Configure single sign-on in Control Hub with Microsoft Azure (Webex)
If your organization uses Microsoft Azure as its identity provider (IdP), you can configure a single sign-on (SSO) integration between Azure and your Control Hub organization.
Single sign-on and Control Hub
Single sign-on (SSO) is a session and user-authentication process that lets a user provide credentials once to access one or more applications. Users are authenticated for all applications to which they have been granted access rights and are not prompted again when they switch from one application to another during the same session.
The Security Assertion Markup Language (SAML 2.0) federation protocol is used to provide SSO authentication between your identity provider (IdP) and the Webex cloud.
Profiles
Webex App supports only the web browser SSO profile. Within the web browser SSO profile, Webex App supports the following bindings:
- SP initiated POST -> POST binding
- SP initiated REDIRECT -> POST binding
NameID format
The SAML 2.0 protocol supports several NameID formats for identifying a specific user. Webex App supports the following NameID formats:
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Webex uses the first NameID format entry in the metadata that you load from your IdP.
Integrate Control Hub with Microsoft Azure
The configuration guides show examples of how an SSO integration can be configured, but they do not cover every possible combination. For example, the integration steps for the nameid-format urn:oasis:names:tc:SAML:2.0:nameid-format:transient are documented. Other formats such as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress work for SSO integration but are outside the scope of this documentation.
This integration applies to users in your Webex organization, including users of Webex Meetings, Webex App, and other services administered through Control Hub. A Webex site that is integrated with Control Hub inherits its user management from Control Hub. If Webex Meetings is not managed in Control Hub, it is not covered by this integration and a separate integration is required. For more information about the SSO integration for such sites, see Configure Single Sign-On for Webex in Site Administration.
Before you begin
IdPs must comply with the SAML 2.0 specification to support SSO with Control Hub. In addition, the IdP must be configured as described in the following procedure.
Provisioning in Azure Active Directory can only be done manually. This document describes only how to integrate single sign-on (SSO).
Download the Webex metadata to your local system
- From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication, toggle on the Single Sign-On setting, and start the setup wizard.
- Choose the certificate type that fits your organization's needs:
- Self-signed by Cisco—This is the recommended option. Cisco signs the certificate for you, and you need to renew it at most once every five years.
- Signed by a public certificate authority—Choose this if you use a third-party IdP vendor that does not support trust anchors; in that case you must update the metadata frequently.
Trust anchors are public keys that act as an authority for verifying the authenticity of digital signatures. Refer to your IdP documentation for more information.
- Download the metadata file and save it to your local system.
The Webex metadata file is named idb-meta-<org-ID>-SP.xml.
Configure SSO application settings in Azure
Before you begin
- Understand the IdP capabilities that Azure Active Directory provides.
- Create and configure an Azure Active Directory account.
- Users can be created locally or synced from an on-premises Active Directory system.
- Open the Webex metadata file that you downloaded from Control Hub in a text editor.
- The Microsoft documentation site has a tutorial related to this topic.
- Sign in to the Azure portal at https://portal.azure.com with your administrator credentials.
- If you do not see the Azure Active Directory icon on the left side of the screen, click More services.
- Open Azure Active Directory for your organization.
- Go to the Enterprise Applications section and click Add.
- Click Add an application from the gallery.
- Search for Cisco Webex in the search box at the top of the page.
- Select Cisco Webex in the results pane and click Create to add the application.
- To prevent the new Webex application from appearing in the user portal, go to Manage > Properties and set Visible to users to No.
The Webex application is then not visible to users in the user portal.
- Configure single sign-on:
- In the left pane, under Manage, click Single sign-on, choose SAML as the authentication method, and click OK.
- Click Upload metadata file and select the metadata file that you downloaded from Control Hub.
Some fields are filled in automatically when you submit the file.
- On the Set up Single Sign-On with SAML page, click the Edit icon in the Basic SAML Configuration section.
- Copy the Reply URL into the Sign on URL field and save the changes.
- Go to Manage > Users and groups to grant Webex App access to the users or groups you choose.
- On the Set up Single Sign-On with SAML page, under SAML Signing Certificate, click Download next to Federation Metadata XML and save the file to your computer.
Import the IdP metadata and enable single sign-on after a test
After you export the Webex metadata, configure your IdP, and download the IdP metadata, import the IdP metadata into your Webex organization from Control Hub.
Before you begin
Integrate with the IdP interface but do not test SSO from there. Control Hub supports only SP-initiated flows (see Profiles above), so you must use the Control Hub SSO test.
- Choose one of the following:
- If the Control Hub certificate selection page is still open in your browser, click Next to continue.
- If you closed the Control Hub browser tab, go to the customer view at https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication, and choose Actions > Import Metadata.
- On the Import IdP Metadata page, either drag and drop the IdP metadata file onto the page or use the file browser option to upload it, and then click Next.
Choose More secure if you can. This option works only if the metadata from your IdP is signed by a public CA.
In all other cases, choose Less secure. This applies whether the metadata is unsigned, self-signed, or signed by a private CA.
If you are integrating with Okta, you must choose Less secure because Okta does not sign its metadata.
- In the Test SSO setup box, select Authenticate with the IdP and sign in. A new browser tab opens with the SSO setup ready for you to test.
If you receive an authentication error, the credentials may be the cause. Check that the username and password are correct and try again.
A Webex App error usually indicates a problem with the SSO configuration. Go through the entire process again, paying particular attention to the step where you copy and paste the Control Hub metadata into the IdP setup.
To see the SSO sign-in experience directly, click Copy URL to clipboard on this screen and paste the URL into a private browser window, then sign in with SSO. This eliminates false positives caused by an access token in an existing session that could interfere with signing in from the correct session.
- Return to the Control Hub tab in your browser.
- If the test succeeded, select Successful test, turn on SSO, and click Next.
- If the test failed, select Unsuccessful test, turn off SSO, and click Next.
The SSO configuration does not take effect in your organization unless you select the first radio button and activate SSO.
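The NameID format section above says Webex uses the first NameIDFormat entry in the IdP metadata, and the import step above bases the More secure / Less secure choice on whether that metadata is signed. The following script is an added example, not code from the Webex or Azure documentation; it reads an IdP federation metadata file offline and reports those points plus the SSO endpoints and bindings. The sample metadata, tenant ID and URLs are constructed placeholders.

```python
# Added example (not from the Webex or Azure documentation): inspect an IdP
# federation metadata file before importing it into Control Hub.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUPPORTED_NAMEID = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

def inspect_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata (SP file?)")
    # Webex uses the first NameIDFormat entry, so order matters.
    formats = [e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text]
    endpoints = {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location")
                 for e in idp.findall("md:SingleSignOnService", NS)}
    signed = root.find("ds:Signature", NS) is not None
    return {
        "entity_id": root.get("entityID"),
        "first_nameid_format": formats[0] if formats else None,
        "first_nameid_supported": bool(formats) and formats[0] in SUPPORTED_NAMEID,
        "sso_endpoints": endpoints,
        "metadata_signed": signed,
        # "More secure" additionally requires the signing certificate to chain to a
        # public CA; that chain check is not done offline here.
        "import_option_hint": "More secure (only if signed by a public CA)" if signed else "Less secure",
    }

# Constructed sample (placeholder tenant ID, not a real Azure value); it is unsigned.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""
```

Run `inspect_idp_metadata(open("federation-metadata.xml").read())` on the file downloaded from Azure to see the same report for your own tenant.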
What to do next
To provision users from Okta into the Webex cloud, follow the instructions in Synchronize Okta Users into Cisco Webex Control Hub.
To provision users from Azure Active Directory into the Cisco Webex cloud, follow the procedures in Synchronize Azure Active Directory Users into Cisco Webex Control Hub.
To prevent automated emails from being sent to new Webex App users in your organization, follow the instructions in Suppress Automated Emails. That document also includes best practices for communicating with users in your organization by email and newsletter.
Troubleshoot Azure integration
For the SAML test, use Mozilla Firefox with the SAML tracer extension, available at https://addons.mozilla.org/en-US/firefox/addon/saml-tracer/.
Make sure that the assertion from Azure uses the correct nameid format, and that the uid attribute in the assertion corresponds to a user in Webex App.
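As an added example (not code from the Webex documentation), the following script applies the two checks just described to a SAML Response captured with SAML tracer: it verifies that the NameID format is one Webex supports and that the uid attribute names a user in the Webex organization. The response and the user list are constructed samples with placeholder values.

```python
# Added example (not from the Webex documentation): check a captured SAML Response
# for the NameID format and the uid attribute named in the troubleshooting section.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUPPORTED_NAMEID = {
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

def check_assertion(response_xml: str, webex_users: set) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion in the Response (missing or encrypted)"]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt not in SUPPORTED_NAMEID:
        findings.append(f"NameID format not supported by Webex: {fmt}")
    uid = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "uid":
            value = attr.find("saml:AttributeValue", NS)
            uid = value.text.strip() if value is not None and value.text else None
    if uid is None:
        findings.append("uid attribute missing from the AttributeStatement")
    elif uid.lower() not in webex_users:
        findings.append(f"uid {uid!r} does not match any Webex user")
    return findings

# Constructed sample (placeholder IDs): wrong NameID format and a uid that is not a Webex user.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">abc123</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
WEBEX_USERS = {"asmith@example.com", "bjones@example.com"}  # constructed Webex user list
```

Paste the decoded Response from SAML tracer in place of SAMPLE_RESPONSE and the export of your organization's users in place of WEBEX_USERS to apply the same checks to a real capture.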
Frequently Asked Questions
How do I enable SSO in Webex Control Hub?
Launch the Single Sign-On configuration wizard from the customer view in Control Hub (https://admin.webex.com): click Management > Organization Settings, scroll down to Authentication, and turn on the toggle next to Single Sign-On.
Is Webex compatible with Microsoft?
With the Cisco Webex Meetings integration for Microsoft Teams, you can schedule, start, and join meetings directly from your Microsoft account, and you can share a link to a Cisco Webex meeting or Personal Room meeting in a Microsoft Teams channel in one easy step.
How do I link Microsoft to Webex?
If you have a free account, you need administrator rights on your computer to connect Webex to Microsoft Outlook. In the Webex App, click your profile picture, go to Settings > General, click Connect Webex to Microsoft Outlook, and then click OK.
Can Microsoft 365 be integrated into the Webex app?
From within the Webex app, users can access files from Microsoft 365 apps such as SharePoint and OneDrive. This integration works well if your goal is to use the Microsoft 365 suite inside the Webex app.
How do I download Microsoft Webex?
For the Windows, Mac, iPhone, iPad, or Android version of Webex, go to https://www.webex.com/downloads.html. For Webex App for Web, go to https://web.webex.com/. Webex App for Windows requires Windows 10 or later.
Can Microsoft Teams join a Webex meeting?
In Microsoft Teams, select the Webex tab to join Webex Personal Room meetings or scheduled Webex meetings. To join a meeting from the list of upcoming meetings, locate it under Upcoming Meetings, select Join next to the meeting, and then click Join.
How do I change a Webex meeting to a Microsoft Teams meeting?
Double-click the meeting to open it. Click the Teams Meeting button on the toolbar at the top right of the meeting window, and then click Send Updates. The meeting is now set up as a Teams meeting, and participants can join it directly from their calendars.
All images and content credit goes to help.webex.com.