From time to time, you may receive an email notification or see a notification in Control Hub that the Cisco Webex single sign-on (SSO) certificate is going to expire. Follow the process in this article to update the SSO cloud certificate metadata in your IdP; otherwise, users won't be able to use Webex services.
If you are using the SAML SSO certificate in your Cisco Webex organization, you must plan to update the cloud certificate during a regularly scheduled maintenance window as soon as possible.
All services that are part of your Cisco Webex organization subscription are affected, including but not limited to:
Cisco Webex services in Cisco Webex Control Hub, including Calling
Cisco Webex Meetings managed through Cisco Webex Control Hub
Cisco Jabber if it's integrated with Single Sign-On
Before you begin
Please read all directions before beginning. After you change the certificate or go through the wizard to update the certificate, new users may not be able to sign in successfully.
If your IdP does not support multiple certificates (most IdPs in the market do not support this feature), we also recommend that you schedule this upgrade during a maintenance window where Cisco Webex users are not affected.
- Scheduled Maintenance Not Needed
If you are using one of the following IdP products that use multiple certificates, you may be able to proceed without the scheduled maintenance window:
ADFS 2.0 or later
Ping Identity Federation
ForgeRock OpenAM 12.0 or later
- Certificate Update Needed Under Certain Conditions
If you are using any of the following features, you must update the IdP with the new Cisco Webex cloud certificate:
Signing AuthN Requests
Signing SLO Request
Encrypt Assertion Response to SP
- Certificate Update Not Needed
If you use Google G Suite, OKTA, or Microsoft Azure, but are not using any of the features listed above, you do not need to update the IdP with the new Cisco Webex cloud certificate.
To check if the Webex SSO certificate is going to expire:
Click Renew to launch the certificate update wizard.
If you decide to exit the wizard before you complete it, you can access it again from Organization Settings in https://admin.webex.com.
Choose the first radio button if any of these features apply to your Identity Provider (IdP), and then click Next:
Things to Keep in Mind
If you are sure you're not using any of the above services, choose None of these apply to my IdP, and then click Submit.
Choose the type of IdP that your organization uses and then click Next:
Click Download Metadata File to download a copy of the updated metadata with the new certificate from the Cisco Webex cloud. Keep this screen open.
In a new browser tab or window, navigate to your IdP management interface to upload the new Webex metadata file:
Return to the tab where you signed in to Cisco Webex Control Hub and click Next.
Click Test SSO Update to confirm that the new metadata file was uploaded and interpreted correctly by your IdP. Confirm the expected results in the pop-up window, and if the test was successful, click Switch to new metadata.
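Before uploading the downloaded metadata file to the IdP, you can confirm that it really carries a different certificate for signing and encryption than the file currently loaded, and record the fingerprints to compare with what the IdP shows after import. The following is an added example, not Cisco's code: it assumes the standard SAML 2.0 SP metadata layout, the function names are hypothetical, and the sample metadata uses constructed placeholder bytes in place of real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def sp_cert_fingerprints(metadata_xml):
    """Map each KeyDescriptor use to the SHA-256 fingerprints of its certificates."""
    root = ET.fromstring(metadata_xml)  # input is the admin's own download
    result = {}
    for kd in root.findall(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        # SAML metadata: a KeyDescriptor with no "use" serves both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprint = hashlib.sha256(der).hexdigest()
            for use in uses:
                result.setdefault(use, []).append(fingerprint)
    return result

def changed_uses(old_xml, new_xml):
    """Return the key uses whose certificate set differs between two files."""
    old, new = sp_cert_fingerprints(old_xml), sp_cert_fingerprints(new_xml)
    return sorted(u for u in set(old) | set(new)
                  if set(old.get(u, [])) != set(new.get(u, [])))

def sample_metadata(cert_der):
    """Constructed SP metadata; cert_der is placeholder bytes, not a real cert."""
    b64 = base64.b64encode(cert_der).decode()
    keys = "".join(
        f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for use in ("signing", "encryption"))
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            'entityID="https://sp.example.invalid"><md:SPSSODescriptor '
            'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{keys}</md:SPSSODescriptor></md:EntityDescriptor>")

OLD = sample_metadata(b"constructed-expiring-cert")  # file the IdP has today
NEW = sample_metadata(b"constructed-renewed-cert")   # file just downloaded

if __name__ == "__main__":
    for use, prints in sp_cert_fingerprints(NEW).items():
        print(use, prints)
    print("uses with a changed certificate:", changed_uses(OLD, NEW))
```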