Cisco Spark Single Sign-On with Microsoft Azure

Document created by Cisco Documentation Team on Sep 23, 2016Last modified by Cisco Documentation Team on Nov 17, 2016
Version 10Show Document
  • View in full screen mode

Single Sign-On and Cisco Spark Overview

Single sign-on (SSO) is a session or user authentication process that permits a user to provide credentials to access one or more applications. The process authenticates users for all the applications that they are given rights to. It eliminates further prompts when users switch applications during a particular session.

The Security Assertion Markup Language (SAML 2.0) Federation Protocol is used to provide SSO authentication between the Cisco Collaboration Cloud platform and your identity provider (IdP).


SAML 2.0 is an industry protocol for the securely handling user authentication, sharing of user attributes, and user authorization between partners across domains.


For further information about SSO capabilities, see this article.


The SAML 2 Protocol supports a number of profiles of which the Spark Platform only supports the Web Browser SSO Profile. In the Web Browser SSO Profile the Spark Platform supports the following bindings:

  • SP initiated POST->POST binding 


  • SP initiated REDIRECT->POST binding



NameID Format

The SAML 2 Protocol supports a number of NameID formats for the purpose of communicating about a specific user. The Cisco Collaboration Cloud platform supports the following NameID formats.

  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

In the metadata that you load from your IdP, the first entry is configured for use in the Spark Platform.


The Cisco Collaboration Cloud supports the single logout profile. In the Cisco Spark or WebEx app, a user can sign out of the application, which will use the SAML Single Log Out protocol to end the session and confirm that sign out with your IdP.

Integrate Cisco Spark with Microsoft Azure


Follow the tasks in this article to configure Single Sign-On (SSO) integration between Cisco Spark services and a deployment that uses Microsoft Azure as an identity provider (IdP).


This integration covers users of Cisco Spark message, meet, and call. A separate integration is required to enable SSO for Cisco WebEx.

Before You Begin 
For Single Sign-On and Cisco Spark services, IdPs must conform to the SAML 2.0 specification. In addition, IdPs must be configured in the following manner:
  • Configure the IdP to use Forms Based authentication.


  • Set the NameID Format attribute to "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"—We also support unspecified.


  • Configure a claim on the IdP to include the following attribute in the SAML Assertion:


    • The "uid" attribute name with a value mapped to the user's email address.



Download the Cisco Spark Metadata to your Local System

1    Sign in to Cisco Cloud Collaboration Management with your full administrator credentials.
2    Select Settings, and then select Modify from the Authentication section.
3    Select Integrate a 3rd-party identity provider. (Advanced) and go to the next screen.
4    Download the trusted metadata file and save the file in an easy-to-find location on your local system.  

The Cisco Spark metadata filename is idb-meta-<org-ID>-SP.xml.

5    Keep your Cisco Cloud Collaboration Management session open in a browser tab; you will return to it later to upload your IdP metadata.

Configure Single-Sign On Application Settings in Azure

Before You Begin 

    To activate the IdP capabilities in Microsoft Azure, obtain an Azure Active Directory Premium License.



    Configure Azure Active directory.



    Create local users or synchronize with an on-premises active directory system.



    Open the Cisco Spark metadata file that you downloaded from Cisco Cloud Collaboration Management.


1    Sign in to the Azure AD Access Panel.
2    Choose the Azure Active Directory for your organization.
3    Go to Applications and then click Add.
4    Click Add an application from the gallery.
5    In the search box, type Cisco Spark.
6    In the results pane, select Cisco Spark, and then click Complete to add the application.
7    Configure Single-Sign On:
  1. After you create the application agreement, go to the Configure tab, and then click Configure single sign-on.
  2. Choose Microsoft Azure AD Single Sign-On and then click the arrow button.
  3. Check the box for advanced options.
  4. Enter the following values from the Cisco Spark metadata file, and then click the arrow button:  

      Sign On URL






      Reply URL



      The identifier takes the value of the entityID attribute in the EntityDescriptor tag.



      The sign on and reply URLs take the value of the Location attribute in the AssertionConsumerService tag.


  5. Download the Azure metadata in XML format, and then click the arrow button.
  6. On the confirmation page, enter an email address to receive notices of any changes to the Microsoft Azure configuration.
  7. Click the checkmark button.
8    Modify the attributes:
  1. From the Cisco Spark application page in the Azure Access Panel, click Attributes.
  2. Keep nameidentifier and remove all of the other entries.
  3. Add a new user attribute called uid with the value user.mail.
9    Assign users:
  1. Go to Users and Groups, and then choose Show All Users from the drop-down list.
  2. Click Assign, and then choose the users you want to grant access to Cisco Spark.

Import the IdP Metadata and Enable Single Sign-On After a Test


After you export the Cisco Spark metadata, configure your IdP, and download the IdP metadata to your local system, you are ready to import it into your Cisco Spark organization.

1    Go back to the browser or tab where you're signed in to the Cloud Collaboration Management – Export Directory Metadata page, and then click Next.
2    On the Import Idp Metadata page, either drag and drop the IdP metadata file onto the page or use the file browser option to locate and upload the metadata file.

We recommend that you use require certificate signed by a certificate authority in Metadata (more secure) for service providers that use publicly signed and trusted certificates.

3    Click Next.
4    Select Test SSO Connection, and when a new browser tab opens, authenticate with the IdP by signing in.

A common cause of an authentication error is a problem with the credentials. Please check the username and password and try again.

A Cisco Spark or Webex error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Cisco Spark metadata into the IdP setup.

5    Return to the Cisco Cloud Collaboration Management browser tab.
  • If the test was successful, select This test was successful. Enable Single Sign-On option and click Next.
  • If the test was unsuccessful, select This test was unsuccessful. Disable Single Sign-On option and click Next.