SSO with multiple IdPs in Webex
Single sign-on (SSO) enables users to sign in to Webex securely by authenticating to your organization's common identity provider. An identity provider (IdP) securely stores and manages your users’ digital identities and provides the user authentication service for your Webex users.
Why you might need multiple IdPs
Many big companies undergo mergers and acquisitions, and these companies rarely have the same IT infrastructure and identity providers. Government institutions have various organizations and agencies under them. Often, these organizations have a single email address for their own IT departments and infrastructure, respectively. Major educational institutions have a central purchasing department, but different universities and colleges with different IT organizations and departments.
It’s common to see IdPs and service providers (SPs) federate with each other. The IdP is responsible for authenticating your users’ credentials and the SP trusts the authentication made by the IdP. This allows your users to access various SaaS applications and services using the same digital identity. But, if for some reason your organization can’t federate between the IdPs, then Webex provides a workaround to support multiple IdPs. For these reasons, we’re giving you the option to configure SSO for multiple IdPs in Webex and simplify your users’ authentication process.
Limitations
- All users must be provisioned with Directory Connector if you're using Directory Connector in your organization. Refer to the Directory Connector deployment guide for more information.
- We currently support only SAML, OpenID Connect, and Webex Identity as identity providers.
Out of scope
- Configure group assignments.
- Domain verification. Refer to Manage your domains for more information.
- User provisioning. Refer to Ways to add users to your Control Hub organization for more information.
This section covers how you can integrate your identity providers (IdP) with your Webex organization. You can choose the IdPs that best fit your organization's requirements.
If you're looking for SSO integration of a Webex Meetings site (managed in Site Administration), then refer to Configure Single Sign-On for Webex Administration.
Before you begin
Ensure that the following conditions are met:
- You must have a Full Admin role in Control Hub.
- A metadata file from the IdP to give to Webex and a metadata file from Webex, to give to the IdP. For more information, refer to Single Sign-On Integration in Control Hub. This is only applicable to the SAML configuration.
- You should plan your routing rules behavior before setting up multiple IdPs.
The default routing rule is applied once you configure your initial IdP. But you can set another IdP as the default. Refer to Add or edit routing rule in the Routing rules tab in this article.
1. Sign in to Control Hub.
2. Go to .
3. Go to the Identity provider tab and click Activate SSO.
4. Select SAML as your IdP and click Next.
5. Choose the certificate type:
   Trust anchors are public keys that act as an authority to verify a digital signature's certificate. For more information, refer to your IdP documentation.
6. Click Download metadata and click Next. The Webex App metadata filename is idb-meta-<org-ID>-SP.xml.
7. Upload your IdP's metadata file or fill out the configuration form. When uploading the metadata file, there are two ways to validate the metadata from the Customer IdP:
   Click Next.
8. (Optional) You can change the name of the SAML attribute for Webex Username or Primary email address from
9. (Optional) Configure the Just In Time (JIT) settings and SAML mapping response. Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.
10. Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in. Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.
    If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again. A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.
    To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.
11. Return to the Control Hub browser tab.
    The SSO configuration does not take effect in your organization unless you choose the first radio button and activate SSO.
What to do next
You can set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article.
You can follow the procedure in Suppress Automated Emails to disable emails sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.
When setting up OpenID Connect with Entra ID or an IdP where the email isn’t a permanent identifier, we recommend you use the externalId linking attribute to map to a Unique Identifier. For Entra ID, we suggest mapping OIDC to externalId. If we find that the email doesn't match the linking attribute, the user is prompted to verify their identity or create a new user with the correct email address.
1. Sign in to Control Hub.
2. Go to .
3. Go to the Identity provider tab and click Activate SSO.
4. Select OpenID Connect as your IdP and click Next.
5. Enter your IdP information.
6. Choose how to add endpoints. This can be done automatically or manually.
7. (Optional) Configure the Just In Time (JIT) settings. Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.
8. Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in. Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.
   If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again. A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.
   To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.
9. Return to the Control Hub browser tab.
   The SSO configuration doesn’t take effect in your organization unless you choose the first radio button and activate SSO.
What to do next
You can set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article.
You can follow the procedure in Suppress Automated Emails to disable emails sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.
1. Sign in to Control Hub.
2. Go to .
3. Go to the Identity provider tab and click Activate SSO.
4. Select Webex as your IdP and click Next.
5. Check I've read and understood how Webex IdP works and click Next.
6. Set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article.
Once you've added a routing rule, your IdP is added and is shown under the Identity provider tab.
What to do next
You can follow the procedure in Suppress Automated Emails to disable emails that are sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.
Routing rules are applicable when setting up more than one IdP. Routing rules enable Webex to identify which IdP to send your users to when you have configured multiple IdPs.
When setting up more than one IdP, you can define your routing rules in the SSO configuration wizard. If you skip the routing rule step, then Control Hub adds the IdP but doesn’t activate the IdP. You must add a routing rule to activate the IdP.
1. Sign in to Control Hub.
2. Go to .
3. Go to the Routing rules tab. When configuring your first IdP, the routing rule is automatically added and is set as the Default rule. You can choose another IdP to set as the default rule later.
4. Click Add new routing rule.
5. Enter the details for a routing rule:
6. Select the multi-factor authentication (MFA) method:
   For more information on configuring MFA for your organization, see Enable multi-factor authentication integration in Control Hub.
7. Click Add.
8. Select the new routing rule and click Activate.
You can change the routing rule priority order if you have routing rules for multiple IdPs.
1. Sign in to Control Hub.
2. Go to .
3. Go to the Routing rules tab.
4. Select the routing rule.
5. Choose if you want to Deactivate or Delete the routing rule. It’s recommended that you have another active routing rule for the IdP. Otherwise, you may run into problems with your SSO login.
The Default rule can’t be deactivated or deleted, but you can modify the routed IdP.
Before you begin
You may occasionally receive an email notification or see an alert in Control Hub that the IdP certificate is going to expire. Because IdP vendors have their own specific documentation for certificate renewal, we cover what's required in Control Hub, along with generic steps to retrieve updated IdP metadata and upload it to Control Hub to renew the certificate.
This is only applicable to the SAML configuration.
1. Sign in to Control Hub.
2. Go to .
3. Go to the Identity provider tab.
4. Go to the IdP, click To download the metadata file, click
5. Navigate to your IdP management interface to retrieve the new metadata file.
6. Return to Control Hub and drag and drop your IdP metadata file into the upload area or click Choose a file to upload the metadata.
7. Choose Less secure (self-signed) or More secure (signed by a public CA), depending on how your IdP metadata is signed and click Save.
8. Configure the Just In Time (JIT) settings and SAML mapping response. Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.
9. Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in. Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.
   If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again. A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.
   To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.
10. Click Save.
Before you begin
It is recommended that you update all your IdPs in your organization when renewing your SP certificate.
This is only applicable to the SAML configuration.
1. Sign in to Control Hub.
2. Go to .
3. Go to the Identity provider tab.
4. Go to the IdP and click
5. Click Review certificates and expiry date. This takes you to the Service Provider (SP) certificates window.
6. Click Renew certificate.
7. Choose the type of IdP in your organization:
8. Choose the certificate type for the renewal:
   Trust anchors are public keys that act as an authority to verify a digital signature's certificate. For more information, refer to your IdP documentation.
9. Click Download metadata or Download certificate to download a copy of the updated metadata file or certificate from the Webex cloud.
10. Navigate to your IdP management interface to upload the new Webex metadata file or certificate. You can do this step through a browser tab, remote desktop protocol (RDP), or through specific cloud provider support, depending on your IdP setup and whether you or a separate IdP admin are responsible for this step. For more information, see our SSO integration guides or contact your IdP admin for support. If you're on Active Directory Federation Services (AD FS), you can see how to update Webex Metadata in AD FS
11. Return to the Control Hub interface and click Next.
12. Select Successfully updated all the IdPs and click Next. This uploads the SP metadata file or certificate to all IdPs in your organization.
13. Click Finish renewal.
Before you begin
1. Sign in to Control Hub.
2. Go to .
3. Go to the Identity provider tab.
4. Go to the IdP and click
5. Select Test IdP.
6. Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.
   If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again. A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.
   To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.
7. Return to the Control Hub browser tab.
   The SSO configuration doesn't take effect in your organization unless you choose the first radio button and activate SSO.
Before you begin
Ensure that the following preconditions are met:
- SSO is already configured.
- The domains have already been verified.
- The domains are claimed and turned on. This feature ensures users from your domain are created and updated once each time they authenticate with your IdP.
- If DirSync or Entra ID are enabled, then SAML JIT create or update won’t work.
- "Block user profile update" is enabled. SAML Update Mapping is allowed because this configuration controls the user's ability to edit the attributes. Admin-controlled methods of creation and update are still supported.
When setting up SAML JIT with Entra ID or an IdP where the email isn’t a permanent identifier, we recommend you use the externalId linking attribute to map to a Unique Identifier. If we find that the email doesn’t match the linking attribute, the user is prompted to verify their identity or create a new user with the correct email address.
Newly created users won't automatically be assigned licenses unless the organization has an automatic license template set up.
1. Sign in to Control Hub.
2. Go to .
3. Go to the Identity provider tab.
4. Go to the IdP and click
5. Select Edit SAML mapping.
6. Configure Just-in-Time (JIT) settings.
7. Configure SAML mapping required attributes.
8. Configure the Linking attributes. This should be unique to the user. It is used to look up a user so that Webex can update all profile attributes, including email for a user.
9. Configure Profile attributes.
10. Configure Extension attributes. Map these attributes to extended attributes in Entra ID or your directory, for tracking codes.
11. Configure Group attributes.
    If user A is associated with
    SAML JIT provisioning does not support the removal of users from groups or any deletion of users.
    For a list of SAML assertion attributes for Webex Meetings, see https://help.webex.com/article/WBX67566.
Before you begin
It's recommended that you first deactivate or delete the IdP’s routing rules before deleting the IdP.
1. Sign in to Control Hub.
2. Go to .
3. Go to the Identity provider tab.
4. Go to the IdP and click
5. Select Delete.
1. Sign in to Control Hub.
2. Go to .
3. Go to the Identity provider tab.
4. Click Deactivate SSO. Confirm SSO deactivation.
Once confirmed, SSO is deactivated for all IdPs in your organization.
You'll receive alerts in Control Hub before certificates are set to expire, but you can also proactively set up alert rules. These rules let you know in advance that your SP or IdP certificates are going to expire. We can send these to you through email, a space in the Webex App, or both.
Regardless of the delivery channel configured, all alerts always appear in Control Hub. See Alerts center in Control Hub for more information.
1. Sign in to Control Hub.
2. Go to Alerts center.
3. Choose Manage, then All rules.
4. From the Rules list, choose any of the SSO rules that you'd like to create:
5. In the Delivery channel section, check the box for Email, Webex space, or both. If you choose Email, enter the email address that should receive the notification. If you choose the Webex space option, you're automatically added to a space inside the Webex App and we deliver the notifications there.
6. Save your changes.
What to do next
We send certificate expiry alerts once every 15 days, starting 60 days before expiry. (You can expect alerts on day 60, 45, 30, and 15.) Alerts stop when you renew the certificate.
If you run into problems with your SSO login, you can use the SSO self recovery option to get access to your Webex organization managed in Control Hub. The self recovery option allows you to update or disable SSO in Control Hub.