Webex Provisioner

Configuring provisioning and single sign-on

About this task

You can follow these steps to create a new service provider (SP) connection, or you can modify an existing connection.

Steps

  1. In the PingFederate administrator console, configure the datastore that PingFederate will use as the source of user data.

    For instructions, see Datastores in the PingFederate documentation.

    When targeting users and groups for provisioning, exclude the user account that you will use to administer users in your connection to Webex. This prevents the PingFederate provisioning engine from interfering with the account that provisions users and groups.

  2. Enable provisioning:

    1. Go to System → Protocol Settings → Roles & Protocols and select Enable Identity Provider IdP Role and Support the Following.

    2. Select Outbound Provisioning. Click Save.

  3. Create an SP connection with the Webex quick connection template:

    1. Follow the steps in Downloading your Webex SAML metadata file.

    2. On the PingFederate Identity Provider tab, in the SP Connections section, click Create new.

    3. On the Connection Template tab, select Use a template for this connection.

    4. In the Connection Template list, select Webex Connector.

    5. Click Choose File, select the Webex metadata file that you downloaded, and then click Open. Click Next.

  4. On the Connection Type tab, select Browser SSO Profiles and Outbound Provisioning.

  5. In the Type list, select Webex Connector. Click Next.

  6. On the Connection Options tab, click Next.

  7. On the General Info tab, the basic connection information is populated by the metadata XML file. Click Next.

  8. On the Browser SSO tab, configure single sign-on (SSO) settings. Click Next.

    Follow the steps in Configure IdP Browser SSO in the PingFederate documentation, with the following specifics:

    1. Go to Browser SSO → SAML Profiles and select IdP-initiated SSO and SP-initiated SSO.

    2. Optional: Go to Browser SSO → Assertion Creation → Attribute Contract and extend the contract. Webex supports the following formats:

      • Unspecified

      • Email address

      • X509 subject name

      • Entity identifier

      • Persistent identifier

    3. Optional: Add the special SAML_AUTHN_CTX attribute.

    This indicates to the SP the type of credentials used to authenticate to the identity provider (IdP) application.

    1. Go to Browser SSO → Assertion Creation → Authentication Source Mapping to configure your authentication source mappings:

      • If you added the special SAML_AUTHN_CTX attribute, on the Attribute Contract Fulfillment tab, map the attribute to a text value, such as urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified.

    2. Go to Browser SSO → Protocol Settings → Allowable SAML Bindings and select Post and Redirect. Clear Artifact and SOAP.

    3. If you want to enable SP-initiated SSO, go to Browser SSO → Protocol Settings → Signature Policy and select Require authn requests to be signed when received via the POST or Redirect bindings.

  9. On the Credentials tab, configure your credentials. Click Next.

    See Configure credentials in the PingFederate documentation.

    1. Click Configure Credentials.

    2. Go to Credentials → Digital Signature Settings and in the Signing Certificate list, select a certificate to use to sign SAML assertions.

  10. On the Outbound Provisioning tab, configure the provisioning target and channel. Click Next.

    See Configuring outbound provisioning in the PingFederate documentation.

    1. Click Configure Provisioning.

    2. On the Target tab, complete the fields as follows.

      Field Description

      Webex ID

      Your Webex administrator username.

      Password

      Your Webex administrator password.

      Site name

      The subdomain of the Site Brand Name(s) listed on your Webex administration Site Information tab, such as example in example.webex.com.

      Site ID

      Optional:

      The Site ID listed on your Webex administration Site Information tab.

      Partner ID

      Optional:

      The Partner ID listed on your Webex administration Site Information tab.

      PingFederate verifies the credentials when you activate the channel and SP connection.

    3. Customize the provisioning connector actions. Click Next.

    4. On the Manage Channels tab, create a channel. Click Done.

    See Managing channels in the PingFederate documentation.

  11. On the Activation and Summary tab, above the Summary section, click the toggle to turn on the connection. Click Save.