|
|
Field
|
Description
|
SSO Profile
|
SP Initiated - A user visits a service provider (SP) site via a browser bookmark and first accesses resources that do not require special authentication or authorization. In a SAML-enabled deployment, when the user subsequently attempts to access a protected resource at the SP, the SP sends the user to the IdP with an authentication request so that the user can sign in.
AuthnRequest Signed Destination - When selected, a WebEx certificate and destination must be specified. This destination address must match the authnRequest signed configuration in the IAM.
|
IdP Initiated Target page URL Parameter - The user is authenticated at the IdP prior to accessing a protected resource at the Cisco WebEx service (SP).
|
WebEx SAML Issuer (SP ID)
|
The URI that identifies the Cisco WebEx Connect service as an SP. The configuration must match the settings in the customer Identity Access Management (IAM) system.
The default value is http://www.webex.com.
|
Issuer For SAML (IdP ID)
|
A URI that uniquely identifies the IdP. The configuration must match the settings in the customer IAM.
|
Customer SSO Service Login URL
|
URL for your enterprise's single sign-on service. Users in your enterprise will typically sign in via this URL.
|
You can export a SAML metadata WebEx SP configuration file.
Exported metadata fields include:
- AuthnRequestSigned Destination
- Issuer for SAML (IdP ID)
- Customer SSO Service Login URL
|
NameID Format
|
This field must match the IAM configuration. The following formats are supported:
- Unspecified (default)
- Email address
- X509 Subject Name
- Entity Identifier
- Persistent Identifier
|
AuthnContextClassRef
|
The SAML statement that describes the act of authentication at the identity provider. This field must match the IAM configuration.
|
Default WebEx Target page URL
|
Optional. Upon authentication, displays a target page assigned for the Web Client only. The request does not contain a RelayState parameter.
|
Customer SSO Error URL
|
Optional. In the event of an error, redirects to this URL with the error code appended in the URL.
|
Single Logout for Web Client
|
Check to require a sign out and set the logout URL. The IdP does not support SLO and does not participate in the SLO protocol.
Note: This option is only applicable to the web IM client.
|
Customer SSO Service Logout URL
|
Enter the URL to redirect to upon sign out. This field is active when Single Logout for Web Client is checked. This field must match the IAM configuration.
|
Auto Account Creation
|
Select to create a user account. UID, email, and first and last name fields must be present in the SAML assertion.
|
Auto Account Update
|
Specify the “updateTimeStamp” attribute in the SAML assertion and check this field to update an existing user account.
The “updateTimeStamp” value is the last update time of a user’s profile in the customer’s identity store. For example, in Active Directory, the “whenChanged” attribute has this value. If “updateTimeStamp” is not among the attributes, the user profile will not be updated after the last update. The profile is updated the first time the user profile is updated via Auto Account Update or Auto Account Creation.
Unchecked indicates no updates will occur.
|
Remove uid Domain Suffix for Active Directory UPN
|
The Active Directory domain part will be removed from the UPN when selected.
WebEx Connect uids require the email domain; therefore, checking this field will cause an error. In this case, use “ssoid” to identify the user.
The default is unchecked for SAML 2.0 and WS-Federation 1.0.
|
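A pre-flight check for the "must match the IAM configuration" fields above, as an added example that is not Cisco's code: it compares a test assertion from the IdP with the values entered in this form and checks the attributes that Auto Account Creation and Auto Account Update need. The IdP issuer, the AuthnContextClassRef value, the attribute names `uid`, `email`, `firstname` and `lastname`, and reading the SP ID from `Audience` are assumptions; the check does not verify signatures or validity conditions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SP-side settings from the table; all values except the default SP ID are constructed.
EXPECTED = {
    "Issuer For SAML (IdP ID)": "https://idp.example.com/saml",
    "WebEx SAML Issuer (SP ID)": "http://www.webex.com",
    "NameID Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "AuthnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}
REQUIRED_ATTRS = ("uid", "email", "firstname", "lastname")  # assumed attribute names

def check_assertion(xml_text, expected=EXPECTED, auto_update=False):
    """Return a list of mismatches between an assertion and the SP settings."""
    a = ET.fromstring(xml_text)  # for trusted test captures only, not untrusted XML
    nameid = a.find("saml:Subject/saml:NameID", NS)
    found = {
        "Issuer For SAML (IdP ID)": a.findtext("saml:Issuer", "", NS).strip(),
        "WebEx SAML Issuer (SP ID)": a.findtext(".//saml:Audience", "", NS).strip(),
        "NameID Format": nameid.get("Format", "") if nameid is not None else "",
        "AuthnContextClassRef": a.findtext(".//saml:AuthnContextClassRef", "", NS).strip(),
    }
    problems = [f"{k}: expected {v!r}, got {found[k]!r}"
                for k, v in expected.items() if found[k] != v]
    attrs = {at.get("Name"): (at.findtext("saml:AttributeValue", "", NS) or "").strip()
             for at in a.iterfind(".//saml:Attribute", NS)}
    needed = REQUIRED_ATTRS + (("updateTimeStamp",) if auto_update else ())
    problems += [f"attribute {n!r} missing or empty" for n in needed if not attrs.get(n)]
    return problems

def sample_assertion(attrs, nameid_format=EXPECTED["NameID Format"]):
    """Build a constructed, unsigned assertion for exercising the check."""
    rows = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                   f'</saml:AttributeValue></saml:Attribute>' for n, v in attrs.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}">'
            f'<saml:Issuer>https://idp.example.com/saml</saml:Issuer>'
            f'<saml:Subject><saml:NameID Format="{nameid_format}">jdoe</saml:NameID></saml:Subject>'
            f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>http://www.webex.com'
            f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            f'<saml:AuthnStatement><saml:AuthnContext><saml:AuthnContextClassRef>'
            f'{EXPECTED["AuthnContextClassRef"]}</saml:AuthnContextClassRef>'
            f'</saml:AuthnContext></saml:AuthnStatement>'
            f'<saml:AttributeStatement>{rows}</saml:AttributeStatement></saml:Assertion>')

if __name__ == "__main__":
    good = {"uid": "jdoe@example.com", "email": "jdoe@example.com", "firstname": "J", "lastname": "Doe"}
    print(check_assertion(sample_assertion(good)))                    # settings agree
    print(check_assertion(sample_assertion(good), auto_update=True))  # no updateTimeStamp sent
```

An empty list means the assertion agrees with the form; each entry otherwise names the field or attribute to correct on the IdP or in this configuration.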