How do I change the certificate on my Single Sign On provider?
How do I update the ADFS certificate?
Cisco Webex does not provide documentation or guidance on performing regular maintenance for specific Single Sign On Providers.
Webex Technical Support has found that ADFS customers needing this information consider the following Microsoft Support Article helpful:
- Cisco Webex does not guarantee the accuracy of this information or its relevance to your specific deployment.
- For additional, deployment-specific assistance, contact your Single Sign On vendor.
General Guidance around Certificates and Webex’s implementation of the SAML 2.0 Specification:
In general, for SSO to work you must have a current and valid trust relationship between the Identity Management Service, commonly referred to as an IDP, and the Webex Site Administration portal (for Cisco Webex Meetings Suite customers) or the Webex Messenger administration portal (for Cisco Webex Messenger customers).
This is accomplished in SAML by having the SAML asserting party sign the SAML response. Webex does not require the SAML assertion to contain the public signing certificate; however, including it in the SAML response is good practice for troubleshooting. Webex does require the assertion to be signed. Please note that the response can also be signed, but this is not required, and Webex will not inherit the certificate signature from the response to the assertion.
Key points to remember:
- The certificate used to sign the SAML assertion must be current and must match the certificate uploaded to the Administration page of the Webex service you are using.
- The certificate does not need to be signed by a CA, because the trust relationship is established through manual upload of the certificate rather than through a protocol negotiation such as HTTPS.
- For best results, the certificate uploaded to Webex Administration should be a base-64 encoded, PEM-formatted .cer file.
Best Practices for performing a certificate upgrade:
Cisco Webex recommends that you schedule a small downtime window for this maintenance. During the time between the change of the certificate on the IDP and the change of the certificate in the Webex Administration Portal, users will be unable to log in. Hosts/attendees already authenticated and Jabber users with current authentication sessions will not be affected.
Note: Jabber users using Jabber to Jabber calling must authenticate to the Webex service every 24 hours, regardless of the length of the authentication session for other services. Jabber users attempting to authenticate to the Webex service during the maintenance will receive an "Invalid Response message (29)" message, and Webex Business Suite hosts and attendees with accounts attempting to authenticate will receive the error "Incorrect X.509 certificate to validate SAML assertion (8)".
- Have the private key and public key certificates ready for upload to your IDP and the Webex Administration page.
- Ensure that Webex Business Suite Site Administrators have a password set for their Admin accounts.
- You can set your password prior to beginning the maintenance.
- Should you forget your password after beginning the maintenance, you will lose the ability to log in to your account and will only be able to regain access with the assistance of another Site Administrator or Webex Technical Support.
- Administrators of Webex Messenger also have usernames and passwords that can be used to log in, should you need to authenticate during the time when SSO is inoperable.
If you are unable to authenticate after updating to the new certificate, try the following:
- Ensure that the Certificate has been uploaded successfully to the IDP.
- Ensure the Webex Administration Portal is showing the correct certificate.
- Ensure that the IDP is providing a SAML response.
- Webex Technical Support commonly uses the built-in developer tools in Chrome, Firefox and Internet Explorer to verify that a SAMLResponse is being provided by the IDP.
- Webex Technical Support commonly uses a third-party application called Fiddler to collect logs of the HTTPS transactions being made from the application or browser.
- Ensure that the certificate contained in the SAML Response is the correct (newly uploaded) certificate.
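The two checks above (the assertion itself must be signed, and the certificate in that signature must match the PEM file uploaded to Webex Administration) can be scripted against a SAMLResponse captured from the browser's developer tools. The following is an added example, not Webex's own tooling: it decodes the base-64 SAMLResponse, looks only at a Signature that sits on the Assertion (a Response-level signature is ignored, as the guidance above states), and compares the SHA-256 fingerprint of the embedded certificate with the uploaded .cer file. The sample SAMLResponse and certificate bytes are constructed placeholders; the function and variable names are the example's own.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
def b64(data):
    return base64.b64encode(data).decode()

def pem_fingerprint(pem_text):
    """SHA-256 of the DER bytes inside a base-64 PEM .cer file (the format Webex expects)."""
    body = "".join(l.strip() for l in pem_text.splitlines() if l.strip() and "-----" not in l)
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def assertion_signing_cert_fingerprint(saml_response_b64):
    """Fingerprint of the X509Certificate in the Assertion's own Signature, or None.
    A Signature on the Response envelope is deliberately ignored: Webex validates the
    Assertion signature and does not inherit the Response signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find(f"{{{SAML}}}Assertion")
    sig = assertion.find(f"{{{DS}}}Signature") if assertion is not None else None
    cert = sig.find(f".//{{{DS}}}X509Certificate") if sig is not None else None
    if cert is None or not cert.text:
        return None  # unsigned Assertion, or a Signature that carries no certificate
    return hashlib.sha256(base64.b64decode("".join(cert.text.split()))).hexdigest()

def check_saml_response(saml_response_b64, uploaded_pem):
    """Classify a captured SAMLResponse against the certificate uploaded to Webex."""
    found = assertion_signing_cert_fingerprint(saml_response_b64)
    if found is None:
        return "assertion-unsigned"
    return "match" if found == pem_fingerprint(uploaded_pem) else "mismatch"

# Constructed sample data: these byte strings stand in for real DER certificates.
NEW_DER, OLD_DER = b"constructed-new-idp-cert", b"constructed-old-idp-cert"
UPLOADED_PEM = f"-----BEGIN CERTIFICATE-----\n{b64(NEW_DER)}\n-----END CERTIFICATE-----\n"

def sample_response(assertion_cert=None, response_cert=None):
    """Build a minimal base-64 SAMLResponse, signed at the Assertion and/or Response level."""
    def sig(der):
        return (f'<ds:Signature xmlns:ds="{DS}"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
                f'{b64(der)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>') if der else ""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">{sig(response_cert)}'
           f'<saml:Assertion>{sig(assertion_cert)}</saml:Assertion></samlp:Response>')
    return b64(xml.encode())

if __name__ == "__main__":
    for kw in ({"assertion_cert": NEW_DER}, {"assertion_cert": OLD_DER}, {"response_cert": NEW_DER}):
        print(kw, "->", check_saml_response(sample_response(**kw), UPLOADED_PEM))
```

To use it against a real capture, pass the SAMLResponse form value from the developer tools and the contents of the .cer file you uploaded to Webex Administration; a "mismatch" or "assertion-unsigned" result points at the IDP configuration rather than at Webex.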
If you need assistance, please contact Cisco Webex Technical Support.
Webex Technical Support cannot provide IDP vendor-specific instructions on SSO configuration or implementation; however, it can provide general guidance on error messages and debugging.