System for Cross-domain Identity Management (SCIM)

The integration between users in the directory and Control Hub uses the System for Cross-domain Identity Management ( SCIM) API. SCIM is an open standard for automating the exchange of user identity information between identity domains or IT systems. SCIM is designed to make it easier to manage user identities in cloud-based applications and services. SCIM uses a standardized API through REST.


 
If your organization already uses Directory Connector to synchronize users, you cannot synchronize users from Okta.

 

The Okta integration supports the following attributes only:

  • userName
  • displayName
  • name.familyName
  • name.givenName
  • externalId
  • title

Multivalued attributes, PhoneNumber for mobile and work, as well as Address, aren’t supported by Okta because the operation for PATCH, PUT, or DELETE isn’t passed by the Okta application to Webex.

Please remove these attributes from the Okta mapping or remove the update from the sync configuration.

Supported features

This integration supports the following user synchronization features in Okta:

  • Create Users—Creates or links a user in Webex App when assigning the app to a user in Okta.

  • Update User Attributes—Okta updates a user's attributes in Webex App when the app is assigned. Future attribute changes made to the Okta user profile automatically overwrite the corresponding attribute value in the Webex cloud.

  • Deactivate Users—Deactivates a user's Webex App account when it is unassigned in Okta or their Okta account is deactivated. Accounts can be reactivated if you reassign the app to a user in Okta.


 
We do not support synchronizing groups from Okta with your Webex organization.

Add Webex to Okta

Before configuring Control Hub for automatic user provisioning with Okta, you need to add Webex from the Okta application gallery to your list of managed applications. You must also choose an authentication method. Currently, Webex services in Control Hub only supports Federated SSO with Okta.

Before you begin

  • Okta requires that you have a valid Okta tenant and a current license with their platform. You must also have a current paid subscription and a Webex organization.

  • In your Webex organization, you must configure automatic license assignment templates, otherwise newly synchronized users in Control won't be assign licenses for Webex services. For more information, see Set up automatic license assignment templates in Control Hub

  • Single Sign-On (SSO) integration in Control Hub is not covered in this document. You should start with an Okta SSO integration before you configure user provisioning. For guidance on SSO integration, see Control Hub single sign-on with Okta.

1

Sign in to the Okta Tenant (example.okta.com, where example is your company or organization name) as an administrator, go to Applications, and then click Add Application.

2

Search for Cisco Webex and add the application to your tenant.

If you already integrated Okta SSO in to your Control Hub organization, you can skip the above steps and just reopen the Cisco Webex entry in the Okta application list.

3

In a separate browser tab, go to the customer view in https://admin.webex.com, click your organization name, and then next to Company Information, copy your Organization ID.

Record the organization ID (copy and paste in a text file). You'll use the ID for the next procedure.

Configure Okta for user synchronization

Before you begin

Make sure you kept your organization ID from the previous procedure.

Make sure you have the Customer Full Administrator role when creating bearer tokens for your customers.

1

In Okta Tenant, go to Provisioning, click Configure API Integration, and then check Enable API Integration.

2

Enter the ID value in the Organization ID field.

3

Follow these steps to get the bearer token value for the Secret Token:

  1. Copy the following URL and run it in an incognito browser tab: https://idbroker.webex.com/idb/oauth2/v1/authorize?response_type=token&client_id=C4ca14fe00b0e51efb414ebd45aa88c1858c3bfb949b2405dba10b0ca4bc37402&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcode&scope=spark%3Apeople_read%20spark%3Apeople_write%20Identity%3ASCIM&state=this-should-be-a-random-string-for-security-purpose.


     
    The above URL applies to the default Webex ID broker. If you’re using Webex for Government, use the following URL to get the bearer token:

    https://idbroker-f.webex.com/idb/oauth2/v1/authorize?response_type=token&client_id=C4ca14fe00b0e51efb414ebd45aa88c1858c3bfb949b2405dba10b0ca4bc37402&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fcode&scope=spark%3Apeople_read%20spark%3Apeople_write%20Identity%3ASCIM&state=this-should-be-a-random-string-for-security-purpose

    An incognito browser is important to make sure you sign in with the correct admin credentials. If you’re already signed in as a less privileged user who can't create users, the bearer token that you return can't create users.

  2. From the Webex sign in page that appears, sign in with a full admin account for your organization.

    An error page appears saying that the site can't be reached, but this is normal.

    The error page's URL includes the generated bearer token. This token is valid for 365 days (after which it expires).

  3. From the URL in the browser's address bar, copy the bearer token value from between access_token= and &token_type=Bearer.

    For example, this URL has the token value highlighted: http://localhost:3000/auth/code#access_token={sample_token}&token_type=Bearer&expires_in=3887999&state=this-should-be-a-random-string-for-security-purpose.


     

    We recommend that you save this value in a text file as a record of the token in case the URL isn't available any more.

4

Return to Okta, paste the bearer token into the API Token field, and then clickTest API Credentials.

A message appears that says Webex was verified successfully.

5

Go to Provisioning > Settings > To App and then specify the user synchronization features that you want.

6

Click Assignments, and click Assign, and then choose one:

  • Assign to People if you want to assign Webex to individual users.
  • Assign to Groups if you want to assign Webex to multiple users in a group.
7

If you configured SSO integration, click Assign next to each user or group that you want to assign to the application, and then click Done.

Users that you chose are synchronized into the cloud and they'll appear in Control Hub under Users. Any time you move, add, change, or delete users in Okta, Control Hub picks up the changes.


 

If you didn't enable auto assign license templates, users are synchronized to Control Hub without any license assignments. To reduce administrative overhead, we recommend that you enable an auto assign license template before you synchronize Okta users into Control Hub.