SSO in Control Hub

If you want to set up SSO for multiple identity providers in your organization, refer to SSO with multiple IdPs in Webex.

If your organization's certificate usage is set to None but you're still receiving an alert, we recommend that you still proceed with the upgrade. Your SSO deployment is not using the certificate today but you may need the certificate for future changes.

Webex Service Provider (SP) certificate

From time to time, you may receive an email notification or see an alert in Control Hub that the Webex single sign-on (SSO) certificate is going to expire. Follow the process in this article to retrieve the SSO cloud certificate metadata from us (the SP) and add it back to your IdP; otherwise, users won't be able to use Webex services.

If you’re using the SAML Cisco (SP) SSO Certificate in your Webex organization, you must plan to update the cloud certificate during a regular scheduled maintenance window as soon as possible.

All services that are part of your Webex organization subscription are affected, including but not limited to:

  • Webex App (new sign-ins for all platforms: desktop, mobile, and web)

  • Webex services in Control Hub, including Calling

  • Webex Meetings sites managed through Control Hub

  • Cisco Jabber if it's integrated with SSO

Before you begin

Please read all directions before beginning. After you change the certificate or going through the wizard to update the certificate, new users may not be able to sign in successfully.

If your IdP doesn’t support multiple certificates (most IdPs in the market don’t support this feature), we recommend that you schedule this upgrade during a maintenance window where Webex App users aren’t affected. These upgrade tasks should take approximately 30 minutes in operational time and postevent validation.

1

To check if the SAML Cisco (SP) SSO certificate is going to expire:

  • You may have received an email or Webex App message from us, but you should check in Control Hub to be certain.

  • Sign in to https://admin.webex.com, and check your Alerts center. There may be a notification about updating the SSO Service Provider Certificate.

  • Sign in to https://admin.webex.com, go to Management > Organization Settings > Single Sign-On, and click Manage SSO and IdPs.
  • Go to the Identity provider tab and note the Cisco SP certificate status and expiry date.

You can go directly into the SSO wizard to update the certificate, too. If you decide to exit the wizard before you complete it, you can access it again any time from Management > Organization Settings > Single Sign-On in https://admin.webex.com.

2

Go to the IdP and click .

3

Click Review certificates and expiry date.

4

Click Renew certificate.

5

Choose the type of IdP that your organization uses.

  • An IdP that supports multiple certificates
  • An IdP that supports a single certificate

If your IdP supports a single certificate, we recommend that you wait to perform these steps during scheduled downtime. While the Webex certificate is being updated, new user sign-ins briefly won't work; existing sign-ins are preserved.

6

Choose the certificate type for the renewal:

  • Self-signed by Cisco—We recommend this choice. Let us sign the certificate so you only need to renew it once every five years.
  • Signed by a public certificate authority—More secure but you'll need to frequently update the metadata (unless your IdP vendor supports trust anchors).

    Trust anchors are public keys that act as an authority to verify a digital signature's certificate. For more information, refer to your IdP documentation.

    Before proceeding to the next steps, ensure you’re ready to renew your certificate and are operating within your organizations change window. Selecting the Self-signed Cisco or Signed by a public certificate authority immediately creates a new certificate. Once the certificate changes for a single IdP, SSO stops until the certificate or metadata is uploaded on the IdP. Therefore, it is important to complete the renewal process.

7

Click Download Metadata File to download a copy of the updated metadata with the new certificate from the Webex cloud. Keep this screen open.

8

Navigate to your IdP management interface to upload the new Webex metadata file.

  • This step may be done through a browser tab, remote desktop protocol (RDP), or through specific cloud provider support, depending on your IdP setup and whether you or a separate IdP admin are responsible for this step.
  • For reference, see our SSO integration guides or contact your IdP admin for support. If on Active Directory Federation Services (AD FS), you can see how to update Webex Metadata in AD FS.
9

Return to the tab where you signed in to Control Hub and click Next.

10

Update the IdP with the new SP certificate and metadata and click Next.

  • Updated all the IdPs
  • If you need more time to update, save the renewed certificate as the secondary option
11

Click Finish renewal.

Identity Provider (IdP) certificate

From time to time, you may receive an email notification or see an alert in Control Hub that the IdP certificate is going to expire. Because IdP vendors have their own specific documentation for certificate renewal, we cover what's required in Control Hub, along with generic steps to retrieve updated IdP metadata and upload it to Control Hub to renew the certificate.

1

To check if the IdP SAML certificate is going to expire:

  • You may have received an email or Webex App message from us, but you should check in Control Hub to be certain.
  • Sign in to https://admin.webex.com, and check your Alerts center. There may be a notification about updating the IdP SAML certificate:

  • Sign in to https://admin.webex.com, go to Management > Organization Settings > Single Sign-On, and click Manage SSO and IdPs.
  • Go to the Identity provider tab and note the IdP certificate status (expired or expiring soon) and expiry date.

  • You can go directly into the SSO wizard to update the certificate, too. If you decide to exit the wizard before you complete it, you can access it again any time from Management > Organization Settings > Single Sign-On in https://admin.webex.com.

2

Navigate to your IdP management interface to retrieve the new metadata file.

  • This step may be done through a browser tab, remote desktop protocol (RDP), or through specific cloud provider support, depending on your IdP setup and whether you or a separate IdP admin are responsible for this step.
  • For reference, see our SSO integration guides or contact your IdP admin for support.
3

Return to the Identity provider tab.

4

Go to the IdP, click upload and select Upload Idp metadata.

5

Drag and drop your IdP metadata file into the window or click Choose a file and upload it that way.

6

Choose Less secure (self-signed) or More secure (signed by a public CA), depending on how your IdP metadata is signed.

7

Click Test SSO Update to confirm that the new metadata file was uploaded and interpreted correctly to your Control Hub organization. Confirm the expected results in the pop-up window, and if the test was successful, select Successful test: Activate SSO and the IdP and click Save.

To see the SSO sign-in experience directly, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

Result: You're finished and your organization's IdP certificate is now renewed. You can check the certificate status at any time under the Identity provider tab.

You can export the latest Webex SP metadata whenever you need to add it back to your IdP. You'll see a notice when the imported IdP SAML metadata is going to expire or has expired.

This step is useful in common IdP SAML certificate management scenarios, such as IdPs that support multiple certificates where export was not done earlier, if the metadata was not imported into the IdP because an IdP admin wasn't available, or if your IdP supports the ability to update only the certificate. This option can help minimize the change by only updating the certificate in your SSO configuration and post-event validation.

1

From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Single Sign-On and click Manage SSO and IdPs.

2

Go to the Identity provider tab.

3

Go to the IdP, click Download and select Download SP metadata.

The Webex App metadata filename is idb-meta-<org-ID>-SP.xml.

4

Import the metadata into your IdP.

Follow the documentation for your IdP to import the Webex SP metadata. You can use our IdP integration guides or consult the documentation for your specific IdP if not listed.

5

When you're finished, run the SSO test using the steps in Renew Webex Certificate (SP) in this article.

When your IdP environment changes or if your IdP certificate is going to expire, you can import the updated metadata into Webex at any time.

Before you begin

Gather your IdP metadata, typically as an exported xml file.

1

From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Single Sign-On and click Manage SSO and IdPs.

2

Go to the Identity provider tab.

3

Go to the IdP, click upload and select Upload Idp metadata.

4

Drag and drop your IdP metadata file into the window or click Choose a metadata file and upload it that way.

5

Choose Less secure (self-signed) or More secure (signed by a public CA), depending on how your IdP metadata is signed.

6

Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

You'll receive alerts in Control Hub before certificates are set to expire, but you can also proactively set up alert rules. These rules let you know in advance that your SP or IdP certificates are going to expire. We can send these to you through email, a space in the Webex App, or both.

Regardless of the delivery channel configured, all alerts always appear in Control Hub. See Alerts center in Control Hub for more information.

1

Sign in to Control Hub.

2

Go to Alerts center.

3

Choose Manage then All rules.

4

From the Rules list, choose any of the SSO rules that you'd like to create:

  • SSO IDP Certificate expiry
  • SSO SP Certificate expiry
5

In the Delivery channel section, check the box for Email, Webex space, or both.

If you choose Email, enter the email address that should receive the notification.

If you choose the Webex space option, you're automatically added to a space inside of the Webex App and we deliver the notifications there.

6

Save your changes.

What to do next

We send certificate expiry alerts once every 15 days, starting 60 days before expiry. (You can expect alerts on day 60, 45, 30, and 15.) Alerts stop when you renew the certificate.

You may see a notice that the single logout URL isn’t configured:

We recommend that you configure your IdP to support Single Log Out (also known as SLO). Webex supports both the redirect and post methods, available in our metadata that is downloaded from Control Hub. Not all IdPs support SLO; please contact your IdP team for assistance. Sometimes, for the major IdP vendors like AzureAD, Ping Federate, ForgeRock, and Oracle, that do support SLO, we document how to configure the integration. Consult your Identity & Security team on the specifics of your IDP and how to configure it properly.

If single logout url isn’t configured:

  • An existing IdP Session remains valid. The next time users sign in, they may not be asked to reauthenticate by the IdP.

  • We display a warning message on sign out, so Webex App logout doesn't happen seamlessly.

You can disable single sign-on (SSO) for your Webex organization managed in Control Hub. You may want to disable SSO if you're changing identity providers (IdPs).

If single sign-on has been enabled for your organization but is failing, you can engage your Cisco partner who can access your Webex organization to disable it for you.

1

From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Single Sign-On and click Manage SSO and IdPs.

2

Go to the Identity provider tab.

3

Click Deactivate SSO.

A popup window appears that warns you about disabling SSO:

Deactivate SSO

If you disable SSO, passwords are managed by the cloud instead of your integrated IdP configuration.

4

If you understand the impact of disabling SSO and want to proceed, click Deactivate.

SSO is deactivated and all SAML certificate listings are removed.

If SSO is disabled, users who have to authenticate will see a password entry field during the sign-in process.

  • Users who don’t have a password in Webex App must either reset their password or you must send an email for them to set a password.

  • Existing authenticated users with a valid OAuth Token will continue to have access to Webex App.

  • New users created while SSO is disabled receive an email asking them to create a password.

What to do next

If you or the customer reconfigure SSO for the customer organization, user accounts go back to using the password policy that is set by the IdP that is integrated with the Webex organization.

If you run into problems with your SSO login, you can use the SSO self recovery option to get access to your Webex organization managed in Control Hub. The self recovery option allows you to update or disable SSO in Control Hub.