Single sign-on (SSO) enables users to sign in to Webex securely by authenticating to your organization's common identity provider. An identity provider (IdP) securely stores and manages your users’ digital identities and provides the user authentication service for your Webex users.

Why you might need multiple IdPs

Many big companies undergo mergers and acquisitions, and these companies rarely have the same IT infrastructure and identity providers. Government institutions have various organizations and agencies under them. Often, these organizations have a single email address, but each has its own IT department and infrastructure. Major educational institutions have a central purchasing department, but different universities and colleges with different IT organizations and departments.

It’s common to see IdPs and service providers (SPs) federate with each other. The IdP is responsible for authenticating your users’ credentials, and the SP trusts the authentication made by the IdP. This allows your users to access various SaaS applications and services using the same digital identity. But if, for some reason, your organization can’t federate between the IdPs, then Webex provides a workaround to support multiple IdPs. For these reasons, we’re giving you the option to configure SSO for multiple IdPs in Webex and simplify your users’ authentication process.

Limitations

  • This feature is only available if you have purchased Webex Extended Security Pack.
  • All users must be provisioned with Directory Connector if you're using Directory Connector in your organization. Refer to the Directory Connector deployment guide for more information.
  • We currently support only SAML, OpenID Connect, and Webex Identity as identity providers.

Out of scope

  • Configure group assignments.

This section covers how you can integrate your identity providers (IdP) with your Webex organization. You can choose the IdPs that best fit your organization's requirements.

If you're looking for SSO integration of a Webex Meetings site (managed in Site Administration), then refer to Configure Single Sign-On for Webex Administration.

Before you begin

Ensure that the following conditions are met:

  • You must have Webex Extended Security Pack to configure SSO with multiple IdPs in Control Hub.
  • You must have a Full Admin role in Control Hub.
  • A metadata file from the IdP to give to Webex and a metadata file from Webex, to give to the IdP. For more information, refer to Single Sign-On Integration in Control Hub. This is only applicable to the SAML configuration.
  • You should plan your routing rules behavior before setting up multiple IdPs.

Note: The default routing rule is applied once you configure your initial IdP, but you can set another IdP as the default. Refer to Add or edit routing rule in the Routing rules tab in this article.

Configure SAML as your IdP
1. From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Activate SSO to start the configuration wizard.

2. Select SAML as your IdP and click Next.

3. Choose the certificate type:

  • Self-signed by Cisco—We recommend this choice. Let us sign the certificate so you only need to renew it once every five years.
  • Signed by a public certificate authority—More secure, but you'll need to frequently update the metadata (unless your IdP vendor supports trust anchors).

Note: Trust anchors are public keys that act as an authority to verify a digital signature's certificate. For more information, refer to your IdP documentation.

4. Click Download metadata and click Next.

The Webex App metadata filename is idb-meta-<org-ID>-SP.xml.

5. Upload your IdP's metadata file or fill out the configuration form.

When uploading the metadata file, there are two ways to validate the metadata from the customer IdP:

  • The customer IdP provides a signature in the metadata that is signed by a public root CA.
  • The customer IdP provides a self-signed private CA or doesn't provide a signature for its metadata. This option is less secure.

Otherwise, enter the IdP information in the configuration form.

Click Next.

6. (Optional) Configure the Just In Time (JIT) settings and SAML mapping response.

Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.

7. Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

Note: Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

Note: To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

8. Return to the Control Hub browser tab.

  • If the test was successful, select Successful test. Activate SSO and IdP and click Activate.
  • If the test was unsuccessful, select Unsuccessful test. Go back to previous steps to fix errors.

Note: The SSO configuration does not take effect in your organization unless you choose the first radio button and activate SSO.

What to do next

You can set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article.

You can follow the procedure in Suppress Automated Emails to disable emails sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.

Configure OpenID Connect as your IdP

1. From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Activate SSO to start the configuration wizard.

2. Select OpenID Connect as your IdP and click Next.

3. Enter your IdP information.

  • Name—The name to identify your IdP.
  • Client ID—The unique ID to identify you and your IdP.
  • Client Secret—The password that you and your IdP know.
  • Scopes—The scopes to be associated with your IdP.

4. Choose how to add endpoints. This can be done automatically or manually.

  • Use the discovery URL—Enter the configuration URL for your IdP.
  • Manually add endpoints information—Enter the following details.

    • Issuer
    • Authorization endpoint
    • Token endpoint
    • JWKS endpoint
    • Userinfo endpoint

    For more information, refer to the OpenID Connect configuration guide.
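
Added example (not Cisco's or this article's code): given the discovery URL entered in step 4 and the JSON document it returns, this turns the response into the five values the manual form asks for, after checking that each endpoint is present and uses HTTPS and that the document's issuer matches the URL it was fetched from, which is what protects you from pointing Control Hub at the wrong IdP. The hostnames and documents below are constructed placeholders; fetch_discovery is the only part that touches the network and the offline sample does not call it.

```python
import json
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

# Control Hub form field (step 4, manual endpoints) -> discovery document key
FIELDS = {
    "Issuer": "issuer",
    "Authorization endpoint": "authorization_endpoint",
    "Token endpoint": "token_endpoint",
    "JWKS endpoint": "jwks_uri",
    "Userinfo endpoint": "userinfo_endpoint",
}


def fetch_discovery(discovery_url: str, timeout: float = 10.0) -> dict:
    """Download the discovery document (network access; not used by the offline demo)."""
    with urllib.request.urlopen(discovery_url, timeout=timeout) as resp:
        return json.load(resp)


def discovery_problems(discovery_url: str, doc: dict) -> list:
    """Checks to run before copying values out of a discovery document."""
    problems = []
    for field, key in FIELDS.items():
        value = doc.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"{field}: '{key}' is missing from the discovery document")
        elif urlparse(value).scheme != "https":
            problems.append(f"{field}: {value} is not https")
    issuer = doc.get("issuer")
    # OIDC Discovery serves the document at issuer + WELL_KNOWN, and 'issuer' is
    # what every ID token's iss claim is compared against, so a mismatch means
    # the URL points at a different IdP than the one you expected.
    if isinstance(issuer, str) and issuer.rstrip("/") + WELL_KNOWN != discovery_url:
        problems.append(f"Issuer: {issuer} does not match discovery URL {discovery_url}")
    return problems


def endpoints_for_control_hub(discovery_url: str, doc: dict) -> dict:
    """Return the values for the manual endpoint form, or raise if the document fails a check."""
    problems = discovery_problems(discovery_url, doc)
    if problems:
        raise ValueError("; ".join(problems))
    return {field: doc[key] for field, key in FIELDS.items()}


# Constructed sample documents; the hostnames are placeholders.
DISCOVERY_URL = "https://login.example.test" + WELL_KNOWN
GOOD_DOC = {
    "issuer": "https://login.example.test",
    "authorization_endpoint": "https://login.example.test/oauth2/authorize",
    "token_endpoint": "https://login.example.test/oauth2/token",
    "jwks_uri": "https://login.example.test/oauth2/keys",
    "userinfo_endpoint": "https://login.example.test/oauth2/userinfo",
    "response_types_supported": ["code"],
}
# Wrong issuer and a plain-http userinfo endpoint, as a misconfigured IdP might return.
BAD_DOC = dict(GOOD_DOC, issuer="https://accounts.other.test",
               userinfo_endpoint="http://login.example.test/oauth2/userinfo")
```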

5. (Optional) Configure the Just In Time (JIT) settings.

Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.

6. Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

Note: Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

Note: To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

7. Return to the Control Hub browser tab.

  • If the test was successful, select Successful test. Activate SSO and IdP and click Activate.
  • If the test was unsuccessful, select Unsuccessful test. Go back to previous steps to fix errors.

Note: The SSO configuration does not take effect in your organization unless you choose the first radio button and activate SSO.

What to do next

You can set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article.

You can follow the procedure in Suppress Automated Emails to disable emails sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.

Configure Webex as your IdP

1. From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Activate SSO to start the configuration wizard.

2. Select Webex as your IdP and click Next.

3. Check I've read and understood how Webex IdP works and click Next.

4. Set up a routing rule.

Refer to Add or edit routing rule in the Routing rules tab in this article.

Once you've added a routing rule, your IdP is added and is shown under the Identity provider tab.

What to do next

You can follow the procedure in Suppress Automated Emails to disable emails that are sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.

Routing rules

Routing rules are applicable when setting up more than one IdP. Routing rules enable Webex to identify which IdP to send your users to when you have configured multiple IdPs.

When setting up more than one IdP, you can define your routing rules in the SSO configuration wizard. If you skip the routing rule step, then Control Hub adds the IdP but doesn’t activate the IdP. You must add a routing rule to activate the IdP.

Add or edit routing rule

1. From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.

2. Go to the Routing rules tab.

Note: When configuring your first IdP, the routing rule is automatically added and is set as the Default rule. You can choose another IdP to set as the default rule later.

3. Click Add new routing rule.

4. Enter the details for a new rule:

  • Rule name—Enter the name for the routing rule.
  • Select a routing type—Select domain or group.
  • If these are your domains/groups—Enter the domains/groups within your organization.
  • Then use this identity provider—Select the IdP.

5. Click Add.

6. Select the new routing rule and click Activate.

Note: You can change the routing rule priority order if you have routing rules for multiple IdPs.
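
The rule evaluation itself is not visible in Control Hub, so here is an added example (not Cisco's code) that models it: rules in priority order, the domain and group routing types, inactive rules, and the Default rule as the fallback, plus two checks worth running before you click Activate (an IdP that no active rule routes to, and a rule that a higher-priority rule shadows completely). The rule names, IdP names and domains are constructed placeholders, and first-active-match semantics is an assumption about how Control Hub walks the list.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RoutingRule:
    name: str            # Rule name
    routing_type: str    # "domain" or "group" (Select a routing type)
    values: frozenset    # If these are your domains/groups
    idp: str             # Then use this identity provider
    active: bool = True  # a rule only routes users once it has been activated


def rule(name, routing_type, values, idp, active=True):
    """Build a rule with domains/groups normalised to lower case."""
    if routing_type not in ("domain", "group"):
        raise ValueError(f"{name}: routing type must be 'domain' or 'group'")
    return RoutingRule(name, routing_type, frozenset(v.lower() for v in values), idp, active)


def resolve_idp(email, groups, rules, default_idp):
    """Return the IdP a signing-in user is sent to.

    rules is the list in Control Hub priority order; the first active rule whose
    domain matches the user's e-mail domain, or whose group the user belongs to,
    wins. Users that no rule matches go to the IdP of the Default rule."""
    domain = email.rsplit("@", 1)[-1].lower()
    user_groups = {g.lower() for g in groups}
    for r in rules:
        if not r.active:
            continue
        if r.routing_type == "domain" and domain in r.values:
            return r.idp
        if r.routing_type == "group" and r.values & user_groups:
            return r.idp
    return default_idp


def rule_warnings(rules, configured_idps, default_idp):
    """Pre-activation checks: IdPs nobody is routed to, and rules that can never
    fire because earlier active rules already cover every value they list."""
    warnings = []
    routed = {r.idp for r in rules if r.active} | {default_idp}
    for idp in sorted(set(configured_idps) - routed):
        warnings.append(f"IdP '{idp}' has no active routing rule; no user will be sent to it")
    covered = {"domain": set(), "group": set()}
    for r in rules:
        if not r.active:
            continue
        if r.values <= covered[r.routing_type]:
            warnings.append(f"rule '{r.name}' is shadowed by higher-priority rules")
        covered[r.routing_type] |= r.values
    return warnings


# Constructed sample: an acquired company on its own IdP, engineering on another,
# everyone else on the default. The last rule is shadowed by "Acquired Co".
SAMPLE_RULES = [
    rule("Engineering", "group", ["eng"], "okta-idp"),
    rule("Acquired Co", "domain", ["acquired.example"], "adfs-idp"),
    rule("Acquired Co (old)", "domain", ["acquired.example"], "webex-idp", active=False),
    rule("Contractors", "domain", ["ACQUIRED.example"], "adfs-idp"),
]
DEFAULT_IDP = "azure-idp"
CONFIGURED_IDPS = {"okta-idp", "adfs-idp", "azure-idp", "webex-idp"}
```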
Deactivate or delete a routing rule

1. From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.

2. Go to the Routing rules tab.

3. Select the routing rule.

4. Choose if you want to Deactivate or Delete the routing rule.

It’s recommended that you have another active routing rule for the IdP. Otherwise, you may run into problems with your SSO login.

Note: The Default rule can’t be deactivated or deleted, but you can modify the routed IdP.

Renew the IdP certificate

Before you begin

Note: From time to time, you may receive an email notification or see an alert in Control Hub that the IdP certificate is going to expire. Because IdP vendors have their own specific documentation for certificate renewal, we cover what's required in Control Hub, along with generic steps to retrieve updated IdP metadata and upload it to Control Hub to renew the certificate.

This is only applicable to the SAML configuration.

1. From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.

2. Go to the Identity provider tab.

3. Go to the IdP, click Upload and select Upload IdP metadata.

To download the metadata file, click Download and select Download IdP metadata.

4. Navigate to your IdP management interface to retrieve the new metadata file.

5. Return to Control Hub and drag and drop your IdP metadata file into the upload area, or click Choose a file to upload the metadata.

6. Choose Less secure (self-signed) or More secure (signed by a public CA), depending on how your IdP metadata is signed, and click Save.

7. Configure the Just In Time (JIT) settings and SAML mapping response.

Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.

8. Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

Note: Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

Note: To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

9. Click Save.

Renew the SP certificate

Before you begin

Note: It is recommended that you update all your IdPs in your organization when renewing your SP certificate.

This is only applicable to the SAML configuration.

1. From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.

2. Go to the Identity provider tab.

3. Go to the IdP and click .

4. Click Review certificates and expiry date.

This takes you to the Service Provider (SP) certificates window.

5. Click Renew certificate.

6. Choose the type of IdP in your organization:

  • An IdP that supports multiple certificates
  • An IdP that supports a single certificate

7. Choose the certificate type for the renewal:

  • Self-signed by Cisco—We recommend this choice. Let us sign the certificate so you only need to renew it once every five years.
  • Signed by a public certificate authority—More secure, but you'll need to frequently update the metadata (unless your IdP vendor supports trust anchors).

Note: Trust anchors are public keys that act as an authority to verify a digital signature's certificate. For more information, refer to your IdP documentation.

8. Click Download metadata or Download certificate to download a copy of the updated metadata file or certificate from the Webex cloud.

9. Navigate to your IdP management interface to upload the new Webex metadata file or certificate.

This step may be done through a browser tab, remote desktop protocol (RDP), or through specific cloud provider support, depending on your IdP setup and whether you or a separate IdP admin are responsible for this step.

For more information, see our SSO integration guides or contact your IdP admin for support. If you're on Active Directory Federation Services (AD FS), you can see how to update Webex metadata in AD FS.

10. Return to the Control Hub interface and click Next.

11. Select Successfully updated all the IdPs and click Next.

This uploads the SP metadata file or certificate to all IdPs in your organization.

12. Click Finish renewal.

Test an IdP

1. From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.

2. Go to the Identity provider tab.

3. Go to the IdP and click .

4. Select Test IdP.

5. Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

Note: If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

Note: To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

6. Return to the Control Hub browser tab.

  • If the test was successful, select Successful test. Activate SSO and IdP and click Save.
  • If the test was unsuccessful, select Unsuccessful test. Go back to previous steps to fix errors.

Note: The SSO configuration does not take effect in your organization unless you choose the first radio button and activate SSO.

Configure Just In Time (JIT) and SAML mapping

Before you begin

Ensure that the following preconditions are met:

  • SSO is already configured.
  • The domains have already been verified.
  • The domains are claimed and turned on. This feature ensures users from your domain are created and updated once each time they authenticate with your IdP.
  • If DirSync or Azure AD is enabled, then SAML JIT create or update will not work.
  • "Block user profile update" is enabled. SAML Update Mapping is allowed because this configuration controls the user’s ability to edit the attributes. Admin-controlled methods of creation and update are still supported.

Note: Newly created users won't automatically get assigned licenses unless the organization has an automatic license template set up.

1. From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.

2. Go to the Identity provider tab.

3. Go to the IdP and click .

4. Select Edit SAML mapping.

5. Configure Just-In-Time (JIT) settings.

  1. Create or activate user: if no active user is found, then Webex Identity creates the user and updates the attributes after the user has authenticated with the IdP.

  2. Update user with SAML attributes: if a user with the email address is found, then Webex Identity updates the user with the attributes mapped in the SAML assertion.

  3. Confirm users can sign in with a different, unidentifiable email address.

6. Configure SAML mapping.

  1. Set the required attributes.

    Table 1. Required attributes

    Webex Identity attribute name | SAML attribute name | Attribute description
    Username / Primary email address | Example: uid | Map the UID attribute to the provisioned user's email, upn, or edupersonprincipalname.

  2. Set the linking attributes. These should be unique to the user. They are used to look up a user so that Webex can update all profile attributes, including the email address, for that user.

    Table 2. Linking attributes

    Webex Identity attribute name | SAML attribute name | Attribute description
    externalId | Example: user.objectid | Identifies this user among other individual profiles. This is necessary when mapping between directories or changing other profile attributes.
    employeenumber | Example: user.employeeid | The user's employee number, or an identification number within their HR system. Note that this isn't for externalId, because you can re-use or recycle employeenumber for other users.
    Extension Attribute 1 | Example: user.extensionattribute1 | Map these custom attributes to extended attributes in Active Directory, Azure, or your directory, for tracking codes.
    Extension Attribute 2 | Example: user.extensionattribute2 | As for Extension Attribute 1.
    Extension Attribute 3 | Example: user.extensionattribute3 | As for Extension Attribute 1.
    Extension Attribute 4 | Example: user.extensionattribute4 | As for Extension Attribute 1.
    Extension Attribute 5 | Example: user.extensionattribute5 | As for Extension Attribute 1.

  3. Set the profile attributes.

    Table 3. Profile attributes

    Webex Identity attribute name | SAML attribute name | Attribute description
    externalId | Example: user.objectid | Identifies this user among other individual profiles. This is necessary when mapping between directories or changing other profile attributes.
    employeenumber | Example: user.employeeid | The user's employee number, or an identification number within their HR system. Note that this isn't for externalId, because you can re-use or recycle employeenumber for other users.
    preferredLanguage | Example: user.preferredlanguage | The user's preferred language.
    locale | Example: user.locale | The user's primary work location.
    timezone | Example: user.timezone | The user's primary time zone.
    displayName | Example: user.displayname | The user's display name in Webex.
    name.givenName | Example: user.givenname | The user's first name.
    name.familyName | Example: user.surname | The user's last name.
    addresses.streetAddress | Example: user.streetaddress | The street address of their primary work location.
    addresses.state | Example: user.state | The state of their primary work location.
    addresses.region | Example: user.region | The region of their primary work location.
    addresses.postalCode | Example: user.postalcode | The zip code of their primary work location.
    addresses.country | Example: user.country | The country of their primary work location.
    phoneNumbers.work | Example: work phonenumber | The work phone number of their primary work location. Use the international E.164 format only (15 digits maximum).
    phoneNumbers.extension | Example: mobile phonenumber | The work extension of their primary work phone number. Use the international E.164 format only (15 digits maximum).
    pronoun | Example: user.pronoun | The user's pronouns. This is an optional attribute, and the user or admin can make it visible on their profile.
    title | Example: user.jobtitle | The user's job title.
    department | Example: user.department | The user's job department or team.
    manager | Example: manager | The user's manager or their team lead.
    costcenter | Example: cost center | The user's cost center.
    email.alternate1 | Example: user.mailnickname | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.
    email.alternate2 | Example: user.primaryauthoritativemail | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.
    email.alternate3 | Example: user.alternativeauthoritativemail | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.
    email.alternate4 | Example: user.othermail | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.
    email.alternate5 | Example: user.othermail | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.

  4. Set the extension attributes. Map these attributes to extended attributes in Active Directory, Azure, or your directory, for tracking codes.

    Table 4. Extension attributes

    Webex Identity attribute name | SAML attribute name
    Extension Attribute 1 | Example: user.extensionattribute1
    Extension Attribute 2 | Example: user.extensionattribute2
    Extension Attribute 3 | Example: user.extensionattribute3
    Extension Attribute 4 | Example: user.extensionattribute4
    Extension Attribute 5 | Example: user.extensionattribute5
    Extension Attribute 6 | Example: user.extensionattribute6
    Extension Attribute 7 | Example: user.extensionattribute7
    Extension Attribute 8 | Example: user.extensionattribute8
    Extension Attribute 9 | Example: user.extensionattribute9
    Extension Attribute 10 | Example: user.extensionattribute10

    For a list of SAML assertion attributes for Webex Meetings, see https://help.webex.com/article/WBX67566.
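
As an added example (not Cisco's code and not a description of Webex Identity internals), this models the JIT settings from step 5 and the mapping tables from step 6 against an in-memory directory: assertion attributes are mapped using the example SAML attribute names from the tables, phoneNumbers.work is checked against E.164, and a user is looked up by the linking attribute externalId before the email address, so an email change at the IdP updates the existing user instead of creating a second one. The attribute values and object IDs are constructed.

```python
import re

# E.164: '+' followed by at most 15 digits, the first of them non-zero
E164 = re.compile(r"\+[1-9]\d{1,14}")

# Webex Identity attribute -> SAML attribute name, using the tables' examples
SAML_MAPPING = {
    "uid": "uid",                              # Table 1, required
    "externalId": "user.objectid",             # Table 2, linking
    "employeenumber": "user.employeeid",
    "displayName": "user.displayname",         # Table 3, profile
    "name.givenName": "user.givenname",
    "name.familyName": "user.surname",
    "department": "user.department",
    "phoneNumbers.work": "work phonenumber",
}


def is_e164(value: str) -> bool:
    return E164.fullmatch(value) is not None


def map_assertion(assertion_attrs: dict) -> dict:
    """Build the Webex profile from an assertion's AttributeStatement,
    given here as {saml attribute name: [values]}."""
    profile = {}
    for webex_attr, saml_attr in SAML_MAPPING.items():
        values = [v.strip() for v in assertion_attrs.get(saml_attr, []) if v and v.strip()]
        if not values:
            continue
        if webex_attr == "phoneNumbers.work" and not is_e164(values[0]):
            raise ValueError(f"{saml_attr}={values[0]!r}: use E.164 ('+' and at most 15 digits)")
        profile[webex_attr] = values[0]
    if "@" not in profile.get("uid", ""):
        raise ValueError("required attribute uid must carry the user's email, upn or edupersonprincipalname")
    return profile


def jit_sign_in(directory: dict, profile: dict, create: bool = True, update: bool = True):
    """Apply the two JIT settings to a stand-in directory (externalId -> profile).

    Lookup goes by the linking attribute first, so an e-mail change at the IdP
    still finds the same user, and falls back to the e-mail address for users
    that were never given an externalId. Returns (action, stored profile)."""
    ext = profile.get("externalId")
    user = directory.get(ext) if ext else None
    if user is None:
        user = next((u for u in directory.values()
                     if u["uid"].lower() == profile["uid"].lower()), None)
    if user is not None:
        if update:
            user.update(profile)       # includes uid when the e-mail changed
            return "updated", user
        return "signed in", user
    if not create:
        return "rejected", None        # unknown user and "Create or activate user" is off
    key = ext or profile["uid"].lower()
    directory[key] = dict(profile)
    return "created", directory[key]


def demo():
    """Walk an IdP-side e-mail change through JIT on a constructed directory."""
    directory, actions = {}, []
    first = {"uid": ["alice@corp.example"], "user.objectid": ["obj-0001"],
             "user.surname": ["Smith"], "work phonenumber": ["+14085550100"]}
    actions.append(jit_sign_in(directory, map_assertion(first))[0])
    # Same externalId, new e-mail: the linking attribute finds and updates the user
    renamed = {"uid": ["alice.smith@corp.example"], "user.objectid": ["obj-0001"],
               "user.department": ["Security"]}
    actions.append(jit_sign_in(directory, map_assertion(renamed))[0])
    # Unknown user while JIT create is switched off
    unknown = {"uid": ["bob@corp.example"]}
    actions.append(jit_sign_in(directory, map_assertion(unknown), create=False)[0])
    return directory, actions
```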

Delete an IdP

Before you begin

Note: It's recommended that you first deactivate or delete the IdP’s routing rules before deleting the IdP.

1. From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.

2. Go to the Identity provider tab.

3. Go to the IdP and click .

4. Select Delete.

Deactivate SSO

1. From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.

2. Go to the Identity provider tab.

3. Click Deactivate SSO.

Confirm SSO deactivation.

Once confirmed, SSO is deactivated for all IdPs in your organization.

Set up certificate expiry alerts

You'll receive alerts in Control Hub before certificates are set to expire, but you can also proactively set up alert rules. These rules let you know in advance that your SP or IdP certificates are going to expire. We can send these to you through email, a space in the Webex App, or both.

Note: Regardless of the delivery channel configured, all alerts always appear in Control Hub. See Alerts center in Control Hub for more information.

1. From the customer view in https://admin.webex.com, go to Alerts center.

2. Choose Manage then All rules.

3. From the Rules list, choose any of the SSO rules that you'd like to create:

  • SSO IDP Certificate expiry
  • SSO SP Certificate expiry

4. In the Delivery channel section, check the box for Email, Webex space, or both.

If you choose Email, enter the email address that should receive the notification.

Note: If you choose the Webex space option, you're automatically added to a space inside of the Webex App and we deliver the notifications there.

5. Save your changes.

What to do next

We send certificate expiry alerts once every 15 days, starting 60 days before expiry. (You can expect alerts on day 60, 45, 30, and 15.) Alerts stop when you renew the certificate.

If you run into problems with your SSO login, you can use the SSO self recovery option to get access to your Webex organization managed in Control Hub. The self recovery option allows you to update or disable SSO in Control Hub.