Single Sign-On and Cisco Webex Teams

Single sign-on (SSO) is a session or user authentication process that permits a user to provide credentials to access one or more applications. The process authenticates users for all the applications that they are given rights to. It eliminates further prompts when users switch applications during a particular session.

The Security Assertion Markup Language (SAML 2.0) Federation Protocol is used to provide SSO authentication between the Cisco Webex cloud and your identity provider (IdP).

Profiles

Cisco Webex Teams only supports the web browser SSO profile. In the web browser SSO profile, Cisco Webex Teams supports the following bindings:

  • SP initiated POST -> POST binding

  • SP initiated REDIRECT -> POST binding

NameID Format

The SAML 2.0 Protocol supports several NameID formats for communicating about a specific user. Cisco Webex Teams supports the following NameID formats.

  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

In the metadata that you load from your IdP, the first entry is configured for use in Cisco Webex.

SingleLogout

Cisco Webex Teams supports the single logout profile. In the Cisco Webex Teams app, a user can sign out of the application, which uses the SAML single logout protocol to end the session and confirm that sign out with your IdP. Ensure your IdP is configured for SingleLogout.

Integrate Cisco Webex Control Hub with Google Apps for Single Sign-On


The configuration guides show a specific example for SSO integration but do not provide exhaustive configuration for all possibilities. For example, the integration steps for nameid-format urn:oasis:names:tc:SAML:2.0:nameid-format:transient are documented. Other formats such as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress will work for SSO integration but are outside the scope of our documentation.

Set up this integration for users in your Cisco Webex organization (including Cisco Webex Teams, Cisco Webex Meetings, and other services administered in Cisco Webex Control Hub). If your Webex site is integrated in Cisco Webex Control Hub, the Webex site inherits the user management. If you can't access Cisco Webex Meetings in this way and it is not managed in Cisco Webex Control Hub, you must do a separate integration to enable SSO for Cisco Webex Meetings. (See Configure Single Sign-On for Webex for more information in SSO integration in Site Administration.)

Before you begin

For SSO and Cisco Webex Control Hub, IdPs must conform to the SAML 2.0 specification. In addition, IdPs must be configured in the following manner:
  • Set the NameID Format attribute to urn:oasis:names:tc:SAML:2.0:nameid-format:transient

  • Configure a claim on the IdP to include the uid attribute name with a value that is mapped to the attribute that is chosen in Cisco Directory Connector or the user attribute that matches the one that is chosen in the Cisco Webex identity service. (This attribute could be E-mail-Addresses or User-Principal-Name, for example.) See the custom attribute information in https://www.cisco.com/go/hybrid-services-directory for guidance.

  • Use a supported browser: we recommend the latest version of Mozilla Firefox or Google Chrome.

  • Disable any popup blockers in your browser.

Download the Cisco Webex Metadata to your Local System

1

From the customer view in https://admin.webex.com, go to Settings, and then scroll to Authentication.

2

Click Modify, click Integrate a 3rd-party identity provider. (Advanced), and then click Next.

3

Download the metadata file.

The Cisco Webex metadata filename is idb-meta-<org-ID>-SP.xml.

Configure a Custom App in Google Admin

1

Sign in to the Google Apps admin console (https://admin.google.com) using an account with administrative permissions, and then click Apps.

2

From the apps view, click SAML apps.

3

On the SAML Apps page, click the plus (+) button and on the pop-up page, select SETUP MY OWN CUSTOM APP.

4

On the Google Idp Information page under the Option 2 section, click DOWNLOAD and save the file in an easy to find location on your local system.

The Google metadata file is downloaded. The filename format is GoogleIDPMetadata-<domain name>.xml.

5

Click NEXT.

6

On the Basic information for your Custom App page, enter the application name Cisco Webex Teams and click NEXT.

7

To fill out the Service Provider Details page, in a text editor open the Cisco Webex metadata file that you downloaded earlier.

  1. Search the Cisco Webex metadata file for "AssertionConsumerService" and copy the URL that follows the Location keyword and paste it into the ACS URL field on the Service Provider Details page.

    Example:

    https://idbroker.webex.com/idb/Consumer/metaAlias/a35bfbc6-ccbd-4a17-a499-72fa46cec25c/sp
  2. Search the Cisco Webex metadata file for "entityID" and copy the URL that follows into the Entity ID field on the Service Provider Details page.

    Example:

    https://idbroker.webex.com/a35bfbc6-ccbd-4a17-a499-72fa46cec25c
  3. "Name ID" should be set to Basic Information and Primary Email

  4. "Name ID Format" should be set to UNSPECIFIED

  5. No attribute mappings are required, so on the Attribute Mapping page, click FINISH

After the Cisco Webex SAML app is created, you must enable it for users.

8

Click the vertical dots on the right side of the Cisco Webex SAML app and choose one:

  • On for everyone
  • On for some organizations (and then choose the organizations)

Import the IdP Metadata and Enable Single Sign-On After a Test

After you export the Cisco Webex metadata, configure your IdP, and download the IdP metadata to your local system, you are ready to import it into your Cisco Webex organization from Control Hub.

1

Choose one:

  • Return to the Cisco Webex Control Hub – Export Directory Metadata page in your browser, and then click Next.
  • If Control Hub is no longer open in the browser tab, from the customer view in https://admin.webex.com, go to Settings, scroll to Authentication, choose Integrate a third-party identity provider (Advanced), and then click Next on trusted metadata file page (because you already did it before).
2

On the Import IdP Metadata page, either drag and drop the IdP metadata file onto the page or use the file browser option to locate and upload the metadata file. Click Next.

If the metadata isn't signed, is signed with a self-signed certificate, or is signed with a private enterprise certificate authority (CA), we recommend that you use require certificate signed by a certificate authority in Metadata (more secure). If the certificate is self-signed, you need to choose the less secure option.

3

Select Test SSO Connection, and when a new browser tab opens, authenticate with the IdP by signing in.


 

If you receive an authentication error there may be a problem with the credentials. Check the username and password and try again.

A Webex Teams error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

4

Return to the Control Hub browser tab.

  • If the test was successful, select This test was successful. Enable Single Sign-On option and click Next.
  • If the test was unsuccessful, select This test was unsuccessful. Disable Single Sign-On option and click Next.

What to do next

You can follow the procedure in Suppress Automated Emails to disable emails that are sent to new Webex Teams users in your organization. The document also contains best practices for sending out communications to users in your organization.