Cisco Spark Single Sign-On with PingFederate

Document created by Cisco Documentation Team on Jun 22, 2016Last modified by Cisco Documentation Team on Aug 29, 2017
Version 13Show Document
  • View in full screen mode

Single Sign-On and Cisco Spark

Single sign-on (SSO) is a session or user authentication process that permits a user to provide credentials to access one or more applications. The process authenticates users for all the applications that they are given rights to. It eliminates further prompts when users switch applications during a particular session.

The Security Assertion Markup Language (SAML 2.0) Federation Protocol is used to provide SSO authentication between the Cisco Collaboration Cloud platform and your identity provider (IdP).


The Cisco Spark platform only supports the web browser SSO profile. In the web browser SSO profile, the Cisco Spark platform supports the following bindings:

  • SP initiated POST->POST binding 


  • SP initiated REDIRECT->POST binding



NameID Format

The SAML 2.0 Protocol supports a number of NameID formats for the purpose of communicating about a specific user. The Cisco Collaboration Cloud platform supports the following NameID formats.

  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

In the metadata that you load from your IdP, the first entry is configured for use in the Cisco Spark Platform.


The Cisco Collaboration Cloud supports the single logout profile. In the Cisco Spark or WebEx Meeting app, a user can sign out of the application, which will use the SAML single log out protocol to end the session and confirm that sign out with your IdP. Ensure your IdP is configured for SingleLogout.

Integrate Cisco Spark with PingFederate for Single Sign-On


Set up this integration for users of Cisco Spark message, meet, and call. If your WebEx Meeting Center is integrated in Cisco Spark Control Hub, WebEx Meeting Center inherits the user management. If you can't access WebEx in this way, you must do a separate integration to enable SSO for Cisco WebEx.

Before You Begin 
For SSO and Cisco Spark services, IdPs must conform to the SAML 2.0 specification. In addition, IdPs must be configured in the following manner:

    Configure the IdP to use Forms Based authentication.


    Set the NameID Format attribute to one of the following:



      Configure a claim on the IdP to include the uid attribute name with a value mapped to the user's email address in the SAML Assertion.





      Configure a claim on the IdP to include the uid attribute name with a value mapped to the user's email address in the SAML Assertion.






Download the Cisco Spark Metadata to your Local System

1    From the customer view in, go to Settings, and then scroll to Authentication.
2    Click Modify, click Integrate a 3rd-party identity provider. (Advanced), and then click Get Started.
3    Download the metadata file.  

The Cisco Spark metadata filename is idb-meta-<org-ID>-SP.xml.

4    Keep your Cisco Spark Control Hub session open in your browser.

Configure a New Service Provider Connection

1    Go to your PingFederate Administration portal (https://<FQDN of PingFederate>:9999/pingfederate/app).
2    Under SP CONNECTIONS, select Create New.
3    Select the Do not use a template for this connection radio button, then select Next.
4    Select Browser SSO Profiles, then click Next.
5    Select the Import Metadata tab.
6    Click Choose File to browse to and import the metadata file that you downloaded from Cisco Spark Control Hub, and then click Next.
7    Review the information in the General Info tab, and then click Done.

Configure Browser Single-Sign On

1    From the PingFederate Administration portal, select Configure Browser SSO.
2    Check the SP-Initiated SSO check box, then click Next.
3    Select Configure Assertion Creation.
  1. Change the NameID-format to Transient and check the Include attributes in addition to the transient identifier check box.
  2. Extend the contract attributes by adding mail and uid attributes in the format urn:oasis:names:tc:SAML:2.0:attrname-format-basic, then click Next.
  3. Select Map New Adapter Instance to pick an authentication mechanism.
  4. From the ADAPTER INSTANCE drop-down, select one of the previously configured authentication mechanisms, then click Next.
  5. Select the Retrieve additional attributes from multiple data stores using one mapping radio button, then click Next.
  6. Select Add Attribute Source to add the Active Directory Domain Controller for the domain, and then click Next.
  7. Specify the Base DN and select the root object class <Show All Attributes>.
  8. In the Filter text box, enter the LDAP filter, and then click Next.  

    The entry must contain the attribute that you expect the user to provide. It also needs to contain the value that it maps to in the LDAP sources. For example, if your active directory is set to filter on the Windows login attribute, enter sAMAccountName=${Username}.

  9. Select the source and value to map the assertion attributes with the attributes provided by the AD datastore. (Don't enter anything for Issuance Criteria.)
  10. Verify that the Assertion Configuration has Identity Mapping set to Transient, Attribute Contract set to mail, uid, and Adapter Instances set to 1.
4    Select Configure Protocol Settings.
  1. For Allowable SAML Bindings, check only the POST and Redirect checkboxes.
  2. For Signature Policy, select Always sign the SAML Assertion.

    The protocol settings should look like the following.

  3. Select Configure Credentials to configure the certificate for the assertion.
  4. Select the certificate that was already created for SAML assertions.
5    On the Activation and Summary screen, set the Connection Status to Active.

Export PingFederate Metadata

1    On the Main screen, click Manage All SP.
2    Find the connection that you just created and click Export Metadata.
3    Choose the certificate to use for signing the exported file from the drop-down.
4    Click Export.

Import the IdP Metadata and Enable Single Sign-On After a Test


After you export the Cisco Spark metadata, configure your IdP, and download the IdP metadata to your local system, you are ready to import it into your Cisco Spark organization.

1    Go back to the browser or tab where you're signed in to the Cisco Spark Control Hub – Export Directory Metadata page, and then click Next.
2    On the Import Idp Metadata page, either drag and drop the IdP metadata file onto the page or use the file browser option to locate and upload the metadata file.

We recommend that you use require certificate signed by a certificate authority in Metadata (more secure) for service providers that use publicly signed and trusted certificates.

3    Click Next.
4    Select Test SSO Connection, and when a new browser tab opens, authenticate with the IdP by signing in.

A common cause of an authentication error is a problem with the credentials. Please check the username and password and try again.

A Cisco Spark or Webex error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Cisco Spark metadata into the IdP setup.

5    Return to the Cisco Spark Control Hub browser tab.
  • If the test was successful, select This test was successful. Enable Single Sign-On option and click Next.
  • If the test was unsuccessful, select This test was unsuccessful. Disable Single Sign-On option and click Next.