SSO with multiple IdPs in Webex

Single sign-on (SSO) enables users to sign in to Webex securely by authenticating to your organization's common identity provider. An identity provider (IdP) securely stores and manages your users’ digital identities and provides the user authentication service for your Webex users.

Why you might need multiple IdPs

Many big companies undergo mergers and acquisitions, and these companies rarely have the same IT infrastructure and identity providers. Government institutions have various organizations and agencies under them. Often, these organizations have a single email address for their own IT departments and infrastructure, respectively. Major educational institutions have a central purchasing department, but different universities and colleges with different IT organizations and departments.

It’s common to see IdPs and service providers (SPs) federate with each other. The IdP is responsible for authenticating your users’ credentials and the SP trusts the authentication made by the IdP. This allows your users to access various SaaS applications and services using the same digital identity. But, if for some reason your organization can’t federate between the IdPs, then Webex provides a workaround to support multiple IdPs. For these reasons, we’re giving you the option to configure SSO for multiple IdPs in Webex and simplify your users’ authentication process.

Limitations

This feature is only available if you have purchased Webex Extended Security Pack.

All users must be provisioned with Directory Connector if you're using Directory Connector in your organization. Refer to the Directory Connector deployment guide for more information.

We currently support only SAML, OpenID Connect, and Webex Identity as identity providers.

Out of scope

Configure group assignments.

Domain verification. Refer to Manage your domains for more information.

User provisioning. Refer to Ways to add users to your Control Hub organization for more information.

This section covers how you can integrate your identity providers (IdP) with your Webex organization. You can choose the IdPs that best fit your organization's requirements.

If you're looking for SSO integration of a Webex Meetings site (managed in Site Administration), then refer to Configure Single Sign-On for Webex Administration.

Prerequisites

Before you begin

Ensure that the following conditions are met:

You must have Webex Extended Security Pack to configure SSO with multiple IdPs in Control Hub.

You must have a Full Admin role in Control Hub.

A metadata file from the IdP to give to Webex and a metadata file from Webex, to give to the IdP. For more information, refer to Single Sign-On Integration in Control Hub. This is only applicable to the SAML configuration.

You should plan your routing rules behavior before setting up multiple IdPs.

The default routing rule is applied once you configure your initial IdP. But you can set another IdP as the default. Refer to Add or edit routing rule in the Routing rules tab in this article.

Configure SAML

From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Activate SSO to start the configuration wizard.

Select SAML as your IdP and click Next.

Choose the certificate type:

Self-signed by Cisco—We recommend this choice. Let us sign the certificate so you only need to renew it once every five years.
Signed by a public certificate authority—More secure, but you'll need to frequently update the metadata (unless your IdP vendor supports trust anchors).

Trust anchors are public keys that act as an authority to verify a digital signature's certificate. For more information, refer to your IdP documentation.

Click Download metadata and click Next.

The Webex App metadata filename is idb-meta-<org-ID>-SP.xml.

Upload your IdPs metadata file or fill out the configuration form.

When uploading the metadata file, there are two ways to validate the metadata from the Customer IdP:

Customer IdP provides a signature in the metadata that is signed by a Public Root CA.

Customer IdP provides a self-signed private CA or doesn’t provide a signature for their metadata. This option is less secure.

Else, in the configuration form, enter the IdP information.

Click Next.

(Optional) Configure the Just In Time (JIT) settings and SAML mapping response.

Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.

Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

Return to the Control Hub browser tab.

If the test was successful, select Successful test. Activate SSO and IdP and click Activate.

If the test was unsuccessful, select Unsuccessful test. Go back to previous steps to fix errors.

The SSO configuration does not take effect in your organization unless you choose the first radio button and activate SSO.

What to do next

You can set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article.

You can follow the procedure in Suppress Automated Emails to disable emails sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.

Configure OpenID Connect

From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Activate SSO to start the configuration wizard.

Select OpenID Connect as your IdP and click Next.

Enter your IdP information.

Name—The name to identify your IdP.

Client ID—The unique ID to identify you and your IdP.

Client Secret—The password that you and your IdP know.

Scopes—The scopes to be associated with your IdP.

Choose how to add endpoints. This can be done automatically or manually.

Use the discovery URL—Enter the configuration URL for your IdP.
Manually add endpoints information—Enter the following details.
- Issuer
- Authorization endpoint
- Token endpoint
- JWKS endpoint
- Userinfo endpoint
For more information, refer to the OpenID Connect configuration guide.

(Optional) Configure the Just In Time (JIT) settings.

Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.

Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

Return to the Control Hub browser tab.

If the test was successful, select Successful test. Activate SSO and IdP and click Activate.

If the test was unsuccessful, select Unsuccessful test. Go back to previous steps to fix errors.

The SSO configuration doesn’t take effect in your organization unless you choose the first radio button and activate SSO.

What to do next

You can set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article.

Configure Webex Identity

1	From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Activate SSO to start the configuration wizard.
2	Select Webex as your IdP and click Next.
3	Check I've read and understood how Webex IdP works and click Next.
4	Set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article.

Once you've added a routing rule, your IdP is added and is shown under the Identity provider tab.

What to do next

You can follow the procedure in Suppress Automated Emails to disable emails that are sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.

Routing rules are applicable when setting up more than one IdP. Routing rules enable Webex to identify which IdP to send your users to when you have configured multiple IdPs.

When setting up more than one IdP, you can define your routing rules in the SSO configuration wizard. If you skip the routing rule step, then Control Hub adds the IdP but doesn’t activate the IdP. You must add a routing rule to activate the IdP.

Add or edit routing rules

From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.

Go to the Routing rules tab.

When configuring your first IdP, the routing rule is automatically added and is set as the Default rule. You can choose another IdP to set as the default rule later.

Click Add new routing rule.

Enter the details for a new rule:

Rule name—Enter the name for the routing rule.

Select a routing type—Select domain or group.

If these are your domains/groups—Enter the domains/groups within your organization.

Then use this identity provider—Select the IdP.

Click Add.

Select the new routing rule and click Activate.

You can change the routing rule priority order if you have routing rules for multiple IdPs.

Deactivate or delete routing rules

1	From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.
2	Go to the Routing rules tab.
3	Select the routing rule.
4	Choose if you want to Deactivate or Delete the routing rule. It’s recommended that you have another active routing rule for the IdP. Otherwise, you may run into problems with your SSO login.

The Default rule can’t be deactivated or deleted, but you can modify the routed IdP.

Manage your Identity Provider (IdP) certificates

Before you begin

From time to time, you may receive an email notification or see an alert in Control Hub that the IdP certificate is going to expire. Because IdP vendors have their own specific documentation for certificate renewal, we cover what's required in Control Hub, along with generic steps to retrieve updated IdP metadata and upload it to Control Hub to renew the certificate.

This is only applicable to the SAML configuration.

From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.

Go to the Identity provider tab.

Go to the IdP, click upload and select Upload Idp metadata.

To download the metadata file, click

and select Download Idp metadata.

Navigate to your IdP management interface to retrieve the new metadata file.

Return to Control Hub and drag and drop your IdP metadata file into the upload area or click Choose a file to upload the metadata.

Choose Less secure (self-signed) or More secure (signed by a public CA), depending on how your IdP metadata is signed and click Save.

Configure the Just In Time (JIT) settings and SAML mapping response.

Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.

Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

Click Save.

Manage your Service Provider (SP) certificates

Before you begin

It is recommended that you update all your IdPs in your organization when renewing your SP certificate.

This is only applicable to the SAML configuration.

From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.

Go to the Identity provider tab.

Go to the IdP and click .

Click Review certificates and expiry date.

This take you to the Service Provider (SP) certificates window.

Click Renew certificate.

Choose the type of IdP in your organization:

An IdP that supports multiple certificates
An IdP that supports a single certificate

Choose the certificate type for the renewal:

Self-signed by Cisco—We recommend this choice. Let us sign the certificate so you only need to renew it once every five years.
Signed by a public certificate authority—More secure but you'll need to frequently update the metadata (unless your IdP vendor supports trust anchors).

Trust anchors are public keys that act as an authority to verify a digital signature's certificate. For more information, refer to your IdP documentation.

Click Download metadata or Download certificate to download a copy of the updated metadata file or certificate from the Webex cloud.

Navigate to your IdP management interface to upload the new Webex metadata file or certificate.

This step may be done through a browser tab, remote desktop protocol (RDP), or through specific cloud provider support, depending on your IdP setup and whether you or a separate IdP admin are responsible for this step.

For more information, see our SSO integration guides or contact your IdP admin for support. If you're on Active Directory Federation Services (AD FS), you can see how to update Webex Metadata in AD FS

Return to the Control Hub interface and click Next.

Select Successfully updated all the IdPs and click Next.

This uploads the SP metadata file or certificate to all IdPs in your organization.

Click Finish renewal.

Test your SSO setup

Before you begin

From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.

Go to the Identity provider tab.

Go to the IdP and click .

Select Test IdP.

Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

Return to the Control Hub browser tab.

If the test was successful, select Successful test. Activate SSO and IdP and click Save.

If the test was unsuccessful, select Unsuccessful test. Go back to previous steps to fix errors.

The SSO configuration does not take effect in your organization unless you choose first radio button and activate SSO.

Configure Just In Time (JIT) and SAML mapping

Before you begin

Ensure that the following preconditions are met:

SSO is already configured.
The domains have already been verified.
The domains are claimed and turned on. This feature ensures users from your domain are created and updated once each time they authenticate with your IdP.
If DirSync or Azure AD are enabled, then SAML JIT create or update won’t work.
"Block user profile update" is enabled. SAML Update Mapping is allowed because this configuration controls the user’s ability to edit the attributes. Admin-controlled methods of creation and update are still supported.

When setting up SAML JIT with Azure AD or an IdP where the email isn’t a permanent identifier, we recommend you use the externalId linking attribute to map to a Unique Identifier. If we find that the email doesn’t match the linking attribute, the user is prompted to verify their identity or create a new user with the correct email address.

Newly created users won't automatically get assigned licenses unless the organization has an automatic license template set up.

From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.

Go to the Identity provider tab.

Go to the IdP and click .

Select Edit SAML mapping.

Configure Just-in-Time (JIT) settings.

Create or activate user: if no active user is found, then Webex Identity creates the user and update the attributes after the user has authenticated with the IdP.
Update user with SAML attributes: if a user with email address is found, then Webex Identity updates the user with the attributes mapped in the SAML Assertion.

Confirm users can sign in with a different, unidentifiable email address.

Configure SAML mapping required attributes.

Table 1. Required attributes
Webex Identity attribute name	SAML attribute name	Attribute description
Username / Primary email address	Example: uid	Map the UID attribute to the provisioned user's email, upn, or edupersonprincipalname.

Configure the Linking attributes.

This should be unique to the user. It is used to lookup a user so that Webex can update all profile attributes, including email for a user.

Table 2. Linking attributes
Webex Identity attribute name	SAML attribute name	Attribute description
externalId	Example: user.objectid	To identify this user from other individual profiles. This is necessary when mapping between directories or changing other profile attributes.
employeenumber	Example: user.employeeid	The user's employee number, or an identification number within their HR system. Note that this isn't for `externalid`, because you can reuse or recycle `employeenumber` for other users.
Extension Attribute 1	Example: user.extensionattribute1	Map these custom attributes to extended attributes in Active Directory, Azure, or your directory, for tracking codes.
Extension Attribute 2	Example: user.extensionattribute2
Extension Attribute 3	Example: user.extensionattribute3
Extension Attribute 4	Example: user.extensionlattribute4
Extension Attribute 5	Example: user.extensionattribute5

Configure Profile attributes.

Table 3. Profile attributes
Webex Identity attribute name	SAML attribute name	Attribute description
externalId	Example: user.objectid	To identify this user from other individual profiles. This is necessary when mapping between directories or changing other profile attributes.
employeenumber	Example: user.employeeid	This user's employee number, or an identification number within their HR system. Note that this isn't for "externalid," because you can re-use or recycle "employeenumber" for other users.
preferredLanguage	Example: user.preferredlanguage	The user's preferred language.
locale	Example: user.locale	The user's primary work location.
timezone	Example: user.timezone	The user's primary time zone.
displayName	Example: user.displayname	The user's display name in Webex.
name.givenName	Example: user.givenname	The user's first name.
name.familyName	Example: user.surname	The user's last name.
addresses.streetAddress	Example: user.streetaddress	The street address of their primary work location.
addresses.state	Example: user.state	The state of their primary work location.
addresses.region	Example: user.region	The region of their primary work location.
addresses.postalCode	Example: user.postalcode	The zip code of their primary work location.
addresses.country	Example: user.country	The country of their primary work location.
phoneNumbers.work	Example: work phonenumber	The work phone number of their primary work location. Use the international E.164 format only (15 digits maximum).
phoneNumbers.extension	Example: mobile phonenumber	The work extension of their primary work phone number. Use the international E.164 format only (15 digits maximum).
pronoun	Example: user.pronoun	The user's pronouns. This is an optional attribute, and the user or admin can make it visible on their profile.
title	Example: user.jobtitle	The user's job title.
department	Example: user.department	The user's job department or team.
pronoun	Example: user.pronoun	This is the pronoun of the user. The visibility of this attribute is controlled by the Admin and the user
manager	Example: manager	The user's manager or their team lead.
costcenter	Example: cost center	This is the last name of the user also known as surname or familyname
email.alternate1	Example: user.mailnickname	An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.
email.alternate2	Example: user.primaryauthoritativemail	An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.
email.alternate3	Example: user.alternativeauthoritativemail	An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.
email.alternate4	Example: user.othermail	An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.
email.alternate5	Example: user.othermail	An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.

Configure Extension attributes.

Map these attributes to extended attributes in Active Directory, Azure, or your directory, for tracking codes.

Table 4. Extension attributes
Webex Identity attribute name	SAML attribute name
Extension Attribute 1	Example: user.extensionattribute1
Extension Attribute 2	Example: user.extensionattribute2
Extension Attribute 3	Example: user.extensionattribute3
Extension Attribute 4	Example: user.extensionattribute4
Extension Attribute 5	Example: user.extensionattribute5
Extension Attribute 6	Example: user.extensionattribute6
Extension Attribute 7	Example: user.extensionattribute7
Extension Attribute 8	Example: user.extensionattribute8
Extension Attribute 9	Example: user.extensionattribute9
Extension Attribute 10	Example: user.extensionattribute10

Configure Group attributes.

Create a group in Control Hub and note the Webex group ID.
Go to your user directory or IdP and set up an attribute for users who will be assigned to the Webex group ID.
Update your IdP's configuration to include a claim that carries this attribute name along with the Webex Group ID (e.g. c65f7d85-b691-42b8-a20b-12345xxxx). You can also use the External ID for managing changes to group names or for future integration scenarios. For example, syncing with Azure AD or implementing SCIM group synchronization.
Specify the exact name of the attribute that will be sent in the SAML Assertion with the group ID. This is used to add the user to a group.
Specify the exact name of the external ID of the group object if you are using a group from your directory to send members in the SAML Assertion.

If user A is associated with groupID 1234 and user B with groupID 4567, they are assigned to separate groups. This scenario indicates that a single attribute allows users to associate with multiple group IDs. While this is uncommon, it is possible and can be considered as an additive change. For example, if user A initially signs in using groupID 1234, they become a member of the corresponding group. If user A later signs in using groupID 4567, they are also added to this second group.

SAML JIT provisioning does not support the removal of users from groups or any deletion of users.

Table 5. Group attributes
Webex Identity attribute name	SAML attribute name	Attribute description
groupId	Example: groupId	Map group attributes from IdP to Webex Identity group Attributes for the purpose of mapping that user to a group for licensing or the setting service.
groupexternalId	Example: groupexternalId	Map group attributes from IdP to Webex Identity group Attributes for the purpose of mapping that user to a group for licensing or the setting service.

For a list of SAML assertion attributes for Webex Meetings, see https://help.webex.com/article/WBX67566.

Delete your Identity Provider (IdP)

Before you begin

It's recommended that you first deactivate or delete the IdP’s routing rules before deleting the IdP.

1	From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.
2	Go to the Identity provider tab.
3	Go to the IdP and click .
4	Select Delete.

1	From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.
2	Go to the Identity provider tab.
3	Click Deactivate SSO. Confirm SSO deactivation.

Once confirmed, SSO is deactivated for all IdPs in your organization.

You'll receive alerts in Control Hub before certificates are set to expire, but you can also proactively set up alert rules. These rules let you know in advance that your SP or IdP certificates are going to expire. We can send these to you through email, a space in the Webex App, or both.

Regardless of the delivery channel configured, all alerts always appear in Control Hub. See Alerts center in Control Hub for more information.

From the customer view in https://admin.webex.com, go to Alerts center.

Choose Manage then All rules.

From the Rules list, choose any of the SSO rules that you'd like to create:

SSO IDP Certificate expiry
SSO SP Certificate expiry

In the Delivery channel section, check the box for Email, Webex space, or both.

If you choose Email, enter the email address that should receive the notification.

If you choose the Webex space option, you're automatically added to a space inside of the Webex App and we deliver the notifications there.

Save your changes.

What to do next

We send certificate expiry alerts once every 15 days, starting 60 days before expiry. (You can expect alerts on day 60, 45, 30, and 15.) Alerts stop when you renew the certificate.

If you run into problems with your SSO login, you can use the SSO self recovery option to get access to your Webex organization managed in Control Hub. The self recovery option allows you to update or disable SSO in Control Hub.