From the customer view in https://admin.webex.com, go to Settings, and then scroll to Authentication.

Click Modify, click Integrate a 3rd-party identity provider. (Advanced), and then click Next.

Download the metadata file.

From your BIG-IP F5 administration interface, go to Access Policy > SAML > BIG-IP as IdP.

From External SP Connectors, select Create > From Metadata.

Enter a meaningful name for the service provider name, such as <yourorganizationname>.ciscowebex.com.

Under Security Settings, check the following checkboxes:

• Response must be signed
• Assertion must be signed

Return to Access Policy > SAML > BIG-IP as IdP, and then create a new identity provider (IdP) service.

Enter a meaningful name for the IdP service name, such as CI.

For the IdP Entity ID, use the FQDN of the Big-IP server with something in front—for example, https://bigip0a.uc8sevtlab13.com/CI.

Under Assertion Settings, select Transient Identifier for Assertion Subject Type.

For Assertion Subject Value, return the value of the email of the user %{session.ad.last.attr.mail}.

Return the attributes mail and uid with the value %{session.ad.last.attr.mail}.

Under Security Settings, pick a certificate to sign the assertion.

Save your changes, and then bind the service provider and identity provider that you created.

Select Export IDP Service.

Ensure that the Sign Metadata value is Yes.

Download the metadata file to your desktop or a location that's easy for you to find.

Go to Access Policy > Access Profiles > SAML and create a SAML Resource for the IdP that you created.

Go to your Access Profile and edit the access policy that you use for WebEx Messenger CAS.

Add a new item in the Logon tab with the name Logon Page and leave the default values.

Add a new item in the Authentication tab with the name AD Auth and specify your Active Directory as the server.

On the successful branch, add AD Query from the Authentication tab

Go to Branch Rules and changed it to AD Query is Passed.

On the successful branch of AD Query, add Advanced Resource Assign from the Assignment tab.

Click Add/Delete and add two resources SAML with all the SAML resources and the Webtop that you created.

For Select Ending, select Allow.

The access policy should look like this screenshot:

Go to Local Traffic > Virtual Servers.

Open Access Profiles to confirm that no virtual server is associated to the profile.

Select Advanced Resource Assign.

Select Add/delete to add the new SAML resource.

Close the Access Policy design windows and apply the new access policy.

Choose one:

• Return to the Cisco Webex Control Hub – Export Directory Metadata page in your browser, and then click Next.
• If Control Hub is no longer open in the browser tab, from the customer view in https://admin.webex.com, go to Settings, scroll to Authentication, choose Integrate a third-party identity provider (Advanced), and then click Next on trusted metadata file page (because you already did it before).

On the Import IdP Metadata page, either drag and drop the IdP metadata file onto the page or use the file browser option to locate and upload the metadata file. Click Next.

Select Test SSO Connection, and when a new browser tab opens, authenticate with the IdP by signing in.

If you receive an authentication error there may be a problem with the credentials. Check the username and password and try again. A Webex Teams error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

Return to the Control Hub browser tab.

• If the test was successful, select This test was successful. Enable Single Sign-On option and click Next.
• If the test was unsuccessful, select This test was unsuccessful. Disable Single Sign-On option and click Next.