Single sign-on (SSO) enables users to sign in to Webex securely by authenticating to your organization's common identity provider. An identity provider (IdP) securely stores and manages your users’ digital identities and provides the user authentication service for your Webex users.

Why you might need multiple IdPs

Many big companies undergo mergers and acquisitions, and these companies rarely have the same IT infrastructure and identity providers. Government institutions have various organizations and agencies under them. Often, each of these organizations has a single email address along with its own IT department and infrastructure. Major educational institutions have a central purchasing department, but their universities and colleges have different IT organizations and departments.

It’s common to see IdPs and service providers (SPs) federate with each other. The IdP is responsible for authenticating your users’ credentials, and the SP trusts the authentication made by the IdP. This allows your users to access various SaaS applications and services using the same digital identity. But if, for some reason, your organization can’t federate between its IdPs, Webex provides a workaround to support multiple IdPs. For these reasons, we’re giving you the option to configure SSO for multiple IdPs in Webex and simplify your users’ authentication process.

Limitations

  • This feature is only available if you have purchased Webex Extended Security Pack.
  • All users must be provisioned with Directory Connector if you're using Directory Connector in your organization. Refer to the Directory Connector deployment guide for more information.
  • We currently support only SAML, OpenID Connect, and Webex Identity as identity providers.

Out of scope

  • Configure group assignments.

This section covers how you can integrate your identity providers (IdP) with your Webex organization. You can choose the IdPs that best fit your organization's requirements.

If you're looking for SSO integration of a Webex Meetings site (managed in Site Administration), then refer to Configure Single Sign-On for Webex Administration.

Before you begin

Ensure that the following conditions are met:

  • You must have Webex Extended Security Pack to configure SSO with multiple IdPs in Control Hub.
  • You must have a Full Admin role in Control Hub.
  • You need a metadata file from the IdP to give to Webex, and a metadata file from Webex to give to the IdP. For more information, refer to Single Sign-On Integration in Control Hub. This applies only to the SAML configuration.
  • You should plan your routing rules behavior before setting up multiple IdPs.

The default routing rule is applied once you configure your initial IdP, but you can set another IdP as the default. Refer to Add or edit routing rule in the Routing rules tab in this article.

1

Sign in to Control Hub.

2

Go to Management > Organization Settings, scroll to Single Sign-On and click Manage SSO and IdPs to start the configuration wizard.

3

Select SAML as your IdP and click Next.

4

Choose the certificate type:

  • Self-signed by Cisco—We recommend this choice. Let us sign the certificate so you only need to renew it once every five years.
  • Signed by a public certificate authority—More secure, but you'll need to frequently update the metadata (unless your IdP vendor supports trust anchors).
Trust anchors are public keys that act as an authority to verify a digital signature's certificate. For more information, refer to your IdP documentation.

5

Click Download metadata and click Next.

The Webex App metadata filename is idb-meta-<org-ID>-SP.xml.

6

Upload your IdP's metadata file or fill out the configuration form.

When uploading the metadata file, there are two ways to validate the metadata from the Customer IdP:

  • Customer IdP provides a signature in the metadata that is signed by a Public Root CA.
  • Customer IdP provides a self-signed private CA or doesn’t provide a signature for their metadata. This option is less secure.

Otherwise, enter the IdP information in the configuration form.

Click Next.

7

(Optional) You can change the name of the SAML attribute for Webex Username or Primary email address from uid to a name agreed on with the IdP manager, such as email or upn.

8

(Optional) Configure the Just In Time (JIT) settings and SAML mapping response.

Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.

9

Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

10

Return to the Control Hub browser tab.

  • If the test was successful, select Successful test. Activate SSO and IdP and click Activate.
  • If the test was unsuccessful, select Unsuccessful test. Go back to previous steps to fix errors.

The SSO configuration does not take effect in your organization unless you choose the first radio button and activate SSO.

What to do next

You can set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article.

You can follow the procedure in Suppress Automated Emails to disable emails sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.

1

Sign in to Control Hub.

2

Go to Management > Organization Settings, scroll to Single Sign-On and click Manage SSO and IdPs to start the configuration wizard.

3

Select OpenID Connect as your IdP and click Next.

4

Enter your IdP information.

  • Name—The name to identify your IdP.
  • Client ID—The unique ID to identify you and your IdP.
  • Client Secret—The secret shared only between you and your IdP.
  • Scopes—The scopes to be associated with your IdP.

5

Choose how to add the endpoints, either automatically or manually:

  • Use the discovery URL—Enter the configuration URL for your IdP.
  • Manually add endpoints information—Enter the following details:
    • Issuer
    • Authorization endpoint
    • Token endpoint
    • JWKS endpoint
    • Userinfo endpoint

For more information, refer to the OpenID Connect configuration guide.
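
Whether you use the discovery URL or type the endpoints in by hand, it is worth checking the IdP's discovery document before trusting it. The Python below is an added example, not Webex or IdP code: the sample document, the issuer name and the list of checks are constructed assumptions.

```python
# Sanity checks on an OpenID Connect discovery document before its endpoints
# are entered into Control Hub (added example; SAMPLE_DOC is constructed).
from __future__ import annotations
import json
from urllib.parse import urlparse

# The five values the "Manually add endpoints" form asks for, keyed by the
# name each has in the discovery document.
REQUIRED = {
    "issuer": "Issuer",
    "authorization_endpoint": "Authorization endpoint",
    "token_endpoint": "Token endpoint",
    "jwks_uri": "JWKS endpoint",
    "userinfo_endpoint": "Userinfo endpoint",
}


def discovery_url(issuer: str) -> str:
    """Where an issuer publishes its configuration document."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(doc: dict, expected_issuer: str,
                    scopes: tuple[str, ...] = ("openid", "email")) -> list[str]:
    """Return the problems found; an empty list means the document passed."""
    problems: list[str] = []
    for key, label in REQUIRED.items():
        value = doc.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"{label} ({key}) missing")
            continue
        if urlparse(value).scheme != "https":
            problems.append(f"{label} must be https, got {value}")
    # Discovery requires the published issuer to equal the one the document
    # was fetched from; otherwise tokens get validated against the wrong issuer.
    issuer = doc.get("issuer")
    if isinstance(issuer, str) and issuer.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer mismatch: expected {expected_issuer}, got {issuer}")
    # A client configured with a client secret uses the authorization code flow.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("response_type=code not advertised")
    supported = doc.get("scopes_supported")
    if supported is not None:  # optional field, so check it only when present
        for scope in scopes:   # the scopes you entered in step 4 (assumed here)
            if scope not in supported:
                problems.append(f"scope {scope!r} not in scopes_supported")
    return problems


def manual_endpoints(doc: dict) -> dict[str, str]:
    """The values to type into the manual endpoint form, by form label."""
    return {label: doc[key] for key, label in REQUIRED.items()}


# Constructed sample shaped like a real discovery document. It carries two
# defects on purpose: a plain-http userinfo endpoint and no "email" scope.
SAMPLE_DOC = json.loads("""{
  "issuer": "https://idp.example.com",
  "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
  "token_endpoint": "https://idp.example.com/oauth2/token",
  "jwks_uri": "https://idp.example.com/oauth2/keys",
  "userinfo_endpoint": "http://idp.example.com/oauth2/userinfo",
  "response_types_supported": ["code", "id_token"],
  "scopes_supported": ["openid", "profile"]
}""")
```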

6

(Optional) Configure the Just In Time (JIT) settings.

Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.

7

Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

8

Return to the Control Hub browser tab.

  • If the test was successful, select Successful test. Activate SSO and IdP and click Activate.
  • If the test was unsuccessful, select Unsuccessful test. Go back to previous steps to fix errors.

The SSO configuration doesn’t take effect in your organization unless you choose the first radio button and activate SSO.

What to do next

You can set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article.

You can follow the procedure in Suppress Automated Emails to disable emails sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.

1

Sign in to Control Hub.

2

Go to Management > Organization Settings, scroll to Single Sign-On and click Manage SSO and IdPs to start the configuration wizard.

3

Select Webex as your IdP and click Next.

4

Check I've read and understood how Webex IdP works and click Next.

5

Set up a routing rule.

Refer to Add or edit routing rule in the Routing rules tab in this article.

Once you've added a routing rule, your IdP is added and is shown under the Identity provider tab.

What to do next

You can follow the procedure in Suppress Automated Emails to disable emails that are sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.

Routing rules are applicable when setting up more than one IdP. Routing rules enable Webex to identify which IdP to send your users to when you have configured multiple IdPs.

When setting up more than one IdP, you can define your routing rules in the SSO configuration wizard. If you skip the routing rule step, then Control Hub adds the IdP but doesn’t activate the IdP. You must add a routing rule to activate the IdP.

1

Sign in to Control Hub.

2

Go to Management > Organization Settings, scroll to Single Sign-On and click Manage SSO and IdPs.

3

Go to the Routing rules tab.

When configuring your first IdP, the routing rule is automatically added and is set as the Default rule. You can choose another IdP to set as the default rule later.

4

Click Add new routing rule.

5

Enter the details for a new rule:

  • Rule name—Enter the name for the routing rule.
  • Select a routing type—Select domain or group.
  • If these are your domains/groups—Enter the domains/groups within your organization.
  • Then use this identity provider—Select the IdP.

6

Click Add.

7

Select the new routing rule and click Activate.

You can change the routing rule priority order if you have routing rules for multiple IdPs.
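
To make the rule semantics above concrete, here is an added Python illustration (not Webex code) of how a priority-ordered rule list picks an IdP: domain and group rule types, deactivated rules being skipped, and the Default rule as the fallback. The data model, rule names and IdP names are constructed assumptions.

```python
# Routing-rule evaluation as described in this section (added example; the
# RoutingRule model and SAMPLE_RULES are constructed, not Webex's own).
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Iterable, Optional


@dataclass
class RoutingRule:
    name: str                              # "Rule name"
    idp: str                               # "Then use this identity provider"
    rule_type: str = "domain"              # "Select a routing type": domain or group
    values: frozenset = field(default_factory=frozenset)  # "If these are your domains/groups"
    active: bool = True                    # only activated rules route users
    is_default: bool = False               # the Default rule cannot be deactivated


def email_domain(email: str) -> str:
    """Lower-cased domain part of an address, or '' if it is not well formed."""
    local, sep, domain = email.rpartition("@")
    return domain.lower() if sep and local and domain else ""


def select_idp(rules: list[RoutingRule], email: str,
               groups: Iterable[str] = ()) -> Optional[str]:
    """Return the IdP a user is sent to. `rules` is in priority order, so the
    first active matching rule wins; the Default rule is the fallback."""
    domain = email_domain(email)
    user_groups = set(groups)
    default_idp = None
    for rule in rules:
        if rule.is_default:
            default_idp = rule.idp         # remembered, used only if nothing matches
            continue
        if not rule.active:
            continue                       # deactivated rules are ignored
        if rule.rule_type == "domain" and domain in {v.lower() for v in rule.values}:
            return rule.idp
        if rule.rule_type == "group" and user_groups & rule.values:
            return rule.idp
    return default_idp


def unroutable_idps(rules: list[RoutingRule], idps: Iterable[str]) -> list[str]:
    """IdPs no user can reach: not the default and without any active rule.
    Deactivating or deleting a rule can leave an IdP in this state, which is
    the sign-in problem the deactivate/delete procedure warns about."""
    reachable = {r.idp for r in rules if r.active or r.is_default}
    return sorted(set(idps) - reachable)


# Constructed sample: an acquired company on its own IdP, a contractor group
# on the Webex IdP, a deactivated legacy rule, and the Default rule.
SAMPLE_RULES = [
    RoutingRule("Acquired company", "okta-acme", values=frozenset({"acme.example"})),
    RoutingRule("Contractors", "webex-idp", "group", frozenset({"contractors"})),
    RoutingRule("Legacy AD FS", "adfs-legacy", values=frozenset({"legacy.example"}),
                active=False),
    RoutingRule("Default rule", "entra-main", is_default=True),
]
```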
1

Sign in to Control Hub.

2

Go to Management > Organization Settings, scroll to Single Sign-On and click Manage SSO and IdPs.

3

Go to the Routing rules tab.

4

Select the routing rule.

5

Choose if you want to Deactivate or Delete the routing rule.

It’s recommended that you have another active routing rule for the IdP. Otherwise, you may run into problems with your SSO login.

The Default rule can’t be deactivated or deleted, but you can modify the routed IdP.

Before you begin

From time to time, you may receive an email notification or see an alert in Control Hub that the IdP certificate is going to expire. Because IdP vendors have their own specific documentation for certificate renewal, we cover what's required in Control Hub, along with generic steps to retrieve updated IdP metadata and upload it to Control Hub to renew the certificate.

This is only applicable to the SAML configuration.

1

Sign in to Control Hub.

2

Go to Management > Organization Settings, scroll to Single Sign-On and click Manage SSO and IdPs.

3

Go to the Identity provider tab.

4

Go to the IdP, click Upload and select Upload IdP metadata.

To download the metadata file, click Download and select Download IdP metadata.

5

Navigate to your IdP management interface to retrieve the new metadata file.

6

Return to Control Hub and drag and drop your IdP metadata file into the upload area or click Choose a file to upload the metadata.

7

Choose Less secure (self-signed) or More secure (signed by a public CA), depending on how your IdP metadata is signed and click Save.

8

Configure the Just In Time (JIT) settings and SAML mapping response.

Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.

9

Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

10

Click Save.

Before you begin

It is recommended that you update all your IdPs in your organization when renewing your SP certificate.

This is only applicable to the SAML configuration.

1

Sign in to Control Hub.

2

Go to Management > Organization Settings, scroll to Single Sign-On and click Manage SSO and IdPs.

3

Go to the Identity provider tab.

4

Go to the IdP and click More menu.

5

Click Review certificates and expiry date.

This takes you to the Service Provider (SP) certificates window.

6

Click Renew certificate.

7

Choose the type of IdP in your organization:

  • An IdP that supports multiple certificates
  • An IdP that supports a single certificate

8

Choose the certificate type for the renewal:

  • Self-signed by Cisco—We recommend this choice. Let us sign the certificate so you only need to renew it once every five years.
  • Signed by a public certificate authority—More secure but you'll need to frequently update the metadata (unless your IdP vendor supports trust anchors).
Trust anchors are public keys that act as an authority to verify a digital signature's certificate. For more information, refer to your IdP documentation.

9

Click Download metadata or Download certificate to download a copy of the updated metadata file or certificate from the Webex cloud.

10

Navigate to your IdP management interface to upload the new Webex metadata file or certificate.

This step may be done through a browser tab, remote desktop protocol (RDP), or through specific cloud provider support, depending on your IdP setup and whether you or a separate IdP admin are responsible for this step.

For more information, see our SSO integration guides or contact your IdP admin for support. If you're on Active Directory Federation Services (AD FS), see how to update Webex metadata in AD FS.

11

Return to the Control Hub interface and click Next.

12

Select Successfully updated all the IdPs and click Next.

This uploads the SP metadata file or certificate to all IdPs in your organization.

13

Click Finish renewal.

Before you begin

1

Sign in to Control Hub.

2

Go to Management > Organization Settings, scroll to Single Sign-On and click Manage SSO and IdPs.

3

Go to the Identity provider tab.

4

Go to the IdP and click More menu.

5

Select Test IdP.

6

Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

7

Return to the Control Hub browser tab.

  • If the test was successful, select Successful test. Activate SSO and IdP and click Save.
  • If the test was unsuccessful, select Unsuccessful test. Go back to previous steps to fix errors.

The SSO configuration does not take effect in your organization unless you choose the first radio button and activate SSO.

Before you begin

Ensure that the following preconditions are met:

  • SSO is already configured.

  • The domains have already been verified.

  • The domains are claimed and turned on. This feature ensures users from your domain are created and updated once each time they authenticate with your IdP.

  • If DirSync or Azure AD is enabled, then SAML JIT create or update won’t work.

  • "Block user profile update" is enabled. SAML Update Mapping is allowed because this configuration controls the user’s ability to edit the attributes. Admin-controlled methods of creation and update are still supported.

When setting up SAML JIT with Azure AD or an IdP where the email isn’t a permanent identifier, we recommend you use the externalId linking attribute to map to a Unique Identifier. If we find that the email doesn’t match the linking attribute, the user is prompted to verify their identity or create a new user with the correct email address.

Newly created users won't automatically get assigned licenses unless the organization has an automatic license template set up.

1

Sign in to Control Hub.

2

Go to Management > Organization Settings, scroll to Single Sign-On and click Manage SSO and IdPs.

3

Go to the Identity provider tab.

4

Go to the IdP and click More menu.

5

Select Edit SAML mapping.

6

Configure Just-in-Time (JIT) settings.

  • Create or activate user: if no active user is found, then Webex Identity creates the user and updates the attributes after the user has authenticated with the IdP.
  • Update user with SAML attributes: if a user with the email address is found, then Webex Identity updates the user with the attributes mapped in the SAML Assertion.

Confirm users can sign in with a different, unidentifiable email address.

7

Configure SAML mapping required attributes.

Table 1. Required attributes

| Webex Identity attribute name | SAML attribute name | Attribute description |
| --- | --- | --- |
| Username / Primary email address | Example: uid | Map the UID attribute to the provisioned user's email, upn, or edupersonprincipalname. |

8

Configure the Linking attributes.

This should be unique to the user. It is used to look up a user so that Webex can update all profile attributes, including email, for that user.

Table 2. Linking attributes

| Webex Identity attribute name | SAML attribute name | Attribute description |
| --- | --- | --- |
| externalId | Example: user.objectid | Identifies this user among other individual profiles. This is necessary when mapping between directories or changing other profile attributes. |
| employeenumber | Example: user.employeeid | The user's employee number, or an identification number within their HR system. Note that this isn't for externalid, because you can reuse or recycle employeenumber for other users. |
| Extension Attribute 1 | Example: user.extensionattribute1 | Map these custom attributes to extended attributes in Active Directory, Azure, or your directory, for tracking codes. |
| Extension Attribute 2 | Example: user.extensionattribute2 | |
| Extension Attribute 3 | Example: user.extensionattribute3 | |
| Extension Attribute 4 | Example: user.extensionattribute4 | |
| Extension Attribute 5 | Example: user.extensionattribute5 | |

9

Configure Profile attributes.

Table 3. Profile attributes

| Webex Identity attribute name | SAML attribute name | Attribute description |
| --- | --- | --- |
| externalId | Example: user.objectid | Identifies this user among other individual profiles. This is necessary when mapping between directories or changing other profile attributes. |
| employeenumber | Example: user.employeeid | The user's employee number, or an identification number within their HR system. Note that this isn't for "externalid," because you can reuse or recycle "employeenumber" for other users. |
| preferredLanguage | Example: user.preferredlanguage | The user's preferred language. |
| locale | Example: user.locale | The user's primary work location. |
| timezone | Example: user.timezone | The user's primary time zone. |
| displayName | Example: user.displayname | The user's display name in Webex. |
| name.givenName | Example: user.givenname | The user's first name. |
| name.familyName | Example: user.surname | The user's last name. |
| addresses.streetAddress | Example: user.streetaddress | The street address of their primary work location. |
| addresses.state | Example: user.state | The state of their primary work location. |
| addresses.region | Example: user.region | The region of their primary work location. |
| addresses.postalCode | Example: user.postalcode | The zip code of their primary work location. |
| addresses.country | Example: user.country | The country of their primary work location. |
| phoneNumbers.work | Example: work phonenumber | The work phone number of their primary work location. Use the international E.164 format only (15 digits maximum). |
| phoneNumbers.extension | Example: mobile phonenumber | The work extension of their primary work phone number. Use the international E.164 format only (15 digits maximum). |
| pronoun | Example: user.pronoun | The user's pronouns. This is an optional attribute; the admin and the user control whether it is visible on the profile. |
| title | Example: user.jobtitle | The user's job title. |
| department | Example: user.department | The user's job department or team. |
| manager | Example: manager | The user's manager or their team lead. |
| costcenter | Example: cost center | The user's cost center. |
| email.alternate1 | Example: user.mailnickname | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid. |
| email.alternate2 | Example: user.primaryauthoritativemail | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid. |
| email.alternate3 | Example: user.alternativeauthoritativemail | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid. |
| email.alternate4 | Example: user.othermail | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid. |
| email.alternate5 | Example: user.othermail | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid. |

10

Configure Extension attributes.

Map these attributes to extended attributes in Active Directory, Azure, or your directory, for tracking codes.

Table 4. Extension attributes

| Webex Identity attribute name | SAML attribute name |
| --- | --- |
| Extension Attribute 1 | Example: user.extensionattribute1 |
| Extension Attribute 2 | Example: user.extensionattribute2 |
| Extension Attribute 3 | Example: user.extensionattribute3 |
| Extension Attribute 4 | Example: user.extensionattribute4 |
| Extension Attribute 5 | Example: user.extensionattribute5 |
| Extension Attribute 6 | Example: user.extensionattribute6 |
| Extension Attribute 7 | Example: user.extensionattribute7 |
| Extension Attribute 8 | Example: user.extensionattribute8 |
| Extension Attribute 9 | Example: user.extensionattribute9 |
| Extension Attribute 10 | Example: user.extensionattribute10 |

11

Configure Group attributes.

  1. Create a group in Control Hub and note the Webex group ID.
  2. Go to your user directory or IdP and set up an attribute for users who will be assigned to the Webex group ID.
  3. Update your IdP's configuration to include a claim that carries this attribute name along with the Webex Group ID (e.g. c65f7d85-b691-42b8-a20b-12345xxxx). You can also use the External ID for managing changes to group names or for future integration scenarios. For example, syncing with Azure AD or implementing SCIM group synchronization.
  4. Specify the exact name of the attribute that will be sent in the SAML Assertion with the group ID. This is used to add the user to a group.
  5. Specify the exact name of the external ID of the group object if you are using a group from your directory to send members in the SAML Assertion.

If user A is associated with groupID 1234 and user B with groupID 4567, they are assigned to separate groups. This scenario indicates that a single attribute allows users to associate with multiple group IDs. While this is uncommon, it is possible and can be considered as an additive change. For example, if user A initially signs in using groupID 1234, they become a member of the corresponding group. If user A later signs in using groupID 4567, they are also added to this second group.

SAML JIT provisioning does not support the removal of users from groups or any deletion of users.

Table 5. Group attributes

| Webex Identity attribute name | SAML attribute name | Attribute description |
| --- | --- | --- |
| groupId | Example: groupId | Map group attributes from the IdP to Webex Identity group attributes, so that the user is mapped to a group for licensing or settings. |
| groupexternalId | Example: groupexternalId | Map group attributes from the IdP to Webex Identity group attributes, so that the user is mapped to a group for licensing or settings. |

For a list of SAML assertion attributes for Webex Meetings, see https://help.webex.com/article/WBX67566.
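
The JIT settings in step 6 and the group-attribute behavior in step 11 (additive membership, no removals) read more clearly as code. The Python below is an added illustration, not Webex Identity code: the in-memory user store, the assertion contents, the attribute subset and the outcome names are constructed assumptions; the attribute names themselves follow the tables above.

```python
# SAML JIT create-or-update, following the semantics this section gives
# (added example, not Webex Identity code; the user store, the assertions
# and the outcome names are constructed assumptions).
from __future__ import annotations
import re

E164 = re.compile(r"^\+[1-9]\d{1,14}$")   # '+' followed by at most 15 digits
PROFILE_ATTRS = ("displayName", "name.givenName", "name.familyName",
                 "title", "department", "preferredLanguage")
PHONE_ATTRS = ("phoneNumbers.work", "phoneNumbers.extension")


def find_user(users: list[dict], assertion: dict, link_attr: str):
    """Linking attribute first (it survives an email change), then email."""
    link = assertion.get(link_attr)
    if link:
        for u in users:
            if u.get(link_attr) == link:
                return u, "link"
    email = assertion["uid"].lower()
    for u in users:
        if u["email"].lower() == email:
            return u, "email"
    return None, None


def apply_attributes(user: dict, assertion: dict) -> list[str]:
    """Copy the mapped attributes onto the user; returns warnings."""
    warnings = []
    for attr in PROFILE_ATTRS:
        if attr in assertion:
            user[attr] = assertion[attr]
    for attr in PHONE_ATTRS:
        value = assertion.get(attr)
        if value is not None and not E164.match(value):
            warnings.append(f"{attr} {value!r} is not E.164, ignored")
        elif value is not None:
            user[attr] = value
    # groupId is additive: a sign-in may add memberships but never removes one
    groups = assertion.get("groupId", ())
    groups = [groups] if isinstance(groups, str) else groups
    user["groups"] = set(user.get("groups", ())) | set(groups)
    return warnings


def jit_provision(users: list[dict], assertion: dict, create: bool = True,
                  update: bool = True, link_attr: str = "externalId"):
    """Apply one authenticated assertion. Returns (outcome, user, warnings);
    outcome is created, activated, updated, signed_in, verify_identity or rejected."""
    email = assertion["uid"].lower()
    user, how = find_user(users, assertion, link_attr)
    if user is None:
        if not create:
            return "rejected", None, ["JIT create is off and no user matched"]
        user = {"email": email, link_attr: assertion.get(link_attr),
                "active": True, "groups": set()}
        users.append(user)
        return "created", user, apply_attributes(user, assertion)
    if how == "link" and user["email"].lower() != email:
        # linking attribute matched but the email did not: per the article the
        # user is prompted to verify their identity rather than silently updated
        return "verify_identity", user, []
    if not user["active"]:
        if not create:
            return "rejected", user, ["JIT activate is off"]
        user["active"] = True
        return "activated", user, apply_attributes(user, assertion)
    if not update:
        return "signed_in", user, []
    return "updated", user, apply_attributes(user, assertion)


def run_scenario() -> dict:
    """Constructed walk-through; returns the outcomes so they can be checked."""
    users = [{"email": "alice@acme.example", "externalId": "obj-1",
              "active": True, "groups": {"g-1"}}]
    o1, bob, w1 = jit_provision(users, {"uid": "Bob@acme.example", "externalId": "obj-2",
                                         "displayName": "Bob", "groupId": ["g-2"],
                                         "phoneNumbers.work": "+14155550100"})
    o2, alice, w2 = jit_provision(users, {"uid": "alice@acme.example", "externalId": "obj-1",
                                           "groupId": "g-2", "phoneNumbers.work": "4155550100"})
    o3, _, _ = jit_provision(users, {"uid": "alice.new@acme.example", "externalId": "obj-1"})
    o4, _, _ = jit_provision(users, {"uid": "carol@acme.example"}, create=False)
    return {"bob": o1, "bob_groups": bob["groups"], "bob_warnings": w1,
            "alice": o2, "alice_groups": alice["groups"], "alice_warnings": w2,
            "email_changed": o3, "unknown_no_create": o4, "count": len(users)}
```

Note that alice keeps g-1 after signing in with only g-2, and the non-E.164 phone number is reported rather than stored.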

Before you begin

It's recommended that you first deactivate or delete the IdP’s routing rules before deleting the IdP.

1

Sign in to Control Hub.

2

Go to Management > Organization Settings, scroll to Single Sign-On and click Manage SSO and IdPs.

3

Go to the Identity provider tab.

4

Go to the IdP and click More menu.

5

Select Delete.

1

Sign in to Control Hub.

2

Go to Management > Organization Settings, scroll to Single Sign-On and click Manage SSO and IdPs.

3

Go to the Identity provider tab.

4

Click Deactivate SSO.

Confirm SSO deactivation.

Once confirmed, SSO is deactivated for all IdPs in your organization.

You'll receive alerts in Control Hub before certificates are set to expire, but you can also proactively set up alert rules. These rules let you know in advance that your SP or IdP certificates are going to expire. We can send these to you through email, a space in the Webex App, or both.

Regardless of the delivery channel configured, all alerts always appear in Control Hub. See Alerts center in Control Hub for more information.

1

Sign in to Control Hub.

2

Go to Alerts center.

3

Choose Manage then All rules.

4

From the Rules list, choose any of the SSO rules that you'd like to create:

  • SSO IDP Certificate expiry
  • SSO SP Certificate expiry

5

In the Delivery channel section, check the box for Email, Webex space, or both.

If you choose Email, enter the email address that should receive the notification.

If you choose the Webex space option, you're automatically added to a space inside of the Webex App and we deliver the notifications there.

6

Save your changes.

What to do next

We send certificate expiry alerts once every 15 days, starting 60 days before expiry. (You can expect alerts on day 60, 45, 30, and 15.) Alerts stop when you renew the certificate.

If you run into problems with your SSO login, you can use the SSO self recovery option to get access to your Webex organization managed in Control Hub. The self recovery option allows you to update or disable SSO in Control Hub.