Webex for Cisco BroadWorks Reference
UC-One SaaS Comparison with Webex for Cisco BroadWorks
| Solution | UC-One SaaS | Webex for Cisco BroadWorks |
|---|---|---|
| Cloud | Cisco UC-One Cloud (GCP) | Webex Cloud (AWS) |
| Clients | UC-One: Mobile, Desktop Receptionist, Supervisor | Webex: Mobile, Desktop, Web |
| Major Technology Difference | Meetings delivered on Broadsoft Meet Technology | Meetings delivered on Webex Meetings Technology |
| Early Field Trials | Staging environment, Beta clients | Production environment, GA clients |
| User identity | BroadWorks ID served as primary ID, unless Service Provider has SSO Integration already. User ID and secret in BroadWorks. | Email ID in Cisco CI serves as primary ID. SSO integration into Service Provider BroadWorks where User will authenticate with BroadWorks User ID and BroadWorks secret at time. User supplies credentials via SSO with BroadWorks and secret in BroadWorks OR User ID and secret in CI IdP OR User ID in CI, ID and secrets in IdP. |
| Client authentication | Users supply credentials through client. BroadWorks long-lived tokens required if using Webex messaging. | Users supply credentials via browser (either login page from Webex BIdP proxy or CI). Webex access and refresh tokens. |
| Management / configuration | Your OSS/BSS systems and Reseller portal | Your OSS/BSS systems and Control Hub |
| Partner/Service Provider activation | One time setup by Cisco Operations | One time setup by Cisco Operations |
| Customer/enterprise activation | Reseller portal | Control Hub. Auto-created upon first user enrollment. |
| User activation options | Self-enrolled. Set external IM&P in BroadWorks. | Set Integrated IM&P in BroadWorks (typically enterprises) |
| XSP service interfaces | XSI-Actions, XSI-Events, CTI (mTLS), AuthService (mTLS optional), DMS | XSI-Actions, XSI-Actions (mTLS), XSI-Events, CTI (mTLS), AuthService (TLS), DMS |
Install Webex and Sign In (Subscriber Perspective)
1. Download and install Webex. For details, see Webex | Download the App.
2. Run Webex. Webex prompts you for your email address.
3. Enter your email address and click Next.
4. One of the following happens, depending on the way your organization is configured in Webex:
Webex loads after you successfully authenticate against the IdP or BroadWorks.
Data Exchange and Storage
These sections provide detail on data exchange and storage with Webex. All data is encrypted both in transit and at rest. For additional details, see Webex App Security.
Service Provider Onboarding
When you configure clusters and user templates in Webex Control Hub during Service Provider onboarding, you exchange the following BroadWorks data which Webex stores:
- Xsi-Actions URL
- Xsi-Events URL
- CTI interface URL
- Authentication service URL
- BroadWorks Provisioning Adaptor credentials
Service Provider User Provisioning
This table lists user and enterprise data that is exchanged as part of user provisioning through the Webex APIs.
| Data Moving to Webex | From | Through | Stored by Webex? |
|---|---|---|---|
| BroadWorks UserID | BroadWorks, by API | Webex APIs | Yes |
| Email (if SP Provided) | BroadWorks, by API | Webex APIs | Yes |
| Email (if User Provided) | User | User Activation Portal | Yes |
| First name | BroadWorks, by API | Webex APIs | Yes |
| Last name | BroadWorks, by API | Webex APIs | Yes |
| Primary Phone Number | BroadWorks, by API | Webex APIs | Yes |
| Mobile Phone Number | BroadWorks, by API | Webex APIs | Yes |
| Primary Extension | BroadWorks, by API | Webex APIs | Yes |
| BroadWorks Service Provider ID & Group ID | BroadWorks, by API | Webex APIs | Yes |
| Language | BroadWorks, by API | Webex APIs | Yes |
| Time zone | BroadWorks, by API | Webex APIs | Yes |
User Removal
Webex for Cisco BroadWorks APIs support both partial and full user removal. This table lists all user data that is stored during provisioning and what is deleted in each scenario.
| User Data | Partial Deletion | Full Deletion |
|---|---|---|
| BroadWorks UserID | Yes | Yes |
|  | No | Yes |
| First name | No | Yes |
| Last name | No | Yes |
| Primary Phone Number | Yes | Yes |
| Mobile Phone Number | Yes | Yes |
| Extension | Yes | Yes |
| BroadWorks Service Provider ID & Group ID | Yes | Yes |
| Language | No | Yes |
User Login and Configuration Retrieval
Webex Authentication
Webex authentication refers to user sign-in to a Webex app by any of the Webex-supported authentication mechanisms. (BroadWorks authentication is covered separately.) This table illustrates the type of data exchanged between the different components in the authentication flow.
| Data Moving | From | To |
|---|---|---|
| Email address | User through Webex app | Webex |
| Limited access token and (independent) IdP URL | Webex | User browser |
| User credentials | User browser | Identity provider (which already has user identity) |
| SAML assertion | User browser | Webex |
| Authentication code | Webex | User browser |
| Authentication code | User browser | Webex |
| Access and Refresh tokens | Webex | User browser |
| Access and Refresh tokens | User browser | Webex app |
BroadWorks Authentication
BroadWorks authentication refers to user sign-in to a Webex app using their BroadWorks credentials. This table illustrates the type of data exchanged between the different components on the authentication flow.
| Data Moving | From | To |
|---|---|---|
| Email address | User through Webex app | Webex |
| Limited access token and (Webex Bwks IdP proxy) IdP URL | Webex | User browser |
| Branding information and BroadWorks URLs | Webex | User browser |
| BroadWorks user credentials | User through browser (branded sign-in page served by Webex) | Webex |
| BroadWorks user credentials | Webex | BroadWorks |
| BroadWorks user profile | BroadWorks | Webex |
| SAML assertion | User browser | Webex |
| Authentication code | Webex | User browser |
| Authentication code | User browser | Webex |
| Access and Refresh tokens | Webex | User browser |
| Access and Refresh tokens | User browser | Webex app |
Client Configuration Retrieval
This table illustrates the type of data exchanged between the different components while retrieving client configurations.
| Data Moving | From | To |
|---|---|---|
| Registration | Client | Webex |
| Organization settings, including BroadWorks URLs | Webex | Client |
| BroadWorks JWT token | BroadWorks through Webex | Client |
| BroadWorks JWT token | Client | BroadWorks |
| Device Token | BroadWorks | Client |
| Device Token | Client | BroadWorks |
| Config file | BroadWorks | Client |
Steady State Usage
This section describes the data moving between components during re-authentication after token expiry, either through BroadWorks or Webex.
This table lists data movement for calling.
| Data Moving | From | To |
|---|---|---|
| SIP signalling | Client | BroadWorks |
| SRTP media | Client | BroadWorks |
| SIP signalling | BroadWorks | Client |
| SRTP media | BroadWorks | Client |
This table lists data movement for messaging, presence, and meetings.
| Data Moving | From | To |
|---|---|---|
| HTTPS REST messaging and presence | Client | Webex |
| HTTPS REST messaging and presence | Webex | Client |
| SIP signalling | Client | Webex |
| SRTP media | Client | Webex |
| SIP signalling | Webex | Client |
| SRTP media | Webex | Client |
Using the Provisioning API
Developer Access
The API specification is available on https://developer.webex.com and a guide to using it is at https://developer.webex.com/docs/api/guides/webex-for-broadworks-developers-guide.
You need to sign in to read the API specification at https://developer.webex.com/docs/api/v1/broadworks-subscribers.
Application Authentication and Authorization
Your application integrates with Webex as an Integration. This mechanism allows the application to perform administrative tasks (such as subscriber provisioning) for an administrator within your Partner organization.
Webex APIs follow the OAuth 2 standard (http://oauth.net/2/). OAuth 2 allows third-party integrations to obtain refresh and access tokens on behalf of your chosen Partner administrator for authenticating API calls.
You must first register your integration with Webex. Once registered, your application must then support this OAuth 2.0 authorization grant flow to obtain the necessary refresh and access tokens.
For more details on integrations and how to build this OAuth 2 authorization flow into your application, see https://developer.webex.com/docs/integrations.
There are two required roles for implementing integrations - the developer and the authorizing user - and they may be held by separate people/teams in your environment.
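
An added example, not taken from this page or from Cisco: the client side of the authorization-code grant described above, including the callback checks an integration should make before it exchanges the code. The two `webexapis.com` URLs are Webex's OAuth endpoints; the scope names are assumptions to confirm against the API specification, and the client ID, redirect URI and sample values are constructed placeholders.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://webexapis.com/v1/authorize"
TOKEN_URL = "https://webexapis.com/v1/access_token"
# Assumed scope names; confirm them against the API specification.
SCOPES = ("spark-admin:broadworks_subscribers_read",
          "spark-admin:broadworks_subscribers_write")


def new_state():
    """Unguessable value that ties the callback to the request we started."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state, scopes=SCOPES):
    """URL the authorizing Partner administrator opens to grant access."""
    return AUTHORIZE_URL + "?" + urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    })


def code_from_callback(callback_url, redirect_uri, expected_state):
    """Return the authorization code, or raise ValueError when the callback
    is not a valid answer to our own authorization request."""
    got, want = urlsplit(callback_url), urlsplit(redirect_uri)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback does not match the registered redirect URI")
    params = parse_qs(got.query)
    state = params.get("state", [""])[0]
    # Constant-time compare; a missing or foreign state is rejected outright.
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params:
        raise ValueError("authorization refused: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def token_request(client_id, client_secret, code, redirect_uri):
    """Form fields to POST to TOKEN_URL to obtain the first token pair."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code,
            "redirect_uri": redirect_uri}


def refresh_request(client_id, client_secret, refresh_token):
    """Form fields to POST to TOKEN_URL when the access token is ageing."""
    return {"grant_type": "refresh_token", "client_id": client_id,
            "client_secret": client_secret, "refresh_token": refresh_token}


def needs_refresh(issued_at, expires_in, now, margin=300):
    """True once the access token is within `margin` seconds of expiry."""
    return now >= issued_at + expires_in - margin


if __name__ == "__main__":
    # Constructed placeholders, not real credentials or hosts.
    redirect = "https://oss.example.net/webex/callback"
    state = new_state()
    print(build_authorize_url("C0000placeholder", redirect, state))
    callback = redirect + "?" + urlencode({"code": "sample-code", "state": state})
    print(token_request("C0000placeholder", "<client-secret>",
                        code_from_callback(callback, redirect, state), redirect))
```

Keep the client secret and refresh token in a secrets store on the provisioning system; only the authorize URL ever reaches the administrator's browser.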
Organization Name
The Organization Name depends on which provisioning mode you use:
- Enterprise mode—The Organization Name is an exact match of spEnterpriseId.
- Service Provider mode—The Organization Name is the groupID portion of the spEnterpriseId.
The Organization Name will contain any whitespace, uppercase and special characters specified in the original spEnterpriseId.
BroadWorks Software Requirements
See Lifecycle Management - BroadSoft Servers.
We expect the Service Provider to be "patch current" with the latest BroadWorks patches and Release Independent (RI) apps. The list of patches below is the minimum requirement for integrating with Webex.
Make sure to review the patch notes for these software patches. Some patches may have additional CLI requirements.
Version R22
Server |
Patch |
Additional Info |
---|---|---|
Application Server |
||
Required for Directory Sync |
||
Required to upgrade from V1 to V2 Push Notifications |
||
Required patch for Application Server |
||
Required to upgrade from V1 to V2 Push Notifications |
||
Required patch for Call Recording feature |
||
Required Patch for Flow-through Provisioning |
||
Required Patch for Hook Status (Presence) and Unified Call History |
||
Profile Server |
||
Required Patch for Hook Status (Presence) and Unified Call History |
||
Platform |
||
Required for NPS Authentication Proxy |
||
Required for NPS Authentication Proxy |
||
Required for the Auth Service with CI Token Validation |
||
Required Patch for Hook Status (Presence) and Unified Call History |
||
XSP |
Required for NPS Authentication Proxy |
|
Required for the Auth Service with CI Token Validation |
||
Required for NPS Authentication Proxy |
||
Required to upgrade from V1 to V2 Push Notifications |
||
Required for NPS Authentication Proxy |
||
Required for NPS Authentication Proxy |
||
Required for the Auth Service with CI Token Validation |
||
Required for Unified Call History |
||
Other |
AP.xsa.22.0.1123.ap372757 |
|
Version R23
Server |
Patch |
Additional Info |
---|---|---|
Application Server |
Required for Directory Sync |
|
Config App Server |
||
Required to upgrade from V1 to V2 Push Notifications |
||
Required for Call Recording |
||
Required Patch for Hook Status (Presence) and Unified Call History |
||
Profile Server |
||
Platform |
||
Required for NPS Authentication Proxy |
||
Required Patch for Hook Status (Presence) and Unified Call History |
||
XSP |
||
Required for NPS Authentication Proxy |
||
Required to upgrade from V1 to V2 Push Notifications |
||
Required for NPS Authentication Proxy |
||
Required for NPS Authentication Proxy |
||
Required Patch for Hook Status (Presence) and Unified Call History |
||
Other |
If using ADP... |
Required Patch for Hook Status (Presence) and Unified Call History |
Version R24
Server |
Patch |
Additional Info |
---|---|---|
Application Server |
Required for flowthrough provisioning |
|
Required for Call Recording |
||
Required Patch for Hook Status (Presence) and Unified Call History |
||
Other |
Required Patch for Hook Status (Presence) and Unified Call History |
BroadWorks Tags Required for Webex
For information on the BroadWorks system tags and custom tags that you must configure for Webex, refer to the Webex for Cisco BroadWorks Configuration Guide.
User Provisioning and Activation Flows
Provisioning describes adding the user to Webex. Activation includes email validation and service assignment in Webex.
User email addresses must be unique because Webex uses the email address to identify a user. If you have trusted email addresses for the users, you can choose to have them automatically activated when you automatically provision them. This process is “automatic provisioning and automatic activation”.
Automated User Provisioning and Automatic Activation (Trusted Email Flow)
Prerequisites
- Your provisioning adapter points to Webex for Cisco BroadWorks (which requires an outbound connection from AS to Webex Provisioning Bridge).
- You must have valid reachable end-user email addresses as alternate IDs in BroadWorks.
- Control Hub has a provisioning account in your partner organization configuration.
| Step | Description |
|---|---|
| 1 | You quote and take orders for the service with your customers. |
| 2 | You process the customer order and provision the customer in your systems. |
| 3 | The service provisioning system triggers the provisioning of BroadWorks. This step, in summary, creates the enterprise and the users. It then assigns the necessary services and numbers to each user. One of those services is the external IM&P. |
| 4 | This provisioning step triggers the automatic provisioning of the customer organization and users in Webex. (The IM&P service assignment causes the provisioning adapter to call the Webex provisioning API). |
| 5 | Your systems need to use the Webex provisioning API if you later need to adjust the package for the user (to change from the default). |
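
A pre-flight check for the trusted email flow above, as an added example that is not Cisco's code: because automatic activation skips email validation, it audits a subscriber export for missing, ambiguous and colliding email addresses before the IM&P service is assigned. The field names `userId` and `alternateIds`, the sample records, the rule that exactly one alternate ID per user is email-shaped, and case-insensitive comparison are assumptions.

```python
import re
from collections import defaultdict

# Conservative shape check only (local@host.tld); not full RFC 5322.
EMAIL_RE = re.compile(r"[^@\s]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")

# Constructed sample export: BroadWorks user IDs with their alternate IDs.
SAMPLE_USERS = [
    {"userId": "alice@sp.example", "alternateIds": ["Alice.Smith@customer.example"]},
    {"userId": "bob@sp.example", "alternateIds": ["bob.jones@customer.example", "5551230001"]},
    {"userId": "carol@sp.example", "alternateIds": ["alice.smith@customer.example "]},
    {"userId": "dave@sp.example", "alternateIds": ["5551230002"]},
    {"userId": "erin@sp.example", "alternateIds": ["erin@customer.example", "e.lee@customer.example"]},
]


def emails_of(user):
    """Normalised, de-duplicated email-shaped alternate IDs of one user."""
    found = []
    for alt in user.get("alternateIds", []):
        value = alt.strip().lower()
        if EMAIL_RE.fullmatch(value) and value not in found:
            found.append(value)
    return found


def audit(users):
    """Classify users for the trusted email flow.

    missing    - no email-shaped alternate ID, nothing to provision with
    ambiguous  - several candidate emails, operator must pick one
    duplicates - one address claimed by several users (identity collision)
    ready      - exactly one address, not shared with any other user
    """
    report = {"missing": [], "ambiguous": [], "duplicates": {}, "ready": {}}
    owners = defaultdict(list)
    for user in users:
        emails = emails_of(user)
        if not emails:
            report["missing"].append(user["userId"])
        elif len(emails) > 1:
            report["ambiguous"].append(user["userId"])
        else:
            owners[emails[0]].append(user["userId"])
    for email, user_ids in owners.items():
        if len(user_ids) > 1:
            report["duplicates"][email] = sorted(user_ids)
        else:
            report["ready"][user_ids[0]] = email
    return report


def safe_to_auto_activate(report):
    """Only enable automatic activation when every user is in 'ready'."""
    return not (report["missing"] or report["ambiguous"] or report["duplicates"])


if __name__ == "__main__":
    result = audit(SAMPLE_USERS)
    for key in ("ready", "duplicates", "ambiguous", "missing"):
        print(key, result[key])
    print("auto-activate:", safe_to_auto_activate(result))
```

Users outside `ready` are better routed through a flow that validates the email address than activated automatically.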
SSO Login Flow
Following is the SAML SSO login flow for the Webex app when using BroadWorks authentication, and when Cross-Origin Resource Sharing is enabled, allowing for direct authentication to BroadWorks. The image displays client and user events on the left with text on the arrows representing what the client provides for authorization. Steps 1 and 5 are user events. The right side of the image represents login services events along with what gets returned to the client.
Following is the BroadWorks Service Discovery Flow that follows immediately from the preceding Webex SAML SSO login flow. The client uses the access token that was obtained while registering to Webex Device Management to request registration from the BroadWorks deployment.
Alternative Login Flows
The images above assume that SAML SSO Login is configured using BroadWorks authentication with direct BroadWorks authentication enabled (Cross-Origin Resource Sharing). Below are some alternative SAML SSO login flows:
- BroadWorks Authentication without direct BroadWorks authentication (Cross-Origin Resource Sharing):
  - The only difference is in steps 5 and 6 of the Webex Login Flow. In step 5, the login credentials are validated by the IdP Proxy (rather than XSI) and a SAML Assertion is returned to the client.
  - The flow proceeds through the remaining steps in the two diagrams.
  - The SSO Token is not used in this flow.
- SAML SSO Webex Authentication:
  - In step 3 of the Webex Login Flow, the Common Identity service returns the Identity Provider used by Webex authentication.
  - At this point, an alternative SAML SSO login flow for Webex is invoked.
Sign In
1. The Webex app launches a browser to Cisco Common Identity (CI) to allow users to enter their email address.
2. CI discovers that the associated customer org has the BroadWorks IDP Proxy (IDP) configured as their SAML IDP. CI redirects to the IDP which presents the user with a sign-in page. (The Service Provider can brand this sign-in page.)
3. The user enters their BroadWorks credentials.
4. BroadWorks authenticates the user through the IDP. On success, the IDP redirects the browser back to CI with a SAML Success to complete the authentication flow (not shown in diagram).
5. On successful authentication, the Webex app obtains access tokens from CI (not shown in diagram). The client uses them to request a BroadWorks long-lived JSON Web Token (JWT).
6. The Webex app discovers its calling configuration from BroadWorks and other services from Webex.
7. The Webex app registers with BroadWorks.
Sign In from a User Perspective
This diagram is the typical sign-in flow, as seen by the end user or subscriber:
- You download and install the Webex app.
- You may have received the link from your service provider, or you can find the download on Webex downloads page.
- You enter your email address at the Webex sign-in screen. Click Next.
- Typically, you’re redirected to a Service Provider branded page.
- That page may welcome you by your email address. If there’s no email address, or if the email address is wrong, enter your BroadWorks user name instead.
- Enter your BroadWorks password.
- If you signed in successfully, Webex opens.
Call Flow—Corporate Directory
Call Flow—PSTN Number
Presentation and Sharing
Start a Space Meeting
Client Interactions
Retrieve Profile from DMS and SIP Register with AS
1. Client calls XSI to get a device management token and the URL to the DMS.
2. Client requests its device profile from DMS by presenting the token from step 1.
3. Client reads the device profile and retrieves the SIP credentials, addresses, and ports.
4. Client sends a SIP REGISTER to SBC using the information from step 3.
5. SBC sends the SIP REGISTER to the AS (SBC may perform a look-up in the NS to locate an AS if SBC does not already know the SIP user.)
Test and Lab Guidelines
The following guidelines apply to testing and lab organizations:
- Service Provider partners are limited to a maximum of 50 test users that can be provisioned across multiple orgs.
- Any users beyond the first 50 test users will be billed.
- To ensure accurate processing on your invoice, all test orgs must include ‘test’ in the BroadWorks Org name.
- Internal test organizations must be designated within Webex Control Hub. This is in order to prevent test users from being billed as actual users.
Designating an Organization as a Test Organization
To designate an organization as a test organization:
1. Sign in to Partner Hub and select Customers.
2. Select the appropriate Customer.
3. In the right control bar, enable the Internal Test Organization toggle.
Voicemail Playback
For voicemail, make sure that you configure the Media Server to use one of the following codes:
- mp3
- wav—WAV files are supported in the following formats: PCM (supported on all platforms) and DVI-ADPCM (not supported on Android)
If you are using wav files, run the following CLI commands to configure the application server and media server:
- AS_CLI/Service/VoiceMsg>set vmRecordingAudioFileFormat WAV
- MS_CLI/Applications/MediaStreaming/Services/IVR> set sendmail8kHzWavFileDefaultFormat ulaw
Terminology
- ACL
- Access Control List
- ALG
- Application Layer Gateway
- API
- Application Programming Interface
- APNS
- Apple Push Notification Service
- AS
- Application Server
- ATA
- Analog Telephone Adapter, adapter that converts analog telephony to VoIP
- BAM
- BroadSoft Application Manager
- Basic authentication
- A method of authentication where an account (username) is validated by a shared secret (password)
- BMS
- BroadSoft Messaging Server
- BOSH
- Bidirectional-streams Over Synchronous HTTP
- BRI
- Basic Rate Interface BRI is an ISDN access method
- Bundle
- A collection of services as delivered to an end user or subscriber (cf. Package)
- CA
- Certification Authority
- Carrier
- An organization that handles telephony traffic (cf. Partner, Service Provider, Value Added Reseller)
- CAPTCHA
- Completely Automated Public Turing test to tell Computers and Humans Apart
- CCXML
- Call Control eXtensible Markup Language
- CIF
- Common Intermediate Format
- CLI
- Command Line Interface
- CN
- Common Name
- CNPS
- Call Notifications Push Server. A Notification Push Server that runs on an XSP in your environment, to push call notifications to FCM and APNS. See NPS Proxy.
- CPE
- Customer Premises Equipment
- CPR
- Custom Presence Rule
- CSS
- Cascading Style Sheet
- CSV
- Comma-Separated Value
- CTI
- Computer Telephony Integration
- CUBE
- Cisco Unified Border Element
- DMZ
- Demilitarized Zone
- DN
- Directory Number
- DND
- Do Not Disturb
- DNS
- Domain Name System
- DPG
- Dial Peer Group
- DSCP
- Differentiated Services Code Point
- DTAF
- Device Type Archive File
- DTG
- Destination Trunk Group
- DTMF
- Dual-Tone Multi-Frequency
- End user
- The person who is using the services, that is making calls, joining meetings, or sending messages (cf. Subscriber)
- Enterprise
- A collection of end users (cf. Organization)
- FCM
- Firebase Cloud Messaging
- FMC
- Fixed Mobile Convergence
- Flow-through provisioning
- Creating users in the Webex identity store by assigning the “Integrated IM&P” service in BroadWorks.
- FQDN
- Fully Qualified Domain Name
- Full flow-through provisioning
- Creating and verifying users in the Webex identity store by assigning the “Integrated IM&P” service in BroadWorks and asserting that each BroadWorks user has a unique and valid email address.
- FXO
- Foreign Exchange Office is the port that receives the analog line. It is the plug on the phone or fax machine or the plugs on your analog phone system. It delivers an on-hook/off-hook indication (loop closure). Since the FXO port is attached to a device, such as a fax or a phone, the device is often called the “FXO device”.
- FXS
- Foreign Exchange Subscriber is the port that actually delivers the analog line to the subscriber. In other words, it is the "plug in the wall" that delivers a dial tone, battery current, and ring voltage.
- GCM
- Google Cloud Message
- GCM
- Galois/Counter Mode (encryption technology)
- HID
- Human Interface Device
- HTTPS
- Hypertext Transfer Protocol Secure Sockets
- IAD
- Integrated Access Device
- IM&P
- Instant Messaging and Presence
- IP PSTN
- A service provider that provides VoIP to PSTN services, interchangeable with ITSP, or a general term for internet-connected 'public' telephony, collectively provided by major telecomms providers (rather than by countries, as PSTN is)
- ITSP
- Internet Telephony Service Provider
- IVR
- Interactive Voice Response / Responder
- JID
- The native address of an XMPP entity is called a Jabber Identifier or JID localpart@domain.part.example.com/resourcepart (@ . / are separators)
- JSON
- JavaScript Object Notation
- JSSE
- Java Secure Socket Extension; the underlying technology providing secure connectivity features to BroadWorks servers
- KEM
- Key Extension Module (hardware Cisco phones)
- LLT
- Long-lived (or Long Life) Token; a self-describing, secure form of bearer token that enables users to remain authenticated for longer, and is not tied to specific applications.
- MA
- Message Archival
- MIB
- Management Information Base
- MS
- Media Server
- mTLS
- Mutual authentication between two parties, using certificate exchange, when establishing a TLS connection
- MUC
- Multi-User Chat
- NAT
- Network Address Translation
- NPS
- Notification Push Server; see CNPS
- NPS Proxy
- A service in Webex that supplies short-lived authorization tokens to your CNPS, enabling it to push call notifications to FCM and APNs, and ultimately to Android and iOS devices running Webex.
- OCI
- Open Client Interface
- Organization
- A company or organization representing a collection of end users (cf. Enterprise)
- OTG
- Outgoing Trunk Group
- Package
- A collection of services as delivered to an end user or subscriber (cf. Bundle)
- Partner
- An agent organization that works with Cisco to distribute products and services to other organizations (cf. Value Added Reseller, Service Provider, Carrier)
- PBX
- Private Branch Exchange
- PEM
- Privacy Enhanced Mail
- PLMN
- Public Land Mobile Network
- PRI
- Primary Rate Interface (PRI) is a telecommunications interface standard used on an Integrated Services Digital Network (ISDN)
- PS
- Profile Server
- PSTN
- Public Switched Telephone Network
- QoS
- Quality of Service
- Reseller portal
- A web site that enables the reseller’s administrator to configure their UC-One SaaS solution. It is sometimes referred to as BAM portal, admin portal, or management portal.
- RTCP
- Real-Time Control Protocol
- RTP
- Real-Time Transport Protocol
- SBC
- Session Border Controller
- SCA
- Shared Call Appearance
- SD
- Standard Definition
- SDP
- Session Description Protocol
- SP
- Service Provider; An organization that provides telephony or related services to other organizations (cf. Carrier, Partner, Value Added Reseller)
- SIP
- Session Initiation Protocol
- SLT
- Short-lived (or Short Life) Token (also called BroadWorks SSO Token); a single-use authenticated token that is used to gain secure access to web applications.
- SMB
- Small to Medium Business
- SNMP
- Simple Network Management Protocol
- sRTCP
- secure Realtime Transfer Control Protocol (VoIP call media)
- sRTP
- secure Realtime Transfer Protocol (VoIP call media)
- SSL
- Secure Sockets Layer
- Subscriber
- The person who is using the services, that is making calls, joining meetings, or sending messages (cf. End user)
- TCP
- Transmission Control Protocol
- TDM
- Time Division Multiplexing
- TLS
- Transport Layer Security
- ToS
- Type of Service
- UAP
- User Activation Portal
- UC
- Unified Communications
- UI
- User Interface
- UID
- Unique Identifier
- UMS
- Messaging Server
- URI
- Uniform Resource Identifier
- URL
- Uniform Resource Locator
- USS
- Sharing Server
- UTC
- Coordinated Universal Time
- UVS
- Video Server
- Value Added Reseller (VAR)
- An agent organization that works with Cisco to distribute products and services to other organizations (cf. Carrier, Partner, Service Provider)
- VGA
- Video Graphics Array
- VoIP
- Voice over Internet Protocol (IP)
- VXML
- Voice Extensible Markup Language
- WebDAV
- Web Distributed Authoring and Versioning
- WebRTC
- Web Real-Time Communications
- WRS
- WebRTC Server
- XMPP
- Extensible Messaging and Presence Protocol