SSO with multiple IdPs in Webex
Single sign-on (SSO) enables users to sign in to Webex securely by authenticating to your organization's common identity provider. An identity provider (IdP) securely stores and manages your users’ digital identities and provides the user authentication service for your Webex users.
Why you might need multiple IdPs
Many big companies undergo mergers and acquisitions, and these companies rarely have the same IT infrastructure and identity providers. Government institutions have various organizations and agencies under them. Often, these organizations have a single email address for their own IT departments and infrastructure, respectively. Major educational institutions have a central purchasing department, but different universities and colleges with different IT organizations and departments.
It’s common to see IdPs and service providers (SPs) federate with each other. The IdP is responsible for authenticating your users’ credentials and the SP trusts the authentication made by the IdP. This allows your users to access various SaaS applications and services using the same digital identity. But, if for some reason your organization can’t federate between the IdPs, then Webex provides a workaround to support multiple IdPs. For these reasons, we’re giving you the option to configure SSO for multiple IdPs in Webex and simplify your users’ authentication process.
Limitations
- This feature is only available if you have purchased Webex Extended Security Pack.
- All users must be provisioned with Directory Connector if you're using Directory Connector in your organization. Refer to the Directory Connector deployment guide for more information.
- We currently support only SAML, OpenID Connect, and Webex Identity as identity providers.
Out of scope
- Configure group assignments.
- Domain verification. Refer to Manage your domains for more information.
- User provisioning. Refer to Ways to add users to your Control Hub organization for more information.
This section covers how you can integrate your identity providers (IdP) with your Webex organization. You can choose the IdPs that best fit your organization's requirements.
If you're looking for SSO integration of a Webex Meetings site (managed in Site Administration), then refer to Configure Single Sign-On for Webex Administration.
Before you begin
Ensure that the following conditions are met:
- You must have Webex Extended Security Pack to configure SSO with multiple IdPs in Control Hub.
- You must have a Full Admin role in Control Hub.
- A metadata file from the IdP to give to Webex and a metadata file from Webex, to give to the IdP. For more information, refer to Single Sign-On Integration in Control Hub. This is only applicable to the SAML configuration.
- You should plan your routing rules behavior before setting up multiple IdPs.
1 |
Sign in to Control Hub. |
2 |
Go to Single Sign-On and click Manage SSO and IdPs to start the configuration wizard. , scroll to |
3 |
Select SAML as your IdP and click Next. |
4 |
Choose the certificate type:
Trust anchors are public keys that act as an authority to verify a digital signature's certificate. For more information, refer to your IdP documentation. |
5 |
Click Download metadata and click Next. The Webex App metadata filename is idb-meta-<org-ID>-SP.xml. |
6 |
Upload your IdPs metadata file or fill out the configuration form. When uploading the metadata file, there are two ways to validate the metadata from the Customer IdP:
Click Next. |
7 |
(Optional) You can change the name of the SAML attribute for Webex Username or Primary email address from |
8 |
(Optional) Configure the Just In Time (JIT) settings and SAML mapping response. Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this
article.
|
9 |
Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in. Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step. If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again. A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup. To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration. |
10 |
Return to the Control Hub browser tab.
The SSO configuration does not take effect in your organization unless you choose
the first radio button and activate SSO. |
What to do next
You can set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article.
You can follow the procedure in Suppress Automated Emails to disable emails sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.
1 |
Sign in to Control Hub. |
2 |
Go to Single Sign-On and click Manage SSO and IdPs to start the configuration wizard. , scroll to |
3 |
Select OpenID Connect as your IdP and click Next. |
4 |
Enter your IdP information.
|
5 |
Choose how to add endpoints. This can be done automatically or manually.
|
6 |
(Optional) Configure the Just In Time (JIT) settings. Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this
article.
|
7 |
Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in. Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step. If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again. A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup. To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration. |
8 |
Return to the Control Hub browser tab.
The SSO configuration doesn’t take effect in your organization unless you choose
the first radio button and activate SSO. |
What to do next
You can set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article.
You can follow the procedure in Suppress Automated Emails to disable emails sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.
1 |
Sign in to Control Hub. |
2 |
Go to Single Sign-On and click Manage SSO and IdPs to start the configuration wizard. , scroll to |
3 |
Select Webex as your IdP and click Next. |
4 |
Check I've read and understood how Webex IdP works and click Next. |
5 |
Set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article. |
Once you've added a routing rule, your IdP is added and is shown under the Identity provider tab.
What to do next
You can follow the procedure in Suppress Automated Emails to disable emails that are sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.
Routing rules are applicable when setting up more than one IdP. Routing rules enable Webex to identify which IdP to send your users to when you have configured multiple IdPs.
When setting up more than one IdP, you can define your routing rules in the SSO configuration wizard. If you skip the routing rule step, then Control Hub adds the IdP but doesn’t activate the IdP. You must add a routing rule to activate the IdP.
1 |
Sign in to Control Hub. |
2 |
Go to Single Sign-On and click Manage SSO and IdPs. , scroll to |
3 |
Go to the Routing rules tab. When configuring your first IdP, the routing rule is automatically added and is set as the Default rule. You can choose another IdP to set as the default rule later. |
4 |
Click Add new routing rule. |
5 |
Enter the details for a new rule:
|
6 |
Click Add. |
7 |
Select the new routing rule and click Activate. |
1 |
Sign in to Control Hub. |
2 |
Go to Single Sign-On and click Manage SSO and IdPs. , scroll to |
3 |
Go to the Routing rules tab. |
4 |
Select the routing rule. |
5 |
Choose if you want to Deactivate or Delete the routing rule. It’s recommended that you have another active routing rule for the IdP. Otherwise, you may run into problems with your SSO login. |
Before you begin
From time to time, you may receive an email notification or see an alert in Control Hub that the IdP certificate is going to expire. Because IdP vendors have their own specific documentation for certificate renewal, we cover what's required in Control Hub, along with generic steps to retrieve updated IdP metadata and upload it to Control Hub to renew the certificate.
This is only applicable to the SAML configuration.
1 |
Sign in to Control Hub. |
2 |
Go to Single Sign-On and click Manage SSO and IdPs. , scroll to |
3 |
Go to the Identity provider tab. |
4 |
Go to the IdP, click and select Upload Idp metadata. To download the metadata file, click and select Download Idp metadata.
|
5 |
Navigate to your IdP management interface to retrieve the new metadata file. |
6 |
Return to Control Hub and drag and drop your IdP metadata file into the upload area or click Choose a file to upload the metadata. |
7 |
Choose Less secure (self-signed) or More secure (signed by a public CA), depending on how your IdP metadata is signed and click Save. |
8 |
Configure the Just In Time (JIT) settings and SAML mapping response. Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this
article.
|
9 |
Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in. Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step. If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again. A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup. To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration. |
10 |
Click Save. |
Before you begin
It is recommended that you update all your IdPs in your organization when renewing your SP certificate.
This is only applicable to the SAML configuration.
1 |
Sign in to Control Hub. |
2 |
Go to Single Sign-On and click Manage SSO and IdPs. , scroll to |
3 |
Go to the Identity provider tab. |
4 |
Go to the IdP and click . |
5 |
Click Review certificates and expiry date. This take you to the Service Provider (SP) certificates
window.
|
6 |
Click Renew certificate. |
7 |
Choose the type of IdP in your organization:
|
8 |
Choose the certificate type for the renewal:
Trust anchors are public keys that act as an authority to verify a digital
signature's certificate. For more information, refer to your IdP documentation. |
9 |
Click Download metadata or Download certificate to download a copy of the updated metadata file or certificate from the Webex cloud. |
10 |
Navigate to your IdP management interface to upload the new Webex metadata file or certificate. This step may be done through a browser tab, remote desktop protocol (RDP), or through specific cloud provider support, depending on your IdP setup and whether you or a separate IdP admin are responsible for this step. For more information, see our SSO integration guides or contact your IdP admin for support. If you're on Active Directory Federation Services (AD FS), you can see how to update Webex Metadata in AD FS |
11 |
Return to the Control Hub interface and click Next. |
12 |
Select Successfully updated all the IdPs and click Next. This uploads the SP metadata file or certificate to all IdPs in your organization. |
13 |
Click Finish renewal. |
Before you begin
1 |
Sign in to Control Hub. |
2 |
Go to Single Sign-On and click Manage SSO and IdPs. , scroll to |
3 |
Go to the Identity provider tab. |
4 |
Go to the IdP and click . |
5 |
Select Test IdP. |
6 |
Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in. If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again. A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup. To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration. |
7 |
Return to the Control Hub browser tab.
The SSO configuration does not take effect in your organization unless you choose
first radio button and activate SSO. |
Before you begin
Ensure that the following preconditions are met:
-
SSO is already configured.
-
The domains have already been verified.
-
The domains are claimed and turned on. This feature ensures users from your domain are created and updated once each time they authenticate with your IdP.
-
If DirSync or Azure AD are enabled, then SAML JIT create or update won’t work.
-
"Block user profile update" is enabled. SAML Update Mapping is allowed because this configuration controls the user’s ability to edit the attributes. Admin-controlled methods of creation and update are still supported.
When setting up SAML JIT with Azure AD or an IdP where the email isn’t a permanent
identifier, we recommend you use the externalId
linking attribute to map
to a Unique Identifier. If we find that the email doesn’t match the linking attribute, the
user is prompted to verify their identity or create a new user with the correct email
address.
Newly created users won't automatically get assigned licenses unless the organization has an automatic license template set up.
1 |
Sign in to Control Hub. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
2 |
Go to Single Sign-On and click Manage SSO and IdPs. , scroll to | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
3 |
Go to the Identity provider tab. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
4 |
Go to the IdP and click . | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
5 |
Select Edit SAML mapping. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
6 |
Configure Just-in-Time (JIT) settings.
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
7 |
Configure SAML mapping required attributes.
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
8 |
Configure the Linking attributes. This should be unique to the user. It is used to lookup a user so that Webex can
update all profile attributes, including email for a user.
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
9 |
Configure Profile attributes.
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
10 |
Configure Extension attributes. Map these attributes to extended attributes in Active Directory, Azure, or your
directory, for tracking codes.
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
11 |
Configure Group attributes.
If user A is associated with SAML JIT provisioning does not support the removal of users from groups or any deletion of users.
For a list of SAML assertion attributes for Webex Meetings, see https://help.webex.com/article/WBX67566. |
Before you begin
1 |
Sign in to Control Hub. |
2 |
Go to Single Sign-On and click Manage SSO and IdPs. , scroll to |
3 |
Go to the Identity provider tab. |
4 |
Go to the IdP and click . |
5 |
Select Delete. |
1 |
Sign in to Control Hub. |
2 |
Go to Single Sign-On and click Manage SSO and IdPs. , scroll to |
3 |
Go to the Identity provider tab. |
4 |
Click Deactivate SSO. Confirm SSO deactivation. |
Once confirmed, SSO is deactivated for all IdPs in your organization.
You'll receive alerts in Control Hub before certificates are set to expire, but you can also proactively set up alert rules. These rules let you know in advance that your SP or IdP certificates are going to expire. We can send these to you through email, a space in the Webex App, or both.
Regardless of the delivery channel configured, all alerts always appear in Control Hub. See Alerts center in Control Hub for more information.
1 |
Sign in to Control Hub. |
2 |
Go to Alerts center. |
3 |
Choose Manage then All rules. |
4 |
From the Rules list, choose any of the SSO rules that you'd like to create:
|
5 |
In the Delivery channel section, check the box for Email, Webex space, or both. If you choose Email, enter the email address that should receive the notification. If you choose the Webex space option, you're automatically added to a space inside of the Webex App and we deliver the notifications there. |
6 |
Save your changes. |
What to do next
We send certificate expiry alerts once every 15 days, starting 60 days before expiry. (You can expect alerts on day 60, 45, 30, and 15.) Alerts stop when you renew the certificate.
If you run into problems with your SSO login, you can use the SSO self recovery option to get access to your Webex organization managed in Control Hub. The self recovery option allows you to update or disable SSO in Control Hub.