Configure single sign-on in Control Hub with Okta – Webex
You can configure a single sign-on (SSO) integration between Control Hub and deployments that use Okta as their identity provider (IdP).
Single sign-on and Control Hub
Single sign-on (SSO) is a session or user authentication process that lets users access one or more applications by entering their credentials only once. The process authenticates users for all applications they have been granted access to, so they are not prompted again when they switch applications during a session.
Single sign-on (SSO) authentication between the Webex cloud and your identity provider (IdP) uses the Security Assertion Markup Language 2.0 (SAML 2.0) federation protocol.
Profiles
Webex App supports only the web browser SSO profile. Within the web browser SSO profile, Webex App supports the following bindings:
- SP initiated POST -> POST binding
- SP initiated REDIRECT -> POST binding
NameID format
The SAML 2.0 protocol supports several NameID formats for identifying individual users. Webex App supports the following NameID formats:
- urn:oasis:names:tc:SAML:2.0:nameid-format:transient
- urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
- urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
The first NameID format listed in the metadata loaded from your IdP is the one configured for use with Webex.
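As an added example (not Webex or Okta code), the following Python shows what the two supported bindings mean on the wire: the AuthnRequest that the service provider sends is carried either in a hidden POST form field (plain base64) or DEFLATE-compressed, base64-encoded and URL-encoded in a redirect query string, and in both cases the IdP returns its response by HTTP-POST to the assertion consumer service. The request also sets a NameIDPolicy for the transient format listed above. The entityID, ACS URL and Okta SSO URL are constructed placeholders, not values from a real organization.

```python
import base64
import urllib.parse
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed placeholders: replace with the entityID and AssertionConsumerService
# Location from your own idb-meta-<org-ID>-SP.xml and the SSO URL from Okta's metadata.
SP_ENTITY_ID = "https://idbroker.webex.com/example-org-id"
SP_ACS_URL = "https://idbroker.webex.com/idb/Consumer/metaAlias/example-org-id/sp"
IDP_SSO_URL = "https://example.okta.com/app/cisco_webex/example/sso/saml"

NAMEID_TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def build_authn_request(request_id=None, issue_instant=None):
    """Build the SP-initiated AuthnRequest that the service provider sends to the IdP.

    ProtocolBinding tells the IdP to return the response by HTTP-POST, which is
    the response leg of both bindings Webex supports.
    """
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" ProtocolBinding="{BINDING_POST}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{NAMEID_TRANSIENT}" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )


def encode_redirect(xml_text):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15 = raw DEFLATE stream
    deflated = comp.compress(xml_text.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")


def decode_redirect(saml_request_param):
    """Reverse of encode_redirect: what the IdP does with the SAMLRequest query parameter."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request_param))
    return zlib.decompress(raw, -15).decode()


def encode_post(xml_text):
    """HTTP-POST binding: plain base64 in a hidden form field, no compression."""
    return base64.b64encode(xml_text.encode()).decode()


def decode_post(form_value):
    return base64.b64decode(form_value).decode()


def redirect_url(xml_text):
    """The full URL the browser is redirected to for the REDIRECT -> POST binding."""
    return f"{IDP_SSO_URL}?SAMLRequest={encode_redirect(xml_text)}"


def summarize_request(xml_text):
    """Parse an AuthnRequest and return the fields an admin checks against the metadata."""
    root = ET.fromstring(xml_text)
    policy = root.find(f"{{{NS_SAMLP}}}NameIDPolicy")
    return {
        "issuer": root.findtext(f"{{{NS_SAML}}}Issuer"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "protocol_binding": root.get("ProtocolBinding"),
        "nameid_format": policy.get("Format") if policy is not None else None,
    }


if __name__ == "__main__":
    req = build_authn_request()
    print(redirect_url(req))
    print(summarize_request(decode_redirect(encode_redirect(req))))
```

The Issuer must equal the entityID in the Webex metadata and the AssertionConsumerServiceURL must equal the ACS Location, which is why the Okta procedure has you copy exactly those two values; a mismatch in either is what typically produces a Webex App error during the SSO test.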
Integrate Control Hub with Okta
The configuration guides document one specific SSO integration and do not cover every possible configuration. For example, the documented integration steps are for the nameid-format urn:oasis:names:tc:SAML:2.0:nameid-format:transient. Other formats, such as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, work for SSO integration but are outside the scope of this documentation.
Setting up this integration benefits users in your Webex organization (including Webex App, Webex Meetings, and other services administered in Control Hub). If your Webex site is integrated in Control Hub, the Webex site inherits the user management. If you cannot access Webex Meetings this way and it is not managed in Control Hub, you must perform a separate integration to enable SSO for Webex Meetings. (See Configure Single Sign-On for Webex for more information on SSO integration in Site Administration.)
Before you begin
IdPs must conform to the SAML 2.0 specification to support SSO with Control Hub. In addition, identity providers (IdPs) must be configured as follows:
Download the Webex metadata to your local system
- From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication, and then toggle on the Single sign-on setting to start the configuration wizard.
- Choose the certificate type for your organization:
- Self-signed by Cisco: We recommend this option. Let us sign the certificate so you only need to renew it once every five years instead of annually.
- Signed by a public certificate authority: More secure, but you will need to update the metadata more often (unless your IdP vendor supports trust anchors).
Trust anchors are public keys that act as an authority to verify the certificate of a digital signature. For more information, see your IdP documentation.
- Download the metadata file.
- The Webex metadata file name is idb-meta-<org-ID>-SP.xml.
Configure Okta for Webex services
- Sign in to your Okta tenant (example.okta.com, where example is your company or organization name) as an administrator, go to Applications, and then click Add Application.
- Search for "Cisco Webex" and add the application to your tenant.
- Click Next, and then select SAML 2.0 from the drop-down menu.
- Open the metadata file that you downloaded from Control Hub in a browser. Copy the entityID URL (near the top of the file) and the assertionConsumerService Location URL (near the bottom of the file).
Figure 1: An Illustration of Selected entityIDs in the Control Hub Metadata File
- In Okta, go to the Cisco Webex tab, scroll down to Advanced Settings, paste the Entity ID and Assertion Consumer Service values that you copied from the Control Hub metadata file, and then click Save Changes.
- Click Sign On, and then download the Okta metadata file from the link provided. You will import this file into Control Hub.
- Go to Assignments, select all users and any relevant groups that you want to associate with the apps and services managed in Control Hub, click Assign, and then click Done.
You can assign a person or a group. Do not skip this step; if you do, the integration between Control Hub and Okta fails.
Import the IdP metadata and enable single sign-on after a test
Once you have exported the Webex metadata, configured your identity provider (IdP), and downloaded the IdP metadata to your local system, you are ready to import it into your Webex organization from Control Hub.
Before you begin
Test the SSO interaction from the identity provider (IdP) interface only when absolutely necessary. Because we support only service provider (SP)-initiated flows, you must use the Control Hub SSO test for this integration.
- Choose one:
- Return to the Control Hub certificate selection page in your browser, and then click Next.
- From the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication, and then choose Actions > Import Metadata. Use this step only if the Control Hub tab is no longer open in your browser.
- On the Import IdP Metadata page, either drag and drop the IdP metadata file onto the page or use the file browser option to locate and upload the metadata file. The next page appears.
If you have the choice, choose the more secure option. You can do this if your IdP signed its metadata with a public CA.
In all other cases, you must choose the less secure option. This includes metadata that is not signed, is self-signed, or is signed by a private CA.
Because Okta does not sign its metadata, choose Less secure when integrating Okta for single sign-on.
- Click Test SSO setup, and when a new browser tab opens, sign in to the IdP to authenticate.
If you receive an authentication error, there may be a problem with the credentials. Check that you are using the correct username and password, and then try again.
A Webex App error usually means a problem with the SSO setup. In this case, repeat the steps, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.
To see the SSO sign-in experience directly, click Copy URL to clipboard on this screen and paste the URL into a private browser window. From there, you can walk through signing in with SSO. This avoids false positives caused by an access token already present in an active session from your previous sign-in.
- Return to the Control Hub browser tab.
- If the test was successful, select Successful test. Turn on SSO and click Next.
- If the test was unsuccessful, select Unsuccessful test. Turn off SSO and click Next.
Unless you select the first radio button and turn on SSO, the SSO configuration does not take effect in your organization.
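Added example, not part of the Webex documentation: a Python pre-flight check that reads the Webex SP metadata (the entityID and assertionConsumerService Location you copy into Okta in the procedure above, plus the order of NameID formats) and the IdP metadata you import here, and reports whether the IdP metadata carries an XML signature (which decides between the more secure and less secure import options), which bindings its single sign-on endpoints offer, and whether a signing certificate is present. Both metadata documents are constructed stand-ins with placeholder values; the certificate is a placeholder string whose decoded bytes merely start like a DER SEQUENCE, not a real certificate.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for idb-meta-<org-ID>-SP.xml; all values are placeholders.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idbroker.webex.com/example-org-id">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idbroker.webex.com/idb/Consumer/metaAlias/example-org-id/sp" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed stand-in for the metadata Okta exports: unsigned, as the page notes.
# The X509Certificate content is a placeholder, not a real certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://www.okta.com/exampleidpid">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBAAE=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exampleidpid/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example.okta.com/app/exampleidpid/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_values_to_copy(sp_xml):
    """Return the two values pasted into Okta plus the NameID format Webex will use."""
    root = ET.fromstring(sp_xml)
    acs = root.find(".//md:AssertionConsumerService", NS)
    formats = [e.text.strip() for e in root.findall(".//md:NameIDFormat", NS)]
    return {
        "entity_id": root.get("entityID"),
        "acs_location": acs.get("Location") if acs is not None else None,
        "acs_binding": acs.get("Binding") if acs is not None else None,
        "nameid_formats": formats,
        "nameid_in_use": formats[0] if formats else None,  # first listed format wins
    }


def idp_metadata_report(idp_xml):
    """Check the IdP metadata for the things that decide the import option and the test outcome."""
    root = ET.fromstring(idp_xml)
    # An enveloped XML signature sits directly under EntityDescriptor when metadata is signed.
    signed = root.find("ds:Signature", NS) is not None
    bindings = {e.get("Binding") for e in root.findall(".//md:SingleSignOnService", NS)}
    certs = [c.text.strip() for c in root.findall(".//ds:X509Certificate", NS)]
    # A DER-encoded certificate always begins with a SEQUENCE tag (0x30).
    cert_der_ok = all(base64.b64decode(c)[:1] == b"\x30" for c in certs)
    problems = []
    if not certs or not cert_der_ok:
        problems.append("no usable signing certificate in KeyDescriptor")
    if BINDING_POST not in bindings and BINDING_REDIRECT not in bindings:
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    if signed:
        # A signature alone is not enough for the more secure option: the signer must be a public CA.
        import_option = "More secure only if the signer chains to a public CA"
    else:
        import_option = "Less secure"
    return {
        "entity_id": root.get("entityID"),
        "metadata_signed": signed,
        "import_option": import_option,
        "sso_bindings": sorted(bindings),
        "signing_certs": len(certs),
        "problems": problems,
    }


if __name__ == "__main__":
    print(sp_values_to_copy(SP_METADATA))
    print(idp_metadata_report(IDP_METADATA))
```

Running the check against the real exported files before importing lets you confirm that the two URLs pasted into Okta match the SP metadata exactly and that the IdP metadata is unsigned (so the less secure option is the only valid choice) before you spend a test cycle in Control Hub.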
Where do we go from here?
To provision users from Okta into the Webex cloud, follow the steps in Synchronize Okta Users into Cisco Webex Control Hub.
You can suppress the emails sent to new Webex App users in your organization by following the procedure in Suppress Automated Emails. That document also includes best practices for communicating with users in your organization.