Configuring single sign-on in Webex
Use the following minimum required settings to configure single sign-on (SSO) for Webex.
About this task
For more information on how to setup SSO for Webex, see Configure Single Sign-On for Cisco Webex Site on the Webex site.
You can customize your Webex configuration beyond the basics described here. However, the SP connection created by the connector template does not support the Webex Account Creation/Update options. These SAML assertion-based provisioning options conflict with the connector’s outbound provisioning methodology. |
Steps
-
Download your PingFederate SAML metadata file.
For more information, see Metadata export in the PingFederate documentation.
-
Sign on to your Webex administrator site.
-
In the upper-right corner, click your account, and then click Webex Administration.
-
Go to Configuration → Common Site Settings → SSO Configuration and in the Federation Protocol list, select SAML 2.0.
-
Click Import SAML Metadata, select the PingFederate metadata file that you downloaded, and then click Open.
If you receive a message asking whether you want to overwrite an existing certificate, click Yes.
-
Configure the fields based on the following table.
At a minimum, you must change the Webex default AuthnContextClassRef value, as specified in the table. This setting is not contained in the SAML metadata.
Field Description SSO Profile
If you want to enable both identity provider (IdP)- and service provider (SP)-initiated SSO, select SP Initiated.
Use this if you only want pre-authenticated users to be able to access Webex directly through another site, such as a company portal.
If you want to enable only IdP-initiated SSO, select IdP Initiated.
Use this if you want the SP-initiated behavior and also want users to be able to authenticate by clicking a link in Webex.
Webex SAML Issuer (SP ID)
If you are configuring a second (or greater) Webex Site for SSO, change this ID to match the Connection ID defined for the corresponding PingFederate SP connection.
The default value is http://www.webex.com.
Issuer for SAML (IdP ID)
The Entity ID for SAML 2.0 at your site, as shown on the PingFederate administrative console Federation Info tab.
Customer SSO Service Login URL
Your site’s PingFederate SAML 2.0 endpoint in the format:
https://<pf_host>:<pf_port>/idp/SSO.saml2
AuthnContextClassRef
-
If you customized the SAML_AUTHN_CTX value in Configuring provisioning and single sign-on, enter your custom value in this field.
-
Otherwise, enter the following:
urn:oasis:names:tc:SAML:2.0:ac:classes:Password
Default Webex Target page URL
The fully-qualified URL for your Webex site. For example, https://subdomain.webex.com.
-
-
Optional: If you selected SP Initiated SSO, select AuthnRequest Signed.
-
Optional: In the Destination URL field, paste the value from the Customer SSO Service Login URL field.
-
Click Update.