SAML Auto Account Creation and Update for Control Hub in Webex
Using SAML assertions, Webex can map user attributes from your identity provider (IDP) to Webex Identity, and can create or update user accounts just in time (JIT) when a user authenticates.
Modify single sign-on authentication in Control Hub
Before you begin
The following preconditions must be met before you start:
- An SSO configuration is already in place. The SSO configuration wizard is described at https://help.webex.com/article/lfu88u/.
- The domains have been verified.
- The domains have been claimed and the feature has been turned on. With this feature, each time a user from your domain authenticates with your IDP, a new user is created and then updated.
- Synchronization with DirSync or Azure AD is accounted for. Only one of the two mechanisms should be active: if directory synchronization is enabled, SAML Update Mapping should be disabled, and if SAML Update Mapping is used, directory synchronization should not be.
- Users are blocked from updating their profiles. When SAML Update Mapping is used, the IDP determines the attribute values, so users cannot change them themselves. Creating and updating user accounts through the admin-controlled method is still possible.
Unless an automatic license template is set up for the organization, new users are not assigned licenses automatically when they are created.
Set up SSO
- From the customer view in https://admin.webex.com, go to Management > Organization Settings and scroll down to Authentication.
- If SSO has not been set up yet, toggle Modify your organization’s SSO authentication on and follow the SSO setup wizard, as described in the “SSO Setup” section of https://help.webex.com/article/lfu88u/. Otherwise, continue to the next step.
- Click the Actions button to expand the section below.
SAML response mapping
In the SAML Attribute Name field, enter the name of the attribute in the SAML assertion that corresponds to the Webex Identity attribute (for example, the display name), as illustrated by the sample SAML assertion that follows:
The example above maps the SAML attribute “firstname” to the Webex Identity attribute “name.givenName”; in many cases the SAML attribute name is simply the same as the Webex Identity attribute name. When this SAML assertion is presented, the user's givenName is set to “Paulo Jorge”.
- Select Configure SAML mapping to open the SAML response map.
- Set the required attributes.
Table 1. Required attributes
| Webex Identity attribute name | SAML attribute name | Attribute description |
|---|---|---|
| Username / Primary email address | Example: uid | Map the uid attribute to the provisioned user's email address, user name, or user principal name. |
- Set the profile attributes.
Table 2. Profile attributes
| Webex Identity attribute name | SAML attribute name | Attribute description |
|---|---|---|
| externalId | Example: user.objectid | Distinguishes this user from other individual profiles. This is necessary when mapping between directories or changing other profile attributes. |
| employeenumber | Example: user.employeeid | The user's employee number, or an identification number within their HR system. This is not the same as "externalId", because "employeenumber" can be re-used or recycled for other users. |
| preferredLanguage | Example: user.preferredlanguage | The user's preferred language. |
| locale | Example: user.locale | The user's primary work location. |
| timezone | Example: user.timezone | The user's primary time zone. |
| displayName | Example: user.displayname | The user's display name in Webex. |
| name.givenName | Example: user.givenname | The user's first name. |
| name.familyName | Example: user.surname | The user's last name. |
| addresses.streetAddress | Example: user.streetaddress | The street address of their primary work location. |
| addresses.state | Example: user.state | The state of their primary work location. |
| addresses.region | Example: user.region | The region of their primary work location. |
| addresses.postalCode | Example: user.postalcode | The zip code of their primary work location. |
| addresses.country | Example: user.country | The country of their primary work location. |
| phoneNumbers.work | Example: work phonenumber | The work phone number of their primary work location. Use the international E.164 format only (15 digits maximum). |
| phoneNumbers.extension | Example: mobile phonenumber | The work extension of their primary work phone number. Use the international E.164 format only (15 digits maximum). |
| pronoun | Example: user.pronoun | The user's pronouns. This is an optional attribute; the user or admin can make it visible on the profile. |
| title | Example: user.jobtitle | The user's job title. |
| department | Example: user.department | The user's job department or team. |
| manager | Example: manager | The user's manager or team lead. |
| costcenter | Example: cost center | The user's cost center. |
| email.alternate1 | Example: user.mailnickname | An alternative email address for the user. If you want the user to be able to sign in with it, map it to the uid. |
| email.alternate2 | Example: user.primaryauthoritativemail | An alternative email address for the user. If you want the user to be able to sign in with it, map it to the uid. |
| email.alternate3 | Example: user.alternativeauthoritativemail | An alternative email address for the user. If you want the user to be able to sign in with it, map it to the uid. |
| email.alternate4 | Example: user.othermail | An alternative email address for the user. If you want the user to be able to sign in with it, map it to the uid. |
| email.alternate5 | Example: user.othermail | An alternative email address for the user. If you want the user to be able to sign in with it, map it to the uid. |
- Set the extension attributes. You can map these to extended attributes in Active Directory, Microsoft Azure, or your own directory, for example to track codes stored there.
Table 3. Extension attributes
| Webex Identity attribute name | SAML attribute name |
|---|---|
| Extension Attribute 1 | Example: user.extensionattribute1 |
| Extension Attribute 2 | Example: user.extensionattribute2 |
| Extension Attribute 3 | Example: user.extensionattribute3 |
| Extension Attribute 4 | Example: user.extensionattribute4 |
| Extension Attribute 5 | Example: user.extensionattribute5 |
| Extension Attribute 6 | Example: user.extensionattribute6 |
| Extension Attribute 7 | Example: user.extensionattribute7 |
| Extension Attribute 8 | Example: user.extensionattribute8 |
| Extension Attribute 9 | Example: user.extensionattribute9 |
| Extension Attribute 10 | Example: user.extensionattribute10 |
A list of SAML assertion attributes is available in the Webex Meetings help article at https://help.webex.com/article/WBX67566.
Just in time (JIT) settings
Configure the just-in-time settings as follows:
- Create or activate user: If no active user matches, Webex Identity creates the user and updates the user’s attributes after the user has authenticated with the IDP.
- Update user with SAML attributes: If Webex Identity finds a user with a matching email address, it updates the user’s attributes with the values mapped from the SAML assertion.
Confirm that users are able to log in using an email address that cannot be identified.
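The following is an added example, not code from Webex or this article, that ties the SAML response mapping section to the two JIT settings above: it reads the attributes from a constructed (unsigned) SAML assertion, translates them through a constructed mapping table into Webex Identity attribute names with the uid and E.164 checks the tables call for, and then applies the create/update toggles against an in-memory directory. The mapping, the sample assertion and the directory are assumptions; a real service provider verifies the assertion signature before trusting any attribute.

```python
import re
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
E164 = re.compile(r"^\+[1-9]\d{1,14}$")  # '+' followed by at most 15 digits

# Constructed mapping: SAML attribute name -> Webex Identity attribute name
MAPPING = {"uid": "uid", "firstname": "name.givenName",
           "user.surname": "name.familyName", "work phonenumber": "phoneNumbers.work"}

def saml_attributes(assertion_xml):
    """Return {Name: first AttributeValue} of an already signature-verified assertion."""
    root = ET.fromstring(assertion_xml)
    found = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            found[attr.get("Name")] = value.text.strip()
    return found

def map_to_webex(attrs, mapping=MAPPING):
    """Translate to Webex attribute names; uid is required, work phone must be E.164."""
    profile = {mapping[k]: v for k, v in attrs.items() if k in mapping}
    if "uid" not in profile:
        raise ValueError("assertion lacks the required uid attribute")
    phone = profile.get("phoneNumbers.work")
    if phone is not None and not E164.match(phone):
        raise ValueError(f"phoneNumbers.work is not E.164: {phone!r}")
    return profile

def jit_apply(directory, profile, create=True, update=True):
    """Apply the JIT toggles: create when no user matches the uid, otherwise update."""
    uid = profile["uid"].lower()  # email comparison is case-insensitive
    if uid in directory:
        if not update:
            return "unchanged"
        directory[uid].update(profile)
        return "updated"
    if not create:
        return "skipped"
    directory[uid] = dict(profile)
    return "created"

# Constructed sample assertion; only the AttributeStatement matters for this example
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>paulo@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Paulo Jorge</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="work phonenumber"><saml:AttributeValue>+14085550100</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Running `jit_apply(directory, map_to_webex(saml_attributes(SAMPLE)))` on an empty directory returns "created" and a second run returns "updated", mirroring the two toggles.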