Single sign-on (SSO) enables users to sign in to Webex securely by authenticating to your organization's common identity provider. An identity provider (IdP) securely stores and manages your users’ digital identities and provides the user authentication service for your Webex users.

Why you might need multiple IdPs

Many big companies undergo mergers and acquisitions, and these companies rarely have the same IT infrastructure and identity providers. Government institutions have various organizations and agencies under them. Often, these organizations have a single email address for their own IT departments and infrastructure, respectively. Major educational institutions have a central purchasing department, but different universities and colleges with different IT organizations and departments.

It’s common to see IdPs and service providers (SPs) federate with each other. The IdP is responsible for authenticating your users’ credentials and the SP trusts the authentication made by the IdP. This allows your users to access various SaaS applications and services using the same digital identity. But, if for some reason your organization can’t federate between the IdPs, then Webex provides a workaround to support multiple IdPs. For these reasons, we’re giving you the option to configure SSO for multiple IdPs in Webex and simplify your users’ authentication process.

Limitations

  • All users must be provisioned with Directory Connector if you're using Directory Connector in your organization. Refer to the Directory Connector deployment guide for more information.
  • We currently support only SAML, OpenID Connect, and Webex Identity as identity providers.

Out of scope

  • Configure group assignments.

This section covers how you can integrate your identity providers (IdP) with your Webex organization. You can choose the IdPs that best fit your organization's requirements.

If you're looking for SSO integration of a Webex Meetings site (managed in Site Administration), then refer to Configure Single Sign-On for Webex Administration.

Before you begin

Ensure that the following conditions are met:

    • You must have a Full Admin role in Control Hub.
    • A metadata file from the IdP to give to Webex and a metadata file from Webex, to give to the IdP. For more information, refer to Single Sign-On Integration in Control Hub. This is only applicable to the SAML configuration.
    • You should plan your routing rules behavior before setting up multiple IdPs.

    The default routing rule is applied once you configure your initial IdP. But you can set another IdP as the default. Refer to Add or edit routing rule in the Routing rules tab in this article.

1

Sign in to Control Hub.

2

Go to Management > Security > Authentication.

3

Go to the Identity provider tab and click Activate SSO.

4

Select SAML as your IdP and click Next.

5

Choose the certificate type:

  • Self-signed by Cisco—We recommend this choice. Let us sign the certificate so you only need to renew it once every five years.
  • Signed by a public certificate authority—More secure, but you'll need to frequently update the metadata (unless your IdP vendor supports trust anchors).

Trust anchors are public keys that act as an authority to verify a digital signature's certificate. For more information, refer to your IdP documentation.

6

Click Download metadata and click Next.

The Webex App metadata filename is idb-meta-<org-ID>-SP.xml.

7

Upload your IdP's metadata file or fill out the configuration form.

When uploading the metadata file, there are two ways to validate the metadata from the Customer IdP:

  • The Customer IdP provides a signature in the metadata that is signed by a public root CA.
  • The Customer IdP provides a self-signed private CA or doesn't provide a signature for its metadata. This option is less secure.

Otherwise, in the configuration form, enter the IdP information.

Click Next.

8

(Optional) You can change the name of the SAML attribute for Webex Username or Primary email address from uid to something agreed on with the IdP manager such as email, upn, etc.

9

(Optional) Configure the Just In Time (JIT) settings and SAML mapping response.

Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.
10

Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

11

Return to the Control Hub browser tab.

  • If the test was successful, select Successful test. Activate SSO and IdP and click Activate.
  • If the test was unsuccessful, select Unsuccessful test. Go back to previous steps to fix errors.

The SSO configuration does not take effect in your organization unless you choose the first radio button and activate SSO.

What to do next

You can set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article.

You can follow the procedure in Suppress Automated Emails to disable emails sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.

When setting up OpenID Connect with Entra ID or an IdP where the email isn’t a permanent identifier, we recommend you use the externalId linking attribute to map to a Unique Identifier. For Entra ID, we suggest mapping OIDC to externalId. If we find that the email doesn't match the linking attribute, the user is prompted to verify their identity or create a new user with the correct email address.

1

Sign in to Control Hub.

2

Go to Management > Security > Authentication.

3

Go to the Identity provider tab and click Activate SSO.

4

Select OpenID Connect as your IdP and click Next.

5

Enter your IdP information.

  • Name—The name to identify your IdP.
  • Client ID—The unique ID to identify you and your IdP.
  • Client Secret—The password that you and your IdP know.
  • Scopes—The scopes to be associated with your IdP.

6

Choose how to add endpoints. This can be done automatically or manually.

  • Use the discovery URL to add endpoints automatically.

    • Enter the Discovery URL for your IdP. This URL will automatically populate the necessary endpoints for OIDC single logout (SLO).
    • Turn on Allow the session to automatically sign out to ensure users are signed out across all connected applications and services when they log out of Webex.

  • If you prefer to Manually add all endpoint information, then add the following details.

    • Issuer—Enter the Issuer URL as specified by your IdP.
    • Authorization endpoint—Enter the URL for the authorization endpoint.
    • Token endpoint—Enter the URL for the token endpoint.
    • JWKS endpoint—Enter the JSON Web Key Set (JWKS) URL.
    • Userinfo endpoint—Enter the URL for the user information endpoint.
    • If Allow the session to automatically sign out is turned on, then you must enter the Session sign out endpoint URL to enable single logout (SLO) across all connected applications.
    For more information, refer to the OpenID Connect configuration guide.

7

(Optional) Configure the Just In Time (JIT) settings.

Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.
8

Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

9

Return to the Control Hub browser tab.

  • If the test was successful, select Successful test. Activate SSO and IdP and click Activate.
  • If the test was unsuccessful, select Unsuccessful test. Go back to previous steps to fix errors.

The SSO configuration doesn’t take effect in your organization unless you choose the first radio button and activate SSO.

What to do next

You can set up a routing rule. Refer to Add or edit routing rule in the Routing rules tab in this article.

You can follow the procedure in Suppress Automated Emails to disable emails sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.
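
The endpoint step of the OpenID Connect procedure above can be pre-checked offline before anything is typed into Control Hub. This is an added example, not Cisco's code: it maps the Control Hub field names to the standard OIDC discovery keys (the mapping of Session sign out endpoint to `end_session_endpoint` is an assumption) and runs on constructed documents for the placeholder host `idp.example.com`.

```python
"""Pre-check an OIDC discovery document before entering it in Control Hub."""
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Control Hub form field -> OpenID Connect Discovery metadata key.
FIELD_TO_KEY = {
    "Issuer": "issuer",
    "Authorization endpoint": "authorization_endpoint",
    "Token endpoint": "token_endpoint",
    "JWKS endpoint": "jwks_uri",
    "Userinfo endpoint": "userinfo_endpoint",
}
# Assumption: the "Session sign out endpoint" field corresponds to the
# end_session_endpoint key defined by OpenID Connect RP-Initiated Logout.
SLO_FIELD, SLO_KEY = "Session sign out endpoint", "end_session_endpoint"


def check_discovery(discovery_url, document, slo_enabled=False):
    """Return (fields, problems) for a parsed discovery document.

    fields   -- Control Hub field name -> URL, for every value that passed
    problems -- human-readable findings; empty when the document is usable
    """
    wanted = dict(FIELD_TO_KEY)
    if slo_enabled:
        wanted[SLO_FIELD] = SLO_KEY

    fields, problems = {}, []
    for field, key in wanted.items():
        value = document.get(key)
        if not isinstance(value, str) or not value:
            problems.append(f"{field}: '{key}' is missing")
            continue
        parts = urlsplit(value)
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"{field}: {value} is not an https URL")
            continue
        fields[field] = value

    # OIDC Discovery requires the issuer in the document to equal the URL
    # prefix the document was fetched from; a mismatch means the metadata
    # describes a different IdP than the one the admin meant to trust.
    if not discovery_url.endswith(WELL_KNOWN):
        problems.append(f"Discovery URL does not end in {WELL_KNOWN}")
    elif "Issuer" in fields:
        expected = discovery_url[: -len(WELL_KNOWN)].rstrip("/")
        if fields["Issuer"].rstrip("/") != expected:
            problems.append(
                f"Issuer: {fields['Issuer']} does not match {expected}")
    return fields, problems


# Constructed sample data; idp.example.com is a placeholder, not a real IdP.
DISCOVERY_URL = "https://idp.example.com/.well-known/openid-configuration"
GOOD_DOC = {
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/keys",
    "userinfo_endpoint": "https://idp.example.com/userinfo",
    "end_session_endpoint": "https://idp.example.com/logout",
}
# Same document with three defects: wrong issuer, cleartext token endpoint,
# and no sign-out endpoint although single logout is switched on.
BAD_DOC = {k: v for k, v in GOOD_DOC.items() if k != "end_session_endpoint"}
BAD_DOC.update(issuer="https://login.example.net",
               token_endpoint="http://idp.example.com/token")

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        fields, problems = check_discovery(DISCOVERY_URL, doc, slo_enabled=True)
        print(name, "->", problems or "ready to enter in Control Hub")
```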

1

Sign in to Control Hub.

2

Go to Management > Security > Authentication.

3

Go to the Identity provider tab and click Activate SSO.

4

Select Webex as your IdP and click Next.

5

Check I've read and understood how Webex IdP works and click Next.

6

Set up a routing rule.

Refer to Add or edit routing rule in the Routing rules tab in this article.

Once you've added a routing rule, your IdP is added and is shown under the Identity provider tab.

What to do next

You can follow the procedure in Suppress Automated Emails to disable emails that are sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.

Routing rules are applicable when setting up more than one IdP. Routing rules enable Webex to identify which IdP to send your users to when you have configured multiple IdPs.

When setting up more than one IdP, you can define your routing rules in the SSO configuration wizard. If you skip the routing rule step, then Control Hub adds the IdP but doesn’t activate the IdP. You must add a routing rule to activate the IdP.

1

Sign in to Control Hub.

2

Go to Management > Security > Authentication.

3

Go to the Routing rules tab.

When configuring your first IdP, the routing rule is automatically added and is set as the Default rule. You can choose another IdP to set as the default rule later.

4

Click Add new routing rule.

5

Enter the details for a routing rule:

  • Rule name—Enter the name for the routing rule.
  • Select a routing type—Select domain or group.
  • If these are your domains/groups—Enter the domains/groups within your organization.
  • Then use this identity provider—Select the IdP.

6

Select the multi-factor authentication (MFA) method:

  • Keep the current MFA status—Allows you to maintain the existing MFA method without making changes.
  • Override the current MFA status—Allows you to change the existing MFA method to a new configuration.
  • Allow MFA for this rule only—Turn on to enable MFA specifically for the current routing rule.

For more information on configuring MFA for your organization, see Enable multi-factor authentication integration in Control Hub.

7

Click Add.

8

Select the new routing rule and click Activate.

You can change the routing rule priority order if you have routing rules for multiple IdPs.

1

Sign in to Control Hub.

2

Go to Management > Security > Authentication.

3

Go to the Routing rules tab.

4

Select the routing rule.

5

Choose if you want to Deactivate or Delete the routing rule.

It’s recommended that you have another active routing rule for the IdP. Otherwise, you may run into problems with your SSO login.

The Default rule can’t be deactivated or deleted, but you can modify the routed IdP.
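
To plan routing rules before configuring multiple IdPs, as recommended in the prerequisites, a rule set can be linted on paper first. This is an added example, not Webex's implementation: it assumes the first active matching rule in priority order wins with the Default rule as fallback, and the rule names, IdP names and domains are hypothetical.

```python
"""Lint a planned set of routing rules before entering them in Control Hub."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str        # routing type: "domain" or "group"
    values: tuple    # domains or groups the rule applies to (lower-case)
    idp: str         # IdP that matching users are sent to
    active: bool = True


def route(email, groups, rules, default_idp):
    """Pick the IdP for one user. Assumed model: the first active rule in
    priority order that matches wins; otherwise the Default rule applies."""
    domain = email.rsplit("@", 1)[-1].lower()
    member_of = {g.lower() for g in groups}
    for rule in rules:
        if not rule.active:
            continue
        if rule.kind == "domain" and domain in rule.values:
            return rule.idp
        if rule.kind == "group" and member_of.intersection(rule.values):
            return rule.idp
    return default_idp


def lint(rules, idps, default_idp):
    """Return findings for a rule list given in priority order."""
    findings = []
    # An IdP with no active routing rule is configured but never used.
    reachable = {r.idp for r in rules if r.active} | {default_idp}
    for idp in idps:
        if idp not in reachable:
            findings.append(f"{idp}: no active routing rule")
    # A domain or group listed in two active rules that point at different
    # IdPs: the lower-priority rule never matches on that value.
    first_owner = {}
    for rule in rules:
        if not rule.active:
            continue
        for value in rule.values:
            owner = first_owner.setdefault((rule.kind, value), rule)
            if owner is not rule and owner.idp != rule.idp:
                findings.append(
                    f"{rule.name}: {rule.kind} {value} already routed to "
                    f"{owner.idp} by {owner.name}")
    return findings


# Constructed plan for a merger scenario (all names are hypothetical).
IDPS = ("Entra-Corp", "Okta-Acquired", "Webex")
DEFAULT_IDP = "Entra-Corp"
RULES = [
    Rule("acquired-domain", "domain", ("acquired.example",), "Okta-Acquired"),
    Rule("contractors", "group", ("contractors",), "Webex", active=False),
    Rule("acquired-legacy", "domain",
         ("acquired.example", "legacy.example"), "Entra-Corp"),
]

if __name__ == "__main__":
    for finding in lint(RULES, IDPS, DEFAULT_IDP):
        print("finding:", finding)
    for email in ("ana@acquired.example", "bo@legacy.example", "cy@corp.example"):
        print(email, "->", route(email, [], RULES, DEFAULT_IDP))
```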

Before you begin

From time to time, you may receive an email notification or see an alert in Control Hub that the IdP certificate is going to expire. Because IdP vendors have their own specific documentation for certificate renewal, we cover what's required in Control Hub, along with generic steps to retrieve updated IdP metadata and upload it to Control Hub to renew the certificate.

This is only applicable to the SAML configuration.

1

Sign in to Control Hub.

2

Go to Management > Security > Authentication.

3

Go to the Identity provider tab.

4

Go to the IdP, click upload and select Upload Idp metadata.

To download the metadata file, click Download and select Download Idp metadata.
5

Navigate to your IdP management interface to retrieve the new metadata file.

6

Return to Control Hub and drag and drop your IdP metadata file into the upload area or click Choose a file to upload the metadata.

7

Choose Less secure (self-signed) or More secure (signed by a public CA), depending on how your IdP metadata is signed and click Save.

8

Configure the Just In Time (JIT) settings and SAML mapping response.

Refer to Configure Just In Time (JIT) and SAML mapping in the Manage your IdPs tab in this article.
9

Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

Test the SSO connection before you enable it. This step works like a dry run and doesn't affect your organization settings until you enable SSO in the next step.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

10

Click Save.

Before you begin

It is recommended that you update all your IdPs in your organization when renewing your SP certificate.

This is only applicable to the SAML configuration.

1

Sign in to Control Hub.

2

Go to Management > Security > Authentication.

3

Go to the Identity provider tab.

4

Go to the IdP and click .

5

Click Review certificates and expiry date.

This takes you to the Service Provider (SP) certificates window.
6

Click Renew certificate.

7

Choose the type of IdP in your organization:

  • An IdP that supports multiple certificates
  • An IdP that supports a single certificate
8

Choose the certificate type for the renewal:

  • Self-signed by Cisco—We recommend this choice. Let us sign the certificate so you only need to renew it once every five years.
  • Signed by a public certificate authority—More secure, but you'll need to frequently update the metadata (unless your IdP vendor supports trust anchors).

Trust anchors are public keys that act as an authority to verify a digital signature's certificate. For more information, refer to your IdP documentation.

9

Click Download metadata or Download certificate to download a copy of the updated metadata file or certificate from the Webex cloud.

10

Navigate to your IdP management interface to upload the new Webex metadata file or certificate.

You can do this step through a browser tab, remote desktop protocol (RDP), or through specific cloud provider support, depending on your IdP setup and whether you or a separate IdP admin are responsible for this step.

For more information, see our SSO integration guides or contact your IdP admin for support. If you're on Active Directory Federation Services (AD FS), you can see how to update Webex Metadata in AD FS.

11

Return to the Control Hub interface and click Next.

12

Select Successfully updated all the IdPs and click Next.

This uploads the SP metadata file or certificate to all IdPs in your organization.

13

Click Finish renewal.

Before you begin

1

Sign in to Control Hub.

2

Go to Management > Security > Authentication.

3

Go to the Identity provider tab.

4

Go to the IdP and click the More menu.

5

Select Test IdP.

6

Click Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.

If you receive an authentication error, there may be a problem with the credentials. Check the username and password and try again.

A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.

To see the SSO sign-in experience, we recommend that you click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This helps to remove any information cached in your web browser that could provide a false positive result when testing your SSO configuration.

7

Return to the Control Hub browser tab.

  • If the test was successful, select Successful test. Activate SSO and IdP and click Save.
  • If the test was unsuccessful, select Unsuccessful test. Go back to previous steps to fix errors.

The SSO configuration doesn't take effect in your organization unless you choose the first radio button and activate SSO.

Before you begin

Ensure that the following preconditions are met:

  • SSO is already configured.

  • The domains have already been verified.

  • The domains are claimed and turned on. This feature ensures users from your domain are created and updated once each time they authenticate with your IdP.

  • If DirSync or Entra ID are enabled, then SAML JIT create or update won’t work.

  • "Block user profile update" is enabled. SAML update mapping is allowed because this configuration controls the user's ability to edit the attributes. Admin-controlled methods of creation and update are still supported.

When setting up SAML JIT with Entra ID or an IdP where the email isn’t a permanent identifier, we recommend you use the externalId linking attribute to map to a Unique Identifier. If we find that the email doesn’t match the linking attribute, the user is prompted to verify their identity or create a new user with the correct email address.

Newly created users won't automatically get assigned licenses unless the organization has an automatic license template set up.

1

Sign in to Control Hub.

2

Go to Management > Security > Authentication.

3

Go to the Identity provider tab.

4

Go to the IdP and click the More menu.

5

Select Edit SAML mapping.

6

Configure Just-in-Time (JIT) settings.

  • Create or activate user: if no active user is found, then Webex Identity creates the user and updates the attributes after the user has authenticated with the IdP.
  • Update user with SAML attributes: if a user with the email address is found, then Webex Identity updates the user with the attributes mapped in the SAML assertion.

Confirm users can sign in with a different, unidentifiable email address.

7

Configure SAML mapping required attributes.

Table 1. Required attributes

| Webex Identity attribute name | SAML attribute name | Attribute description |
|---|---|---|
| Username / Primary email address | Example: uid | Map the UID attribute to the provisioned user's email, UPN, or eduPersonPrincipalName. |

8

Configure the Linking attributes.

This should be unique to the user. It is used to look up a user so that Webex can update all profile attributes, including email for a user.

Table 2. Linking attributes

| Webex Identity attribute name | SAML attribute name | Attribute description |
|---|---|---|
| externalId | Example: user.objectid | To identify this user from other individual profiles. This is necessary when mapping between directories or changing other profile attributes. |
| employeeNumber | Example: user.employeeid | The user's employee number, or an identification number within their HR system. Note that this isn't for externalid, because you can reuse or recycle employeenumber for other users. |
| Extension Attribute 1 | Example: user.extensionattribute1 | Map these custom attributes to extended attributes in Entra ID or your directory, for tracking codes. |
| Extension Attribute 2 | Example: user.extensionattribute2 | |
| Extension Attribute 3 | Example: user.extensionattribute3 | |
| Extension Attribute 4 | Example: user.extensionattribute4 | |
| Extension Attribute 5 | Example: user.extensionattribute5 | |

9

Configure Profile attributes.

Table 3. Profile attributes

| Webex Identity attribute name | SAML attribute name | Attribute description |
|---|---|---|
| externalId | Example: user.objectid | To identify this user from other individual profiles. This is necessary when mapping between directories or changing other profile attributes. |
| employeeNumber | Example: user.employeeid | This user's employee number, or an identification number within their HR system. Note that this isn't for "externalid", because you can reuse or recycle "employeenumber" for other users. |
| preferredLanguage | Example: user.preferredlanguage | The user's preferred language. |
| locale | Example: user.locale | The user's primary work location. |
| timezone | Example: user.timezone | The user's primary time zone. |
| displayName | Example: user.displayname | The user's display name in Webex. |
| name.givenName | Example: user.givenname | The user's first name. |
| name.familyName | Example: user.surname | The user's last name. |
| addresses.streetAddress | Example: user.streetaddress | The street address of their primary work location. |
| addresses.state | Example: user.state | The state of their primary work location. |
| addresses.region | Example: user.region | The region of their primary work location. |
| addresses.postalCode | Example: user.postalcode | The postal code of their primary work location. |
| addresses.country | Example: user.country | The country of their primary work location. |
| phoneNumbers.work | Example: work phone number | The work phone number of their primary work location. Use the international E.164 format only (maximum 15 digits). |
| phoneNumbers.extension | Example: mobile phone number | The work extension of their primary work phone number. Use the international E.164 format only (maximum 15 digits). |
| pronoun | Example: user.pronoun | The user's pronouns. This is an optional attribute, and the user or admin can make it visible on their profile. |
| title | Example: user.jobtitle | The user's job title. |
| department | Example: user.department | The user's job department or team. |
| pronoun | Example: user.pronoun | This is the pronoun of the user. The visibility of this attribute is controlled by the admin and the user. |
| manager | Example: manager | The user's manager or their team lead. |
| costCenter | Example: costcenter | This is the last name of the user, also known as surname or family name. |
| email.alternate1 | Example: user.mailnickname | An alternate email address for the user. If you want the user to be able to sign in using it, map it to the uid. |
| email.alternate2 | Example: user.primaryauthoritativemail | An alternate email address for the user. If you want the user to be able to sign in using it, map it to the uid. |
| email.alternate3 | Example: user.alternativeauthoritativemail | An alternate email address for the user. If you want the user to be able to sign in using it, map it to the uid. |
| email.alternate4 | Example: user.othermail | An alternate email address for the user. If you want the user to be able to sign in using it, map it to the uid. |
| email.alternate5 | Example: user.othermail | An alternate email address for the user. If you want the user to be able to sign in using it, map it to the uid. |

10

Configure Extension attributes.

Map these attributes to extended attributes in Entra ID or your directory, for tracking codes.

Table 4. Extension attributes

| Webex Identity attribute name | SAML attribute name |
|---|---|
| Extension Attribute 1 | Example: user.extensionattribute1 |
| Extension Attribute 2 | Example: user.extensionattribute2 |
| Extension Attribute 3 | Example: user.extensionattribute3 |
| Extension Attribute 4 | Example: user.extensionattribute4 |
| Extension Attribute 5 | Example: user.extensionattribute5 |
| Extension Attribute 6 | Example: user.extensionattribute6 |
| Extension Attribute 7 | Example: user.extensionattribute7 |
| Extension Attribute 8 | Example: user.extensionattribute8 |
| Extension Attribute 9 | Example: user.extensionattribute9 |
| Extension Attribute 10 | Example: user.extensionattribute10 |

11

Configure Group attributes.

  1. Create a group in Control Hub and note the Webex group ID.
  2. Go to your user directory or IdP and set up an attribute for users who will be assigned to the Webex group ID.
  3. Update your IdP's configuration to include a claim that carries this attribute name along with the Webex Group ID (e.g. c65f7d85-b691-42b8-a20b-12345xxxx). You can also use the External ID for managing changes to group names or for future integration scenarios. For example, syncing with Entra ID or implementing SCIM group synchronization.
  4. Specify the exact name of the attribute that will be sent in the SAML Assertion with the group ID. This is used to add the user to a group.
  5. Specify the exact name of the external ID of the group object if you are using a group from your directory to send members in the SAML Assertion.

If user A is associated with groupID 1234 and user B with groupID 4567, they are assigned to separate groups. This scenario indicates that a single attribute allows users to associate with multiple group IDs. While this is uncommon, it is possible and can be considered as an additive change. For example, if user A initially signs in using groupID 1234, they become a member of the corresponding group. If user A later signs in using groupID 4567, they are also added to this second group.

SAML JIT provisioning does not support the removal of users from groups or any deletion of users.

Table 5. Group attributes

| Webex Identity attribute name | SAML attribute name | Attribute description |
|---|---|---|
| groupId | Example: groupId | Map group attributes from the IdP to Webex Identity group attributes for the purpose of mapping that user to a group for licensing or the setting service. |
| groupexternalId | Example: groupexternalId | Map group attributes from the IdP to Webex Identity group attributes for the purpose of mapping that user to a group for licensing or the setting service. |

For a list of SAML assertion attributes for Webex Meetings, see https://help.webex.com/article/WBX67566.

Before you begin

It's recommended that you first deactivate or delete the IdP’s routing rules before deleting the IdP.

1

Sign in to Control Hub.

2

Go to Management > Security > Authentication.

3

Go to the Identity provider tab.

4

Go to the IdP and click the More menu.

5

Select Delete.

1

Sign in to Control Hub.

2

Go to Management > Security > Authentication.

3

Go to the Identity provider tab.

4

Click Deactivate SSO.

Confirm SSO deactivation.

Once confirmed, SSO is deactivated for all IdPs in your organization.

You'll receive alerts in Control Hub before certificates are set to expire, but you can also proactively set up alert rules. These rules let you know in advance that your SP or IdP certificates are going to expire. We can send these to you through email, a space in the Webex App, or both.

Regardless of the delivery channel configured, all alerts always appear in Control Hub. See Alerts center in Control Hub for more information.

1

Sign in to Control Hub.

2

Go to Alerts center.

3

Choose Manage, then All rules.

4

From the Rules list, choose any of the SSO rules that you'd like to create:

  • SSO IdP certificate expiry
  • SSO SP certificate expiry

5

In the Delivery channel section, check the box for Email, Webex space, or both.

If you choose Email, enter the email address that should receive the notification.

If you choose the Webex space option, you're automatically added to a space inside the Webex App and we deliver the notifications there.

6

Save your changes.

What to do next

We send certificate expiry alerts once every 15 days, starting 60 days before expiry. (You can expect alerts on day 60, 45, 30, and 15.) Alerts stop when you renew the certificate.

If you run into problems with your SSO login, you can use the SSO self recovery option to get access to your Webex organization managed in Control Hub. The self recovery option allows you to update or disable SSO in Control Hub.