Update Webex relying party trust in ADFS

This task is specifically about updating ADFS with new SAML metadata from Webex. There are related articles if you need to configure SSO with ADFS, or if you need to update (a different) IdP with SAML metadata for a new Webex SSO certificate.

Before you begin

You need to export the SAML metadata file from Control Hub before you can update the Webex Relying Party Trust in ADFS.

1

Sign in to the ADFS server with administrator permissions.

2

Upload the SAML metadata file from Webex to a temporary local folder on the ADFS server, eg. //ADFS_servername/temp/idb-meta-<org-ID>-SP.xml.

3

Open Powershell.

4

Run Get-AdfsRelyingPartyTrust to read all relying party trusts.

Note the TargetName parameter of the Webex relying party trust. We use the example "Webex" but it could be different in your ADFS.

5

Run Update-AdfsRelyingPartyTrust -MetadataFile "//ADFS_servername/temp/idb-meta-<org-ID>-SP.xml" -TargetName "Webex".

Make sure to replace the file name and target name with the correct values from your environment.

See https://docs.microsoft.com/powershell/module/adfs/update-adfsrelyingpartytrust.

If you've downloaded the Webex SP 5 year certificate and have Signing or Encryption Certificate Revocation turned on, you need need to run these two commands: Set-AdfsRelyingPartyTrust -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None -TargetName "Webex".

6

Sign in to Control Hub, then test the SSO integration:

  1. Go to Management > Security > Authentication.

  2. In the Identity provider tab, go to the IdP and click More menu.

  3. Select Test IdP.

  4. Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.

    To see the SSO sign-in experience directly, you can also click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

  5. Sign in to complete the test.