Manage single sign-on integration in Control Hub

If your organization's certificate usage is set to None but you're still receiving an alert, we recommend that you still proceed with the upgrade. Your SSO deployment is not using the certificate today but you may need the certificate for future changes.

Webex Service Provider (SP) certificate

From time to time, you may receive an email notification or see an alert in Control Hub that the Webex single sign-on (SSO) certificate is going to expire. Follow the process in this article to retrieve the SSO cloud certificate metadata from us (the SP) and add it back to your IdP; otherwise, users won't be able to use Webex services.

If you are using the SAML Cisco (SP) SSO Certificate in your Webex organization, you must plan to update the cloud certificate during a regular scheduled maintenance window as soon as possible.

All services that are part of your Webex organization subscription are affected, including but not limited to:

Webex App (new sign-ins for all platforms: desktop, mobile, and web)
Webex services in Control Hub, including Calling
Webex Meetings sites managed through Control Hub
Cisco Jabber if it's integrated with SSO

Before you begin

Please read all directions before beginning. After you change the certificate or going through the wizard to update the certificate, new users may not be able to sign in successfully.

If your IdP does not support multiple certificates (most IdPs in the market do not support this feature), we recommend that you schedule this upgrade during a maintenance window where Webex App users are not affected. These upgrade tasks should take approximately 30 minutes in operational time and post-event validation.

To check if the SAML Cisco (SP) SSO certificate is going to expire:

You may have received an email or Webex App message from us, but you should check in Control Hub to be certain.
Sign in to https://admin.webex.com, and check your Alerts center. There may be a notification about updating the SSO Service Provider Certificate.
Sign in to https://admin.webex.com, go to Management > Organization Settings > Authentication, and note the certificate status in the Cisco SAML Certificate table (expired or expiring soon). Click Renew certificate to proceed.

You can go directly into the SSO wizard to update the certificate, too. If you decide to exit the wizard before you complete it, you can access it again any time from Management > Organization Settings > Authentication in https://admin.webex.com.

Choose the certificate type for the renewal:

Self-signed by Cisco—We recommend this choice. Let us sign the certificate so you only need to renew it once every five years.
Signed by a public certificate authority—More secure but you'll need to frequently update the metadata (unless your IdP vendor supports trust anchors).

Trust anchors are public keys that act as an authority to verify a digital signature's certificate. For more information, refer to your IdP documentation.

Click Download Metadata File to download a copy of the updated metadata with the new certificate from the Webex cloud. Keep this screen open.

Navigate to your IdP management interface to upload the new Webex metadata file.

This step may be done through a browser tab, remote desktop protocol (RDP), or through specific cloud provider support, depending on your IdP setup and whether you or a separate IdP admin are responsible for this step.
For reference, see our SSO integration guides or contact your IdP admin for support. If on Active Directory Federation Services (AD FS), you can see how to update Webex Metadata in AD FS.

Return to the tab where you signed in to Control Hub and click Next.

Click Test SSO Update to confirm that the new metadata file was uploaded and interpreted correctly by your IdP. Confirm the expected results in the pop-up window, and if the test was successful, click Switch to new metadata.

To see the SSO sign-in experience directly, you can also click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

Result: You're finished and your organization's SAML Cisco (SP) SSO Certificate is now renewed. You can check the certificate status any time by opening the SAML certificate status table under Management > Organization Settings > Authentication.

Identity Provider (IdP) certificate

From time to time, you may receive an email notification or see an alert in Control Hub that the IdP certificate is going to expire. Because IdP vendors have their own specific documentation for certificate renewal, we cover what's required in Control Hub, along with generic steps to retrieve updated IdP metadata and upload it to Control Hub to renew the certificate.

To check if the IdP SAML certificate is going to expire:

You may have received an email or Webex App message from us, but you should check in Control Hub to be certain.
Sign in to https://admin.webex.com, and check your Alerts center. There may be a notification about updating the IdP SAML certificate:
Sign in to https://admin.webex.com, go to Management > Organization Settings > Authentication, and note the certificate status (expired or expiring soon) in the SAML Certificate table. Click Renew certificate to proceed.
You can go directly into the SSO wizard to update the certificate, too. If you decide to exit the wizard before you complete it, you can access it again any time from Management > Organization Settings > Authentication in https://admin.webex.com.

Navigate to your IdP management interface to retrieve the new metadata file.

This step may be done through a browser tab, remote desktop protocol (RDP), or through specific cloud provider support, depending on your IdP setup and whether you or a separate IdP admin are responsible for this step.
For reference, see our SSO integration guides or contact your IdP admin for support.

Return to Management > Organization Settings > Authentication in https://admin.webex.com, and then choose Actions > Import metadata.

Drag and drop your IdP metadata file into the window or click Choose a metadata file and upload it that way.

Choose Less secure (self-signed) or More secure (signed by a public CA), depending on how your IdP metadata is signed.

Click Test SSO Update to confirm that the new metadata file was uploaded and interpreted correctly to your Control Hub organization. Confirm the expected results in the pop-up window, and if the test was successful, click Switch to new metadata.

Result: You're finished and your organization's IdP certificate is now renewed. You can check the certificate status any time by opening the SAML certificate status table under Management > Organization Settings > Authentication.

You can export the latest Webex SP metadata whenever you need to add it back to your IdP. You'll see a notice when the imported IdP SAML metadata is going to expire or has expired.

This step is useful in common IdP SAML certificate management scenarios, such as IdPs that support multiple certificates where export was not done earlier, if the metadata was not imported into the IdP because an IdP admin wasn't available, or if your IdP supports the ability to update only the certificate. This option can help minimize the change by only updating the certificate in your SSO configuration and post-event validation.

1	From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication, and then choose Actions > Export metadata. The Webex App metadata filename is idb-meta-<org-ID>-SP.xml.
2	Import the metadata into your IdP. Follow the documentation for your IdP to import the Webex SP metadata. You can use our IdP integration guides or consult the documentation for your specific IdP if not listed.
3	When you're finished, run the SSO test using the steps in Renew Webex Certificate (SP) in this article.

When your IdP environment changes or if your IdP certificate is going to expire, you can import the updated metadata into Webex at any time.

Before you begin

Gather your IdP metadata, typically as an exported xml file.

1	From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication, and then choose Actions > Import metadata.
2	Drag and drop your IdP metadata file into the window or click Choose a metadata file and upload it that way.
3	Choose Less secure (self-signed) or More secure (signed by a public CA), depending on how your IdP metadata is signed.

You'll receive alerts in Control Hub before certificates are set to expire, but you can also proactively set up alert rules. These rules let you know in advance that your SP or IdP certificates are going to expire. We can send these to you through email, a space in the Webex App, or both.

Regardless of the delivery channel configured, all alerts always appear in Control Hub. See Alerts center in Control Hub for more information.

From the customer view in https://admin.webex.com, go to Alerts center.

Choose Manage then All rules.

From the Rules list, choose any of the SSO rules that you'd like to create:

SSO IDP Certificate expiry
SSO SP Certificate expiry

In the Delivery channel section, check the box for Email, Webex space, or both.

If you choose Email, enter the email address that should receive the notification.

If you choose the Webex space option, you're automatically added to a space inside of the Webex App and we deliver the notifications there.

Save your changes.

What to do next

We send certificate expiry alerts once every 15 days, starting 60 days before expiry. (You can expect alerts on day 60, 45, 30, and 15.) Alerts stop when you renew the certificate.

You may see a notice that the single logout URL is not configured:

We recommend that you configure your IdP to support Single Log Out (also known as SLO). Webex supports both the redirect and post methods, available in our metadata that is downloaded from Control Hub. Not all IdPs support SLO; please contact your IdP team for assistance. In some cases, for the major IdP vendors like AzureAD, Ping Federate, ForgeRock, and Oracle, that do support SLO, we document how to configure the integration. Please consult your Identity & Security team on the specifics of your IDP and how to configure properly.

If single logout url is not configured:

An existing IdP Session remains valid. The next time users sign in, they may not be asked to reauthenticate by the IdP.
We display a warning message on sign out, so Webex App logout doesn't happen seamlessly.

You can disable single sign-on (SSO) for your Webex organization managed in Control Hub. You may want to disable SSO you're changing identity providers (IdPs).

If single sign-on has been enabled for your organization but is failing, you can engage your Cisco partner who can access your Webex organization to disable it for you.

1	From the customer view in https://admin.webex.com, go to Management > Organization Settings, and then scroll to Authentication.
2	To turn SSO off, toggle off the Single sign-on setting. A popup window appears that warns you about disabling SSO: If you disable SSO, passwords are managed by the cloud instead of your integrated IdP configuration.
3	If you understand the impact of disabling SSO and want to proceed, click Deactivate. In Control Hub, you'll see the SSO setting toggled off and all SAML certificate listings are removed. If SSO is disabled, users who have to authenticate will see a password entry field during the login process. Users who do not have a password in Webex App must either reset their password or you must send email for them to set a password. Existing authenticated users with a valid OAuth Token will continue to have access to Webex App. New users created while SSO is disabled receive an email asking them to create a password.

What to do next

If you or the customer reconfigure SSO for the customer organization, user accounts will go back to using the password policy that is set by the IdP that is integrated with the Webex organization.

If you run into problems with your SSO login, you can use the SSO self recovery option to get access to your Webex organization managed in Control Hub. The self recovery option allows you to update or disable SSO in Control Hub.