Webex Teams Single Sign-On
Webex Teams supports any Identity Provider (IdP) that complies with SAML v2. Webex Teams works with the leading identity providers for both on-premises and Identity as a Service (IaaS) integration for the purpose of SAML v2 federated single sign-on. Cisco has created integration guides for some of these partners and has posted them on its Help site at https://help.webex.com/article/lfu88u. Integration guides or confirmed customer integrations are available for the following identity providers:
• On-premises identity providers:
    • Microsoft ADFS
    • Oracle Access Manager
    • Ping Identity
    • OpenAM
    • IBM Security Access Manager
    • CA Siteminder
    • F5 Big-IP
    • Shibboleth
• IaaS vendors:
    • Okta
    • PingOne
    • Salesforce
    • Microsoft Azure
    • Oracle Identity Cloud Service
    • Centrify
    • OneLogin
Multifactor Authentication
Webex Teams supports multifactor authentication (MFA) by integrating with SAML v2 identity providers that implement it. Many organizations deploy MFA across their enterprise for all services that require additional factors during authentication—something you know, such as your password, and something you have, such as an X.509 certificate, an HMAC-based one-time password (HOTP), a time-based one-time password (TOTP), device fingerprinting, or another mechanism supported by the IdP.
IdP and MDM/MAM with Webex Teams
Enterprise customers are building new architectures to address the security of mobile devices and the authentication and authorization of cloud-based SaaS. They look to identity provider vendors to provide authentication and authorization for web apps, as well as access control for mobile apps (also known as mobile application management, or MAM). These same IdPs also include mobile device management (MDM) features or integrations to ensure that employees use trusted devices when accessing applications. Many IdPs use features such as device registration or certificate-based authentication to achieve these goals.
Webex Teams Proximity and Device Pairing
Webex Teams desktop and mobile apps can use proximity to pair with Webex cloud-registered devices and on-premises Cisco video devices registered to Cisco Unified CM and Cisco TelePresence Video Communication Server (VCS). The device discovery and pairing mechanisms are similar for cloud-registered devices and Unified CM/VCS-registered devices; the content sharing and device control mechanisms both use TLS/HTTPS connections but differ in the paths they use between the Webex Teams app and the device.
Note
Webex Teams for web supports manual pairing only.
Proximity for Cloud-Registered Webex Devices
Cloud-registered Webex devices use ultrasonic signaling and tokens to pair with Webex Teams apps. Figure 6-53 shows that the Webex cloud generates a unique token every 30 seconds and sends it securely over TLS to the Webex device, which emits the token as ultrasound from the device speakers. A Webex Teams app within range of the ultrasound signal can use the received token to pair with the Webex device by sending the token to the Webex cloud service. Once the device and app are paired, the Webex Teams app must keep receiving newly emitted tokens and sending them to the Webex cloud service to maintain the paired connection.
One reason for using ultrasound for proximity detection is its limited range; ultrasound signals typically do not pass through walls, limiting the pairing token’s range to the enclosed room that the endpoint is placed within.
Figure 6-53 Ultrasound pairing for Webex Teams and Webex devices
Figure 6-54 shows that once the paired connection between the device and app has been established using the Webex cloud, the Webex Teams app can control the Webex device (for example, to make calls, mute, and so on) and also share content on the Webex device. Both the Webex Teams app and the Webex device use their existing TLS connections to the Webex cloud to exchange call control signaling and media for content sharing.
Figure 6-54 Ultrasound pairing for Webex Teams and Webex devices post connection
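The token rotation and pairing-liveness rules described for Figures 6-53 and 6-54, as an added Python model of the cloud side of the exchange. This is not Cisco's code: the 30-second rotation comes from the text, while the token format, the acceptance of the immediately previous token, and the 60-second liveness window are assumptions made for illustration.

```python
# Added example (not Cisco's code): a simplified model of the cloud side of
# ultrasound proximity pairing. Token format, acceptance of the immediately
# previous token, and the liveness window are assumptions for illustration.
import secrets
from dataclasses import dataclass, field

ROTATION_SECONDS = 30   # from the text: a new token every 30 seconds
LIVENESS_SECONDS = 60   # assumption: pairing lapses without a fresh token in 60 s

@dataclass
class Device:
    device_id: str
    current_token: str = ""
    previous_token: str = ""   # tolerates an app relaying a token just after rotation
    last_rotation: float = 0.0

def _matches(token: str, expected: str) -> bool:
    # constant-time compare; an unset (empty) token never matches
    return bool(expected) and secrets.compare_digest(token.encode(), expected.encode())

@dataclass
class CloudPairingService:
    devices: dict = field(default_factory=dict)
    pairings: dict = field(default_factory=dict)   # (app_id, device_id) -> last valid relay

    def rotate(self, device_id: str, now: float) -> str:
        # first call registers the device; token goes to the device over TLS, then ultrasound
        d = self.devices.setdefault(device_id, Device(device_id))
        d.previous_token, d.current_token = d.current_token, secrets.token_urlsafe(16)
        d.last_rotation = now
        return d.current_token

    def tick(self, now: float) -> None:
        # rotate due tokens, then drop pairings whose app stopped relaying fresh tokens
        for d in list(self.devices.values()):
            if now - d.last_rotation >= ROTATION_SECONDS:
                self.rotate(d.device_id, now)
        self.pairings = {k: t for k, t in self.pairings.items() if now - t <= LIVENESS_SECONDS}

    def present_token(self, app_id: str, token: str, now: float):
        # app relays a token it heard; pair (or keep the pairing alive) only on a match
        for d in self.devices.values():
            if _matches(token, d.current_token) or _matches(token, d.previous_token):
                self.pairings[(app_id, d.device_id)] = now
                return d.device_id
        return None   # unknown or stale token: nothing is paired or refreshed

    def is_paired(self, app_id: str, device_id: str) -> bool:
        return (app_id, device_id) in self.pairings
```

Because a token is only valid for the device that is currently emitting it and for a short window, an app that stops hearing the room's ultrasound stops being able to refresh the pairing, which is the property the limited range of ultrasound is meant to provide.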