2412 Views · 10 Helpful · 3 Replies

Web with AzureAD SSO - Re-Prompt for Authentication

shockocisco (Level 1)

We have our Webex instance integrated with AzureAD for SSO. This is working fine and users can log on with their AzureAD account. The first time they do this they get prompted for username/password and then subsequently MFA. However, even after PC restarts they do NOT get prompted for username/password nor MFA again, it seems. 

Can this be configured anywhere? 

1 Accepted Solution

AFAIK, the Azure AD integration does not mark an account Inactive in Webex Control Hub just because an account is locked. If that's accurate (please test), the Webex app would continue to function. You could use the Reset Access - either GUI or the API, both in the help article I linked to - to force the user out of every Webex app they are logged into though. That would force the user to login again with SSO which would fail since their account is locked.

As for a password change: the Force Authentication toggle I linked to below only works with on-prem AD and the Directory Connector at the moment. I just checked and there is not (yet) an equivalent for Azure AD. I cannot discuss future roadmap here because it requires an NDA. If this is important you should discuss it with your Cisco Collab TSA or partner SE; they can attach you to the existing feature request or submit a new one. They may also be able to share more detail individually.

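As an added illustration (not code from this thread, from Cisco, or from the Webex app) of the lifecycle the thread describes: one interactive SSO+MFA login, a per-device refresh token that is renewed on every successful launch and lapses after the 60 days of inactivity quoted later in the thread, an admin Reset Access that revokes every session of a user, and a directory-side lockout that, per the accepted solution, does not by itself invalidate tokens already issued. The user and device names, the dates, and the treatment of the 60-day window as a plain constant are assumptions of this model, not values taken from Webex.

```python
"""Model of the session behaviour discussed in the thread (constructed example).

After one interactive SSO+MFA sign-in a device holds a refresh token that is
renewed on every successful launch and expires after 60 days of inactivity.
An admin "Reset Access" revokes every live session of the user. Locking the
directory account does not, in this model, touch any issued token; it only
blocks the next interactive sign-in.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

INACTIVITY_LIMIT = timedelta(days=60)  # figure quoted in the thread; assumed fixed here


@dataclass
class DeviceSession:
    user: str
    device: str
    last_refresh: datetime
    revoked: bool = False


class TokenStore:
    """Tracks per-device refresh tokens plus an audit trail of what happened."""

    def __init__(self, inactivity_limit: timedelta = INACTIVITY_LIMIT) -> None:
        self.limit = inactivity_limit
        self.sessions: Dict[Tuple[str, str], DeviceSession] = {}
        self.locked: Set[str] = set()
        self.audit: List[str] = []

    def sign_in(self, user: str, device: str, now: datetime) -> bool:
        """Interactive SSO + MFA. Fails when the directory account is locked."""
        if user in self.locked:
            self.audit.append(f"{now.date()} SSO_LOGIN_DENIED {user}/{device} (account locked)")
            return False
        self.sessions[(user, device)] = DeviceSession(user, device, now)
        self.audit.append(f"{now.date()} SSO_LOGIN {user}/{device}")
        return True

    def launch(self, user: str, device: str, now: datetime) -> str:
        """'silent' if the refresh token still works, 'reauth' if the user must sign in again."""
        s = self.sessions.get((user, device))
        if s is None or s.revoked:
            return "reauth"
        if now - s.last_refresh > self.limit:
            s.revoked = True  # refresh token lapsed through inactivity
            self.audit.append(f"{now.date()} TOKEN_EXPIRED {user}/{device}")
            return "reauth"
        s.last_refresh = now  # sliding window: each successful launch renews the token
        self.audit.append(f"{now.date()} TOKEN_REFRESH {user}/{device}")
        return "silent"

    def lock_account(self, user: str) -> None:
        """Directory-side lockout. Deliberately touches no session (the thread's claim)."""
        self.locked.add(user)

    def reset_access(self, user: str, now: datetime) -> int:
        """Admin 'Reset Access': revoke every live session of the user; returns the count."""
        n = 0
        for s in self.sessions.values():
            if s.user == user and not s.revoked:
                s.revoked = True
                n += 1
        self.audit.append(f"{now.date()} RESET_ACCESS {user} sessions_revoked={n}")
        return n


def scenario() -> Dict[str, object]:
    """Constructed timeline for one user ('alice') with a laptop and a phone."""
    t0 = datetime(2024, 1, 1, 9, 0)
    store = TokenStore()
    out: Dict[str, object] = {}
    store.sign_in("alice", "laptop", t0)
    store.sign_in("alice", "phone", t0)
    out["laptop_after_restart"] = store.launch("alice", "laptop", t0 + timedelta(days=1))
    out["phone_day_30"] = store.launch("alice", "phone", t0 + timedelta(days=30))
    out["laptop_59_days_idle"] = store.launch("alice", "laptop", t0 + timedelta(days=60))
    store.lock_account("alice")  # lockout alone does not stop an app that holds a token
    out["phone_while_locked"] = store.launch("alice", "phone", t0 + timedelta(days=61))
    out["revoked_by_reset"] = store.reset_access("alice", t0 + timedelta(days=61))
    out["phone_after_reset"] = store.launch("alice", "phone", t0 + timedelta(days=62))
    out["relogin_while_locked"] = store.sign_in("alice", "phone", t0 + timedelta(days=62))
    store.locked.discard("alice")  # account unlocked again
    store.sign_in("alice", "laptop", t0 + timedelta(days=62))
    out["laptop_61_days_idle"] = store.launch("alice", "laptop", t0 + timedelta(days=123))
    out["audit"] = store.audit
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

The point the timeline makes for a defender: neither a restart nor a password lockout produces a re-prompt while a device still holds a refreshed token, so the only lever that reliably ends an existing session in this model is the explicit revocation (Reset Access), after which the user's next launch falls through to interactive SSO and the lockout takes effect.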

3 Replies

shockocisco (Level 1)

Thanks for the reply. Well noted regarding the mobile app. What are the effects of account lockout/password change in regards to the token? Would it be invalidated?

Jonathan Schulenberg (Hall of Fame)

This is by design. The Webex app uses OAuth tokens after initial sign-in. So long as the user launches the app on a given device once every 60 days, and it successfully connects to Webex, the OAuth tokens will refresh and keep the session alive.

You cannot disable this behavior entirely - nor should you because on mobile, for example, if the app lacks a valid OAuth token there is zero chance that the user can complete the login flow fast enough to answer an incoming call.

You can influence it though with the Token policy settings. I really suggest leaving them at the default values though.

Three adjacent settings to be aware of: