We have an existing paid-for Webex deployment and use the AD Directory Connector to get our user account info from our on-prem AD to Webex. However, the connector doesn't include AD authentication and everyone has a separate password for Webex. We do have hybrid authentication with Azure AD configured and working for other services.
So I'd like to integrate Webex with Azure AD so that my users can use their regular AD credentials for Webex. I've read the documentation about configuring Webex SSO with Azure AD and I understand it in principle, but I still had some questions:
1) After configuring SSO can I specify which users I want to enable SSO for? Ideally I'd like to turn on SSO to test it before I enable it for everyone.
2) After enabling SSO is it possible to convert my existing users over to using their AD credentials instead of creating new accounts for them?
Unfortunately, the SSO is a global setting, so it would be enabled for all. You should add a backdoor account as an external full admin so you don't get locked out if it doesn't work, and revert the change if there's an issue.
And I believe that all the users will still be there; as long as the email address matches the SSO ID/email, it should start using the IdP login instead of Webex CI.
This Cisco Live video may be helpful for you to see and get familiar with the process:
Thank you for your response. I'll check out the video.
In the meantime, is it possible to enable SSO and then go back to Webex CI without affecting my userbase permanently? I'd like to turn on SSO sometime after hours to test, and then turn it off and have everything be back to normal for the next business day. After disabling SSO and going back to Webex CI, could my user accounts (passwords, etc.) be the same?
So, when you set it up, it will give you an opportunity to test the connection, and if the connection fails, gives you the opportunity to revert back to CI:
But after I enabled this and disabled it, I was able to log in with the original CI local admin account with the original password before I enabled SSO.
I do suggest that any changes you are going to make, have TAC on the call while you are performing these changes. I would also confirm this with TAC since they will support this change also if you need help.