Set up IAM authentication
Use the IAM (identity and access management) Authentication page to enable an external identity provider (IdP) to authenticate Webex WFO sessions, enable direct login using Webex WFO's IAM service, or enable multi-factor authentication.
The IAM Authentication page is only available for Cloud deployments of Webex WFO.
If you are using an external identity provider, see Configure SAML authentication to learn how to configure your organization’s IdP prior to using this page to enable your IdP connection to Webex WFO.
Multi-factor authentication is a method in which a user is granted access to a website after successfully proving their identity using at least two means of verification. Webex WFO multi-factor authentication uses a login password and a one-time password sent by email to verify a user's identity and grant them access to Webex WFO. The following workflow details what happens when a user attempts to log in once multi-factor authentication is configured.
- The user successfully enters their email and password on the login page.
- The user receives an email from Webex WFO that contains their one-time password.
- The user enters their one-time password on the login page and is successfully authenticated.
Prerequisites
- You need the Administer Tenant permission to access this page. See Manage roles and permissions for QM, Analytics, and Insights for more information.
- Your external IdP must be configured for Webex WFO. Follow the procedures detailed in Configure SAML authentication to set up your IdP.
- Follow the "Configure identity providers" and "Export SAML Metadata" procedures in Configure SAML authentication if your IdP is not on the list below. If you are not able to successfully configure your IdP, please contact Cisco Support.

Identity Provider |
---|
AD FS |
Azure AD |
Ping Federate |
OKTA |
Cisco Duo |
OneLogin |
Page location
Application Management > Administration > IAM Authentication
Procedure
Configure an external IdP
- Under Enable Authentication, select the Enable IAM External Authentication Entity (Company Login) box to allow authentication using an external IdP.
IMPORTANT Changes to your configuration will cause login issues with your identity provider if you do not make corresponding updates to your identity provider application.
- Enter the required information in the available fields. See Field descriptions for more information.
- Click Save.
Configure direct login
- Under Enable Authentication, select Enable IAM Authentication (Direct Login) to authenticate using Webex WFO's IAM service.
- Click Save.
Configure multi-factor authentication
- Under Enable Authentication, select Enable IAM Authentication (Direct Login) to authenticate using Webex WFO's IAM service.
- Under IAM Authentication Settings, select Enable One-Time Password via Email.
- Click Save.
NOTE If users do not receive their one-time password emails within one minute, instruct them to check their spam folders or work with their IT administrator to ensure the one-time password email from "supportservices_noreply@calabriocloud.com" is not blocked.
Field | Description |
---|---|
Enable Authentication | At least one of the two check boxes must be selected. |
Enable IAM Authentication (Direct Login) | Enables authentication through the Webex WFO IAM Service or multi-factor authentication. |
Enable IAM External Authentication Entity (Company Login) | Enables authentication using an external IdP. |
IAM Authentication Settings | |
Multi-factor Authentication - Enable One-Time Password via Email | When configured, all tenant users receive an email from Cisco that contains a one-time password whenever they attempt to log into Webex WFO. The one-time password email is delivered to the email address linked to an individual's Webex WFO user account. The password expires after five minutes. |
Identity Provider Settings | |
Entity ID | The entity ID information from the customer’s configured IdP. EXAMPLE |
IDP X.509 Certificate | Import, export, or view an SP X.509 certificate. Acceptable file formats are CER, CRT, and CERT. IMPORTANT The certificate must be Base64 encoded. |
Authorization Requests Signed - Require signed SAML request | Select if SAML requests need to be signed. |
Name ID Format | The default is as follows. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
Single Sign-On Service Endpoint (HTTP-POST/HTTP-Redirect) | The value provided for a Single Sign On Service Endpoint (HTTP-Redirect). Include http or https in the URL. EXAMPLE |
SAML Binding | Select if SAML binding is required to post or redirect. NOTE Check if your identity provider requires post or redirect. Azure AD, AD FS, and Ping Federate IdPs require post. |
Service Provider Settings (read-only fields) | |
Entity ID | The unique identifier for your IdP. Required if configuring an IdP application for single sign-on. |
Assertion Consumer Service URL | The service provider endpoint where the SAML assertion authentication response is sent by your IdP. Required if configuring an IdP application for single sign-on. |
Metadata URL | The web address that points to the file with details on the service provider Entity ID, certificates, and more. |
Service Provider Initiated Sign-On URL | The web address users visit to start the SSO process. When a user opens this URL, the service provider (Calabrio) redirects you to your IdP to authenticate and sign in. |
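
The following added example, which is not part of the Webex WFO product or its documentation, reads an IdP's SAML metadata and returns the values the Identity Provider Settings fields ask for, with warnings when the certificate is not Base64 or an endpoint is not https. The metadata, the host idp.example.test, and the truncated certificate are constructed placeholders, and the https check is an added assumption rather than a stated product requirement.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING_PREFIX = "urn:oasis:names:tc:SAML:2.0:bindings:"
DEFAULT_NAME_ID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: idp.example.test and the truncated certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIBCgKCAQEA</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def idp_fields(metadata_xml):
    """Map IdP SAML metadata to the Identity Provider Settings fields, with warnings."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    warnings = []
    cert = "".join(idp.findtext(".//ds:X509Certificate", "", NS).split())
    try:  # Base64 text must decode to DER, which starts with a SEQUENCE tag (0x30)
        if base64.b64decode(cert, validate=True)[:1] != b"\x30":
            warnings.append("certificate is not Base64-encoded DER")
    except ValueError:
        warnings.append("certificate is not valid Base64")
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding = sso.get("Binding", "").replace(BINDING_PREFIX, "")
        endpoints[binding] = sso.get("Location", "")
        if urlparse(endpoints[binding]).scheme != "https":  # added check (assumption)
            warnings.append(f"{binding} endpoint is not https")
    formats = [(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)]
    if DEFAULT_NAME_ID not in formats:
        warnings.append("IdP does not list the default Name ID Format")
    return {"Entity ID": root.get("entityID"), "IDP X.509 Certificate": cert,
            "Require signed SAML request": idp.get("WantAuthnRequestsSigned") == "true",
            "Name ID Format": formats, "Single Sign-On Service Endpoint": endpoints,
            "warnings": warnings}
```
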
Related topics
- Configure SAML authentication: Learn how to configure your organization’s external IdP for Webex WFO before using the IAM Authentication page to connect your organization’s IdP and Webex WFO’s IAM service.
- Log in to Webex WFO (legacy): Learn how to log into Webex WFO after configuring an authentication method.