- Single Sign-On and Webex Control Hub
- SingleLogout
- Integrate F5 Big IP with Cisco Webex Control Hub for Single Sign-On
- Download the Cisco Webex Metadata to your Local System
- Configure the External Service Provider and Identity Provider
- Download the F5 Big-IP Metadata
- Add an Access Policy
- Associate the Access Profile with the Virtual Server
- Import the IdP Metadata and Enable Single Sign-On After a Test
Single Sign-On and Webex Control Hub
Single sign-on (SSO) is a session or user authentication process that permits a user to provide credentials to access one or more applications. The process authenticates users for all the applications that they are given rights to. It eliminates further prompts when users switch applications during a particular session.
The Security Assertion Markup Language (SAML 2.0) Federation Protocol is used to provide SSO authentication between the Cisco Webex cloud and your identity provider (IdP).
Profiles
Cisco Webex Teams only supports the web browser SSO profile. In the web browser SSO profile, Cisco Webex Teams supports the following bindings:
- SP initiated POST -> POST binding
- SP initiated REDIRECT -> POST binding
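Both supported bindings start with the service provider (SP) sending an AuthnRequest to the IdP. With the REDIRECT binding the request travels in the URL as the SAMLRequest query parameter, raw-DEFLATE compressed, base64 encoded and URL encoded, which is why it looks opaque in a browser trace. The following is an added example, not Cisco or F5 code: it builds such a redirect URL from a constructed AuthnRequest and decodes one back into the fields a practitioner checks when troubleshooting (issuer, ACS URL, requested response binding, requested NameID format). The entity IDs and URLs are placeholders, not values from this page.

```python
"""Encode and decode a SAML 2.0 AuthnRequest for the HTTP-Redirect binding.

Added example; the SP entity ID, ACS URL and IdP SSO URL are placeholders.
"""
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample AuthnRequest, shaped like what an SP sends to start SSO.
# ProtocolBinding asks the IdP to return the Response over HTTP-POST.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_1b2c3d" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
  Destination="https://idp.example.com/saml/sso"
  AssertionConsumerServiceURL="https://sp.example.com/acs"
  ProtocolBinding="{POST_BINDING}">
  <saml:Issuer>https://sp.example.com/metadata</saml:Issuer>
  <samlp:NameIDPolicy Format="{TRANSIENT}" AllowCreate="true"/>
</samlp:AuthnRequest>"""


def encode_redirect_request(xml_text: str, sso_url: str, relay_state: str = "") -> str:
    """Build the redirect URL: raw DEFLATE (no zlib header), base64, then URL-encode."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw deflate
    deflated = compressor.compress(xml_text.encode()) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{sso_url}?{urllib.parse.urlencode(params)}"


def decode_redirect_request(url: str) -> dict:
    """Reverse the encoding and extract the fields worth checking during troubleshooting."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    deflated = base64.b64decode(query["SAMLRequest"][0])
    xml_text = zlib.decompress(deflated, -15).decode()
    root = ET.fromstring(xml_text)
    issuer = root.find("saml:Issuer", NS)
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "protocol_binding": root.get("ProtocolBinding"),
        "nameid_format": policy.get("Format") if policy is not None else None,
        "relay_state": query.get("RelayState", [""])[0],
    }


if __name__ == "__main__":
    url = encode_redirect_request(SAMPLE_REQUEST, "https://idp.example.com/saml/sso", "abc")
    for key, value in decode_redirect_request(url).items():
        print(f"{key}: {value}")
```

To decode a real request, paste the URL the browser was redirected to into decode_redirect_request; the issuer should be the entityID from the Webex SP metadata and the ACS URL must match the AssertionConsumerService the IdP has been configured with, otherwise the IdP will reject the request or post the response to the wrong place.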
NameID Format
The SAML 2.0 Protocol supports several NameID formats for communicating about a specific user. Cisco Webex Teams supports the following NameID formats.
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
If the metadata that you load from your IdP lists more than one NameIDFormat entry, Cisco Webex uses the first one, so make sure the format you intend to use appears first.
SingleLogout
Cisco Webex Teams supports the single logout profile. In the Cisco Webex Teams app, a user can sign out of the application, which uses the SAML single logout protocol to end the session and confirm that sign out with your IdP. Ensure your IdP is configured for SingleLogout.
Integrate F5 Big IP with Cisco Webex Control Hub for Single Sign-On
The configuration guides show a specific example for SSO integration but do not provide exhaustive configuration for all possibilities. For example, the integration steps for the nameid-format urn:oasis:names:tc:SAML:2.0:nameid-format:transient are documented. Other formats, such as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, also work for SSO integration but are outside the scope of this documentation.
Set up this integration for users in your Cisco Webex organization (including Cisco Webex Teams, Cisco Webex Meetings, and other services administered in Cisco Webex Control Hub). If your Webex site is integrated in Cisco Webex Control Hub, the Webex site inherits the user management. If you can't access Cisco Webex Meetings in this way and it is not managed in Cisco Webex Control Hub, you must do a separate integration to enable SSO for Cisco Webex Meetings. (See Configure Single Sign-On for Webex for more information on SSO integration in Site Administration.)
Before you begin
For SSO and Cisco Webex Control Hub, IdPs must conform to the SAML 2.0 specification. In addition, IdPs must be configured in the following manner:
Download the Cisco Webex Metadata to your Local System
1. From the customer view in https://admin.webex.com, go to Settings, and then scroll to Authentication.
2. Click Modify, click Integrate a 3rd-party identity provider. (Advanced), and then click Next.
3. Download the metadata file. The Cisco Webex metadata filename is idb-meta-<org-ID>-SP.xml.
Configure the External Service Provider and Identity Provider
1. From your BIG-IP F5 administration interface, go to .
2. From External SP Connectors, select .
3. Enter a meaningful name for the service provider, such as <yourorganizationname>.ciscowebex.com.
4. Under Security Settings, check the following checkboxes:
5. Return to , and then create a new identity provider (IdP) service.
6. Enter a meaningful name for the IdP service, such as CI.
7. For the IdP Entity ID, use a URL built from the FQDN of the BIG-IP server, for example https://bigip0a.uc8sevtlab13.com/CI.
8. Under Assertion Settings, select Transient Identifier for Assertion Subject Type.
9. For Assertion Subject Value, return the user's email address, %{session.ad.last.attr.mail}.
10. Return the attributes mail and uid, both with the value %{session.ad.last.attr.mail}.
11. Under Security Settings, pick a certificate to sign the assertion. This certificate is published in the BIG-IP metadata you export later, so pick a CA-issued certificate if you intend to require a CA-signed certificate when you import that metadata into Control Hub.
12. Save your changes, and then bind the service provider and identity provider that you created.
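The settings in steps 8 to 11 determine what the assertion sent to Webex looks like: a signed assertion whose subject is a transient NameID and which carries mail and uid attributes. The following is an added example, not Cisco or F5 code: it takes a constructed assertion of that shape and applies the checks a SAML 2.0 service provider performs before accepting it (NameID format, required attributes, audience, validity window, bearer confirmation recipient and InResponseTo), which is a useful way to read a captured assertion when a test sign-in fails. It only confirms that a Signature element is present; cryptographic verification of the XML signature needs an XML-DSig library and is left out here. All entity IDs, URLs and user values are placeholders.

```python
"""Inspect a SAML 2.0 assertion the way a service provider does before accepting it.

Added example; the issuer, audience, ACS URL and user values are placeholders.
Signature presence is checked, signature verification is not (needs XML-DSig).
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
REQUIRED_ATTRS = ("mail", "uid")

# Constructed sample assertion: transient NameID, mail and uid attributes, signed.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>https://bigip.example.com/CI</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="{TRANSIENT}">_7f3a9c0e</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
        Recipient="https://sp.example.com/acs" InResponseTo="_1b2c3d"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="uid"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, sp_entity_id, acs_url, request_id, now):
    """Return a list of problems; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    problems = []

    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID")
    elif name_id.get("Format") != TRANSIENT:
        problems.append(f"unexpected NameID format {name_id.get('Format')}")

    # Bearer confirmation: the assertion must be addressed to our ACS and answer our request.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append(f"Recipient {scd.get('Recipient')} is not our ACS URL")
        if scd.get("InResponseTo") != request_id:
            problems.append("InResponseTo does not match the request we sent")
        if now >= _ts(scd.get("NotOnOrAfter", "1970-01-01T00:00:00Z")):
            problems.append("bearer confirmation has expired")

    # Conditions: validity window and audience (our SP entity ID).
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        if now < _ts(cond.get("NotBefore", "1970-01-01T00:00:00Z")):
            problems.append("assertion not yet valid (clock skew?)")
        if now >= _ts(cond.get("NotOnOrAfter", "9999-12-31T23:59:59Z")):
            problems.append("assertion has expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"audience {audiences} does not include {sp_entity_id}")

    present = {a.get("Name") for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if name not in present:
            problems.append(f"attribute {name} missing")
    return problems


if __name__ == "__main__":
    now = _ts("2024-01-01T12:01:00Z")
    print(check_assertion(SAMPLE_ASSERTION, "https://sp.example.com/metadata",
                          "https://sp.example.com/acs", "_1b2c3d", now) or "assertion accepted")
```

A frequent cause of a failed test sign-in is the clock: the NotBefore and NotOnOrAfter window here is a few minutes wide, so a BIG-IP whose time drifts from the SP's produces the "not yet valid" or "expired" results above even though everything else is configured correctly.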
Download the F5 Big-IP Metadata
1. Select Export IDP Service.
2. Ensure that the Sign Metadata value is Yes.
3. Download the metadata file to your desktop or another location that is easy for you to find.
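Before importing the exported file into Control Hub it is worth confirming what it actually contains: the entity ID, whether the document is signed (Sign Metadata above), the signing certificate, the single sign-on and single logout endpoints with their bindings, and the NameIDFormat entries in document order, since Webex uses the first one. The following is an added example, not Cisco or F5 code, that parses IdP metadata and reports those items, then flags the conditions that would break this integration. The sample metadata is constructed to resemble a BIG-IP IdP export; its entity ID, URLs and certificate text are placeholders.

```python
"""Preflight check of exported IdP metadata before importing it into Control Hub.

Added example; the sample document, its entity ID, URLs and certificate are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# NameID formats Webex supports; the first NameIDFormat in the metadata is the one used.
WEBEX_NAMEID_FORMATS = (
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
)
# Bindings an SP-initiated flow can use to deliver the AuthnRequest to the IdP.
SP_REQUEST_BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
)

SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="https://bigip.example.com/CI">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
    WantAuthnRequestsSigned="false">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://bigip.example.com/saml/idp/profile/post/sls"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://bigip.example.com/saml/idp/profile/post/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://bigip.example.com/saml/idp/profile/redirect/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Extract the parts of IdP metadata that the SP side relies on."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    # A KeyDescriptor without a use attribute covers both signing and encryption.
    signing_certs = [
        cert.text.strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert.text
    ]
    return {
        "entity_id": root.get("entityID"),
        "metadata_signed": root.find("ds:Signature", NS) is not None,
        "signing_certs": signing_certs,
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "sso": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
        "slo": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)},
        "nameid_formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text],
    }


def preflight(info: dict) -> list:
    """Return warnings for conditions that would break the Webex integration."""
    warnings = []
    if not info["metadata_signed"]:
        warnings.append("metadata is not signed; export again with Sign Metadata set to Yes")
    if not info["signing_certs"]:
        warnings.append("no signing certificate in metadata; assertions cannot be verified")
    if not any(b in info["sso"] for b in SP_REQUEST_BINDINGS):
        warnings.append("no SingleSignOnService with HTTP-POST or HTTP-Redirect binding")
    if not info["slo"]:
        warnings.append("no SingleLogoutService; sign-out from the Webex app cannot end the IdP session")
    if not info["nameid_formats"]:
        warnings.append("no NameIDFormat listed")
    elif info["nameid_formats"][0] not in WEBEX_NAMEID_FORMATS:
        warnings.append(f"first NameIDFormat {info['nameid_formats'][0]} is not one Webex supports")
    return warnings


if __name__ == "__main__":
    details = inspect_idp_metadata(SAMPLE_IDP_METADATA)
    print(details)
    print(preflight(details) or "no warnings")
```

To learn whether the signing certificate the script extracts is self-signed, which decides which certificate option you can select when importing the metadata, wrap the base64 text in BEGIN CERTIFICATE and END CERTIFICATE lines and run openssl x509 -noout -subject -issuer on it; identical subject and issuer means self-signed.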
Add an Access Policy
1. Go to Access Policy > Access Profiles > SAML and create a SAML Resource for the IdP that you created.
2. Go to your Access Profile and edit the access policy that you use for WebEx Messenger CAS.
3. Add a new item in the Logon tab with the name Logon Page and leave the default values.
4. Add a new item in the Authentication tab with the name AD Auth and specify your Active Directory as the server.
5. On the successful branch, add AD Query from the Authentication tab.
6. Go to Branch Rules and change the rule to AD Query is Passed.
7. On the successful branch of AD Query, add Advanced Resource Assign from the Assignment tab.
8. Click Add/Delete and add two resource types: SAML, selecting all the SAML resources, and the Webtop that you created.
9. For Select Ending, select Allow. The completed access policy should look like this screenshot: [screenshot of the access policy]
Associate the Access Profile with the Virtual Server
You must associate the access profile with the virtual server that you created.
1. Go to .
2. Open Access Profiles to confirm that no virtual server is associated with the profile.
3. Select Advanced Resource Assign.
4. Select Add/delete to add the new SAML resource.
5. Close the Access Policy design window and apply the new access policy.
Import the IdP Metadata and Enable Single Sign-On After a Test
After you export the Cisco Webex metadata, configure your IdP, and download the IdP metadata to your local system, you are ready to import it into your Cisco Webex organization from Control Hub.
Before you begin
Do not test SSO integration from the identity provider (IdP) interface. We only support Service Provider-initiated (SP-initiated) flows, so you must use the Control Hub SSO test for this integration.
1. Choose one:
2. On the Import IdP Metadata page, either drag and drop the IdP metadata file onto the page or use the file browser to locate and upload it. Click Next. Then choose how Control Hub validates the certificate carried in the metadata. Cisco recommends Require certificate signed by a certificate authority in Metadata (more secure), including when the certificate is issued by a private enterprise CA. If the certificate is self-signed, that option cannot validate it and you must choose the less secure option instead.
3. Select Test SSO Connection, and when a new browser tab opens, authenticate with the IdP by signing in.
4. Return to the Control Hub browser tab.
What to do next
You can follow the procedure in Suppress Automated Emails to disable emails that are sent to new Webex Teams users in your organization. The document also contains best practices for sending out communications to users in your organization.