Use the SSO management features in Control Hub for certificate management and general SSO maintenance activities, such as updating an expiring certificate or checking on your existing SSO configuration. Each SSO management feature is covered in the individual tabs in this article.
If your organization's certificate usage is set to None but you're still receiving an alert, we recommend that you still proceed with the upgrade. Your SSO deployment is not using the certificate today but you may need the certificate for future changes. |
From time to time, you may receive an email notification or see an alert in Control Hub that the Webex single sign-on (SSO) certificate is going to expire. Follow the process in this article to retrieve the SSO cloud certificate metadata from us (the SP) and add it back to your IdP; otherwise, users won't be able to use Webex services. |
If you are using the SAML Cisco (SP) SSO Certificate in your Webex organization, you must plan to update the cloud certificate during a regular scheduled maintenance window as soon as possible.
All services that are part of your Webex organization subscription are affected, including but not limited to:
-
Webex App (new sign-ins for all platforms: desktop, mobile, and web)
-
Webex services in Control Hub, including Calling
-
Webex Meetings sites managed through Control Hub
-
Cisco Jabber if it's integrated with SSO
Before you begin
Please read all directions before beginning. After you change the certificate or going through the wizard to update the certificate, new users may not be able to sign in successfully. |
If your IdP does not support multiple certificates (most IdPs in the market do not support this feature), we recommend that you schedule this upgrade during a maintenance window where Webex App users are not affected. These upgrade tasks should take approximately 30 minutes in operational time and post-event validation.
1 | To check if the SAML Cisco (SP) SSO certificate is going to expire:
You can go directly into the SSO wizard to update the certificate, too. If you decide to exit the wizard before you complete it, you can access it again any time from https://admin.webex.com. in | ||
2 | Choose the certificate type for the renewal:
| ||
3 | Click Download Metadata File to download a copy of the updated metadata with the new certificate from the Webex cloud. Keep this screen open. | ||
4 | Navigate to your IdP management interface to upload the new Webex metadata file.
| ||
5 | Return to the tab where you signed in to Control Hub and click Next. | ||
6 | Click Test SSO Update to confirm that the new metadata file was uploaded and interpreted correctly by your IdP. Confirm the expected results in the pop-up window, and if the test was successful, click Switch to new metadata.
Result: You're finished and your organization's SAML Cisco (SP) SSO Certificate is now renewed. You can check the certificate status any time by opening the SAML certificate status table under . |
From time to time, you may receive an email notification or see an alert in Control Hub that the IdP certificate is going to expire. Because IdP vendors have their own specific documentation for certificate renewal, we cover what's required in Control Hub, along with generic steps to retrieve updated IdP metadata and upload it to Control Hub to renew the certificate. |
1 | To check if the IdP SAML certificate is going to expire:
| ||
2 | Navigate to your IdP management interface to retrieve the new metadata file.
| ||
3 | Return to https://admin.webex.com, and then choose . in | ||
4 | Drag and drop your IdP metadata file into the window or click Choose a metadata file and upload it that way. | ||
5 | Choose Less secure (self-signed) or More secure (signed by a public CA), depending on how your IdP metadata is signed. | ||
6 | Click Test SSO Update to confirm that the new metadata file was uploaded and interpreted correctly to your Control Hub organization. Confirm the expected results in the pop-up window, and if the test was successful, click Switch to new metadata.
Result: You're finished and your organization's IdP certificate is now renewed. You can check the certificate status any time by opening the SAML certificate status table under . |
You can export the latest Webex SP metadata whenever you need to add it back to your IdP. You'll see a notice when the imported IdP SAML metadata is going to expire or has expired.
This step is useful in common IdP SAML certificate management scenarios, such as IdPs that support multiple certificates where export was not done earlier, if the metadata was not imported into the IdP because an IdP admin wasn't available, or if your IdP supports the ability to update only the certificate. This option can help minimize the change by only updating the certificate in your SSO configuration and post-event validation.
1 | From the customer view in https://admin.webex.com, go to , scroll to Authentication, and then choose . The Webex App metadata filename is idb-meta-<org-ID>-SP.xml. |
2 | Import the metadata into your IdP. Follow the documentation for your IdP to import the Webex SP metadata. You can use our IdP integration guides or consult the documentation for your specific IdP if not listed. |
3 | When you're finished, run the SSO test using the steps in |
When your IdP environment changes or if your IdP certificate is going to expire, you can import the updated metadata into Webex at any time.
Before you begin
Gather your IdP metadata, typically as an exported xml file.
1 | From the customer view in https://admin.webex.com, go to , scroll to Authentication, and then choose . |
2 | Drag and drop your IdP metadata file into the window or click Choose a metadata file and upload it that way. |
3 | Choose Less secure (self-signed) or More secure (signed by a public CA), depending on how your IdP metadata is signed. |
You'll receive alerts in Control Hub before certificates are set to expire, but you can also proactively set up alert rules. These rules let you know in advance that your SP or IdP certificates are going to expire. We can send these to you through email, a space in the Webex App, or both.
Regardless of the delivery channel configured, all alerts always appear in Control Hub. See Alerts center in Control Hub for more information. |
1 | From the customer view in https://admin.webex.com, go to Alerts center. | ||
2 | Choose Manage then All rules. | ||
3 | From the Rules list, choose any of the SSO rules that you'd like to create:
| ||
4 | In the Delivery channel section, check the box for Email, Webex space, or both. If you choose Email, enter the email address that should receive the notification.
| ||
5 | Save your changes. |
What to do next
We send certificate expiry alerts once every 15 days, starting 60 days before expiry. (You can expect alerts on day 60, 45, 30, and 15.) Alerts stop when you renew the certificate.
You may see a notice that the single logout URL is not configured:
We recommend that you configure your IdP to support Single Log Out (also known as SLO). Webex supports both the redirect and post methods, available in our metadata that is downloaded from Control Hub. Not all IdPs support SLO; please contact your IdP team for assistance. In some cases, for the major IdP vendors like AzureAD, Ping Federate, ForgeRock, and Oracle, that do support SLO, we document how to configure the integration. Please consult your Identity & Security team on the specifics of your IDP and how to configure properly. |
If single logout url is not configured:
-
An existing IdP Session remains valid. The next time users sign in, they may not be asked to reauthenticate by the IdP.
-
We display a warning message on sign out, so Webex App logout doesn't happen seamlessly.
You can disable single sign-on (SSO) for your Webex organization managed in Control Hub. You may want to disable SSO you're changing identity providers (IdPs).
If single sign-on has been enabled for your organization but is failing, you can engage your Cisco partner who can access your Webex organization to disable it for you. |
1 | From the customer view in https://admin.webex.com, go to , and then scroll to Authentication. |
2 | To turn SSO off, toggle off the Single sign-on setting. A popup window appears that warns you about disabling SSO: If you disable SSO, passwords are managed by the cloud instead of your integrated IdP configuration. |
3 | If you understand the impact of disabling SSO and want to proceed, click Deactivate. In Control Hub, you'll see the SSO setting toggled off and all SAML certificate listings are removed. If SSO is disabled, users who have to authenticate will see a password entry field during the login process.
|
What to do next
If you or the customer reconfigure SSO for the customer organization, user accounts will go back to using the password policy that is set by the IdP that is integrated with the Webex organization.
If you run into problems with your SSO login, you can use the SSO self recovery option to get access to your Webex organization managed in Control Hub. The self recovery option allows you to update or disable SSO in Control Hub.