Single sign-on is an optional feature that must be provisioned for your site.
Enable Cisco WebEx single sign-on (SSO) to make it easier for users to manage their credentials. With SSO, one unique identifier provides access to all enterprise applications, such as WebEx Meeting Center and Jabber. As an administrator, you use WebEx Site Administration to configure single sign-on for Cisco WebEx Messenger and Cisco WebEx meeting applications.
Terms and Definitions
The following table lists and defines important terms that are related to SSO configuration.
Identity and Access Management systems such as CA SiteMinder, ADFS, Ping Identity.
Identity provider—The authority for user access and password management.
Security Assertion Markup Language—Used to exchange authentication and authorization between entities.
Allows employees and affiliates of a WebEx customer organization to authenticate with a WebEx site using SAML.
The SAML assertions sent to the Cisco WebEx system are signed with the private key. Obtain an X.509 digital certificate from a trusted Certificate Authority, including some government agencies and companies such as VeriSign and Thawte.
Obtain and set up the following requirements before you begin this procedure.
SSO Configuration Page
The following table lists and describes the fields and options on the SSO Configuration page.
The information that you use during configuration must be exact. If you require further clarification about the information required to configure SSO for your site, contact your identity provider.
Field or Option
Specify how users access WebEx. Select SP Initiated if users start at the WebEx meeting site and are redirected to the corporate IdP system for authentication. Select IdP Initiated if users access WebEx through the corporate IAM system.
Import SAML Metadata (link)
Click to open the Federated Web SSO Configuration - SAML Metadata dialog box. Imported metadata fields include the following:
WebEx SAML Issuer (SP ID)
The URI identifies the Cisco WebEx Messenger service as an SP. The configuration must match the settings in the customer Identity Access Management system. Recommended naming conventions: For Meeting Center, enter the Meeting Center site URL. For the WebEx Messenger service, use the format "client-domain-name" (example: IM-Client-ADFS-WebExEagle-Com).
Issuer for SAML (IdP ID)
A URI that uniquely identifies the IdP. The configuration must match the setting in the Customer IAM. Located in the IdP XML file (example: entityID="http://adfs20-fed-srv.adfs.webexeagle.com/adfs/services/trust").
Customer SSO Service Login URL
URL for your enterprise's single sign-on services. Users typically sign in with this URL. Located in the IdP XML file (example: <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs20-fed-srv.adfs.webexeagle.com/adfs/ls/" index="0" isDefault="true" />).
You can export a SAML metadata WebEx configuration file
You can export some metadata, which can then be imported in the future. Exported metadata fields include the following:
Must match the IAM configuration, with the following formats being supported:
The SAML statement that describes the authentication at the IdP. This must match the IAM configuration. ADFS examples: urn:federation:authentication:windows or urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport. Ping example: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified. Note: To use more than one AuthnContextClassRef value, add a ";" between the values. For example: urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Default WebEx Target page URL (optional)
Upon authentication, displays a target page assigned for the web application only.
Customer SSO Error URL (optional)
If an error occurs, redirects to this URL with the error code appended to the URL.
Single Logout (optional)
Check to require a sign-out and set the logout URL.
Auto Account Creation (optional)
Select to create a user account. UID, email, and first and last name fields must be present in the SAML assertion.
Auto Account Update (optional)
Accounts in WebEx can be updated with the presence of an updateTimeStamp attribute in the SAML assertion. When modifications are made in the IAM, the new time stamp is sent to WebEx. WebEx updates the account with any attribute sent in the SAML assertion.
Remove uid Domain Suffix for Active Directory UPN
Removes the Active Directory domain from the User Principal Name (UPN) when selected.
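Because the Issuer for SAML (IdP ID) and Customer SSO Service Login URL values must match the IdP XML file exactly, the following added example (not part of the Cisco documentation) compares the values typed into the SSO Configuration page against the metadata file. The function names and the sample metadata are constructed for illustration; the sample reuses the example values quoted above.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample IdP metadata; values reuse the examples quoted on this page.
SAMPLE_IDP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs20-fed-srv.adfs.webexeagle.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs20-fed-srv.adfs.webexeagle.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def read_idp_metadata(xml_text):
    """Return (entityID, [endpoint Location values]) from an IdP metadata file."""
    # The metadata is a local file exported from your own IdP; use a hardened
    # XML parser instead if the input could come from an untrusted source.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    # Any element carrying both Binding and Location is a service endpoint.
    locations = [el.get("Location") for el in root.iter()
                 if el.get("Binding") and el.get("Location")]
    return root.get("entityID"), locations


def check_sso_fields(xml_text, issuer, login_url):
    """List differences between the values entered on the page and the metadata."""
    entity_id, locations = read_idp_metadata(xml_text)
    problems = []
    # Copy-paste whitespace is the most common reason an "exact" value is not.
    for label, value in (("Issuer for SAML (IdP ID)", issuer),
                         ("Customer SSO Service Login URL", login_url)):
        if value != value.strip():
            problems.append(f"{label}: leading or trailing whitespace")
    if issuer.strip() != entity_id:
        problems.append("Issuer for SAML (IdP ID): does not match entityID")
    if login_url.strip() not in locations:
        problems.append("Customer SSO Service Login URL: not an endpoint Location")
    return problems
```

An empty list from check_sso_fields means both fields agree with the metadata character for character.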