Sep 10, 2018

Configure Single Sign-On for Cisco Webex Site

Site administrators have the option to set up their organization with single sign-on (SSO). SSO lets people use one set of credentials to sign in to multiple applications.

Single Sign-On

Webex SSO uses one unique identifier to give people in your organization access to all enterprise applications. Administrators can use Webex Site Administration to configure SSO for Cisco Webex applications.

  

Single sign-on is an optional feature that must be provisioned for your site. Contact your Customer Success Manager for information.

Configure SSO

Use the following procedure to configure SSO and SAML 2.0.

Before You Begin

Obtain and set up the following requirements.

  • A standard SAML 2.0 or WS Federate 1.0 compliant Identity and Access Management (IAM) system, such as CA SiteMinder, ADFS, and Ping Identity.

  • A corporate X.509 public key certificate from a trusted Certificate Authority, such as VeriSign and Thawte.

  • An IAM configured to provide SAML assertions with the user account information and SAML system IDs.

  • An IdP XML file.

  • A URL for the corporate IAM service.

    1. Sign in to Webex Site Administration and go to Configuration > Common Site Settings > SSO Configuration.
    2. From the Federation Protocol drop-down list, select SAML 2.0.

    If there is an existing configuration, some fields may already be populated.

    3. Select the Site Certificate Manager link.
    4. In the Site Certificate Manager window, select Browse, and then navigate to the location of the CER file for your X.509 certificate.
    5. Select the CER file, and then select OK.
    6. Select Close.
    7. Enter the required information on the SSO Configuration page and select the options that you want to enable.
    8. Select Update.

    SSO Configuration Page

    The following table lists and describes the fields and options on the SSO Configuration page.

      

    The information that you use during configuration must be exact. If you require further clarification about the information required to configure SSO for your site, contact your identity provider.

    Table 1 SSO Configuration Page Fields and Options

    Field or Option

    Description

    SSO Profile

    Specify how users access the Webex site. Select SP Initiated if users start at the Webex meeting site and are redirected to the corporate IdP system for authentication. Select IdP Initiated if users access the Webex site through the corporate IAM system.

    Import SAML Metadata (link)

    Click to open the Federated Web SSO Configuration - SAML Metadata dialog box. Imported metadata fields include the following:

    • AuthnRequestSigned Destination

    • Issuer for SAML (IdP ID)

    • Customer SSO Service Login URL

    Webex SAML Issuer (SP ID)

    The URI identifies the Cisco Webex Messenger service as an SP. The configuration must match the settings in the customer Identity Access Management system. Recommended naming conventions: For Webex Meetings, enter the Webex Meetings site URL. For the Webex Messenger service, use the format "client-domain-name" (example: IM-Client-ADFS-WebexEagle-Com).

    Issuer for SAML (IdP ID)

    A URI that uniquely identifies the IdP. The configuration must match the setting in the customer IAM. Located in the IdP XML file (example: entityID="http://adfs20-fed-srv.adfs.webexeagle.com/adfs/services/trust").

    Customer SSO Service Login URL

    URL for your enterprise's single sign-on services. Users typically sign in with this URL. Located in the IdP XML file (example: <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs20-fed-srv.adfs.webexeagle.com/adfs/ls/" index="0" isDefault="true" />)

    You can export a SAML metadata Webex configuration file

    You can export some metadata, which can then be imported in the future. Exported metadata fields include the following:

    • AuthnRequestSigned Destination

    • Issuer for SAML (IdP ID)

    • Customer SSO Service Login URL

    NameID Format

    Must match the IAM configuration, with the following formats being supported:

    • Unspecified

    • Email address

    • X509 Subject Name

    • Entity Identifier

    • Persistent Identifier

    AuthnContextClassRef

    The SAML statement that describes the authentication at the IdP. This must match the IAM configuration.

    ADFS examples: urn:federation:authentication:windows or urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

    Ping example: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

    Note: To use more than one AuthnContextClassRef value, add a ";" between the values. For example: urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

    Default Webex Target page URL (optional)

    Upon authentication, displays a target page assigned for the web application only.

    Customer SSO Error URL (optional)

    If an error occurs, redirects to this URL with the error code appended in the URL.

    Single Logout (optional)

    Check to require a sign-out and set the logout URL.

      

    IdP initiated Single Logout is not supported.

    Signature Algorithm for AuthnRequest

    For enhanced security, you can now generate SHA-1, SHA-256, or SHA-512 signed certificates.

    SSO authentication for Attendees

    This feature provides additional levels of accountability to the SAML assertion user authentication for internal attendees using Webex Meetings, Webex Training, and Webex Events. When enabled, this feature supersedes the Webex Meetings "Display internal user tag in participant list" feature.

    Auto Account Creation (optional)

    Select to create a user account. UID, email, and first and last name fields must be present in the SAML assertion.

    Auto Account Update (optional)

    Webex accounts can be updated with the presence of an updateTimeStamp attribute in the SAML assertion. When modifications are made in the IAM, the new timestamp is sent to the Webex site, which updates the account with any attribute sent in the SAML assertion.

    Remove uid Domain Suffix for Active Directory UPN

    Removes the Active Directory domain from the User Principal Name (UPN) when selected.
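Because the values entered on the SSO Configuration page must be exact, the following added example (not Cisco's code) reads Issuer for SAML (IdP ID) and Customer SSO Service Login URL from an IdP XML file, compares them with what was typed, and splits a ";"-separated AuthnContextClassRef value. The metadata is constructed for a hypothetical idp.example.com and assumes the standard SAML 2.0 IDPSSODescriptor/SingleSignOnService layout; all function names are illustrative.

```python
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata for a hypothetical IdP (idp.example.com).
SAMPLE_IDP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://idp.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Location="https://idp.example.com/adfs/ls/"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <SingleSignOnService Location="https://idp.example.com/adfs/ls/"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def idp_fields(xml_text):
    """Read the IdP ID, login URL and NameID formats from IdP metadata."""
    # Parse only metadata from your own IdP; use defusedxml for untrusted files.
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        raise ValueError("no IDPSSODescriptor element: not IdP metadata")
    sso = {e.get("Binding"): e.get("Location", "").strip()
           for e in idp.findall("md:SingleSignOnService", MD)}
    return {
        "idp_id": root.get("entityID", "").strip(),
        "login_url": sso.get(HTTP_POST) or next(iter(sso.values()), ""),
        "nameid_formats": [(e.text or "").strip()
                           for e in idp.findall("md:NameIDFormat", MD)],
    }


def mismatches(entered, xml_text):
    """List fields whose entered value is not character-for-character the metadata value."""
    expected = idp_fields(xml_text)
    return [f"{k}: entered {entered.get(k)!r}, metadata has {expected[k]!r}"
            for k in ("idp_id", "login_url") if entered.get(k) != expected[k]]


def authn_context_refs(value):
    """Split a ';'-separated AuthnContextClassRef value; reject non-URN parts."""
    refs = [part.strip() for part in value.split(";") if part.strip()]
    bad = [r for r in refs if not r.startswith("urn:")]
    if bad:
        raise ValueError(f"not a URN: {bad}")
    return refs
```

A stray leading space in a pasted entityID, which is easy to pick up when copying from the XML file, is reported by `mismatches` as a difference.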
