Single Sign-On

Webex SSO uses one unique identifier to give people in your organization access to all enterprise applications. Administrators can use Webex Administration to configure SSO for Webex applications.


 

Single sign-on is an optional feature that must be provisioned for your site. Contact Cisco support for more information.

Configure SSO

Use the following procedure to configure SSO and SAML 2.0.

Before you begin

Obtain and set up the following requirements.

  • A standard SAML 2.0 or WS Federate 1.0 compliant Identity Provider (IdP), such as CA SiteMinder, ADFS, and Ping Identity.


     

    SAML 1.1 and WS Federate 1.0 are deprecated and no longer supported with Cisco Webex.

  • A corporate X.509 public key certificate from a trusted Certificate Authority, such as VeriSign and Thawte.

  • An IdP configured to provide SAML assertions with the user account information and SAML system IDs.

  • An IdP XML file.

  • A URL for the corporate IAM service.

1

Sign in to Webex Administration and go to Configuration > Common Site Settings > SSO Configuration.

2

From the Federation Protocol drop-down list, select SAML 2.0.

If there is an existing configuration, some fields may already be populated.

3

Select the Site Certificate Manager link.

4

In the Site Certificate Manager window, select Browse, and then navigate to the location of the CER file for your X.509 certificate.

5

Select the CER file, and then select OK.

6

Select Close.

7

Enter the required information on the SSO Configuration page and select the options that you want to enable.

8

Select Update.

SSO Configuration Page

The following table lists and describes the fields and options on the SSO Configuration page.


 

The information that you use during configuration must be exact. If you require further clarification about the information required to configure SSO for your site, contact your identity provider.

Table 1. SSO Configuration Page Fields and Options

Field or Option

Description

AuthnContextClassRef

The SAML statement that describes the authentication at the IdP. This must match the IAM configuration. ADFS examples: urn:federation:authentication:windows or urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport Ping example: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified


 

To use more than one AuthnContextClassRef value add a ";".For example: urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

Auto Account Creation (optional)

Select to create a user account. UID, email, and first and last name fields must be present assertion.

Auto Account Update (optional)

Webex accounts can be updated with the presence of an updateTimeStamp attribute in t When modifications are made in the IdP, the new timestamp is sent to the Webex site, w account with any attribute sent in the SAML assertion.

Customer SSO Error URL (optional)

If an error occurs, redirects to this URL with the error code appended in the URL.

Customer SSO Service Login URL

URL for your enterprise's single sign-on services. Users typically sign in with this URL. Located in the IdP XML file (example: <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=" https://adfs20-fed-srv.adfs.webexeagle.com/adfs/ls/ " index="0" isDefault="true" />)

Default Webex Target page URL (optional)

Upon authentication, displays a target page assigned for the web application only.

Import SAML Metadata (link)

Click to open the Federated Web SSO Configuration - SAML Metadata dialog box. Imported metadata fields include the following:

  • AuthnRequestSigned Destination

  • Issuer for SAML (IdP ID)

  • Customer SSO Service Login URL

Issuer for SAML (IdP ID)

A URI uniquely identifies the IdP. The configuration must match the setting in the Customer IAM. Located in the IdP XML file (example: entityID=" http://adfs20-fed-srv.adfs.webexeagle.com/adfs/services/trust")

NameID Format

Must match the IdP configuration, with the following formats being supported:

  • Unspecified

  • Email address

  • X509 Subject Name

  • Entity Identifier

  • Persistent Identifier

Remove uid Domain Suffix for Active Directory UPN

Removes the Active Directory domain from the User Principal Name (UPN) when selected.

SSO Profile

Specify how users access the Webex site. Select SP Initiated if users start at the Webex meeting site and are redirected to the corporate IdP system for authentication. Select IdP Initiated if users access the Webex site through the corporate IAM system.

SSO authentication for Attendees

This feature provides additional levels of accountability to the SAML assertion user authentication for internal attendees using Webex Meetings, Webex Training, and Webex Events. When enabled, this feature supersedes the Webex Meetings "Display internal user tag in participant list" feature.

Signature Algorithm for AuthnRequest

For enhanced security, you can now generate SHA-1, SHA-256, or SHA-512 signed certificates.

Single Logout (optional)

Check to require a sign-out and set the logout URL.


 

IdP initiated Single Logout is not supported.

Webex SAML Issuer (SP ID)

The URI identifies the Webex Messenger service as an SP. The configuration must match the settings in the customer Identity Access Management system. Recommended naming conventions: For Webex Meetings, enter the Webex Meetings site URL. For the Webex Messenger service, use the format "client-domain-name" (example: IM-Client-ADFS-WebexEagle-Com).

You can export a SAML metadata Webex configuration file

You can export some metadata, which can then be imported in the future. Exported metadata fields include the following:

  • AuthnRequestSigned Destination

  • Issuer for SAML (IdP ID)

  • Customer SO Service Login URL

Renew expiring certificates

Before you begin

This feature is only for administrators who have SSO configured in Webex Administration and who do not yet manage their sites in Control Hub.


 

We recommend that you update the certificate to your Identity Provider (IdP) before November 2022. If the certificate expires, users may not be able to sign in successfully.

1

Sign in to Webex Administration and go to Configuration > Common Site Settings > SSO Configuration.

2

Scroll down to Site SP Certificate Manager.

The expiring and new certificate details (serial number, expiry date, key details, status and action) are displayed. The certificate which is currently in use is marked as Active.

3

Go to the new certificate and click Export Certification.

You can also click Export Metadata at the bottom of the screen to download the metadata with the new certificate.


 

The new certificate file will expire in one year. Administrators will need to look out for any alert notifications.

4

Upload the new certificate file to your Identity Provider (IdP).

5

Select the Active radio button for the new certificate.

6

Click Update.

The new certificate is now active.

7

Test the new certificate.

Frequently asked questions when updating certificates

Q. Are all administrators affected by this feature?

A. No, only administrators who have configured SSO in Webex Administration are affected.

Q. What happens if the administrator doesn't update the certificate before the due date?

A. The certificate will expire and your users may not be able to sign in to Webex successfully. We recommend that you update the certificate before October 2023.

If the certificate expires, you can still sign in to Site Administration to update and activate the new certificate to your corresponding Identity Provider. If you face any issue when updating the certificate, contact your Webex Support team.

Q. How long is a new certificate valid for?

A. The new certificate is valid for approximately one year. The Webex operations team generates a new certificate two months before the existing certificate expires. This provides you time to plan and update the certificate before the due date.