AWS IAM Identity Center (successor to AWS SSO) Integration Guide for Cisco Webex
Introduction
This document helps you configure IAM Identity Center to facilitate single sign-on (SSO) for Cisco Webex using SAML.
Prerequisites
You’ll need the following to set up SSO access to Cisco Webex:
- Access to the IAM Identity Center console with permissions to manage applications.
- A Cisco Webex account with admin permissions to configure SAML SSO.
Setup instructions
- On the Configure page, in the Details section, fill in the Display name and the Description (optional) of the application.
Note
We suggest that you choose a unique display name if you plan to have more than one instance of the same application.
Note
Cisco Webex supports the SP-initiated flow only. The Application start URL configured below is what lets the AWS access portal send users into that flow.
- Log in to your Cisco Webex account as an administrator (example: https://admin.webex.com).
- In the left navigation pane, choose Settings.
- On the Settings page, scroll down to Authentication and choose Modify below Single Sign-On.
- Choose the option Integrate a 3rd-party identity provider (Advanced), then choose Next.
- Choose Download Metadata File.
- Go back to the IAM Identity Center console page where you are configuring the application.
- Under Application properties, enter the following value, replacing every occurrence of DOMAINNAME with your Webex site’s domain name:
Field | Value |
---|---|
Application start URL | https://DOMAINNAME.webex.com/mw3300/mywebex/default.do?siteurl=DOMAINNAME&viewFrom=modern&login_return_url=https://DOMAINNAME.webex.com/webappng/sites/DOMAINNAME/dashboard?siteurl=DOMAINNAME |
- Open the Cisco Webex metadata file you downloaded and find the entityID and Location attributes (ID stands for the value in your file):
entityID=https://idbroker.webex.com/ID
Location=https://idbroker.webex.com/idb/Consumer/metaAlias/ID/sp
- Under Application metadata, select If you don’t have a metadata file, you can manually type your metadata values. Then enter these values:
Field | Value |
---|---|
Application ACS URL | https://idbroker.webex.com/idb/Consumer/metaAlias/ID/sp |
Application SAML audience | https://idbroker.webex.com/ID |
The Location attribute from the metadata file goes in the Application ACS URL field, and the entityID attribute goes in the Application SAML audience field.
- Choose Save Changes.
- Assign a user to the application in IAM Identity Center.
- Go back to the Cisco Webex administration console and choose Next on the Export Directory Metadata page.
- Download the IAM Identity Center metadata file.
- Below Import IdP Metadata, choose the file browser and select the IAM Identity Center metadata file you just downloaded.
- On the Test SSO setup page, choose Test SSO Connection.
- Type the credentials of a user assigned to the application in the IAM Identity Center console.
- Choose Sign In.
- You will now see the message Single Sign-on succeeded.
- Go back to the Cisco Webex administration console, choose The test was successful. Enable Single Sign On., then choose Save.
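The mapping used in the metadata step above (Location to Application ACS URL, entityID to Application SAML audience) can be pulled out of the Webex metadata file and sanity-checked instead of copied by hand. The script below is an added example, not part of the AWS guide or Cisco’s tooling; it runs against a constructed metadata sample that uses the placeholder EXAMPLE-ID where the real file carries Webex’s actual ID and signing certificate.

```python
"""Extract the two manual IAM Identity Center fields from Webex SP metadata.

Added example, not from the AWS guide or Cisco tooling. SAMPLE_METADATA is a
constructed stand-in for the file downloaded from Control Hub (placeholder
EXAMPLE-ID where the real file carries Webex's actual ID and certificate)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idbroker.webex.com/EXAMPLE-ID">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idbroker.webex.com/idb/Consumer/metaAlias/EXAMPLE-ID/sp"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def identity_center_fields(metadata_xml: str) -> dict:
    """Map SP metadata onto the Application ACS URL and SAML audience fields."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    sp = root.find("md:SPSSODescriptor", NS)
    if entity_id is None or sp is None:
        raise ValueError("not SAML 2.0 SP metadata")
    acs = sp.findall("md:AssertionConsumerService", NS)
    # Take the endpoint marked default, otherwise the first HTTP-POST one.
    chosen = (next((a for a in acs if a.get("isDefault") == "true"), None)
              or next((a for a in acs if a.get("Binding", "").endswith("HTTP-POST")), None))
    if chosen is None:
        raise ValueError("no HTTP-POST AssertionConsumerService")
    location = chosen.get("Location", "")
    # Sanity checks before typing the values into the console: assertions must
    # only be posted over HTTPS, and the ACS host should match the entityID host.
    if urlparse(location).scheme != "https":
        raise ValueError("ACS URL is not https: " + location)
    if urlparse(location).hostname != urlparse(entity_id).hostname:
        raise ValueError("ACS host differs from entityID host")
    return {"Application ACS URL": location,
            "Application SAML audience": entity_id}

if __name__ == "__main__":
    for field, value in identity_center_fields(SAMPLE_METADATA).items():
        print(field + ": " + value)
```

Point the script at the real downloaded file (read its contents in place of SAMPLE_METADATA) and copy the two printed values into the corresponding console fields.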
Verification
Use the following sections to verify the SSO integration.
Note
Ensure that the user performing the verification is logged out of both IAM Identity Center and the application before performing the steps in each section.
Verifying Service Provider Initiated SSO from Cisco Webex
- Browse to the Cisco Webex login page for your site. The login URL is of the form https://DOMAINNAME.webex.com.
- Choose Sign in.
- Type the email address of a user assigned to the application in the IAM Identity Center console, then choose Next.
- Type the credentials of that user, then choose Next.
- Choose Sign In.
- On the Cisco Webex home page, verify that both Cisco Webex and IAM Identity Center are logged in as the same user.
Troubleshooting
If sign-in was not successful, see the Troubleshooting section below.
Verifying SSO from IAM Identity Center
- Access the AWS access portal using the credentials of a user assigned to the Cisco Webex application.
- In the list of applications, choose Cisco Webex to initiate a login to Cisco Webex.
- Type the email address of a user assigned to the application in the IAM Identity Center console, then choose Next.
- If login was successful, you will be signed in to the Cisco Webex account.
Troubleshooting
If sign-in was not successful, see the Troubleshooting section below.
Troubleshooting
Error | Issue | Solution |
---|---|---|
Other | When IAM Identity Center creates a SAML assertion for a user, it uses the value of the 'email' field (if present) from the connected directory to populate the 'Email' attribute in the SAML assertion. Many service providers expect this attribute to contain the user’s email address. By default, your directory is configured to send 'windowsUPN' in both fields. | Your directory may be configured to hold the user’s email address in the 'Email' attribute instead. If so, you may need to change this in your connected directory settings. |
For general troubleshooting, refer to the Troubleshooting Guide.
User Provisioning Types
There are two user provisioning types you need to be aware of:
- Preprovisioned users
Preprovisioned users must already exist in the downstream SaaS application. For instance, you may need to create SaaS users with the same subject as the AD users.
- JIT users
JIT (Just-In-Time) users do not necessarily exist in the downstream SaaS application; they are provisioned (created or registered) the first time the user federates. You may need to enable the JIT option in your SaaS application for the AD domain.