

    A screenshot of the notifications panel in Control Hub, showing that the SSO certificate will expire
  • Sign in to https://admin.webex.com, go to Organization Settings > Authentication.Screenshot of Control Hub Authentication controls, showing that certificate expires on March 7, 2021

Go to Organization Settings > Authentication and click Renew to launch the certificate update wizard.

If you decide to exit the wizard before you complete it, you can access it again from Organization Settings in https://admin.webex.com.


Choose the first radio button if any of these features apply to your Identity Provider (IdP), and then click Next :

  • Signing AuthN Requests
  • Signing SLO Request
  • Encrypt Assertion Response to SP
Things to Keep in Mind
  • ADFS—Certificate expiration may be monitored and sign-in may be stopped at the IdP if the certificate is not upgraded within 30 days of expiration. If you're using any of the three features above, upgrade the certificate as soon as possible.

  • Shibboleth—SLO is not supported. If you're using any of the other two features above, upgrade the certificate as soon as possible.


If you are unsure whether you are using any of the features, we recommend updating your IdP configuration with the new Cisco Webex certificate so that that there is no interruption of service.

If you are sure you're not using any of the above services, choose None of these apply to my IdP , and then click Submit .


Choose the type of IdP that your organization uses and then click Next :

  • IdP that supports multiple certificates
  • IdP that supports a single certificate


If your IdP supports a single certificate, we recommend that you wait to perform these steps during scheduled downtime. While the Cisco Webex certificate is being updated, new user sign-ins briefly won't work; existing sign-ins are preserved.


Click Download Metadata File to download a copy of the updated metadata with the new certificate from the Cisco Webex cloud. Keep this screen open.


In a new browser tab or window, navigate to your IdP management interface to upload the new Webex metadata file:


Return to the tab where you signed in to Cisco Webex Control Hub and click Next .


Click Test SSO Update to confirm that the new metadata file was uploaded and interpreted correctly by your IdP. Confirm the expected results in the pop-up window, and if the test was successful, click Switch to new metadata .