Single Sign-On (SSO) Using SAML

The Webex Connect platform now supports web-based Single Sign-On (SSO) using the Security Assessment Mark-up Language (SAML). Webex Connect enterprise clients who want their employees to use their existing organizational credentials for logging into Webex Connect can avail this option.

Single sign-on (SSO) is available as an optional add-on for Webex Connect users and needs to be enabled before you can start using it. Get in touch with your account manager if you would like to use the SSO feature.

📘

SSO for tenant Owner

Owner can login via SSO or password depending on the SSO configurations.

Only an owner can configure the SSO settings and enable SSO for various users.

Prerequisites

You must have the Identity provider details like IDP (Identity Provider) login URL, Entity ID, and IDP certificate for successful user invitation. Also, make sure that the users' email addresses are present in IDP.

Obtain the following assertion data from the Webex Connect service provider:

📘

Attributes in assertion data

The attributes are case-sensitive and should be entered in the displayed cases above.

SSO Settings

To configure the SSO settings, follow the steps given below:

1. Navigate to Settings > Single Sign-On Settings.
2. Select from the following options under Log-in Settings. The settings you select here are applicable to all users across the platform, except for the owner.
   • Allow login with password - this option allows users to log in using an email ID and password-based basic authentication.
   • Allow login with Single-sign on (SSO) - this option allows users to log in using their existing organizational (Identity provider) credentials as per single sign-on configurations.

📘

If you select both the options, you can choose how each user logs in individually.

3. Select the Default Authentication For New Users. The available options are SSO and Password. The option you select here will be the default login mechanism for all the new users created from now on.

4. Select the SAML Version that the identity provider uses.
5. Provide the Identity Provider Login URL. This is the URL to which Webex Connect sends a SAML request to start the login sequence.
6. Provide the Entity ID. This is the unique URL that identifies your SAML Identity Provider (IDP). This entity ID must be the same as the <saml:issuer> attribute in the SAML assertion. You will get this URL at both the IDP end as well as at the service provider end but you would need to use only one of these URLs and use the same URL at both places.
7. Select a file for the Identity Provider Certificate.
8. Select the Request Signature Method. This is the hashing algorithm for encrypted requests. The supported methods are RSA-SHA1 and RSA-SHA256.
9. Optionally, if the identity provider encrypts SAML assertions, upload the Assertion Decryption Certificate.
10. Provide Webex ConnectService Provider Details. These details are required to configure the federated authentication, a single sign-on method that uses SAML assertions sent to an Webex Connect endpoint.

• Assertion Customer Service URL - the URL that the identity provider uses to verify SAML messages from Webex Connect.
• Identifier - the unique identifier for your tenant. Use it as entity id in the identity provider configuration.

11. Click Save to save the configuration details.

Inviting New Users

After you have configured the SSO settings, when you invite new users, an email will be sent for the invitation. If you have selected SSO as the default option, the new users do not need to create a password. The name and phone number of such users are captured during their first login.

📘

Password Reset

The password reset option is not applicable for users who are configured to login with SSO.

Password vs SSO

The following image illustrates how login works for existing and new users with password and SSO:

Testing your SSO configuration

Webex Connect allows you to test your SSO configuration by simply clicking a Test button after you have configured the SSO settings. Enter the Login Email ID of the user for whom you have enabled and want to test the SSO option for.

📘

Note

The 'Allow login with SSO' option should be selected to test SSO.

Follow the below steps to test SSO:

1. Click Allow login with Single Sign-on (SSO).
2. Select SSO from 'Default for New Users' option to enable SSO for the new users.
3. Configure the required settings.
4. Click Test.
   The Test Single Sign-On page appears.

5. Enter your Test Email ID (see below).
   The entered user ID should match with the user’s records provided to the IDP (Identity Provider) in order to successfully login.
6. Click Test.

The user will be directed to the login page of the entered ‘Identity Provider’s Login URL’. In case of a successful login, the user will be provided a ‘test session’ with Webex Connect.

In case, entered data do not match (e.g. due to the wrong id), an error message is thrown as received from IDP. For example:

Remote Log-off for SSO

Webex Connect has introduced Remote Logout functionality which allows a user that is active on multiple platforms/products to logout at once from everywhere simply from a single platform.

In order to enable remote logout, you need to provide “Remote Logout URL” under the SAML Settings on the Single Sign-On Settings page.

Remote logout URL is used to terminate session at IDP's end when the user logs out of Webex Connect(SP).”

On successful logout from Webex Connect for SSO enabled users, a session termination request is sent on remote logout URL.

Remote logout URL is used to terminate session at IDP end when user logs out of Webex Connect(SP).

Webex Connect (SP) will not delete any other active SP's session (other than Webex Connect when SSO user logouts of Webex Connect) and IDP should take action to delete other SP's sessions to achieve Single Logout.