Configure Single Sign-On for Webex Administration
Single Sign-On (SSO) is an option that site administrators can implement within their organizations. With SSO, people can log in to a variety of applications with a single set of credentials.
Single Sign-On
With Webex SSO, everyone in your company can be granted access to all enterprise applications through a single, unique identifier. Webex Administration is the tool that administrators use to configure Single Sign-On for Webex applications.
Single sign-on is an optional feature, but it must be provisioned for your site. For further information, contact Cisco support.
Configure SSO
To configure SSO and SAML 2.0, follow the steps outlined in this procedure.
Before you begin
Make sure you have met and set up the following prerequisites:
- An Identity Provider (IdP) that complies with the SAML 2.0 or WS-Federation 1.0 standard, such as CA SiteMinder, ADFS, or Ping Identity.
- A corporate X.509 public key certificate issued by a reputable Certificate Authority, such as VeriSign or Thawte.
- An Identity Provider configured to supply SAML assertions that contain the user account information and the SAML system IDs.
- An IdP XML file.
- A URL that can be used to access the company’s IAM service.
1. Log in to Webex Administration and navigate to Configuration, then Common Site Settings, and finally SSO Configuration.
2. Choose SAML 2.0 from the drop-down menu next to the Federation Protocol option.
If there is an existing configuration, some fields might already be filled in.
3. Click the Site Certificate Manager link.
4. In the Site Certificate Manager window, select Browse, and then navigate to the location of the CER file for your X.509 certificate.
5. Select the CER file, and then click OK.
6. Click Close.
7. On the SSO Configuration page, enter the required information and select the options that you want to enable.
8. Select Update.
SSO Configuration Page
The following table lists and describes the fields and options on the SSO Configuration page.
The information entered during configuration must be accurate. Contact your identity provider if you have questions or need further explanation about the information required to configure SSO for your site.
Field or Option | Description |
---|---|
AuthnContextClassRef | The SAML statement that describes the authentication at the Identity Provider (IdP). This value must match the IAM configuration. Examples for ADFS: urn:federation:authentication:windows or urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport. Example for Ping: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified. To use multiple values, separate them with a “;”. For example: urn:federation:authentication:windows;urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport. |
Auto Account Creation (optional) | Select this option to create a user account. The UID, email, and first and last name fields must be present in the assertion. |
Auto Account Update (optional) | Webex accounts can be updated with the presence of an updateTimeStamp attribute in the IdP. When modifications are made in the IdP, the new timestamp is sent to the Webex site, updating the account with any attribute sent in the SAML assertion. |
Customer SSO Error URL (optional) | If an error occurs, users will be redirected to this URL with the error code appended to the URL. |
Customer SSO Service Login URL | The URL for your enterprise’s single sign-on services. Users typically sign in using this URL. This information is located in the IdP XML file. Example: <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs20-fed-srv.adfs.webexeagle.com/adfs/ls/" index="0" isDefault="true" />. |
Default Webex Target page URL (optional) | Upon authentication, users will be directed to a target page assigned specifically for the web application. |
Import SAML Metadata (link) | Clicking this link opens the Federated Web SSO Configuration – SAML Metadata dialog box. Imported metadata includes the following fields: AuthnRequestSigned Destination, Issuer for SAML (IdP ID), Customer SSO Service Login URL. |
NameID Format | This field must match the IdP configuration. Supported formats include: Unspecified, Email address, X509 Subject Name, Entity Identifier, Persistent Identifier. |
Remove uid Domain Suffix for Active Directory UPN | When selected, this option removes the Active Directory domain from the User Principal Name (UPN). |
SSO Profile | Specify how users access the Webex site. Select “SP Initiated” if users start at the Webex meeting site and are redirected to the corporate IdP system for authentication. Select “IdP Initiated” if users access the Webex site through the corporate IAM system. |
SSO authentication for Attendees | This feature provides additional levels of accountability to the SAML assertion user authentication for internal attendees using Webex Meetings, Webex Training, and Webex Events. When enabled, this feature supersedes the Webex Meetings “Display internal user tag in participant list” feature. |
Signature Algorithm for AuthnRequest | For enhanced security, you can choose SHA-1, SHA-256, or SHA-512 as the algorithm used to sign the authentication request. |
Single Logout (optional) | Check this option to require a sign-out and set the logout URL. Note that IdP initiated Single Logout is not supported. |
Webex SAML Issuer (SP ID) | The URI that identifies the Webex Messenger service as a Service Provider (SP). This configuration must match the settings in the customer Identity Access Management (IAM) system. Recommended naming conventions: For Webex Meetings, enter the Webex Meetings site URL. For the Webex Messenger service, use the format “client-domain-name” (example: IM-Client-ADFS-WebexEagle-Com). |
Export SAML Metadata Webex configuration file | This option allows you to export metadata, which can then be imported in the future. The exported metadata includes the following fields: AuthnRequestSigned Destination, Issuer for SAML (IdP ID), Customer SSO Service Login URL. |
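The IdP XML file mentioned in the table carries the values that Import SAML Metadata fills in, and checking it before you import avoids a mismatch with the IdP. The following Python script is an added example, not Cisco's or Webex's code: it parses a constructed SAML 2.0 IdP metadata file, extracts the IdP entityID (Issuer for SAML), the SingleSignOnService locations (Customer SSO Service Login URL), flags any advertised NameID format that the page does not list as supported, and computes a SHA-256 fingerprint of each signing certificate so it can be compared with the certificate published to the IdP. The sample certificate is a placeholder blob, not a real X.509 certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# NameID formats the SSO Configuration page lists as supported, keyed by their SAML URN.
SUPPORTED_NAMEID = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified": "Unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "Email address",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName": "X509 Subject Name",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity": "Entity Identifier",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "Persistent Identifier",
}

def fingerprint(cert_b64):
    """SHA-256 of the DER bytes inside a base64 X509Certificate element (whitespace tolerated)."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def parse_idp_metadata(xml_text):
    """Pull out the values that the SSO Configuration page takes from the IdP XML file."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # an SP-only metadata file is the wrong file for this page
        raise ValueError("metadata has no IDPSSODescriptor")
    info = {"idp_id": root.get("entityID"),  # Issuer for SAML (IdP ID)
            "login_urls": {}, "nameid_formats": [], "signing_fingerprints": []}
    for sso in idp.findall("md:SingleSignOnService", NS):  # Customer SSO Service Login URL
        info["login_urls"][sso.get("Binding")] = sso.get("Location")
    for fmt in idp.findall("md:NameIDFormat", NS):  # second tuple item is None if Webex lacks it
        urn = (fmt.text or "").strip()
        info["nameid_formats"].append((urn, SUPPORTED_NAMEID.get(urn)))
    for kd in idp.findall("md:KeyDescriptor", NS):  # a KeyDescriptor with no 'use' serves both roles
        cert = kd.find(".//ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and cert is not None:
            info["signing_fingerprints"].append(fingerprint(cert.text or ""))
    return info

# Constructed sample metadata; the certificate is a placeholder blob, not a real X.509 certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"placeholder bytes, not a real certificate").decode()
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/adfs/services/trust">
  <IDPSSODescriptor><KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
  <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://idp.example.test/adfs/ls/"/></IDPSSODescriptor></EntityDescriptor>"""
```

Running `parse_idp_metadata(SAMPLE_METADATA)` reports the transient NameID format with `None`, which is the signal to pick one of the listed formats on both sides before importing.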
Renew expiring certificates
Before you begin
This capability is available only to administrators who have already set up SSO in Webex Administration but do not yet manage their sites through Control Hub.
It is strongly recommended that you update the certificate for your Identity Provider (IdP) before November 2022. If the certificate is allowed to expire, users may be unable to sign in.
1. Log in to Webex Administration and navigate to Configuration, then Common Site Settings, and finally SSO Configuration.
2. Scroll down to the Site SP Certificate Manager.
The details of the expired certificate and of the new one are displayed here: serial number, expiration date, key data, status, and action. The certificate currently in use has the status Active.
3. Go to the new certificate, and then select Export Certification from the drop-down menu.
You can also download the metadata that goes with the new certificate by clicking the Export Metadata button at the bottom of the screen.
The newly created certificate file is valid for one year. Administrators are responsible for watching for alert notifications.
4. Publish the newly created certificate file to the Identity Provider (IdP) that you use.
5. Make sure that the Active radio button is selected for the new certificate.
6. Click Update.
The replacement certificate can now be used.
7. Test the new certificate.
Frequently asked questions when updating certificates
Q. Are all administrators affected by this feature?
A. No. Only administrators who have set up SSO in the Webex Administration interface are affected.
Q. What happens if the administrator doesn’t update the certificate before the due date?
A. The certificate will become invalid, and your users may be unable to sign in to Webex securely. It is strongly recommended that you update the certificate before November 2022.
If the certificate is allowed to expire, you can still sign in to Site Administration to update and activate the new certificate for the corresponding Identity Provider. Contact the Webex Support team if you run into any problems while updating the certificate.
Q. How long is a new certificate valid for?
A. The new certificate remains valid for roughly one year after it is issued. Two months before the current certificate expires, the Webex operations team generates a new certificate, which gives you time to plan ahead and update the certificate before the deadline.