System for Cross-domain Identity Management (SCIM)

The integration between users in the directory and Control Hub uses the System for Cross-domain Identity Management (SCIM) API. SCIM is an open standard for automating the exchange of user identity information between identity domains or IT systems. SCIM is designed to make it easier to manage user identities in cloud-based applications and services. SCIM exposes a standardized REST API.

Azure AD doesn't synchronize null values. If you set an attribute value to NULL, the attribute is neither deleted nor patched to NULL in Webex. If this limitation affects your users, contact Microsoft for support.

Azure AD Wizard App

Use the Azure AD Wizard App in Control Hub to simplify the synchronization of users and groups with Webex. The Wizard App lets you easily configure which attributes, users, and groups to synchronize, and decide whether to synchronize users' avatars to Webex. See Set up Azure AD Wizard App in Control Hub to learn more about the benefits of using the wizard.

Before configuring Webex Control Hub for automatic user provisioning with Azure AD, you need to add Cisco Webex from the Azure AD application gallery to your list of managed applications.

If you already integrated Webex Control Hub with Azure for single sign-on (SSO), Cisco Webex is already added to your enterprise applications and you can skip this procedure.

1. Sign in to the Azure portal at https://portal.azure.com with your administrator credentials.

2. Go to Azure Active Directory for your organization.

3. Go to Enterprise Applications and then click Add.

4. Click Add an application from the gallery.

5. In the search box, type Cisco Webex.

6. In the results pane, select Cisco Webex, and then click Add to add the application.

   A message appears that says the application was added successfully.

7. To make sure that the Webex application you've added for synchronization doesn't show up in the user portal, open the new application, go to Properties, and set Visible to users? to No.

This procedure lets you choose users to synchronize to the Webex cloud.

Azure AD uses a concept called "assignments" to determine which users should receive access to selected apps. In the context of automatic user provisioning, only the users and/or groups of users that are "assigned" to an application in Azure AD are synchronized to Control Hub.

Webex can synchronize the users in an Azure AD group, but doesn't synchronize the group object itself.

If you are configuring your integration for the first time, we recommend you assign one user for testing, and then add other users and groups after a successful test.

1. Open the Cisco Webex application in the Azure portal, then go to Users and groups.

2. Click Add Assignment.

3. Find the users/groups you want to add to the application:

   • Find individual users to assign to the application.
   • Find a group of users to assign to the application.

4. Click Select and then click Assign.

Repeat these steps until you have all the groups and users you want to synchronize with Webex.

Use this procedure to set up provisioning from Azure AD and obtain a bearer token for your organization. The steps cover necessary and recommended administrative settings.

If your organization requires that all users belong to a verified domain, later synchronizations can't create users whose domain isn't verified. Most Webex for Government organizations require verified domains.

Before you begin

Get your organization ID from the customer view in Control Hub. Click your organization name on the bottom left and then copy the Organization ID into a text file. You need this value when you enter the tenant URL. We use this value as an example in this article: a35bfbc6-ccbd-4a17-a488-72gf46c5420c

1. Sign in to the Azure portal and then go to Azure Active Directory > Enterprise applications > All applications.

2. Choose Cisco Webex from your list of enterprise applications.

3. Go to Provisioning, and then change the Provisioning Mode to Automatic.

   The Webex App includes some default mappings between Azure AD user attributes and Webex user attributes. These attributes are enough to create users, but you can add more as described later in this article.

4. Enter the Tenant URL.

   The following table shows the URL for your Webex offer. Replace OrgId with your specific value.

   Table 1. Tenant URLs for Webex

   Webex offer            Tenant URL to use
   Webex (default)        https://api.ciscospark.com/v1/scim/OrgId
   Webex for Government   https://api-usgov.webex.com/v1/scim/OrgId

   For example, your tenant URL might look like this: https://api.ciscospark.com/v1/scim/a35bfbc6-ccbd-4a17-a488-72gf46c5420c

5. Follow these steps to get the bearer token value for the Secret Token:

   1. Copy the following URL and open it in an incognito browser tab: https://idbroker.webex.com/idb/oauth2/v1/authorize?response_type=token&client_id=C4ca14fe00b0e51efb414ebd45aa88c1858c3bfb949b2405dba10b0ca4bc37402&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcode&scope=spark%3Apeople_read%20spark%3Apeople_write%20Identity%3ASCIM&state=this-should-be-a-random-string-for-security-purpose

      The above URL applies to the default Webex ID broker. If you're using Webex for Government, use the following URL to get the bearer token:

      https://idbroker-f.webex.com/idb/oauth2/v1/authorize?response_type=token&client_id=C4ca14fe00b0e51efb414ebd45aa88c1858c3bfb949b2405dba10b0ca4bc37402&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcode&scope=spark%3Apeople_read%20spark%3Apeople_write%20Identity%3ASCIM&state=this-should-be-a-random-string-for-security-purpose

      An incognito browser tab is important to make sure you sign in with the correct admin credentials. If you're already signed in as a less privileged user who can't create users, the bearer token you get back can't create users either.

   2. From the Webex sign-in page that appears, sign in with a full admin account for your organization.

      An error page appears saying that the site can't be reached; this is normal.

      The error page's URL includes the generated bearer token. This token is valid for 365 days.

   3. From the URL in the browser's address bar, copy the bearer token value from between access_token= and &token_type=Bearer.

      For example, in this URL the token value is the {sample_token} part: http://localhost:3000/auth/code#access_token={sample_token}&token_type=Bearer&expires_in=3887999&state=this-should-be-a-random-string-for-security-purpose

      We recommend that you save this value in a text file as a record of the token in case the URL isn't available any more.

6. Return to the Azure portal and paste the token value into Secret Token.

7. Click Test Connection to make sure that Azure AD recognizes the organization and token.

   A successful result states that the credentials are authorized to enable user provisioning.

8. Enter a Notification Email and check the box to get email when there are provisioning errors.

9. Click Save.

At this point, you've successfully authorized Azure AD to provision and synchronize Webex users, and completed the steps to set up synchronization.
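The token hand-off in step 5 is an OAuth 2.0 implicit grant (response_type=token): the token comes back in the URL fragment, and the state parameter is what ties the redirect URL to the authorize request you actually opened. The following Python is an added example, not code from this article or from Cisco; it rebuilds the step 1 URL with a freshly generated state (the client_id, redirect_uri and scopes are the article's own) and parses the step 3 URL, refusing any token whose state does not match.

```python
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Values taken from the article's authorize URL; only the state is generated fresh each run.
IDBROKER = "https://idbroker.webex.com/idb/oauth2/v1/authorize"
CLIENT_ID = "C4ca14fe00b0e51efb414ebd45aa88c1858c3bfb949b2405dba10b0ca4bc37402"
REDIRECT_URI = "http://localhost:3000/auth/code"
SCOPES = "spark:people_read spark:people_write Identity:SCIM"

def new_state() -> str:
    """An unguessable per-request state, which is what the article's placeholder string stands for."""
    return secrets.token_urlsafe(24)

def build_authorize_url(state: str, broker: str = IDBROKER) -> str:
    """Rebuild the step 1 URL; quote_via=quote gives the %3A/%2F/%20 encoding the article shows."""
    params = {"response_type": "token", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": SCOPES, "state": state}
    return f"{broker}?{urlencode(params, quote_via=quote)}"

def extract_token(redirect_url: str, expected_state: str) -> dict:
    """Read access_token and expires_in out of the 'site can't be reached' URL from step 3.

    The implicit grant puts the token in the URL fragment (after '#'), not the query string,
    so only the fragment is parsed. The token is rejected unless the echoed state equals the
    one we sent, so a URL produced by some other authorize request is never accepted.
    """
    fields = {k: v[0] for k, v in parse_qs(urlsplit(redirect_url).fragment).items()}
    if fields.get("state") != expected_state:
        raise ValueError("state mismatch: this redirect does not belong to our authorize request")
    if fields.get("token_type") != "Bearer" or "access_token" not in fields:
        raise ValueError("fragment carries no bearer access_token")
    return {"access_token": fields["access_token"], "expires_in": int(fields.get("expires_in", "0"))}

if __name__ == "__main__":
    state = new_state()
    print("Open this in an incognito tab:", build_authorize_url(state))
    pasted = input("Paste the full http://localhost:3000/auth/code#... URL: ").strip()
    token = extract_token(pasted, state)
    print(f"Secret Token for Azure AD (expires in {token['expires_in']} s):", token["access_token"])
```

For Webex for Government, pass the idbroker-f.webex.com authorize URL as the broker argument.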

What to do next

If you want to map more Azure AD user attributes to Webex attributes, continue to the next section.

For info on making changes to the synchronized organization, see the Manage Synchronized Azure Active Directory Users help article.

Follow this procedure to map additional user attributes from Azure to Webex, or to change existing user attribute mappings.

Azure to Webex mapping does not synchronize every single user detail. Some aspects of user data are not synchronized:

  • Avatars

  • Rooms

  • Attributes not listed in the table below

We recommend that you do not change the default attribute mappings unless absolutely necessary. The value that you map as the username is particularly important. Webex uses the user's email address as their username. By default, we map userPrincipalName (UPN) in Azure AD to email address (username) in Control Hub.

If the userPrincipalName does not map to the email in Control Hub, users are provisioned into Control Hub as new users instead of matching existing users. If you want to use another Azure user attribute that is in email address format instead of UPN, you must change that default mapping in Azure AD from userPrincipalName to the appropriate Azure AD user attribute.

Before you begin

You have added and configured the Cisco Webex app in your Azure Active Directory, and tested the connection.

You can modify the user attribute mappings before or after you start synchronizing users.

1. Sign in to the Azure portal and then go to Azure Active Directory > Enterprise applications > All applications.

2. Open the Cisco Webex application.

3. Select the Provisioning page, expand the Mappings section, and click Provision Azure Active Directory Users.

4. Check the Show advanced options check box and then click Edit attribute list for CiscoWebEx.

5. Choose the Webex attributes to be populated from Azure user attributes. The attributes and mappings are shown later in this procedure.

6. After selecting the Webex attributes, click Save, and then Yes to confirm.

   The Attribute Mapping page opens, so you can map Azure AD user attributes to the Webex user attributes you chose.

7. Near the bottom of the page, click Add new mapping.

8. Choose Direct mapping. Select the Source attribute (Azure attribute) and the Target attribute (Webex attribute), and then click OK.

   Table 2. Azure to Webex Mappings

   Azure Active Directory Attribute (source)                    Webex User Attribute (target)

   Attributes Populated by Default
   userPrincipalName                                            userName
   Switch([IsSoftDeleted], , "False", "True", "True", "False")  active
   displayName                                                  displayName
   surname                                                      name.familyName
   givenName                                                    name.givenName
   objectId                                                     externalId

   Additional Available Attributes
   jobTitle                                                     title
   usageLocation                                                addresses[type eq "work"].country
   city                                                         addresses[type eq "work"].locality
   streetAddress                                                addresses[type eq "work"].streetAddress
   state                                                        addresses[type eq "work"].region
   postalCode                                                   addresses[type eq "work"].postalCode
   telephoneNumber                                              phoneNumbers[type eq "work"].value
   mobile                                                       phoneNumbers[type eq "mobile"].value
   facsimileTelephoneNumber                                     phoneNumbers[type eq "fax"].value

9. Repeat the previous two steps until you have added or modified all the mappings you need, then click Save and Yes to confirm your new mappings.

You can Restore default mappings if you want to start again.

Your mappings are done and the Webex users will be created or updated on the next synchronization.
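What the mappings in Table 2 produce on the wire, as an added Python example (not Cisco's or Microsoft's code): it applies a subset of the table's rows to a constructed Azure AD user record, evaluates the Switch expression on the IsSoftDeleted flag for active, writes SCIM filter paths such as addresses[type eq "work"].locality into the User resource, and skips unset attributes, since Azure AD does not synchronize null values. The sample record and the rows chosen are this example's own; the path grammar it handles is only the attr[type eq "x"].sub form the table uses.

```python
import re
# Constructed sample Azure AD user (not real data); None models an attribute Azure AD leaves unset.
AZURE_USER = {
    "userPrincipalName": "alice@example.com", "IsSoftDeleted": "False", "displayName": "Alice Example",
    "surname": "Example", "givenName": "Alice", "objectId": "00000000-0000-4000-8000-000000000001",
    "jobTitle": "Engineer", "usageLocation": "US", "city": "San Jose", "mobile": None,
}
# (source, target) rows from Table 2; the 'active' row is the Switch expression, handled below.
MAPPINGS = [
    ("userPrincipalName", "userName"), ("IsSoftDeleted", "active"),
    ("displayName", "displayName"), ("surname", "name.familyName"),
    ("givenName", "name.givenName"), ("objectId", "externalId"), ("jobTitle", "title"),
    ("usageLocation", 'addresses[type eq "work"].country'), ("city", 'addresses[type eq "work"].locality'),
    ("mobile", 'phoneNumbers[type eq "mobile"].value'),
]
PATH_RE = re.compile(r'^(\w+)(?:\[type eq "(\w+)"\])?(?:\.(\w+))?$')

def switch_is_soft_deleted(value):
    # Switch([IsSoftDeleted], , "False", "True", "True", "False"): not deleted -> active; the empty default branch yields None
    return {"False": True, "True": False}.get(value)

def set_scim_path(resource: dict, path: str, value) -> None:
    """Assign value at a SCIM path such as name.givenName or addresses[type eq "work"].locality."""
    m = PATH_RE.match(path)
    if not m or (m.group(2) and not m.group(3)):
        raise ValueError(f"unsupported SCIM path: {path}")
    attr, type_filter, sub = m.groups()
    if type_filter:  # multi-valued attribute: reuse the entry whose type matches, else add one
        entries = resource.setdefault(attr, [])
        entry = next((e for e in entries if e.get("type") == type_filter), None)
        if entry is None:
            entry = {"type": type_filter}
            entries.append(entry)
        entry[sub] = value
    elif sub:  # complex attribute such as name.familyName
        resource.setdefault(attr, {})[sub] = value
    else:
        resource[attr] = value

def to_scim_user(azure_user: dict) -> dict:
    scim = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for source, target in MAPPINGS:
        value = azure_user.get(source)
        if source == "IsSoftDeleted":
            value = switch_is_soft_deleted(value)
        if value is None:  # Azure AD does not synchronize null values: leave the path untouched
            continue
        set_scim_path(scim, target, value)
    return scim
```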