System for Cross-Domain Identity Management (SCIM)

The integration between users in the directory and Webex Control Hub uses the System for Cross-Domain Identity Management (SCIM) API. SCIM is an open standard for automating the exchange of user identity information between identity domains or IT systems. SCIM is designed to make it easier to manage user identities in cloud-based applications and services. SCIM is exposed as a standardized REST API (JSON over HTTPS), authenticated here with a bearer token.

Add Cisco Webex From the Azure Application Gallery

Before configuring Webex Control Hub for automatic user provisioning with Azure AD, you need to add Cisco Webex from the Azure AD application gallery to your list of managed applications.


If you already integrated Webex Control Hub with Azure for single sign-on (SSO), Cisco Webex is already added to your enterprise applications and you can skip this procedure.

1

Sign in to the Azure portal at https://portal.azure.com with your administrator credentials.

2

Go to Azure Active Directory for your organization.

3

Go to Enterprise Applications and then click Add.

4

Click Add an application from the gallery.

5

In the search box, type Cisco Webex.

6

In the results pane, select Cisco Webex, and then click Add to add the application.

A message appears that says the application was added successfully.

Configure Azure AD for User Synchronization

Use this procedure to set up provisioning from Azure AD and obtain a bearer token for your organization. The steps cover necessary and recommended administrative settings.

Before you begin

Get your organization ID from the customer view in Control Hub: click your organization name on the bottom left and then copy the value from Organization ID into a text file. You'll need this value when you enter the tenant URL. We will use this value as an example: a35bfbc6-ccbd-4a17-a488-72gf46c5420c.

1

Sign in to the Azure portal and then go to Azure Active Directory > Enterprise applications > All applications.

2

Choose Cisco Webex from your list of enterprise applications.

3

Go to Provisioning, and then change the Provisioning Mode to Automatic.

4

Enter the Tenant URL in this form:

https://api.ciscospark.com/v1/scim/{OrgId}

Replace {OrgId} with the organization ID value that you got from Control Hub, so that the tenant URL looks like this: https://api.ciscospark.com/v1/scim/a35bfbc6-ccbd-4a17-a488-72gf46c5420c

5

Follow these steps to get the bearer token value for the Secret Token:

  1. In a new browser tab or window, open this URL.

  2. From the Webex sign in page that appears, sign in with a full admin account for your organization.

    An error page appears saying that the site can't be reached; this is normal. The browser was redirected to a localhost address that nothing is listening on, and the token is carried in the fragment (the part after the #) of that address.

    The generated bearer token is valid for 365 days (after which it expires) and is part of the URL for the page with the error message. Do not navigate away from the URL.

  3. Copy the token value between "access_token=" and "&token_type".

    For example, in this URL the token value is {sample_token}: http://localhost:3000/auth/code#access_token={sample_token}&token_type=Bearer&expires_in=3887999&state=this-should-be-a-random-string-for-security-purpose

    We recommend that you paste this value into a text file and save it, so that you have a record of the token in case the URL is not available any more. Treat that file like a full-admin credential: the token authorizes user provisioning for your whole organization, so keep it in a password manager or secret store, not in a shared drive, ticket, or chat message.

6

Return to the Azure portal and paste the token value into Secret Token.

7

Click Test Connection to make sure the organization and token are recognized by Azure AD.

A successful result states that the credentials are authorized to enable user provisioning.

8

Enter a Notification Email and check the check box if you want to be notified of any errors when user provisioning occurs, and then click Save to capture the configuration changes that you made.

9

Click the link under Mappings if you want to check which Azure AD attributes map onto attributes in the cloud.


We recommend that you not change the attribute mappings and go with the default settings. In that case, userPrincipalName in Azure AD maps onto email in Control Hub. If you make changes and need to revert them, you can check Restore default mappings to bring back the default settings.

The exception: if your users' UPNs differ from their email addresses in Control Hub, the default mapping provisions them as new users instead of matching the existing accounts. In that case, change the default userName mapping in Azure AD from UPN to the email attribute.


Do not add extra attributes for this user provisioning flow. We only support the attributes that are mapped by default:

  • userName

  • displayName

  • name.familyName

  • name.givenName

10

Choose a user synchronization scope so that you determine which users are synchronized to the Webex cloud.

We recommend that you choose Sync only assigned Users and Groups.

11

Toggle Provisioning Status to On.

What to do next

If you chose to synchronize all users to the cloud, you're finished and synchronized user accounts appear in Control Hub. From the customer view in https://admin.webex.com, go to Users, and then verify that the Azure Active Directory user accounts synchronized properly. Because this synchronization happens through an API, there is no status indication in Control Hub. You can check the logs in the Azure portal to see the status of the user synchronization.

Otherwise, follow the next procedure to manually choose specific users or a group of users to synchronize.

To get a record of any changes that relate to Azure AD user synchronization and isolate any potential issues, access the audit logs: under Activity, click Audit logs. This view shows every log, and you can filter on specific categories such as Account Provisioning for the Service filter and UserManagement for a Category filter.

Add Group of Users to Application in Azure AD

If you didn't choose all users and groups for the provisioning scope, use this procedure to choose users that you want to synchronize to the Webex cloud. This option lets you create a subset of users to access any applications in your Webex organization.

Azure Active Directory uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups that are "assigned" to an application in Azure AD are synchronized to Control Hub.

1

From the Azure portal, go to Users and groups, and then choose Add Assignment.

2

Choose the users that you want to add to the application:

  • Add users one by one.
  • Search for the group of users that you want to add.

3

Click Select and then click Assign.

The list shows all the users that are assigned to your application when Azure AD runs a synchronization to the Webex cloud.

4

From the customer view in https://admin.webex.com, go to Users, and then verify that the Azure Active Directory user accounts synchronized properly.

Because this synchronization happens through an API, there is no status indication in Control Hub. You can check the logs in the Azure portal to see the status of the user synchronization.

Remove Assigned Users from an Application

You can remove user assignments from Azure AD. This retains the Azure AD user accounts but removes those accounts from being able to access applications in your Webex organization.

1

From the Azure portal, go to Enterprise applications, and then choose the Webex application that you added.

2

Choose a user or group of users from the list of those assigned to the application.

3

Click Remove, and then click Yes to confirm the removal.

Upon the next sync event, the user or group of users is removed from the Webex application.

Delete User from Azure AD

1

Go to Users, check a check box next to each user account that you want to delete, and then click Delete user.

Users are moved to the Deleted users tab.

In Control Hub, users are moved into a "soft delete" state and are not deleted immediately. They are also renamed. Azure Active Directory sends these changes to the Webex cloud. Control Hub then reflects these changes and marks the user as Inactive. All tokens are revoked for the user.

2

To verify any records of the user deletion, go to Audit logs and then run a search on the User Management category or on the Delete user activity.


When you open a deleted user audit log and click Target(s), you'll see the User Principal Name has a string of numbers and characters before the @.

If you're performing any eDiscovery actions in Control Hub, you must get the User Principal Name from the audit logs in Azure AD. For more information on eDiscovery, see Ensure Regulatory Compliance of Cisco Webex Teams Content.
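The audit-log checks described here and in the "What to do next" notes after the synchronization procedure (filtering on the Account Provisioning service and the UserManagement category, and reading the renamed User Principal Name of a deleted user) can be done against the Microsoft Graph directoryAudits resource instead of the portal. The following is an added example, not code from the article, Cisco or Microsoft. It assumes the Graph field names loggedByService, category, activityDisplayName, result and targetResources[].userPrincipalName, and that Azure AD renames a soft-deleted user by prepending the object ID, without hyphens, to the UPN; the sample page and the helper names are the author's own.

```python
"""Triage Azure AD audit logs for Webex provisioning and user-deletion events.

Added example; not from the article, Cisco or Microsoft. Assumes the Graph
directoryAudits resource shape and the object-ID-prefix renaming of
soft-deleted users. The sample page below is constructed.
"""
import re
import urllib.parse

GRAPH_AUDITS = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits"

# 32 hex characters (an object ID with hyphens removed) in front of the UPN.
_SOFT_DELETE_PREFIX = re.compile(r"^([0-9a-f]{32})(.+@.+)$")


def audit_query_url(service=None, category=None, activity=None) -> str:
    """Graph query equivalent to the portal filters the article describes
    (Service = Account Provisioning, Category = UserManagement,
    Activity = Delete user)."""
    clauses = []
    if service:
        clauses.append(f"loggedByService eq '{service}'")
    if category:
        clauses.append(f"category eq '{category}'")
    if activity:
        clauses.append(f"activityDisplayName eq '{activity}'")
    if not clauses:
        return GRAPH_AUDITS
    expr = urllib.parse.quote(" and ".join(clauses), safe="='")
    return f"{GRAPH_AUDITS}?$filter={expr}"


def original_upn(deleted_upn: str) -> str:
    """Recover the UPN as it was before the soft delete renamed it; returns the
    input unchanged if it does not carry the prefix."""
    m = _SOFT_DELETE_PREFIX.match(deleted_upn)
    return m.group(2) if m else deleted_upn


def deleted_user_upns(page: dict) -> list:
    """(renamed UPN, original UPN) for every successful 'Delete user' entry.
    The renamed value is the one eDiscovery in Control Hub needs."""
    out = []
    for entry in page.get("value", []):
        if entry.get("activityDisplayName") != "Delete user" or entry.get("result") != "success":
            continue
        for target in entry.get("targetResources", []):
            upn = target.get("userPrincipalName")
            if upn:
                out.append((upn, original_upn(upn)))
    return out


def provisioning_failures(page: dict) -> list:
    """Failed Account Provisioning events: (time, activity, reason)."""
    return [
        (e.get("activityDateTime"), e.get("activityDisplayName"), e.get("resultReason"))
        for e in page.get("value", [])
        if e.get("loggedByService") == "Account Provisioning" and e.get("result") == "failure"
    ]


# Constructed sample, shaped like one page of the directoryAudits response.
SAMPLE_PAGE = {
    "value": [
        {
            "activityDateTime": "2024-01-10T09:12:00Z",
            "loggedByService": "Core Directory",
            "category": "UserManagement",
            "activityDisplayName": "Delete user",
            "result": "success",
            "targetResources": [{"type": "User",
                "userPrincipalName": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6alice@example.com"}],
        },
        {
            "activityDateTime": "2024-01-10T09:20:00Z",
            "loggedByService": "Account Provisioning",
            "category": "UserManagement",
            "activityDisplayName": "Export",
            "result": "failure",
            "resultReason": "SCIM request rejected: 401 Unauthorized",
            "targetResources": [{"type": "User", "userPrincipalName": "bob@example.com"}],
        },
        {
            "activityDateTime": "2024-01-10T09:21:00Z",
            "loggedByService": "Account Provisioning",
            "category": "UserManagement",
            "activityDisplayName": "Export",
            "result": "success",
            "targetResources": [{"type": "User", "userPrincipalName": "carol@example.com"}],
        },
    ]
}


if __name__ == "__main__":
    print(audit_query_url("Account Provisioning", "UserManagement"))
    for renamed, original in deleted_user_upns(SAMPLE_PAGE):
        print(f"deleted: {renamed}  (was {original})")
    for when, what, why in provisioning_failures(SAMPLE_PAGE):
        print(f"provisioning failure {when} {what}: {why}")
```

Feed a real directoryAudits page (fetched with a Graph token holding AuditLog.Read.All) to the same functions: a 401 in a provisioning failure reason points at the SCIM bearer token having expired, which is the failure the notification email in step 8 is meant to catch, and the renamed UPN list gives you the exact identifier to search for in Control Hub eDiscovery.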

What to do next

You have 30 days to recover "soft" deleted users before they are permanently deleted. If you recover the user in Azure Active Directory, Control Hub reactivates the user and renames the user to the original email/UPN address.

If you do not recover the user, Azure Active Directory does a hard delete and the user is also removed from Control Hub. If the email address is re-added to Azure Active Directory, a new user account is created.