System for Cross-Domain Identity Management (SCIM)

The integration between users in the directory and Webex Control Hub uses the System for Cross-Domain Identity Management (SCIM) API. SCIM is an open standard for automating the exchange of user identity information between identity domains or IT systems. SCIM is designed to make it easier to manage user identities in cloud-based applications and services. SCIM uses a standardized API through REST.

Supported Features

This integration supports the following user synchronization features in Okta:

  • Create Users—Creates or links a user in Webex Teams when assigning the app to a user in Okta.

  • Update User Attributes—Okta updates a user's attributes in Webex Teams when the app is assigned. Future attribute changes made to the Okta user profile automatically overwrite the corresponding attribute value in the Webex cloud.

  • Deactivate Users—Deactivates a user's Webex Teams account when it is unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if you reassign the app to a user in Okta.

Add Webex to Okta

Before configuring Webex Control Hub for automatic user provisioning with Okta, you need to add Webex from the Okta application gallery to your list of managed applications. You must also choose an authentication method. Currently, Webex services in Control Hub only support Federated SSO with Okta.

Before you begin

  • Okta requires that you have a valid Okta tenant and a current license with their platform. You must also have a current paid subscription and a Webex organization.

  • In your Webex organization, you must configure automatic license assignment templates; otherwise, newly synchronized users in Control Hub won't be assigned licenses for Webex services. For more information, see Set Up Automatic License Assignment Templates in Cisco Webex Control Hub.

  • Single Sign-On (SSO) integration in Webex Control Hub is not covered in this document. You should start with an Okta SSO integration before you configure user provisioning. For guidance on SSO integration, see Cisco Webex Control Hub Single Sign-On with Okta.

1

Sign in to the Okta Tenant (example.okta.com, where example is your company or organization name) as an administrator, go to Applications, and then click Add Application.

2

Search for "Cisco Webex" and add the application to your tenant.

If you already integrated Okta SSO into your Control Hub organization, you can skip the above steps and just reopen the Cisco Webex entry in the Okta application list.

3

In a separate browser tab, go to the customer view in https://admin.webex.com, click your organization name, and then next to Company Information, copy your Organization ID.

Record the organization ID (copy and paste in a text file). You'll use the ID for the next procedure.

Configure Okta for User Synchronization

Before you begin

Make sure you kept your organization ID from the previous procedure.

1

In Okta Tenant, go to Provisioning, click Configure API Integration, and then check Enable API Integration.

2

Enter the ID value in the Organization ID field.

3

Follow these steps to get the bearer token value for the Secret Token:

  1. In a new browser tab or window, open this URL.

  2. From the Webex sign in page that appears, sign in with a full admin account for your organization.

    An error page appears saying that the site can't be reached, but this is normal.

    The generated bearer token is valid for 365 days (after which it expires) and is part of the URL for the page with the error message. Do not navigate away from the URL.

  3. Copy the token value between "Token=" and the "&token".

    For example, this URL has the token value highlighted: http://localhost:3000/auth/code#access_token={sample_token}&token_type=Bearer&expires_in=3887999&state=this-should-be-a-random-string-for-security-purpose


     

    We recommend that you paste this value into a text file and save it, so that you have a record of the token in case the URL is not available any more.

4

Return to Okta, paste the bearer token into the API Token field, and then click Test API Credentials.

A message appears that says Webex was verified successfully.

5

Go to Provisioning > Settings > To App and then specify the user synchronization features that you want.

6

Click Assignments, click Assign, and then choose one:

  • Assign to People if you want to assign Webex to individual users.
  • Assign to Groups if you want to assign Webex to multiple users in a group.
7

If you configured SSO integration, click Assign next to each user or group that you want to assign to the application, and then click Done.

Users that you chose are synchronized into the cloud and they'll appear in Control Hub under Users. Any time you move, add, change, or delete users in Okta, Control Hub picks up the changes.


 

If you didn't enable auto assign license templates, users are synchronized to Control Hub without any license assignments. To reduce administrative overhead, we recommend that you enable an auto assign license template before you synchronize Okta users into Control Hub.
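
For step 3 of the Okta configuration above, the following added example (not part of the Cisco documentation) parses the redirect URL from the error page, reads the token lifetime from the URL itself, and stores the token in a file that only the current user can read. The sample URL, the placeholder token, and the function names are constructed for illustration.

```python
import os
import stat
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Constructed sample; the token is a placeholder, not a real credential.
SAMPLE_URL = ("http://localhost:3000/auth/code#access_token=SAMPLE-TOKEN-0123456789"
              "&token_type=Bearer&expires_in=3887999&state=constructed-state")


def parse_redirect(url, expected_state=None, now=None):
    """Return (token, expiry) from the fragment of the error-page URL."""
    fields = parse_qs(urlsplit(url).fragment, strict_parsing=True)
    for name in ("access_token", "token_type", "expires_in"):
        if len(fields.get(name, [])) != 1:
            raise ValueError(f"missing or repeated field: {name}")
    if fields["token_type"][0].lower() != "bearer":
        raise ValueError("not a bearer token")
    # If the state sent with the sign-in request is known, require it back.
    if expected_state is not None and fields.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response does not belong to this request")
    now = now or datetime.now(timezone.utc)
    lifetime = timedelta(seconds=int(fields["expires_in"][0]))
    return fields["access_token"][0], now + lifetime


def mask(token):
    """Short form that is safe to show in logs or tickets."""
    return token[:4] + "..." + token[-4:] if len(token) > 12 else "***"


def save_token(token, path):
    """Write the token to a file readable only by the current user (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token + "\n")
    os.chmod(path, 0o600)  # enforce the mode even if the file already existed
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    token, expiry = parse_redirect(SAMPLE_URL, expected_state="constructed-state")
    print("token:", mask(token), "expires:", expiry.date().isoformat())
```

The expiry is computed from the `expires_in` value in the URL, so the rotation date recorded alongside the token comes from the response itself.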