CLS-2601 - Webex Identity, Provisioning, Authentication, and Authorization


© 2024 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Webex Identity, Provisioning, Authentication, and Authorization

Scott Kiewert – Technical Marketing Engineer


October 21, 2024



Agenda
• Introduction
• Provisioning: Manual, Automated, and Just-in-Time
• Authentication and Authorization
• Single Sign-on – SAML and OpenID Connect
• Troubleshooting
• References and Feedback

Introduction

Safe Harbor
This presentation contains forward looking statements that involve risks, uncertainties and assumptions. If the risks
and uncertainties ever materialize or the assumptions prove incorrect, our results may differ materially from those
expressed or implied by such forward-looking statements. All statements other than statements of historical fact
could be deemed forward-looking, including, but not limited to, any projections of financial information; any
statements about historical results that may suggest trends for our business; any statements of the plans, strategies
and objectives of management for future operations; any statements of expectation or belief regarding future events,
underlying any of the foregoing.

These statements are based on estimates and information available to us at the time of this presentation and are not
guarantees of future performance. Actual results could differ materially from our current expectations as a result of
the many factors, including but not limited to: the unpredictable nature of our rapidly evolving market and quarterly
fluctuations in our business; the effects of competition; and any adverse changes in our indirect channel relationships.
These and other risks and uncertainties associated with our business are described in the company’s annual report on
Form 10-K. The forward-looking statements in this presentation are made as of the date of the initial publication of
this presentation, and we disclaim any obligation to update these statements at any time in the future.

Digital Identity and Access Management

Digital Identity
A digital identity is a central source of truth in identity and access management. It refers to the credentials that a user needs to gain access to resources online or on an enterprise network. IAM solutions match these credentials, known as authentication factors, to users or entities that are requesting access to applications, primarily at the Layer 7 level. The factors help verify that users are who they say they are.

Identity Access Management
Identity and access management (IAM) is the practice of making sure that people and entities with digital identities have the right level of access to enterprise resources like networks and databases. User roles and access privileges are defined and managed through an IAM system.

Provisioning

Provisioning Methods
• Manual: Administrators can manually create individual user accounts in Control Hub.
• CSV Import: Administrators can add user accounts in bulk by importing a CSV file into Control Hub.
• Self-registration: Users can create their own account when a domain has been claimed in an organization.
• Social Sign-in: Users can register and sign in to Webex using certain external accounts (Apple, Google, Facebook, Microsoft).
• API: Administrators can create, update, or delete user accounts via API (People or SCIM2).
• SCIM 2.0: Use SCIM 2.0 protocol to create user accounts.
• Azure AD Wizard: Utilizes a combination of SCIM 1.0 and the Graph API to synchronize users from Entra ID.
• Directory Connector: Use the Directory Connector application to synchronize user accounts between an on-premises Active Directory server and Webex.
• CCUC: Sync users from Unified CM to Webex.
• SAML JIT: Create and/or update user accounts after successful SSO login.

https://help.webex.com/en-us/article/nj34yk2/Ways-to-add-users-to-your-Control-Hub-organization
Provisioning Method Comparison

| Functions / Features | Directory Connector | Azure AD Wizard | Entra ID App (Cisco Webex Identity Application)¹ | Okta (SCIM 2.0)¹ |
| Sync Users (Create, Delete, Update) | ✓ | ✓ | ✓ | ✓ |
| Allows local Webex user creation | | ✓ | ✓ | ✓ |
| Filter/Select users or groups-of-users to sync | ✓ | ✓ | ✓ | ✓ |
| Soft-Delete/Recover Inactive User | ✓ | ✓ | ✓ | ✓ |
| Sync Groups | ✓ | ✓ | (2H CY24)³ | ✓ |
| Sync Avatar | ✓ | ✓ | | |
| Attribute Sync/Mapping | ✓ (30) | ✓ (15) | ✓ (15) | ✓ (29) |
| 2nd Work Number/Extension Attribute | ✓ | | | TBD³ |
| Full & Incremental sync options | ✓ | | In Entra ID | |
| Manual/Force sync option | ✓ | | In Entra ID | ✓ |
| On-Demand User Provisioning | | ✓ | In Entra ID | ✓ |
| Dry-Run (pre-check) | ✓ | ✓ | | TBD |
| Sync report | ✓ | ✓² | ✓² | ✓ |
| Support multiple sync source | | ✓ | ✓ | ✓ |
| Exclusive sync source/Single source of truth | ✓ | (2H CY24)³ | (2H CY24)³ | (2H CY24)³ |
| Sync Room Objects | ✓ | ✓ | | NA |
| Domain Verification | | ✓ | ✓ | |
| User’s Manager | ✓ | ✓ | | |
| Sync Org Contacts | ✓ | | | |
| Multiple Emails | ✓ | (2H CY24)⁴ | | TBD³ |
https://help.webex.com/en-us/article/nj34yk2/Ways-to-add-users-to-your-Control-Hub-organization
Verify Domain
• Proves ownership of domain.
• Claim users that signed up with your domain in other Webex organizations into your organization.
• Email addresses with verified domains can still be used in other organizations.
(Screenshot: DNS Verification)
Claim Domain
• Claiming a domain prevents users with an email in that domain from being created in other orgs.
• Users created in other orgs prior to the domain being claimed are not affected. These users can be claimed to your org manually.
• Users can still self-register or invite other users and they will be created in your org unless Directory Connector is enabled.
• Self-registration can be disabled.
Verified vs Claimed Domains

| Verified Domain | Claimed Domain |
| Existing Webex users can be claimed from other orgs. | Existing Webex users can be claimed from other orgs. |
| New users can be created in other orgs. | New users cannot be created in other orgs. Users that self-register will automatically be created in your org. |
| Since verified domains can be used in other orgs, self-registration cannot be disabled. | Self-registration for claimed domains can be disabled. |

https://help.webex.com/en-us/article/cd6d84/Manage-Your-Domains

Provisioning – Manual and CSV
• Manually add users via Control Hub.
• Bulk add users via CSV file.
• Useful for one-off user additions.
• High administrative overhead.
Provisioning – Directory Connector
• Directory Connector is an on-premises application for identity synchronization from Active Directory to Webex.
• Feature-rich option that can do everything except configure SSO.
• Acts as a single source of truth for identity information on Webex. When Directory Connector is enabled, users cannot be provisioned through other means.
• Only option for syncing org contacts, 2nd work number / extension.
• Supports full and incremental sync, avatar sync, and dry-runs.
https://help.webex.com/en-us/article/zqvufbb/Deployment-Guide-for-Directory-Connector

System for Cross-domain Identity Management (SCIM)
• IETF standard for exchanging identity information between entities.
• Webex supports both the Core Schema and Enterprise Extension Schema.
• Interoperability between Webex and SCIM 2.0 compliant clients for user provisioning to Webex.
(Diagram: Identity Management Platform exchanging Users and Groups with Webex)
SCIM 2.0 Bulk, Users, and Groups API
• Users: Create, search, update, delete users.
• Groups: Create, search, update, delete groups.
• Bulk: Create, update, or remove multiple users or groups. The number of operations in a bulk request is limited to 100.
https://developer.webex.com/docs/scim-2-overview

SCIM 2.0 Application – Okta Integration Network
An application that utilizes the SCIM 2.0 endpoints for provisioning is now available in the Okta Integration Network.

Azure AD Wizard

Azure AD Wizard – New Configuration (Defaults)

Azure AD Wizard – Manual Configuration
Manual config (or editing existing
config) allows for granular control
over synchronization:
• Selected users
• Selected groups
• Attribute mappings
• Avatar sync

Azure AD Wizard – Attribute Mapping

| Entra ID Attribute (source) | Webex User Attribute (target) |
| userPrincipalName | userName |
| displayName | displayName |
| surname | name.familyName |
| givenName | name.givenName |
| objectId | externalId |
| jobTitle | title |
| usageLocation | addresses[type eq "work"].country |
| city | addresses[type eq "work"].locality |
| streetAddress | addresses[type eq "work"].streetAddress |
| state | addresses[type eq "work"].region |
| postalCode | addresses[type eq "work"].postalCode |
| telephoneNumber | phoneNumbers[type eq "work"].value |
| mobile | phoneNumbers[type eq "mobile"].value |
| facsimileTelephoneNumber | phoneNumbers[type eq "fax"].value |
| manager | manager |
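The mapping table above and the 100-operation bulk limit from the SCIM 2.0 API slide, worked through in code. This is an added example, not Cisco's or the wizard's own code: it builds a core-schema SCIM User from an Entra ID user by interpreting the target paths (including the filtered `addresses[type eq "work"]` and `phoneNumbers[type eq "work"]` forms), then packs mapped users into BulkRequest bodies that never exceed 100 operations. The sample Entra user is constructed.

```python
"""Added example, not Cisco's code: map an Entra ID user onto a SCIM 2.0 User
using the wizard's target paths, then pack resources into BulkRequests."""
import json
import re
from typing import Any

# Source -> target pairs exactly as listed on the attribute-mapping slide.
ATTRIBUTE_MAP = {
    "userPrincipalName": "userName",
    "displayName": "displayName",
    "surname": "name.familyName",
    "givenName": "name.givenName",
    "objectId": "externalId",
    "jobTitle": "title",
    "usageLocation": 'addresses[type eq "work"].country',
    "city": 'addresses[type eq "work"].locality',
    "streetAddress": 'addresses[type eq "work"].streetAddress',
    "state": 'addresses[type eq "work"].region',
    "postalCode": 'addresses[type eq "work"].postalCode',
    "telephoneNumber": 'phoneNumbers[type eq "work"].value',
    "mobile": 'phoneNumbers[type eq "mobile"].value',
    "facsimileTelephoneNumber": 'phoneNumbers[type eq "fax"].value',
    "manager": "manager",
}
SCIM_BULK_MAX_OPERATIONS = 100  # cap stated on the SCIM 2.0 Bulk API slide

# Matches a filtered multi-valued attribute such as addresses[type eq "work"].
_FILTER = re.compile(r'^(\w+)\[(\w+) eq "([^"]+)"\]$')


def set_scim_path(resource: dict, path: str, value: Any) -> None:
    """Assign value at a SCIM path: a simple attribute (title), a complex
    sub-attribute (name.givenName) or a filtered multi-valued entry
    (phoneNumbers[type eq "work"].value). Entries sharing a filter are merged."""
    head, _, tail = path.partition(".")
    match = _FILTER.match(head)
    if match:
        attr, key, wanted = match.groups()
        entries = resource.setdefault(attr, [])
        entry = next((e for e in entries if e.get(key) == wanted), None)
        if entry is None:
            entry = {key: wanted}
            entries.append(entry)
        entry[tail] = value
    elif tail:
        set_scim_path(resource.setdefault(head, {}), tail, value)
    else:
        resource[head] = value


def map_entra_user(entra_user: dict) -> dict:
    """Build a core-schema SCIM User from an Entra ID user object,
    skipping source attributes that are absent or empty."""
    user = {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"]}
    for source, target in ATTRIBUTE_MAP.items():
        value = entra_user.get(source)
        if value not in (None, ""):
            set_scim_path(user, target, value)
    return user


def build_bulk_requests(users: list) -> list:
    """One POST /Users operation per mapped user, split into BulkRequest
    bodies so that no request exceeds the 100-operation limit."""
    ops = [{"method": "POST", "path": "/Users", "bulkId": f"u{i}", "data": u}
           for i, u in enumerate(users)]
    return [{"schemas": ["urn:ietf:params:scim:api:messages:2.0:BulkRequest"],
             "Operations": ops[i:i + SCIM_BULK_MAX_OPERATIONS]}
            for i in range(0, len(ops), SCIM_BULK_MAX_OPERATIONS)]


# Constructed sample input; the values are hypothetical.
SAMPLE_ENTRA_USER = {
    "userPrincipalName": "jdoe@example.com",
    "displayName": "Jane Doe",
    "givenName": "Jane",
    "surname": "Doe",
    "objectId": "00000000-0000-0000-0000-000000000001",
    "usageLocation": "US",
    "city": "Raleigh",
    "telephoneNumber": "+1 919 555 0100",
    "mobile": "+1 919 555 0101",
    "jobTitle": "",  # empty source value: must not produce a "title" attribute
}

if __name__ == "__main__":
    mapped = map_entra_user(SAMPLE_ENTRA_USER)
    print(json.dumps(mapped, indent=2))
    batches = build_bulk_requests([mapped] * 250)
    print([len(b["Operations"]) for b in batches])  # [100, 100, 50]
```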

Azure AD Wizard - Users
• Sync all users in the Entra ID tenant or sync only selected users.
• Syncing many users is easily accomplished by utilizing groups.

Azure AD Wizard – Groups
Sync group members
Webex will sync individual users in the group. Syncing users from a group will not sync the group object. To sync group objects, go to Options and enable the option Sync group objects.

Sync children groups
Webex will only sync individual users in the child group, but not the group objects. To sync group objects, go to Options and enable the option Sync group objects.
Azure AD Wizard – More
Sync group objects
Syncs the group object and group membership from Entra ID. Can be used for licensing and settings templates along with routing for SSO (Multiple IdP).

Activate single sign-on
Automatically creates and configures an app on Entra ID to enable SSO (using OpenID Connect).

Identify and sync room objects
Sync room resources from Entra ID into Webex.

Azure AD Wizard – App Migration

Additional Provisioning and Identity Features

Multi-factor Authentication
MFA can be enabled in 3 different ways.
• MFA is enabled but optional for each user.
• MFA is required when accessing Control Hub but not required for anything else.
• MFA is mandatory for all users in an org that are accessing any Webex service.

User Attributes
Required User Attributes
• Administrators can specify attributes required for user provisioning. By default, only email is required.
• If an attribute is marked as required but it is not provided during user synchronization, provisioning will fail.

User Attributes
User Editable Attributes and Pronouns
• Administrators can give users the ability to edit certain synced attributes.
• These attributes will reflect only in Webex and will not affect the directory source.
• Modified value can be overwritten upon next sync.
• Enabling allow pronouns will allow users to either select from a dropdown (English Webex app only) or enter a custom value.
• If syncing via Directory Connector, custom values are not available.

Alternative Emails
• Allows users to authenticate with Webex using a different email address than their primary.
• Provides flexibility because the email address for calendar management must map to the primary email address field in Webex but the alternative email(s) can be used for authentication and to search users in Webex.
• Alternative email addresses must be unique.
• The domain for an alternative email address must either be verified or claimed.

Administrator-Initiated Password Reset
• Admins can initiate a password reset for a user from Control Hub.
• Only for users whose password is managed by Webex.
• User receives email link to reset password.
• Useful in scenarios such as:
  • Password compromised
  • Helpdesk requests
  • User-requested reset

Hide selected users/devices from search
Admins can hide select users or shared devices (workspace) so
they cannot be searched by name.
Hiding a user also hides devices associated to that user.
When a workspace is hidden, all devices in that space will be
hidden.
Hidden users and devices will still be searchable by org admins
and other users who have hidden accounts.
Limitations:
• Users who know the complete email address for a hidden user can
still connect with that user.
• DX, MX, SX series devices will bypass this feature and return
hidden users/devices.
• Devices with proximity enabled can be detected.

Manage Access and Token TTL
• Admins have granular control over which types of clients can access Webex.
• Admins can control token specifics per client type:
  • Auto update refresh token
  • Refresh token validity period
  • Max number of refresh tokens per user
  • Amount of time an access token is valid
• Gives administrators the ability to apply a stricter security posture.
• Available now

Federated Organizations
• Organizations can be linked to allow for user cross-org room and user searching.
  • Name and email address
  • Presence
• Users can schedule meetings in public rooms from other federated orgs.
• Both orgs must enable ‘Allow federated organizations’ in Organization Settings.
• An admin in org A must send a request to other org(s) for approval to federate.
• Admins in org(s) B and C will now see the pending request.

License and Settings Templates
• License and settings templates drastically reduce administrative overhead by applying the correct licenses and settings to user(s) during provisioning.
• Licenses can be applied org-wide or based on the group(s) of which the user is a member.
• Settings templates for each Webex feature can be applied based on group membership.
https://help.webex.com/en-us/article/n3ijtao/Set-up-automatic-license-assignments-in-Control-Hub
https://help.webex.com/en-us/article/n5uf91x/Configure-settings-templates

Multiple Identity Providers (IdPs)
• Useful in complex deployments under certain circumstances:
  • Mergers and acquisitions
  • Global enterprises with subsidiaries utilizing different IT organizations
  • Partners who use Webex as a consumer service
  • Institutions with organizations or departments utilizing multiple IT organizations
• Requires Extended Security Pack (ESP)
https://help.webex.com/en-us/article/ngp4sr8/SSO-with-multiple-IdPs-in-Webex

Multiple IdPs – Routing Rules
• Users can be routed based on their
group or domain.
• Rules can contain multiple groups or
domains.
• Routing rules will be checked in order
when routing users.
• Rules should be ordered from most specific
to least specific.
• Domains must be verified or claimed in
order to be added to a routing rule.
• If a user does not match any rules, they
will be routed using the default rule.

Multiple IdPs Example
Rule 1
• Group-based rule
• Group name – localauth
• Authentication – Webex

Rule 2
• Domain-based rule
• Domain – sckiewer.com
• Authentication – Azure AD (Entra ID)

Rule 3
• Default rule
• Authentication – Okta

Multiple IdPs – Security Implications
• This feature is targeted for solving issues in very
complex scenarios.
• Some common customer scenarios can be solved with
the simpler External Users feature.
• Federation is generally supported by most IdPs and is
recommended over this feature.
• This feature exists because collaboration admins
sometimes don't have access to set up federation on
the IdP side (or their company policy forbids it).
• Audit events have been added for multiple IdP to
ensure any unauthorized changes are tracked.
• This feature differentiates Webex from other
collaboration platforms.

Security Assertion Markup Language (SAML) and OpenID Connect (OIDC)

Single Sign-On - SAML
• SAML is an XML-based standard for exchanging AuthN and AuthZ data between an Identity Provider (IdP) and Service Provider (SP).
• Webex utilizes an SP-initiated login flow (user attempts to access Webex and is subsequently redirected to the IdP for authentication).
• If an SSO failure prevents users from logging in, an admin can make changes to SSO config using the recovery URL (https://admin.webex.com/manage-sso).
• Config guides for the most common IdPs: https://help.webex.com/en-us/article/lfu88u/Single-Sign-On-Integration-in-Control-Hub

Webex Login Flow - SAML

1) User initiates log in attempt


2) Webex redirects client to Duo (HTTP 302)

Webex Login Flow - SAML

<samlp:AuthnRequest
    ID="s2ccffe5a3ebe2b7836ae8f4655962854255204da7"
    Destination="https://sso-253ed3cb.sso.duosecurity.com/saml2/sp/DIJO4JTZZQX0K1VAT0WP/sso"
    AssertionConsumerServiceURL="https://idbroker.webex.com/idb/Consumer/metaAlias/ef70fae6-b079-45e6-901e-0a1ba9856721/sp" >
</samlp:AuthnRequest>
Webex Login Flow - SAML

7) Client returns to Webex with assertion from Duo

SAML Assertion Analysis
<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_5d951be3-7d3e-4aab-8d39-f8d03659fa9b" IssueInstant="2024-05-21T20:17:31.762Z" Version="2.0">
  <Issuer>https://sso-253ed3cb.sso.duosecurity.com/saml2/sp/DIJO4JTZZQX0K1VAT0WP/metadata</Issuer>
  <Subject>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData InResponseTo="s2ccffe5a3ebe2b7836ae8f4655962854255204da7"
        Recipient="https://idbroker.webex.com/idb/Consumer/metaAlias/ef70fae6-b079-45e6-901e-0a1ba9856721/sp"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2024-05-21T20:17:31.746Z" NotOnOrAfter="2024-05-21T21:17:31.746Z">
  </Conditions>
  <AttributeStatement>
    <Attribute Name="uid">
      <AttributeValue>[email protected]</AttributeValue>
    </Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2024-05-21T14:33:09.647Z" SessionIndex="_5d951be3-7d3e-4aab-8d39-f8d03659fa9b">
    <AuthnContext>
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>
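The checks the Service Provider side applies to the assertion above before accepting the login, as an added example that is not Cisco's or Duo's code. It ties InResponseTo back to the AuthnRequest ID from the earlier slide, checks Recipient against the AssertionConsumerService URL, enforces the Conditions window, and flags that AuthnInstant is hours older than IssueInstant (the IdP reused an existing session). The embedded assertion is a copy of the one above with a placeholder uid; signature verification against the IdP certificate must happen before these checks and is not shown.

```python
"""Added example, not Cisco's or Duo's code: the checks a SAML Service Provider
applies to the assertion above before trusting it. Signature verification
against the IdP metadata certificate must precede these checks (not shown)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# What the SP already knows: the IdP entity ID from its metadata, our own ACS
# URL, and the IDs of AuthnRequests we issued and have not yet seen answered.
EXPECTED_ISSUER = "https://sso-253ed3cb.sso.duosecurity.com/saml2/sp/DIJO4JTZZQX0K1VAT0WP/metadata"
ACS_URL = "https://idbroker.webex.com/idb/Consumer/metaAlias/ef70fae6-b079-45e6-901e-0a1ba9856721/sp"
OUTSTANDING_REQUEST_IDS = {"s2ccffe5a3ebe2b7836ae8f4655962854255204da7"}

# Copy of the slide's assertion; the uid value is a placeholder.
ASSERTION = f"""<Assertion xmlns="{NS['saml']}" ID="_5d951be3-7d3e-4aab-8d39-f8d03659fa9b"
  IssueInstant="2024-05-21T20:17:31.762Z" Version="2.0">
  <Issuer>{EXPECTED_ISSUER}</Issuer>
  <Subject>
    <SubjectConfirmation Method="{BEARER}">
      <SubjectConfirmationData InResponseTo="s2ccffe5a3ebe2b7836ae8f4655962854255204da7"
        Recipient="{ACS_URL}"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotBefore="2024-05-21T20:17:31.746Z" NotOnOrAfter="2024-05-21T21:17:31.746Z"/>
  <AttributeStatement>
    <Attribute Name="uid"><AttributeValue>user@example.com</AttributeValue></Attribute>
  </AttributeStatement>
  <AuthnStatement AuthnInstant="2024-05-21T14:33:09.647Z" SessionIndex="_5d951be3-7d3e-4aab-8d39-f8d03659fa9b">
    <AuthnContext>
      <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>"""


def parse_ts(value):
    """Parse SAML xs:dateTime (UTC with fractional seconds and trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now, expected_issuer=EXPECTED_ISSUER, acs_url=ACS_URL,
                    request_ids=OUTSTANDING_REQUEST_IDS, max_authn_age_s=None):
    """Return (uid, problems). An empty problems list means the assertion is
    acceptable for the SP-initiated flow; any entry should reject the login."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        problems.append("Issuer is not the configured IdP")
    scd = root.find(f"saml:Subject/saml:SubjectConfirmation[@Method='{BEARER}']"
                    "/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no bearer SubjectConfirmationData")
    else:
        # InResponseTo ties the assertion to the AuthnRequest Webex sent; an
        # unsolicited or replayed assertion fails here.
        if scd.get("InResponseTo") not in request_ids:
            problems.append("InResponseTo does not match an outstanding AuthnRequest ID")
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient is not our AssertionConsumerService URL")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Conditions missing")
    else:
        if now < parse_ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if now >= parse_ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")
    # On the slide AuthnInstant precedes IssueInstant by hours: the IdP reused an
    # existing session rather than re-authenticating. Enforce a policy if wanted.
    authn = root.find("saml:AuthnStatement", NS)
    if authn is not None and max_authn_age_s is not None:
        age = (parse_ts(root.get("IssueInstant")) - parse_ts(authn.get("AuthnInstant"))).total_seconds()
        if age > max_authn_age_s:
            problems.append(f"session reused: authenticated {age / 3600:.1f} h before issuance")
    uid = root.findtext("saml:AttributeStatement/saml:Attribute[@Name='uid']/saml:AttributeValue",
                        namespaces=NS)
    if not uid:
        problems.append("uid attribute missing")
    return uid, problems


if __name__ == "__main__":
    print(check_assertion(ASSERTION, parse_ts("2024-05-21T20:18:00.000Z"), max_authn_age_s=3600))
```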

SAML Just-in-Time (JIT) User Create and Update
• Users can be created using information provided by the IdP during an SSO login.
• Attribute mappings are configurable in the SSO wizard.
• Can be restricted to only allow user creation but not updates, or for both options to be enabled.
• Using JIT, users can now be added to Webex groups after a successful login (provided that the IdP sends a valid attribute and group ID).
https://help.webex.com/en-us/article/nsjpi6h/SAML-Auto-Account-Creation-and-Update-for-Control-Hub#_2877a2c2-882f-4325-a2a2-1f78ac2b10e8

What is OpenID Connect (OIDC)?
• OpenID Connect adds an authentication layer to the robust OAuth 2.0 protocol.
• Utilizes ID tokens (Base64-encoded JSON Web Tokens (JWT)) to encode claims.
• Provides multiple flows for different applications and security requirements.
• Less complexity and administrative overhead when compared to SAML.

Terminology:
• Authorization Server
• Response Type
• Redirect URI
• Authorization Code
• Authorization Grant
• ID Token
• Access Token
• Scope
• Claim

OpenID Connect
Client Secret
The client secret may require rotation depending on your IdP.
• Entra ID requires rotation at least every two years.
• Okta does not require rotation.
Rotating the key regularly is a security best practice.

OpenID Connect
Endpoints
OpenID Connect uses a Well-known URI (Discovery URL) to provide addresses to a client for use during a login attempt.
Entra ID example: https://login.microsoftonline.com/8a3c8e9d-c3d6-49d9-8ca8-0d91988b2bff/v2.0/.well-known/openid-configuration

OpenID Connect
Well-known URI (Discovery URL)

{
  "token_endpoint": "https://login.microsoftonline.com/8a3c8e9d-c3d6-49d9-8ca8-0d91988b2bff/oauth2/v2.0/token",
  "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt", "client_secret_basic"],
  "jwks_uri": "https://login.microsoftonline.com/8a3c8e9d-c3d6-49d9-8ca8-0d91988b2bff/discovery/v2.0/keys",
  "response_modes_supported": ["query", "fragment", "form_post"],
  "subject_types_supported": ["pairwise"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "response_types_supported": ["code", "id_token", "code id_token", "id_token token"],
  "scopes_supported": ["openid", "profile", "email", "offline_access"],
  "issuer": "https://login.microsoftonline.com/8a3c8e9d-c3d6-49d9-8ca8-0d91988b2bff/v2.0",
  "request_uri_parameter_supported": false,
  "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
  "authorization_endpoint": "https://login.microsoftonline.com/8a3c8e9d-c3d6-49d9-8ca8-0d91988b2bff/oauth2/v2.0/authorize",
  "device_authorization_endpoint": "https://login.microsoftonline.com/8a3c8e9d-c3d6-49d9-8ca8-0d91988b2bff/oauth2/v2.0/devicecode",
  "http_logout_supported": true,
  "frontchannel_logout_supported": true,
  "end_session_endpoint": "https://login.microsoftonline.com/8a3c8e9d-c3d6-49d9-8ca8-0d91988b2bff/oauth2/v2.0/logout",
  "claims_supported": ["sub", "iss", "cloud_instance_name", "cloud_instance_host_name", "cloud_graph_host_name", "msgraph_host", "aud", "exp", "iat", "auth_time", "acr", "nonce", "preferred_username", "name", "tid", "ver", "at_hash", "c_hash", "email"],
  "kerberos_endpoint": "https://login.microsoftonline.com/8a3c8e9d-c3d6-49d9-8ca8-0d91988b2bff/kerberos",
  "tenant_region_scope": "NA",
  "cloud_instance_name": "microsoftonline.com",
  "cloud_graph_host_name": "graph.windows.net",
  "msgraph_host": "graph.microsoft.com",
  "rbac_url": "https://pas.windows.net"
}

• token_endpoint - used by the client to exchange an authorization code for access, refresh, and/or ID tokens.
• jwks_uri - contains the signing key(s) the Relying Party (Webex) uses to validate signatures from the OpenID Provider (IdP).
• response_types_supported - JSON array containing a list of the OAuth 2.0 response_type values that this OpenID Provider supports.
• scopes_supported - JSON array containing a list of the OAuth 2.0 scope values that this server supports.
• issuer – HTTPS URL identifying the OpenID Provider that is issuing the token(s).
• userinfo_endpoint – returns claims about an authenticated end-user.
• authorization_endpoint – responsible for authenticating the end user.
• claims_supported – JSON array containing a list of the claims for which the OpenID Provider MAY be able to supply information.

OpenID Connect
Configuration
There are some quality-of-life improvements with OIDC:
• No metadata file exchange
• No certificates to manage
• Granular control over data with scopes
OIDC requires a Client ID, Client Secret, and a discovery URL that allows Webex to retrieve endpoint URLs from the IdP.
If preferred, endpoints can be configured manually rather than using the discovery URL.

OpenID Connect
Example ID Token Decoded

Token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6IjFMVE16YWtpaGlSbGFfOHoyQkVKVlhlV01xbyJ9.eyJ2ZXIiOiIyLjAiLCJpc3MiOiJodHRwczovL2xvZ2luLm1pY3Jvc29mdG9ubGluZS5jb20vOTEyMjA0MGQtNmM2Ny00YzViLWIxMTItMzZhMzA0YjY2ZGFkL3YyLjAiLCJzdWIiOiJBQUFBQUFBQUFBQUFBQUFBQUFBQUFJa3pxRlZyU2FTYUZIeTc4MmJidGFRIiwiYXVkIjoiNmNiMDQwMTgtYTNmNS00NmE3LWI5OTUtOTQwYzc4ZjVhZWYzIiwiZXhwIjoxNTM2MzYxNDExLCJpYXQiOjE1MzYyNzQ3MTEsIm5iZiI6MTUzNjI3NDcxMSwibmFtZSI6IkFiZSBMaW5jb2xuIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiQWJlTGlAbWljcm9zb2Z0LmNvbSIsIm9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC02NmYzLTMzMzJlY2E3ZWE4MSIsInRpZCI6IjkxMjIwNDBkLTZjNjctNGM1Yi1iMTEyLTM2YTMwNGI2NmRhZCIsIm5vbmNlIjoiMTIzNTIzIiwiYWlvIjoiRGYyVVZYTDFpeCFsTUNXTVNPSkJjRmF0emNHZnZGR2hqS3Y4cTVnMHg3MzJkUjVNQjVCaXN2R1FPN1lXQnlqZDhpUURMcSFlR2JJRGFreXA1bW5PcmNkcUhlWVNubHRlcFFtUnA2QUlaOGpZIn0.1AFWW-Ck5nROwSlltm7GzZvDwUkqvhSQpm55TQsmVo9Y59cLhRXpvB8n-55HCr9Z6G_31_UbeUkoz612I2j_Sm9FFShSDDjoaLQr54CreGIJvjtmS3EkK9a7SJBbcpL1MpUtlfygow39tFjY7EVNW9plWUvRrTgVk7lYLprvfzw-CIqw3gHC-T7IK_m_xkr08INERBtaecwhTeN4chPC4W3jdmw_lIxzC48YoQ0dB1L9-ImX98Egypfrlbm0IBL5spFzL6JDZIRRJOu8vecJvj1mq-IUhGt0MacxX8jdxYLP-KUu2d9MbNKpCKJuZ7p8gwTL5B7NlUdh_dmSviPWrw

Decoded header:
{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "1LTMzakihiRla_8z2BEJVXeWMqo"
}

Decoded payload:
{
  "ver": "2.0",
  "iss": "https://login.microsoftonline.com/9122040d-6c67-4c5b-b112-36a304b66dad/v2.0",
  "sub": "AAAAAAAAAAAAAAAAAAAAAIkzqFVrSaSaFHy782bbtaQ",
  "aud": "6cb04018-a3f5-46a7-b995-940c78f5aef3",
  "exp": 1536361411,
  "iat": 1536274711,
  "nbf": 1536274711,
  "name": "Abe Lincoln",
  "preferred_username": "AbeLi@microsoft.com",
  "oid": "00000000-0000-0000-66f3-3332eca7ea81",
  "tid": "9122040d-6c67-4c5b-b112-36a304b66dad",
  "nonce": "123523",
  "aio": "Df2UVXL1ix!lMCWMSOJBcFatzcGfvFGhjKv8q5g0x732dR5MB5BisvGQO7YWByjd8iQDLq!eGbIDakyp5mnOrcdqHeYSnltepQmRp6AIZ8jY"
}
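The claim checks a Relying Party such as Webex applies to an ID token, worked against the decoded token above and the discovery-document fields from the earlier slide (`issuer`, `id_token_signing_alg_values_supported`, `jwks_uri`). This is an added example, not Cisco's or Microsoft's code. It rebuilds the token from the slide's header and payload with a placeholder signature (a constructed value), so the RS256 signature step, which needs the key named by `kid` from `jwks_uri`, is assumed to have passed already and is not shown; the `preferred_username` is taken from the token's own base64 payload.

```python
"""Added example, not Cisco's or Microsoft's code: the claim checks a Relying
Party applies to an ID token after verifying its RS256 signature with the key
named by kid from jwks_uri (the signature step is not shown). The token is
rebuilt from the decoded header and payload on the slide with a placeholder
signature, so it is a constructed value."""
import base64
import json

HEADER = {"typ": "JWT", "alg": "RS256", "kid": "1LTMzakihiRla_8z2BEJVXeWMqo"}
PAYLOAD = {
    "ver": "2.0",
    "iss": "https://login.microsoftonline.com/9122040d-6c67-4c5b-b112-36a304b66dad/v2.0",
    "sub": "AAAAAAAAAAAAAAAAAAAAAIkzqFVrSaSaFHy782bbtaQ",
    "aud": "6cb04018-a3f5-46a7-b995-940c78f5aef3",
    "exp": 1536361411, "iat": 1536274711, "nbf": 1536274711,
    "name": "Abe Lincoln", "preferred_username": "AbeLi@microsoft.com",
    "oid": "00000000-0000-0000-66f3-3332eca7ea81",
    "tid": "9122040d-6c67-4c5b-b112-36a304b66dad",
    "nonce": "123523",
}
# Discovery values the RP needs for these checks. The token was issued by tenant
# 9122040d...; the discovery document shown earlier belongs to tenant 8a3c8e9d...,
# so validating against it must fail the iss check.
TOKEN_TENANT_ISSUER = PAYLOAD["iss"]
PAGE_DISCOVERY_ISSUER = "https://login.microsoftonline.com/8a3c8e9d-c3d6-49d9-8ca8-0d91988b2bff/v2.0"
ID_TOKEN_SIGNING_ALGS = ["RS256"]   # id_token_signing_alg_values_supported
CLIENT_ID = PAYLOAD["aud"]


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


# Constructed token: slide header and payload, placeholder signature.
ID_TOKEN = ".".join([b64url_encode(compact(HEADER)), b64url_encode(compact(PAYLOAD)),
                     b64url_encode(b"signature-placeholder")])


def decode_segments(token: str):
    """Split a compact JWS into (header, claims) without trusting either yet."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def validate_id_token_claims(token, expected_issuer, client_id, expected_nonce,
                             now, allowed_algs=ID_TOKEN_SIGNING_ALGS, leeway=60):
    """Return (claims, problems); any problem means the login must be rejected.
    now is Unix time in seconds; leeway absorbs clock skew between RP and OP."""
    header, claims = decode_segments(token)
    problems = []
    # Only accept an alg the OP advertised; "none" or a downgraded alg fails here.
    if header.get("alg") not in allowed_algs:
        problems.append(f"alg {header.get('alg')!r} not in id_token_signing_alg_values_supported")
    if not header.get("kid"):
        problems.append("kid missing: cannot pick a key from jwks_uri")
    if claims.get("iss") != expected_issuer:
        problems.append("iss does not match the discovery document issuer")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        problems.append("aud does not contain our client_id")
    if now >= claims.get("exp", 0) + leeway:
        problems.append("token expired (exp)")
    if now < claims.get("nbf", 0) - leeway:
        problems.append("token not yet valid (nbf)")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce does not match the value sent in the authorize request")
    return claims, problems


if __name__ == "__main__":
    print(validate_id_token_claims(ID_TOKEN, TOKEN_TENANT_ISSUER, CLIENT_ID, "123523", now=1536274800))
    print(validate_id_token_claims(ID_TOKEN, PAGE_DISCOVERY_ISSUER, CLIENT_ID, "123523", now=1536274800))
```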

Webex Login Flow – OIDC

1) User initiates log in attempt

2) Webex redirects to Entra Authorize endpoint

HTTP/1.1 302
location: https://login.microsoftonline.com/8a3c8e9d-c3d6-49d9-8ca8-0d91988b2bff/oauth2/v2.0/authorize...

GET parameters:
client_id: aa6f8718-ad1d-42fc-a2c8-a7df9a181a6f
response_type: code
scope: email openid address phone
redirect_uri: https://idbroker-b-us.webex.com/idb/Consumer/oidc/sp
login_hint: [email protected]

Webex Login Flow – OIDC

6) Authorization code is passed to Webex

GET https://idbroker-b-us.webex.com/idb/oauth2/v1/authorize?response_type=code...
Referer: https://login.microsoftonline.com/

HTTP/1.1 302
location: https://web.webex.com?code=YWU0ZjA2NGY...

Webex Login Flow – OIDC

UserInfo endpoint response (after the token endpoint exchange):
{
  "email": "[email protected]",
  "email_verified": true,
  "name": "Scott Kiewert",
  "given_name": "Scott",
  "family_name": "Kiewert",
  "phone_number": "+9191112222"
}
OpenID Connect
Comparison with SAML

| SAML | OpenID Connect |
| XML-based | JSON-based |
| Typically worse for user privacy: user consent requires additional configuration. | Better for user privacy (user consent is supported by default). |
| Conveys user information in an assertion | Conveys user information in claims |
| Application being accessed is called the Service Provider | Application being accessed is called the Relying Party |
| Wide adoption and trusted by enterprises | Less adoption than SAML |
| Harder to configure | Easier to configure |
| Relies on certificates | Relies on client secret |
| Engineers are usually more familiar | Engineers are usually less familiar |

© 2024 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential
Troubleshooting

Entra ID – Group Object Sync

When enabling sync of group objects from Entra ID via the wizard, the Graph API is used to sync those objects.

Sync occurs every 12 hours, so if group membership changes after enabling the Sync group objects option, you need to wait for the next scheduled sync, or disable and re-enable the option to force a sync immediately.
Azure AD Integration Error

Occurs when the provisioning app was removed from Entra ID.

Access https://portal.azure.com > Microsoft Entra ID > Enterprise Applications and verify that Cisco Webex Identity Integration is present.
Azure AD Integration Error

If the integration is missing, navigate to the following URL to add the app back to the tenant:

https://login.microsoftonline.com/common/adminconsent?client_id=90db942a-c1eb-4e8d-82e4-eebf64a7e2ae

Accept the required permissions to create the integration.
Inactive Users

User is marked inactive manually in CH (Control Hub): 30 days
User is removed from the directory source: 30 days
User is deactivated in the directory source: 30 days
Inactive Users – Directory Connector

User is marked inactive manually in CH (Control Hub): 30 days
User is removed from the directory source: 7 days
User is deactivated in the directory source: Indefinite
Directory Connector Troubleshooting

Log files for Directory Connector can be found in:
C:\Program Files (x86)\Cisco Systems\Cisco Systems\Cisco Directory Connector\Logs

Start troubleshooting by logging in to Directory Connector:
Dashboard > Actions > Utilities > TroubleShooting
This will clear the Logs folder and enable verbose logging.

Event Viewer can also provide insight into any issues:
Start > Event Viewer > Applications and Services Logs > Cisco Directory Connector
References and Feedback

References

Provisioning
https://help.webex.com/en-us/article/nj34yk2/Ways-to-add-users-to-your-Control-Hub-organization

Domain Management
https://help.webex.com/en-us/article/cd6d84/Manage-Your-Domains

Directory Connector
https://help.webex.com/en-us/article/zqvufbb/Deployment-Guide-for-Directory-Connector

Azure AD Wizard
https://help.webex.com/en-us/article/heauzeb/Set-up-the-Entra-ID-(Azure-AD)-Wizard-App-in-Control-Hub

SCIM 2
https://developer.webex.com/docs/scim-2-overview

License and Settings Templates
https://help.webex.com/en-us/article/n3ijtao/Set-up-automatic-license-assignments-in-Control-Hub
https://help.webex.com/en-us/article/n5uf91x/Configure-settings-templates

Single Sign-On
https://help.webex.com/en-us/article/ngp4sr8/SSO-with-multiple-IdPs-in-Webex
https://help.webex.com/en-us/article/lfu88u/Single-Sign-On-Integration-in-Control-Hub
https://help.webex.com/en-us/article/nsjpi6h/SAML-Auto-Account-Creation-and-Update-for-Control-Hub

OpenID Connect
https://openid.net/developers/how-connect-works/