Modify Single sign-on authentication in Control Hub

Before you begin

Ensure that the following preconditions are met:

  • SSO is already configured. For information on using the SSO configuration wizard, see the section "SSO Setup" here: https://help.webex.com/article/lfu88u/.

  • The domains have already been verified.

  • The domains are claimed and turned on. This feature ensures users from your domain are created and updated once each time they authenticate with your IdP.

  • If DirSync or Azure AD is enabled, SAML JIT create or update will not work.

  • "Block user profile update" is enabled. SAML Update Mapping is allowed because this configuration controls the user’s ability to edit the attributes. Admin-controlled methods of creation and update are still supported.

Newly created users won't automatically get assigned licenses unless the organization has an automatic license template set up.

1. From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication and click Manage SSO and IdPs.

2. Go to the Identity provider tab.

3. Go to the IdP and click .

4. Select Edit SAML mapping.

5. Configure Just-In-Time (JIT) settings.

  1. Create or activate user: if no active user is found, Webex Identity creates the user and updates the attributes after the user has authenticated with the IdP.

  2. Update user with SAML attributes: if a user with the email address is found, Webex Identity updates the user with the attributes mapped in the SAML assertion.

  3. Confirm that users can sign in with a different, unidentifiable email address.

6. Configure SAML mapping.

  1. Set the required attributes.

    Table 1. Required attributes

    Webex Identity attribute name    | SAML attribute name | Attribute description
    ---------------------------------|---------------------|----------------------
    Username / Primary email address | Example: uid        | Map the UID attribute to the provisioned user's email, upn, or edupersonprincipalname.

  2. Set the linking attributes. A linking attribute should be unique to the user. It is used to look up a user so that Webex can update all profile attributes for that user, including the email address.

    Table 2. Linking attributes

    Webex Identity attribute name | SAML attribute name               | Attribute description
    ------------------------------|-----------------------------------|----------------------
    externalId                    | Example: user.objectid            | Identifies this user among other individual profiles. This is necessary when mapping between directories or changing other profile attributes.
    employeenumber                | Example: user.employeeid          | The user's employee number, or an identification number within their HR system. Note that this is not a substitute for externalId, because employeenumber can be reused or recycled for other users.
    Extension Attribute 1         | Example: user.extensionattribute1 | Map these custom attributes to extended attributes in Active Directory, Azure, or your directory, for tracking codes.
    Extension Attribute 2         | Example: user.extensionattribute2 | As for Extension Attribute 1.
    Extension Attribute 3         | Example: user.extensionattribute3 | As for Extension Attribute 1.
    Extension Attribute 4         | Example: user.extensionattribute4 | As for Extension Attribute 1.
    Extension Attribute 5         | Example: user.extensionattribute5 | As for Extension Attribute 1.

  3. Set the profile attributes.

    Table 3. Profile attributes

    Webex Identity attribute name | SAML attribute name                       | Attribute description
    ------------------------------|-------------------------------------------|----------------------
    externalId                    | Example: user.objectid                    | Identifies this user among other individual profiles. This is necessary when mapping between directories or changing other profile attributes.
    employeenumber                | Example: user.employeeid                  | The user's employee number, or an identification number within their HR system. Note that this is not a substitute for externalId, because employeenumber can be reused or recycled for other users.
    preferredLanguage             | Example: user.preferredlanguage           | The user's preferred language.
    locale                        | Example: user.locale                      | The user's primary work location.
    timezone                      | Example: user.timezone                    | The user's primary time zone.
    displayName                   | Example: user.displayname                 | The user's display name in Webex.
    name.givenName                | Example: user.givenname                   | The user's first name.
    name.familyName               | Example: user.surname                     | The user's last name.
    addresses.streetAddress       | Example: user.streetaddress               | The street address of their primary work location.
    addresses.state               | Example: user.state                       | The state of their primary work location.
    addresses.region              | Example: user.region                      | The region of their primary work location.
    addresses.postalCode          | Example: user.postalcode                  | The zip code of their primary work location.
    addresses.country             | Example: user.country                     | The country of their primary work location.
    phoneNumbers.work             | Example: work phonenumber                 | The work phone number of their primary work location. Use the international E.164 format only (15 digits maximum).
    phoneNumbers.extension        | Example: mobile phonenumber               | The work extension of their primary work phone number. Use the international E.164 format only (15 digits maximum).
    pronoun                       | Example: user.pronoun                     | The user's pronouns. This is an optional attribute; the user or admin can make it visible on the profile.
    title                         | Example: user.jobtitle                    | The user's job title.
    department                    | Example: user.department                  | The user's job department or team.
    manager                       | Example: manager                          | The user's manager or their team lead.
    costcenter                    | Example: cost center                      | The user's cost center.
    email.alternate1              | Example: user.mailnickname                | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.
    email.alternate2              | Example: user.primaryauthoritativemail    | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.
    email.alternate3              | Example: user.alternativeauthoritativemail | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.
    email.alternate4              | Example: user.othermail                   | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.
    email.alternate5              | Example: user.othermail                   | An alternative email address for the user. If you want the user to be able to sign in using it, map it to the uid.

  4. Set the extension attributes. Map these attributes to extended attributes in Active Directory, Azure, or your directory, for tracking codes.

    Table 4. Extension attributes

    Webex Identity attribute name | SAML attribute name
    ------------------------------|-----------------------------------
    Extension Attribute 1         | Example: user.extensionattribute1
    Extension Attribute 2         | Example: user.extensionattribute2
    Extension Attribute 3         | Example: user.extensionattribute3
    Extension Attribute 4         | Example: user.extensionattribute4
    Extension Attribute 5         | Example: user.extensionattribute5
    Extension Attribute 6         | Example: user.extensionattribute6
    Extension Attribute 7         | Example: user.extensionattribute7
    Extension Attribute 8         | Example: user.extensionattribute8
    Extension Attribute 9         | Example: user.extensionattribute9
    Extension Attribute 10        | Example: user.extensionattribute10

    For a list of SAML assertion attributes for Webex Meetings, see https://help.webex.com/article/WBX67566.
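The following is an added example, not Webex code, that models the JIT settings from step 5 and the mapping from step 6 against a constructed SAML assertion: it applies a hypothetical mapping table (uid as the required attribute, externalId as the linking attribute, a work phone), looks the user up by the linking attribute before falling back to email, enforces the E.164 rule for phone numbers, and honours the DirSync/Azure AD and create/update toggles. The directory, attribute names and the assertion itself are all constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
E164 = re.compile(r"^\+[1-9]\d{1,14}$")  # international format, 15 digits max
MAPPING = {  # hypothetical mapping in the style of Tables 1-3: Webex -> SAML attribute name
    "uid": "uid",                            # required: username / primary email address
    "externalId": "user.objectid",           # linking attribute, must be unique per user
    "phoneNumbers.work": "work phonenumber",
}
# Constructed sample assertion in which the IdP has changed Alice's email address.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="uid"><saml:AttributeValue>alice.new@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="user.objectid"><saml:AttributeValue>obj-0f3c-1</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="work phonenumber"><saml:AttributeValue>+14085551234</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def mapped_attributes(assertion_xml):
    """Read the AttributeStatement and translate SAML names to Webex attribute names."""
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in ET.fromstring(assertion_xml).findall(".//saml:Attribute", NS)}
    mapped = {w: attrs[s].strip() for w, s in MAPPING.items() if attrs.get(s)}
    if "uid" not in mapped:
        raise ValueError("required uid attribute missing from assertion")
    phone = mapped.get("phoneNumbers.work")
    if phone and not E164.match(phone):
        raise ValueError("phoneNumbers.work must be E.164, 15 digits max: " + phone)
    return mapped

def jit_apply(directory, assertion_xml, create=True, update=True, dirsync=False):
    """Apply JIT to `directory` (list of user dicts, mutated); returns (outcome, user)."""
    if dirsync:  # DirSync or Azure AD enabled: SAML JIT create/update does not apply
        return "skipped", None
    mapped = mapped_attributes(assertion_xml)
    # Match on the linking attribute first, so an IdP-side email change updates the existing profile
    ext = mapped.get("externalId")
    user = next((u for u in directory if ext and u.get("externalId") == ext), None)
    if user is None:
        user = next((u for u in directory if u["uid"].lower() == mapped["uid"].lower()), None)
    if user is None:
        if not create:
            return "noop", None
        user = dict(mapped, active=True)
        directory.append(user)
        return "created", user
    if update:
        user.update(mapped)
    return ("updated" if update else "noop"), user
```

Without the externalId lookup, the renamed user would be created a second time under the new email, which is the duplicate-account problem the linking attribute exists to prevent.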