Modify Single sign-on authentication in Control Hub

Before you begin

Ensure that the following preconditions are met:

  • SSO is already configured. For information on using the SSO configuration wizard, see the section "SSO Setup" here: https://help.webex.com/article/lfu88u/.

  • The domains have already been verified.

  • The domains are claimed and turned on. This feature ensures that users from your domain are created and updated once each time they authenticate with your IDP.

  • If DirSync or Azure AD is enabled, SAML JIT create or update will not work.

  • "Block user profile update" is enabled. SAML Update Mapping is allowed because this configuration controls the user’s ability to edit the attributes. Admin-controlled methods of creation and update are still supported.


 

Newly created users won't automatically get assigned licenses unless the organization has an automatic license template set up.

1. From the customer view in https://admin.webex.com, go to Management > Organization Settings, and then scroll to Authentication.

2. Confirm that the Modify your organization's SSO authentication switch is toggled on and that the SSO setup wizard has been completed. If not, follow the instructions in the section "SSO Setup" at https://help.webex.com/article/lfu88u/; otherwise, go to the next step.

3. Select Actions to expand the next section.


 

Take the value to enter in SAML Attribute Name from the <saml attribute name: “displayname”> element, as in the sample SAML Assertion that follows:

[Figure: Mapping SAML attributes from the SAML assertion]

In the example above, you would enter firstname as the SAML attribute name for the attribute you want to map, which in most cases would be the Webex Identity attribute name.givenName. When this SAML Assertion is presented, the user's givenName has the value “Paulo Jorge”.


 

You can also find the attribute names in the Metadata Export from the IDP.
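To check a mapping before entering it, the following added example (not part of the original article) reads the attribute names out of an assertion and compares them with a SAML response map, including the E.164 rule for phone numbers. The sample assertion, the MAPPING values, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
E164 = re.compile(r"^\+[1-9]\d{1,14}$")  # "+" and at most 15 digits

# Constructed sample assertion (illustrative; not from the original page).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="uid">
   <saml:AttributeValue>pjorge@example.com</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="firstname">
   <saml:AttributeValue>Paulo Jorge</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="workphone">
   <saml:AttributeValue>0408 555 0100</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical SAML response map: Webex Identity attribute -> SAML attribute name.
MAPPING = {
    "Username / Primary email address": "uid",
    "name.givenName": "firstname",
    "name.familyName": "lastname",
    "phoneNumbers.work": "workphone",
}

def assertion_attributes(xml_text):
    """Return {SAML attribute Name: [values]}. Reads only; no signature check."""
    root = ET.fromstring(xml_text)
    return {
        attr.get("Name"): [v.text or "" for v in attr.iter(SAML + "AttributeValue")]
        for attr in root.iter(SAML + "Attribute")
    }

def check_mapping(mapping, attrs):
    """List mapped attributes that are missing from the assertion or malformed."""
    problems = []
    for webex_name, saml_name in mapping.items():
        values = attrs.get(saml_name)
        if not values:
            problems.append(f"{webex_name}: '{saml_name}' not in assertion")
        elif webex_name.startswith("phoneNumbers.") and not E164.match(values[0]):
            problems.append(f"{webex_name}: '{values[0]}' is not E.164")
    return problems

if __name__ == "__main__":
    print(check_mapping(MAPPING, assertion_attributes(SAMPLE)))
```

Run it against a test assertion captured from your own IDP; it does not validate the assertion's signature, so it is a mapping check only.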

1. Select Configure SAML mapping to open the SAML response map.

2. Set the required attributes.

Table 1. Required attributes

| Webex Identity attribute name | SAML attribute name | Attribute description |
|---|---|---|
| Username / Primary email address | Example: uid | Map the UID attribute to the provisioned user's email, upn, or edupersonprincipalname. |

3. Set the profile attributes.

Table 2. Profile attributes

| Webex Identity attribute name | SAML attribute name | Attribute description |
|---|---|---|
| externalId | Example: user.objectid | Distinguishes this user from other individual profiles. This is necessary when mapping between directories or changing other profile attributes. |
| employeenumber | Example: user.employeeid | This user's employee number, or an identification number within their HR system. Note that this isn't for "externalid," because you can re-use or recycle "employeenumber" for other users. |
| preferredLanguage | Example: user.preferredlanguage | The user's preferred language. |
| locale | Example: user.locale | The user's primary work location. |
| timezone | Example: user.timezone | The user's primary time zone. |
| displayName | Example: user.displayname | The user's display name in Webex. |
| name.givenName | Example: user.givenname | The user's first name. |
| name.familyName | Example: user.surname | The user's last name. |
| addresses.streetAddress | Example: user.streetaddress | The street address of their primary work location. |
| addresses.state | Example: user.state | The state of their primary work location. |
| addresses.region | Example: user.region | The region of their primary work location. |
| addresses.postalCode | Example: user.postalcode | The zip code of their primary work location. |
| addresses.country | Example: user.country | The country of their primary work location. |
| phoneNumbers.work | Example: work phonenumber | The work phone number of their primary work location. Use the international E.164 format only (15 digits maximum). |
| phoneNumbers.extension | Example: mobile phonenumber | The work extension of their primary work phone number. Use the international E.164 format only (15 digits maximum). |
| pronoun | Example: user.pronoun | The user's pronouns. This is an optional attribute, and the user or admin can make it visible on their profile. |
| title | Example: user.jobtitle | The user's job title. |
| department | Example: user.department | The user's job department or team. |
| manager | Example: manager | The user's manager or their team lead. |
| costcenter | Example: cost center | This is the last name of the user, also known as surname or familyname. |
| email.alternate1 | Example: user.mailnickname | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid. |
| email.alternate2 | Example: user.primaryauthoritativemail | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid. |
| email.alternate3 | Example: user.alternativeauthoritativemail | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid. |
| email.alternate4 | Example: user.othermail | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid. |
| email.alternate5 | Example: user.othermail | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid. |

4. Set the extension attributes. Map these attributes to extended attributes in Active Directory, Azure, or your directory, for tracking codes.

Table 3. Extension attributes

| Webex Identity attribute name | SAML attribute name |
|---|---|
| Extension Attribute 1 | Example: user.extensionattribute1 |
| Extension Attribute 2 | Example: user.extensionattribute2 |
| Extension Attribute 3 | Example: user.extensionattribute3 |
| Extension Attribute 4 | Example: user.extensionattribute4 |
| Extension Attribute 5 | Example: user.extensionattribute5 |
| Extension Attribute 6 | Example: user.extensionattribute6 |
| Extension Attribute 7 | Example: user.extensionattribute7 |
| Extension Attribute 8 | Example: user.extensionattribute8 |
| Extension Attribute 9 | Example: user.extensionattribute9 |
| Extension Attribute 10 | Example: user.extensionattribute10 |

For a list of SAML assertion attributes for Webex Meetings, see https://help.webex.com/article/WBX67566.

1. From the customer view in https://admin.webex.com, go to Management > Organization Settings, and then scroll to Authentication.

2. Select Actions to view the just in time settings.

3. Configure the just in time settings:

  • Create or activate user: if no active user is found, then Webex Identity creates the user and updates the attributes after the user has authenticated with the IDP.

  • Update user with SAML attributes: if a user with the email address is found, then Webex Identity updates the user with the attributes mapped in the SAML Assertion.

4. Confirm that users can log in with a different, unidentifiable email address.