Single Sign-On and Control Hub

Single sign-on (SSO) is a session or user authentication process that permits a user to provide credentials to access one or more applications. The process authenticates users for all the applications that they are given rights to. It eliminates further prompts when users switch applications during a particular session.

The Security Assertion Markup Language (SAML 2.0) Federation Protocol is used to provide SSO authentication between the Webex cloud and your identity provider (IdP).

Profiles

Webex only supports the web browser SSO profile. In the web browser SSO profile, Webex supports the following bindings:

  • SP initiated POST -> POST binding

  • SP initiated REDIRECT -> POST binding

NameID Format

The SAML 2.0 Protocol supports several NameID formats for communicating about a specific user. Webex supports the following NameID formats.

  • urn:oasis:names:tc:SAML:2.0:nameid-format:transient

  • urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

  • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

In the metadata that you load from your IdP, the first NameID format entry is the one that is configured for use in Webex.

Integrate Control Hub with Microsoft Azure


The configuration guides show a specific example for SSO integration but do not provide exhaustive configuration for all possibilities. For example, the integration steps for nameid-format urn:oasis:names:tc:SAML:2.0:nameid-format:transient are documented. Other formats such as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress will work for SSO integration but are outside the scope of our documentation.

Set up this integration for users in your Webex organization (including Webex, Webex Meetings, and other services administered in Control Hub). If your Webex site is integrated in Control Hub, the Webex site inherits the user management. If you can't access Webex Meetings in this way and it is not managed in Control Hub, you must do a separate integration to enable SSO for Webex Meetings. (See Configure Single Sign-On for Webex for more information on SSO integration in Site Administration.)

Before you begin

For SSO and Control Hub, IdPs must conform to the SAML 2.0 specification. In addition, IdPs must be configured in the following manner:


In Azure Active Directory, provisioning is only supported in manual mode. This document only covers single sign-on (SSO) integration.

Download the Webex Metadata to your Local System

1

From the customer view in https://admin.webex.com, go to Settings, and then scroll to Authentication.

2

Click Modify, click Integrate a 3rd-party identity provider (Advanced), and then click Next.

3

Download the metadata file.

The Webex metadata filename is idb-meta-<org-ID>-SP.xml.

Configure Single-Sign On Application Settings in Azure

Before you begin

1

Sign in to the Azure portal at https://portal.azure.com with your administrator credentials.

2

Go to Azure Active Directory for your organization.

3

Go to Enterprise Applications and then click Add.

4

Click Add an application from the gallery.

5

In the search box, type Cisco Webex.

6

In the results pane, select Cisco Webex, and then click Add to add the application.

A message appears that says the application was added successfully.

7

To make sure that the Webex application you've added for single sign-on doesn't show up in the user portal, open the new application, go to Properties, and set Visible to users? to No.

8

Configure Single-Sign On:

  1. After you create the application agreement, go to the Single sign-on tab, and then under Select a single-sign on method, choose SAML.

  2. On the Set up Single Sign-On with SAML page, click the Edit icon to open Basic SAML Configuration.

  3. Click Upload metadata file and then choose the metadata file that you downloaded from Control Hub.

    Some fields are automatically filled out for you.

  4. Copy the Reply URL value and paste it into Sign on URL, and then save your changes.

9

Go to Manage > Users and groups, and then choose the applicable users and groups that you want to grant access to Webex.

10

On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Federation Metadata XML and save it on your computer.

11

On the Properties page, make sure that Visible to users? is set to No.

We don't support making the Webex app visible to users.

Import the IdP Metadata and Enable Single Sign-On After a Test

After you export the Webex metadata, configure your IdP, and download the IdP metadata to your local system, you are ready to import it into your Webex organization from Control Hub.

Before you begin

Do not test SSO integration from the identity provider (IdP) interface. We only support Service Provider-initiated (SP-initiated) flows, so you must use the Control Hub SSO test for this integration.

1

Choose one:

  • Return to the Control Hub – Export Directory Metadata page in your browser, and then click Next.

  • If Control Hub is no longer open in the browser tab, from the customer view in https://admin.webex.com, go to Settings, scroll to Authentication, choose Integrate a third-party identity provider (Advanced), and then click Next on the trusted metadata file page (because you already completed that step).

2

On the Import IdP Metadata page, either drag and drop the IdP metadata file onto the page or use the file browser option to locate and upload the metadata file. Click Next.

You should use the more secure option if you can (Require certificate signed by a certificate authority in Metadata). This is only possible if your IdP used a public CA to sign its metadata.

In all other cases you must use the less secure option (Allow self-signed certificate in Metadata). This includes if the metadata is not signed, self-signed, or signed by a private CA.

3

Select Test SSO Connection, and when a new browser tab opens, authenticate with the IdP by signing in.

If you receive an authentication error there may be a problem with the credentials. Check the username and password and try again.

A Webex error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

4

Return to the Control Hub browser tab.

  • If the test was successful, select This test was successful. Enable Single Sign-On option and click Next.
  • If the test was unsuccessful, select This test was unsuccessful. Disable Single Sign-On option and click Next.

What to do next

You can follow the procedure in Suppress Automated Emails to disable emails that are sent to new Webex users in your organization. The document also contains best practices for sending out communications to users in your organization.
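The import step above turns on the stricter "Require certificate signed by a certificate authority in Metadata" option only when the IdP metadata is signed with a public-CA certificate, and the NameID section earlier notes that the first NameIDFormat entry in that metadata is the one Webex uses. The following script is an added example, not Cisco's or Microsoft's tooling: it reads an IdP federation metadata file with the Python standard library and reports the first NameIDFormat, the SingleSignOnService bindings, the signing certificates, and whether the document carries an XML signature at all. The sample metadata is constructed for illustration; its entityID, URLs and certificate text are placeholders, not real Azure values.

```python
"""Inspect IdP federation metadata before importing it into Control Hub.

Added example (not Cisco's or Microsoft's code). Standard library only, so it
can tell you whether the metadata is signed, but not whether the signing
certificate is public-CA issued, self-signed or private-CA issued; that part
still has to be checked on the certificate itself.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# NameID formats this page lists as supported by Webex.
SUPPORTED_NAMEID_FORMATS = (
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
)
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample (not real Azure output): unsigned IdP metadata with two
# NameID formats and both SSO bindings. Every identifier is a placeholder.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/placeholder-tenant/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>PLACEHOLDER-BASE64-CERT</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/placeholder-tenant/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/placeholder-tenant/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def inspect_idp_metadata(xml_text: str) -> dict:
    """Return the facts an admin should confirm before importing IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor found; this is not IdP metadata")

    # Order matters: Webex uses the first NameIDFormat entry.
    nameid_formats = [e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text]
    first_format = nameid_formats[0] if nameid_formats else None

    sso_bindings = {e.get("Binding"): e.get("Location")
                    for e in idp.findall("md:SingleSignOnService", NS)}

    # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                if cert.text:
                    signing_certs.append("".join(cert.text.split()))

    # An enveloped XML signature directly under the EntityDescriptor.
    metadata_signed = root.find("ds:Signature", NS) is not None

    findings = []
    if first_format not in SUPPORTED_NAMEID_FORMATS:
        findings.append(f"first NameIDFormat {first_format!r} is not one Webex supports")
    if HTTP_POST not in sso_bindings and HTTP_REDIRECT not in sso_bindings:
        findings.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    if not signing_certs:
        findings.append("no signing certificate: assertion signatures cannot be verified")
    if not metadata_signed:
        findings.append("metadata is not signed: Control Hub import needs "
                        "'Allow self-signed certificate in Metadata'")

    return {
        "entity_id": root.get("entityID"),
        "first_nameid_format": first_format,
        "nameid_formats": nameid_formats,
        "sso_bindings": sso_bindings,
        "signing_cert_count": len(signing_certs),
        "metadata_signed": metadata_signed,
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in inspect_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Run it against the Federation Metadata XML you downloaded from Azure instead of the sample by passing the file contents to inspect_idp_metadata. An empty findings list means the first NameID format is one Webex supports and the metadata is signed; a signed document still leaves the public-CA versus self-signed question to a certificate inspection.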

Troubleshoot Azure Active Directory Integration

When doing the SAML test, make sure that you use Mozilla Firefox and that you install the SAML-tracer add-on from https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/.

Check the assertion that comes from Azure to make sure that it has the correct NameID format and has a uid attribute that matches a user in Webex.
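To make that check repeatable, here is an added example (not Cisco's tooling) that takes the decoded SAML Response XML as SAML-tracer displays it and reports the NameID format, the uid attribute and the response status. The sample response, its issuer, ACS URL and user are constructed placeholders. Signature verification is deliberately left out (it needs an XML-DSig library), so this only confirms the assertion carries what Webex expects; the optional known_users set is an assumption standing in for your own list of Webex users.

```python
"""Check a captured SAML assertion against what this page says Webex expects.

Added example, not part of Cisco's documentation. Input is the SAML Response
XML after base64 decoding (SAML-tracer shows it on its SAML tab).
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# NameID formats this page lists as supported by Webex.
SUPPORTED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed sample response; every ID, URL and user value is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-response-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sp.example.test/placeholder/acs">
  <saml:Issuer>https://idp.example.test/placeholder-tenant/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_placeholder-assertion-id" Version="2.0"
      IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/placeholder-tenant/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_t1</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid">
        <saml:AttributeValue>alice@example.test</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def inspect_assertion(xml_text: str, known_users=None) -> dict:
    """Parse a SAML Response (or bare Assertion) and list anything Webex would reject."""
    root = ET.fromstring(xml_text)
    findings = []

    # A non-Success status means the IdP refused the login (credentials, policy, ...).
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    status_value = status.get("Value") if status is not None else None
    if root.tag == f"{{{NS['samlp']}}}Response" and status_value != SUCCESS:
        findings.append(f"response status is not Success: {status_value!r}")

    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no saml:Assertion element (encrypted or missing assertion)")
        return {"nameid_format": None, "uid": None, "attributes": {}, "findings": findings}

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    nameid_format = name_id.get("Format") if name_id is not None else None
    if nameid_format not in SUPPORTED_NAMEID_FORMATS:
        findings.append(f"NameID format {nameid_format!r} is not one Webex supports")

    # Collect every attribute; the page singles out 'uid' as the one Webex matches on.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attributes[attr.get("Name")] = values
    uid = next(iter(attributes.get("uid", [])), None)
    if not uid:
        findings.append("uid attribute missing or empty")
    elif known_users is not None and uid.lower() not in {u.lower() for u in known_users}:
        findings.append(f"uid {uid!r} does not match any known Webex user")

    return {"nameid_format": nameid_format, "uid": uid,
            "attributes": attributes, "findings": findings}


if __name__ == "__main__":
    result = inspect_assertion(SAMPLE_RESPONSE, known_users={"alice@example.test"})
    print("NameID format:", result["nameid_format"])
    print("uid:", result["uid"])
    print("findings:", result["findings"] or "none")
```

Paste the decoded response from SAML-tracer in place of the sample. A "NameID format" finding points back at the Azure Basic SAML Configuration, a missing uid at the attribute mapping in the Azure application, and a non-Success status at the sign-in itself rather than the Webex side of the setup.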