
Configure Partner SSO with SAML or OpenID Connect for Wholesale RTM customers


Configure Partner Single Sign-On (SSO) with SAML or OpenID Connect to provide secure customer access with a single set of Identity Provider (IdP)-managed credentials.

Configure partner SSO with SAML

Partner administrators can configure SAML SSO for newly created customer organizations. They can configure a single predefined SSO relationship and apply that configuration to the customer organizations they manage, and to their own employees.

The following partner SSO steps apply to newly created customer organizations only. If partner administrators try to add Partner SSO to an existing customer organization, the system retains the existing authentication method to prevent existing users from losing access.

1. Verify that the third-party Identity Provider (IdP) meets the requirements listed in the Requirements for Identity Providers section of Single Sign-On Integration in Control Hub.

2. Open a service request with Cisco TAC. TAC must establish a trust relationship between the third-party IdP and the Cisco Common Identity (CI) service.

    If your IdP requires enabling the passEmailInRequest feature, include this requirement in the service request. Check with your IdP if you're unsure whether this feature is required.

3. Upload the CI metadata file that TAC provided to your IdP.

4. Configure an onboarding template:

  • For the Authentication Mode setting, select Partner Authentication.

  • Enter the IDP Entity ID. You can find the EntityID from the SAML metadata XML of the third-party IdP.

[Screenshot: Add a new template screen, showing the default authentication mode options: BroadWorks authentication, Webex authentication, and Partner authentication]

Once you've completed the configuration, you can manually verify that the Partner IdP Entity ID is set up correctly.

  1. Onboard a customer that uses the template and create a new user in the customer organization.

  2. Verify that the user can sign in.

    User sign-in should redirect to the partner IdP sign-in page, and the user must be able to sign in successfully with valid credentials.

Configure partner SSO with OpenID Connect (OIDC)

Partner administrators can configure OIDC SSO for newly created customer organizations. They can configure a single predefined SSO relationship and apply that configuration to the customer organizations they manage, and to their own employees.

The following partner SSO OIDC steps apply to newly created customer organizations only. If partner administrators try to modify the default authentication type to Partner SSO OIDC in an existing template, the changes don't apply to the customer organizations already onboarded using the template.

1. Open a service request with Cisco TAC with the details of the OpenID Connect IdP.

    The following table lists the mandatory and optional IdP attributes. TAC sets up the IdP on CI and provides you with the redirect URI to configure on the IdP.

    | Attribute | Required | Description |
    | --- | --- | --- |
    | IDP Name | Yes | Unique, case-insensitive name. It can include letters, numbers, hyphens, underscores, tildes, and dots. Max length: 128 characters. |
    | OAuth client Id | Yes | Used to request OIDC IdP authentication. |
    | OAuth client Secret | Yes | Used to request OIDC IdP authentication. |
    | List of scopes | Yes | Used to request OIDC IdP authentication. Space-separated list of scopes (for example, openid email profile); must include openid and email. |
    | Authorization Endpoint | Yes, if discoveryEndpoint isn't provided | URL of the IdP's OAuth 2.0 authorization endpoint. |
    | tokenEndpoint | Yes, if discoveryEndpoint isn't provided | URL of the IdP's OAuth 2.0 token endpoint. |
    | Discovery Endpoint | No | URL of the IdP's discovery endpoint for OpenID endpoint discovery. |
    | userInfoEndpoint | No | URL of the IdP's UserInfo endpoint. |
    | Key Set Endpoint | No | URL of the IdP's JSON Web Key Set endpoint. |

    In addition to the above IdP attributes, you need to specify a partner organization ID in the TAC request.

2. Configure the redirect URI on the OpenID Connect IdP.

3. Configure an onboarding template:

  • For the Authentication Mode setting, select Partner authentication with OpenID Connect.

  • For OpenID Connect IDP Entity ID, enter the IDP name provided during the IDP setup.

[Screenshot: Wholesale partner SSO]

Once you've completed the configuration, you can manually verify that the Partner IdP Entity ID is set up correctly.

  1. Onboard a customer that uses the template and create a new user in the customer organization.

  2. Verify that the user can sign in using the SSO authentication flow.
