Single Sign-On
Webex SSO uses one unique identifier to give people in your organization access to all enterprise applications. Administrators can use Webex Site Administration to configure SSO for Cisco Webex applications.
Single sign-on is an optional feature that must be provisioned for your site. Contact your Customer Success Manager for information.
Configure SSO
Obtain and set up the following requirements.
A standard SAML 2.0 or WS Federate 1.0 compliant Identity and Access Management (IAM) system, such as CA SiteMinder, ADFS, and Ping Identity.
A corporate X.509 public key certificate from a trusted Certificate Authority, such as VeriSign and Thawte.
An IAM configured to provide SAML assertions with the user account information and SAML system IDs.
An IdP XML file.
A URL for the corporate IAM service.
SSO Configuration Page
The following table lists and describes the fields and options on the SSO Configuration page.
The information that you use during configuration must be exact. If you require further clarification about the information required to configure SSO for your site, contact your identity provider.

| Field or Option | Description |
|---|---|
| SSO Profile | Specify how users access the Webex site. Select SP Initiated if users start at the Webex meeting site and are redirected to the corporate IdP system for authentication. Select IdP Initiated if users access the Webex site through the corporate IAM system. |
| Import SAML Metadata (link) | Click to open the Federated Web SSO Configuration - SAML Metadata dialog box. Imported metadata fields include the following: |
| Webex SAML Issuer (SP ID) | The URI identifies the Cisco Webex Messenger service as an SP. The configuration must match the settings in the customer Identity Access Management system. Recommended naming conventions: For Webex Meetings, enter the Webex Meetings site URL. For the Webex Messenger service, use the format "client-domain-name" (example: IM-Client-ADFS-WebexEagle-Com). |
| Issuer for SAML (IdP ID) | A URI uniquely identifies the IdP. The configuration must match the setting in the Customer IAM. Located in the IdP XML file (example: `entityID="http://adfs20-fed-srv.adfs.webexeagle.com/adfs/services/trust"`). |
| Customer SSO Service Login URL | URL for your enterprise's single sign-on services. Users typically sign in with this URL. Located in the IdP XML file (example: `<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs20-fed-srv.adfs.webexeagle.com/adfs/ls/" index="0" isDefault="true" />`). |
| You can export a SAML metadata Webex configuration file | You can export some metadata, which can then be imported in the future. Exported metadata fields include the following: |
| NameID Format | Must match the IAM configuration, with the following formats being supported: |
| AuthnContextClassRef | The SAML statement that describes the authentication at the IdP. This must match the IAM configuration. ADFS examples: `urn:federation:authentication:windows` or `urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport`. Ping example: `urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified`. Note: To use more than one AuthnContextClassRef value, add a ";". For example: `urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport` |
| Default Webex Target page URL (optional) | Upon authentication, displays a target page assigned for the web application only. |
| Customer SSO Error URL (optional) | If an error occurs, redirects to this URL with the error code appended in the URL. |
| Single Logout (optional) | Check to require a sign-out and set the logout URL. |
| Signature Algorithm for AuthnRequest | For enhanced security, you can now generate SHA-1, SHA-256, or SHA-512 signed certificates. |
| SSO authentication for Attendees | This feature provides additional levels of accountability to the SAML assertion user authentication for internal attendees using Webex Meetings, Webex Training, and Webex Events. When enabled, this feature supersedes the Webex Meetings "Display internal user tag in participant list" feature. |
| Auto Account Creation (optional) | Select to create a user account. UID, email, and first and last name fields must be present in the SAML assertion. |
| Auto Account Update (optional) | Webex accounts can be updated with the presence of an updateTimeStamp attribute in the SAML assertion. When modifications are made in the IAM, the new timestamp is sent to the Webex site, which updates the account with any attribute sent in the SAML assertion. |
| Remove uid Domain Suffix for Active Directory UPN | Removes the Active Directory domain from the User Principal Name (UPN) when selected. |
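
Because the Issuer for SAML (IdP ID) and Customer SSO Service Login URL fields must match the IdP XML file exactly, the following added example (not part of the Cisco documentation) reads those values from the metadata and compares them with what was typed into the page. The host idp.example.com, the sample metadata, and the function names are constructed for illustration; the login endpoint is read from SingleSignOnService, the element SAML 2.0 IdP metadata uses for it, or otherwise from the AssertionConsumerService element shown in the table's example.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata (hypothetical host idp.example.com).
SAMPLE_IDP_XML = f"""<EntityDescriptor xmlns="{MD}"
    entityID="http://idp.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="{POST}"
        Location="https://idp.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def read_idp_metadata(xml_text):
    """Extract the values the SSO Configuration page asks for."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")
    login = None  # first HTTP-POST endpoint, SingleSignOnService preferred
    for name in ("SingleSignOnService", "AssertionConsumerService"):
        for el in root.iter(f"{{{MD}}}{name}"):
            if login is None and el.get("Binding") == POST:
                login = el.get("Location")
    return {
        "idp_id": root.get("entityID"),
        "login_url": login,
        "nameid_formats": [e.text.strip() for e in root.iter(f"{{{MD}}}NameIDFormat") if e.text],
    }


def check_sso_fields(xml_text, entered):
    """Return a list of problems; entered has keys idp_id and login_url."""
    meta = read_idp_metadata(xml_text)
    problems = []
    for key in ("idp_id", "login_url"):
        want, got = meta[key], entered.get(key, "")
        if want is None:
            problems.append(f"{key}: not found in metadata")
        elif got != want:  # exact comparison: no case folding, no trimming
            hint = " (differs only by whitespace)" if got.strip() == want.strip() else ""
            problems.append(f"{key}: entered {got!r}, metadata has {want!r}{hint}")
    if meta["login_url"] and not meta["login_url"].strip().lower().startswith("https://"):
        problems.append("login_url: not HTTPS")
    return problems
```

An empty list from `check_sso_fields` means both entered values are byte-for-byte identical to the metadata; a stray leading space or a dropped trailing slash is reported as a mismatch.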