How Auto Account Creation Works with SSO

All access to Webex sites, except guest access, requires a Webex account (attendee or host account). Support for attendee accounts is an optional feature that must be provisioned for your site and enabled. When you enable Single-Sign-On (SSO) Authentication, you can optionally specify the domains from which you want to authenticate users. Participants joining from any of these domains are routed to SSO and they must supply valid credentials. Participants who are not joining from any of these domains are not authenticated and join as guests.

After a successful SSO authentication, the Security Assertion Markup Language (SAML) assertion passes the request to the Webex site to check whether the participant already has an account. If the Auto Account Creation option is enabled, and the participant does not already have an account, the system creates a new account. The type of account created (attendee or host) depends on the SAML parameter. If you do not specify the parameter, or the option to create attendee accounts is not enabled, the default is to create a host account.


If you do not enable Auto Account Creation, successfully authenticated users who do not have a Webex account cannot join.

Security Assertion Markup Language Parameter


Support for attendee accounts is an optional feature that must be provisioned for your site. You must also enable the feature to make full use of the Security Assertion Markup Language (SAML) parameter.

The SAML assertion controls whether the auto account creation feature creates an attendee or a host account. In the following example, attendee accounts are created automatically.

<ns2:Attribute Name="isattendeerole"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>true</ns2:AttributeValue>
</ns2:Attribute>

Valid entries for the AttributeValue parameter are: True, true, False, false, Yes, yes, No, and no.
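The following Python check is an added example, not Cisco's code and not part of the original page. It reads an assertion from your identity provider and reports which account type Auto Account Creation would provision under the rules above, which matters because a missing attribute silently defaults to a host account. It assumes the ns2 prefix is bound to the SAML 2.0 assertion namespace and that a false or no value yields a host account; the function names and sample assertion are constructed for illustration, and rejecting unlisted values is this check's own choice because the page does not say how the site treats them.

```python
import xml.etree.ElementTree as ET

# Assumption: the ns2 prefix in the page's snippet is bound to this namespace.
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Valid AttributeValue entries as listed on the page.
TRUE_VALUES = {"True", "true", "Yes", "yes"}
FALSE_VALUES = {"False", "false", "No", "no"}


def attendee_role_value(assertion_xml):
    """Return the raw isattendeerole value, or None when the attribute is absent."""
    # Used here on constructed input; parse untrusted XML with a hardened parser.
    root = ET.fromstring(assertion_xml)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == "isattendeerole":
            return (attr.findtext(f"{{{SAML_NS}}}AttributeValue") or "").strip()
    return None


def predicted_account_type(assertion_xml, attendee_accounts_enabled):
    """Predict which account type Auto Account Creation would provision."""
    raw = attendee_role_value(assertion_xml)
    if raw is None:
        return "host"  # parameter not specified: default stated on the page
    if raw not in TRUE_VALUES | FALSE_VALUES:
        # Not documented site behaviour; this check flags the misconfiguration.
        raise ValueError(f"isattendeerole has unlisted value {raw!r}")
    if not attendee_accounts_enabled:
        return "host"  # attendee accounts not enabled: default stated on the page
    # Assumption: a false/no value selects a host account.
    return "attendee" if raw in TRUE_VALUES else "host"


def sample_assertion(value):
    """Build a constructed, unsigned assertion fragment; value=None omits the attribute."""
    attribute = "" if value is None else (
        '<ns2:Attribute Name="isattendeerole" '
        'NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">'
        f"<ns2:AttributeValue>{value}</ns2:AttributeValue></ns2:Attribute>"
    )
    return (f'<ns2:Assertion xmlns:ns2="{SAML_NS}"><ns2:AttributeStatement>'
            f"{attribute}</ns2:AttributeStatement></ns2:Assertion>")


if __name__ == "__main__":
    for value in ("true", "No", None, "1"):
        try:
            print(value, "->", predicted_account_type(sample_assertion(value), True))
        except ValueError as err:
            print(value, "-> rejected:", err)
```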

Find out more about SAML assertion attributes.

Enable SSO Authentication for Attendees

You can require participants who join from specific domains to authenticate with Single-Sign-On (SSO). You can also create labels to identify authenticated participants and guests in the Participants Panel for:

  • Meetings

  • Training Sessions

  • Events

If you prefer to not display labels, leave the label fields blank to disable the label feature.


If enabled, the SSO Authentication settings override the Display internal user tag in participant list setting for Webex Meetings.

1. Sign in to Webex Site Administration and go to Configuration > Common Site Settings > SSO Configuration.

2. (Optional) Check Auto Account Creation to automatically create accounts.

   If you do not enable Auto Account Creation, successfully authenticated users who do not have a Webex account cannot join.

3. Check SSO authentication for Attendees to enable SSO authentication.

4. (Optional) Enter a label to display beside the names of authenticated participants (for example: Employee).

5. (Optional) Enter a label to display beside the names of nonauthenticated participants (for example: Guest).

6. In the Attendees Authenticated from Email Domains field, enter a domain (for example: my_domain.com).

7. Select Add.

8. Repeat Steps 4 and 6 for each of your company domains from which you want to authenticate participants.

   Participants who join from any of these domains are routed to SSO. All other participants join as guests.

9. Select Update.