Import the IdP metadata and enable single sign-on after a test
Troubleshoot Azure integration
Configure single sign-on in Control Hub with Microsoft Azure
In this article
You can configure a single sign-on (SSO) integration between a Control Hub customer organization and a deployment that uses Microsoft Azure as an identity provider (IdP).
Single sign-on and Control Hub
Single sign-on (SSO) is a session or user authentication process that permits a user to provide credentials to access one or more applications. The process authenticates users for all the applications that they are given rights to. It eliminates further prompts when users switch applications during a particular session.
The Security Assertion Markup Language (SAML 2.0) Federation Protocol is used to provide SSO authentication between the Webex cloud and your identity provider (IdP).
Profiles
Webex App only supports the web browser SSO profile. In the web browser SSO profile, Webex App supports the following bindings:
SP initiated POST -> POST binding
SP initiated REDIRECT -> POST binding
NameID format
The SAML 2.0 Protocol supports several NameID formats for communicating about a specific user. Webex App supports the following NameID formats.
In the metadata that you load from your IdP, the first entry is configured for use in Webex.
Integrate Control Hub with Microsoft Azure
The configuration guides show a specific example for SSO integration but do not provide exhaustive configuration for all possibilities. For example, the integration steps for nameid-format urn:oasis:names:tc:SAML:2.0:nameid-format:transient are documented. Other formats such as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress will work for SSO integration but are outside the scope of our documentation.
Set up this integration for users in your Webex organization (including Webex App, Webex Meetings, and other services administered in Control Hub). If your Webex site is integrated in Control Hub, the Webex site inherits the user management. If you can't access Webex Meetings in this way and it is not managed in Control Hub, you must do a separate integration to enable SSO for Webex Meetings. (See Configure Single Sign-On for Webex for more information in SSO integration in Site Administration.)
Before you begin
For SSO and Control Hub, IdPs must conform to the SAML 2.0 specification. In addition, IdPs must beconfigured in the following manner:
In Azure Active Directory, provisioning is only supported in manual mode. This document only covers single sign-on (SSO) integration.
Download the Webex metadata to your local system
1
From the customer view in https://admin.webex.com, go to Management > Organization Settings, and then scroll to Authentication, and then toggle on the Single sign-on setting to start the setup wizard.
2
Choose the certificate type for your organization:
Self-signed by Cisco—We recommend this choice. Let us sign the certificate so you only need to renew it once every five years.
Signed by a public certificate authority—More secure but you'll need to frequently update the metadata (unless your IdP vendor supports trust anchors).
Trust anchors are public keys that act as an authority to verify a digital signature's certificate. For more information, refer to your IdP documentation.
3
Download the metadata file.
The Webex metadata filename is idb-meta-<org-ID>-SP.xml.
If you cannot see the Azure Active Directory icon, click More services.
3
Go to Azure Active Directory for your organization.
4
Go to Enterprise Applications and then click Add.
5
Click Add an application from the gallery.
6
In the search box, type Cisco Webex.
7
In the results pane, select Cisco Webex, and then click Create to add the application.
8
To make sure that the Webex application you've added for single sign-on doesn't show up in the user portal, open the new application. Under Manage, click Properties, and set Visible to users? to No.
We don't support making Webex app visible to users.
9
Configure Single-Sign On:
Under Manage, click Single sign-on, and then under Select a single-sign on method, choose SAML.
Click Upload metadata file and then choose the metadata file that you downloaded from Control Hub.
Some fields are automatically filled out for you.
Under Manage, click Set up Single Sign-On with SAML, click Edit icon to open Basic SAML Configuration.
Copy the Reply URL value and paste it into Sign on URL, and then save your changes.
10
Go to Manage > Users and groups, and then choose the applicable users and groups that you want to grant access to Webex App.
11
On the Set up Single Sign-On with SAML page, in the SAML Signing Certificate section, click Download to download the Federation Metadata XML and save it on your computer.
Import the IdP metadata and enable single sign-on after a test
After you export the Webex metadata, configure your IdP, and download the IdP metadata to your local system, you are ready to import it into your Webex organization from Control Hub.
Before you begin
Do not test SSO integration from the identity provider (IdP) interface. We only support Service Provider-initiated (SP-initiated) flows, so you must use the Control Hub SSO test for this integration.
1
Choose one:
Return to the Control Hub – certificate selection page in your browser, and then click Next.
If Control Hub is no longer open in the browser tab, from the customer view in https://admin.webex.com, go to Management > Organization Settings, scroll to Authentication, and then choose Actions > Import Metadata.
2
On the Import IdP Metadata page, either drag and drop the IdP metadata file onto the page or use the file browser option to locate and upload the metadata file. Click Next.
You should use the More secure option, if you can. This is only possible if your IdP used a public CA to sign its metadata.
In all other cases, you must use the Less secure option. This includes if the metadata is not signed, self-signed, or signed by a private CA.
Okta does not sign the metadata, so you must choose Less secure for an Okta SSO integration.
3
Select Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.
If you receive an authentication error there may be a problem with the credentials. Check the username and password and try again.
A Webex App error usually means an issue with the SSO setup. In this case, walk through the steps again, especially the steps where you copy and paste the Control Hub metadata into the IdP setup.
To see the SSO sign-in experience directly, you can also click Copy URL to clipboard from this screen and paste it in a private browser window. From there, you can walk through signing in with SSO. This step stops false positives because of an access token that might be in an existing session from you being signed in.
4
Return to the Control Hub browser tab.
If the test was successful, select Successful test. Turn on SSO and click Next.
If the test was unsuccessful, select Unsuccessful test. Turn off SSO and click Next.
The SSO configuration does not take effect in your organization unless you choose first radio button and activate SSO.
What to do next
Use the procedures in Synchronize Okta Users into Cisco Webex Control Hub if you want to do user provisioning out of Okta into the Webex cloud.
Use the procedures in Synchronize Azure Active Directory Users into Cisco Webex Control Hub if you want to do user provisioning out of Azure AD into the Webex cloud.
You can follow the procedure in Suppress Automated Emails to disable emails that are sent to new Webex App users in your organization. The document also contains best practices for sending out communications to users in your organization.
Check the assertion that comes from Azure to make sure that it has the correct nameid format and has an attribute uid that matches a user in Webex App.
From the customer view in Control Hub ( https://admin.webex.com), go to Management > Organization Settings, scroll to Authentication and click Activate SSO setting to start the configuration wizard. Select Webex as your IdP and click Next.
Ensure that the Seamless SSO feature is still Enabled on your tenant. You can check the status by going to the Identity > Hybrid management > Microsoft Entra Connect > Connect Sync pane in the [Microsoft Entra admin center](https://portal.azure.com/).
OpenID, SAML and Oauth are the authentication protocols that Azure AD supports. OpenID and SAML are both authentication and authorization protocols. Oauth is an authorization protocol.
With SSO, a user logs in once, and gains access to all systems without being prompted to log in again at each of them. Active Directory (AD) is a directory service that provides a central location for network administration and security.
Security Assertion Markup Language, or SAML, is a standardized way to tell external applications and services that a user is who they say they are. SAML makes single sign-on (SSO) technology possible by providing a way to authenticate a user once and then communicate that authentication to multiple applications.
SCIM (System for Cross-domain Identity Management) Provisioning is a crucial feature in Single Sign-On (SSO) implementations with Azure AD. It simplifies user management, enabling organizations to automate the provisioning and deprovisioning of users across various applications and services.
Open Azure DevOps and access the project that you want to add a service connection to. Choose the settings icon in the lower-left side of the screen, and then choose Service connections. From New AWS service connection, choose AWS. This opens the Add AWS service connection form.
Introduction: My name is Neely Ledner, I am a bright, determined, beautiful, adventurous, adventurous, spotless, calm person who loves writing and wants to share my knowledge and understanding with you.
We notice you're using an ad blocker
Without advertising income, we can't keep making this site awesome for you.