---
title: Configuring provisioning and single sign-on
description: You can follow these steps to create a new service provider (SP) connection, or you can modify an existing connection.
component: webex
page_id: webex:setup:pf_webex_connector_configuring_provisioning_and_single_sign_on
canonical_url: https://docs.pingidentity.com/integrations/webex/setup/pf_webex_connector_configuring_provisioning_and_single_sign_on.html
revdate: July 5, 2024
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring provisioning and single sign-on

## About this task

|   |                                                                                                                        |
| - | ---------------------------------------------------------------------------------------------------------------------- |
|   | You can follow these steps to create a new service provider (SP) connection, or you can modify an existing connection. |

## Steps

1. In the PingFederate administrator console, configure the datastore that PingFederate will use as the source of user data.

   For instructions, see [Datastores](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_managedatasourcestasklet_managedatasourcesstate.html) in the PingFederate documentation.

   |   |                                                                                                                                                                                                                                                                      |
   | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | When targeting users and groups for provisioning, exclude the user account that you will use to administer users in your connection to Webex. This prevents the PingFederate provisioning engine from interfering with the account that provisions users and groups. |

2. Enable provisioning:

   1. Go to **System > Protocol Settings > Roles & Protocols** and select **Enable Identity Provider IdP Role and Support the Following**.

   2. Select **Outbound Provisioning**. Click **Save**.

3. Create an SP connection with the Webex quick connection template:

   1. Follow the steps in [Downloading your Webex SAML metadata file](pf_webex_connector_downloading_your_webex_saml_metadata_file.html).

   2. On the PingFederate **Identity Provider** tab, in the **SP Connections** section, click **Create new**.

   3. On the **Connection Template** tab, select **Use a template for this connection**.

   4. In the **Connection Template** list, select **Webex Connector**.

   5. Click **Choose File**, select the Webex metadata file that you downloaded, and then click **Open**. Click **Next**.

4. On the **Connection Type** tab, select **Browser SSO Profiles** and **Outbound Provisioning**.

5. In the **Type** list, select **Webex Connector**. Click **Next**.

6. On the **Connection Options** tab, click **Next**.

7. On the **General Info** tab, the basic connection information is populated by the metadata XML file. Click **Next**.

8. On the **Browser SSO** tab, configure single sign-on (SSO) settings. Click **Next**.

   Follow the steps in [Configure IdP Browser SSO](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spconnectionconfigtasklet_spbrowserssostate.html) in the PingFederate documentation, with the following specifics:

   1. Go to **Browser SSO > SAML Profiles** and select **IdP-initiated SSO** and **SP-initiated SSO**.

   2. **Optional:** Go to **Browser SSO > Assertion Creation > Attribute Contract** and extend the contract. Webex supports the following formats:

      * Unspecified

      * Email address

      * X509 subject name

      * Entity identifier

      * Persistent identifier

   3. **Optional:** Add the special `SAML_AUTHN_CTX` attribute.

   This indicates to the SP the type of credentials used to authenticate to the identity provider (IdP) application.

   1. Go to **Browser SSO > Assertion Creation > Authentication Source Mapping** to configure your authentication source mappings:

      * If you added the special `SAML_AUTHN_CTX` attribute, on the **Attribute Contract Fulfillment** tab, map the attribute to a text value, such as `urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified`.

   2. Go to **Browser SSO > Protocol Settings > Allowable SAML Bindings** and select **Post** and **Redirect**. Clear **Artifact** and **SOAP**.

   3. If you want to enable SP-initiated SSO, go to **Browser SSO > Protocol Settings > Signature Policy** and select **Require authn requests to be signed when received via the POST or Redirect bindings**.

9. On the **Credentials** tab, configure your credentials. Click **Next**.

   See [Configure credentials](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spconnectionconfigtasklet_credentialsstate.html) in the PingFederate documentation.

   1. Click **Configure Credentials**.

   2. Go to **Credentials > Digital Signature Settings** and in the **Signing Certificate** list, select a certificate to use to sign SAML assertions.

10. On the **Outbound Provisioning** tab, configure the provisioning target and channel. Click **Next**.

    See [Configuring outbound provisioning](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_spconnectionconfigtasklet_saasprovisioningstate.html) in the PingFederate documentation.

    1. Click **Configure Provisioning**.

    2. On the **Target** tab, complete the fields as follows.

       | Field          | Description                                                                                                                                       |
       | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
       | **Webex ID**   | Your Webex administrator username.                                                                                                                |
       | **Password**   | Your Webex administrator password.                                                                                                                |
       | **Site name**  | The subdomain of the **Site Brand Name(s)** listed on your Webex administration **Site Information** tab, such as *example* in example.webex.com. |
       | **Site ID**    | **Optional**:The **Site ID** listed on your Webex administration **Site Information** tab.                                                        |
       | **Partner ID** | **Optional**:The **Partner ID** listed on your Webex administration **Site Information** tab.                                                     |

       |   |                                                                                        |
       | - | -------------------------------------------------------------------------------------- |
       |   | PingFederate verifies the credentials when you activate the channel and SP connection. |

    3. Customize the provisioning connector actions. Click **Next**.

       See [Provisioning options](pf_webex_connector_provisioning_options.html).

    4. On the **Manage Channels** tab, create a channel. Click **Done**.

    See [Managing channels](https://docs.pingidentity.com/pingfederate/latest/administrators_reference_guide/help_saasmanagementtasklet_saasmanagementstate.html) in the PingFederate documentation.

11. On the **Activation and Summary** tab, above the **Summary** section, click the toggle to turn on the connection. Click **Save**.