If you are using the SAML SSO certificate in your Cisco Webex organization, you must plan to update the cloud certificate during a regular scheduled maintenance window as soon as possible.

All services that are part of your Cisco Webex organization subscription are affected, including but not limited to:

  • Cisco Webex services in Cisco Webex Control Hub, including Calling

  • Cisco Webex Meetings managed through Cisco Webex Control Hub

  • Cisco Jabber if it's integrated with Single Sign-On

Before you begin


Please read all directions before beginning. After you change the certificate or going through the wizard to update the certificate, new users may not be able to sign in successfully.

If your IdP does not support multiple certificates (most IdPs in the market do not support this feature), we also recommend that you schedule this upgrade during a maintenance window where Cisco Webex Teams users are not affected.

Scheduled Maintenance Not Needed
If you are using one of the following IdP products that use multiple certificates, you may be able to proceed without the scheduled maintenance window:
  • ADFS 2.0 or later

  • Ping Identity Federation

  • ForgeRock OpenAM 12.0 or later

Certificate Update Needed Under Certain Conditions

If you are using any of the following features, you must update the IdP with the new Webex cloud certificate:

  • Signing AuthN Requests

  • Signing SLO Request

  • Encrypt Assertion Response to SP

Certificate Update Not Needed

If you use Google G Suite, OKTA, or Microsoft Azure, but are not using any of the features listed above, you do not need to update the IdP with the new Webex cloud certificate.

1

Choose one:

  • From the email notification with the subject line "Update Metadata in your IdP," click Update Certificate to launch Cisco Webex Control Hub in your browser, and then sign in using your administrator credentials.
  • From the customer view in https://admin.webex.com, click Update SSO Certificate.

    This is an example notification that you see in Control Hub when it's time to update the cloud certificate:

If you decide to exit the wizard before you complete it, you can access it again from Settings in https://admin.webex.com.

2

Choose the first radio button if any of these features apply to your Identity Provider (IdP), and then click Next:

  • Signing AuthN Requests
  • Signing SLO Request
  • Encrypt Assertion Response to SP
Things to Keep in Mind
  • ADFS—Certificate expiration may be monitored and sign-in may be stopped at the IdP if the certificate is not upgraded within 30 days of expiration. If you're using any of the three features above, upgrade the certificate as soon as possible.

  • Shibboleth—SLO is not supported. If you're using any of the other two features above, upgrade the certificate as soon as possible.


 

If you are unsure whether you are using any of the features, we recommend updating your IdP configuration with the new Webex certificate so that that there is no interruption of service.

If you are sure you're not using any of the above services, choose None of these apply to my IdP, and then click Submit.

3

Choose the type of IdP that your organization uses and then click Next:

  • IdP that supports multiple certificates
  • IdP that supports a single certificate

 

If your IdP supports a single certificate, we recommend that you wait to perform these steps during scheduled downtime. While the Webex certificate is being updated, new user sign-ins briefly won't work; existing sign-ins are preserved.

4

Click Download Metadata File to download a copy of the updated metadata with the new certificate from the Webex cloud. Keep this screen open.

5

In a new browser tab or window, navigate to your IdP management interface to upload the new Webex metadata file:

6

Return to the tab where you signed in to Cisco Webex Control Hub and click Next.

7

Click Test SSO Update to confirm that the new metadata file was uploaded and interpreted correctly by your IdP. Confirm the expected results in the pop-up window, and if the test was successful, click Switch to new metadata.