Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
597
Views
0
Helpful
2
Replies

Webex SSO with OpenID Connect

Lajos Demeter
Level 1
Level 1

‎06-23-2023 12:08 PM - edited ‎06-24-2023 04:21 AM

I am doing some testing with the Webex SSO using OpenID Connect (OIDC), first for login only, in the "openid email" scope, and found some items which are not fully documented.

My questions the OIDC based SSO behavior of Webex:
- could you please confirm that the "JWKS endpoint" is really not used, and if yes, make this mandatory field optional?
- could you please confirm that the "User info endpoint" is really not used, and make this mandatory field optional?
- could you please confirm that the returned "access_token" within the OIDC token is not used, so may be empty?
- could you please confirm that the only the payload part of the returned "id_token" within the OIDC token is used, the other parts can be arbitrary values?

Or am I on a completely wrong path?

Background

In configuring the OIDC IdP details in Control Hub under "Manually add endpoint information", the CH requests mandatory URLs to the "JWKS endpoint" and "User info endpoint".

According to the IDC standard HERE, the JWKS endpoint is REQUIRED and returns key(s) to validate the id_token signature with. The User info endpoint is optional, and serves requests to user details.

In my understanding, the IDP should POST something similar to the Webex idbroker:
{
"token_type": "Bearer",
"expires_in": 3600,
"access_token": "...",
"scope": "email openid",
"id_token": "..."
}
and in my understanding the Webex side MUST verify the signature of the id_token using the key(s) downloaded from the "JWKS endpoint", and MAY ask for user details from the "User info endpoint".

However, at least in my tests, it looks like Webex does NOT verify the signature of the id_token, (does not even turn to the "JWKS endpoint" to get the verification key), and ignores the mandatory "iss" (issuer) param in the "id_token" JWT header. It does not turn to the "User info endpoint" either.
In spite of all these symptoms, the authentication is successful.  I found no docs about the OIDC behavior of Webex, while the SAML behavior is quite well documented.

Thanks in advance for your clarification.

1 person had this problem
0 Helpful
2 Replies 2

Janos Benyovszki
Cisco Employee
Cisco Employee

‎06-26-2023 02:55 AM

@Lajos Demeter would you mind opening a ticket for this please - devsupport@webex.com ? Please also include the payloads of your testings that you mentioned above, so that we can cross-verify them internally. Thanks

0 Helpful

Lajos Demeter
Level 1
Level 1
In response to Janos Benyovszki

‎06-26-2023 06:43 AM

OK Janos, I will do so.

0 Helpful
Customers Also Viewed These Support Documents