Introduction
This is a configuration example for OKTA AD with Webex Control Hub.
In this article, I'm describing the steps performed in my OKTA AD trial sub with my Webex Control Hub Lab environment.
Requirements
- Admin Account in the OKTA Portal.
- Admin Account in Control Hub (for the current Organization to be configured).
- Cisco Webex App already created in the OKTA Portal.
Components Used
- Webex Control Hub
- OKTA Portal
Configuration steps:
We will start configuring the API integration with OKTA AD and Webex Control Hub.
1. Within the OKTA portal, in the left pane, click on the following options:
Applications > Applications > select the Cisco Webex App (in this case, our Cisco Webex App is called Webex-OKTA SSO/AD)
NOTE: The Webex app can be named as per the customer's needs/preferences, and is the same one used for SSO, in case the customer already configured it.
2. Then click on “Provisioning” and click on “Configure API integration”
3. Check the box “Enable API integration” and fill in the respective fields:
- Organization ID: <Available in Webex Control Hub under "Account" section>
- API Token: <You can follow step 3, subsections A to C, from our OKTA AD configuration article, "Synchronize Okta users into Control Hub" (webex.com)>
4. Click on “Test API credentials” and wait for the result.
5. Click “Save” if the result is a success.
After the Cisco Webex App has been configured for the API integration with Webex Control Hub, we will need to configure the attributes and the user/group assignments for the Webex application in OKTA.
1. Select the Cisco Webex App, click on "Assignments" and add the users or groups to be synced.
NOTE: If this application was already configured for SSO previously, you can skip this step and continue with step 2.
This is because the OKTA admin most likely has already configured the assignments when performing the SSO configuration.
2. After assigning either users or groups to the Cisco Webex app, click on the “Provisioning” tab, and under "Settings: To App", click on “Edit”.
3. Enable the following options: “Create users”, “Update users attribute”, and “Deactivate Users”, and Save.
As per our article, the OKTA integration only supports the following attribute mapping:
- Username
- displayName
- name.familyName
- name.givenName
- externalId
- title
Multivalued attributes, PhoneNumber for mobile and work, as well as Address, aren’t supported by Okta, because the operation for PATCH, PUT, or DELETE isn’t passed by the Okta application to Webex.
NOTE: If your organization already uses Directory Connector to synchronize users, you cannot synchronize users from Okta.
Therefore, the OKTA Administrator will need to delete the other attributes that won't be mapped to Webex Control Hub.
- Go to the Webex App within the OKTA portal, click on “Provisioning”, then under Settings: To App, scroll down to <Cisco Webex App Name> Attribute Mappings section.
- Delete the other attributes that aren't supported and keep the ones supported.
Below is a screenshot, showing only the attributes supported by the OKTA integration.
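As an added example (not part of the original article and not Cisco or Okta code), the following Python sketch audits a user profile against the six supported attributes listed above and reports which mappings would need to be deleted. It assumes the profile is expressed with SCIM-style attribute names; `SAMPLE_USER`, `flatten` and `audit` are hypothetical names, the sample values are constructed, and nothing here calls the Okta or Webex APIs.

```python
# Attribute names the article lists as supported by the Okta integration,
# compared case-insensitively (the article writes "Username").
SUPPORTED = {"username", "displayname", "name.familyname",
             "name.givenname", "externalid", "title"}
# Assumption: SCIM bookkeeping keys are not attribute mappings, so skip them.
IGNORED = {"schemas", "id", "meta"}


def flatten(resource, prefix=""):
    """Yield dotted attribute paths for a SCIM-style user dict.

    A multivalued attribute (a list) is reported once per entry as
    name[type], e.g. phoneNumbers[mobile]."""
    for key, value in resource.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from flatten(value, prefix=f"{path}.")
        elif isinstance(value, list):
            for item in value:
                kind = item.get("type", "?") if isinstance(item, dict) else "?"
                yield f"{path}[{kind}]"
        else:
            yield path


def audit(resource):
    """Return (kept, to_delete) attribute paths, each sorted."""
    user = {k: v for k, v in resource.items() if k not in IGNORED}
    kept, to_delete = [], []
    for path in flatten(user):
        bucket = kept if path.lower() in SUPPORTED else to_delete
        bucket.append(path)
    return sorted(kept), sorted(to_delete)


# Constructed sample profile; every value is invented for illustration.
SAMPLE_USER = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
    "userName": "jdoe@example.com",
    "displayName": "Jane Doe",
    "name": {"givenName": "Jane", "familyName": "Doe"},
    "externalId": "constructed-external-id",
    "title": "Engineer",
    "phoneNumbers": [{"type": "mobile", "value": "+1 555 0100"},
                     {"type": "work", "value": "+1 555 0101"}],
    "addresses": [{"type": "work", "locality": "Springfield"}],
    "department": "R&D",
}

if __name__ == "__main__":
    kept, to_delete = audit(SAMPLE_USER)
    print("keep:  ", ", ".join(kept))
    print("delete:", ", ".join(to_delete))
```

Running the same check after editing the mappings gives a quick way to confirm that only the supported attributes remain.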
Verification
OKTA AD synchronizes with Control Hub every time a new user is added or a change is made in the OKTA portal.
You can test the integration by adding a new user/group under the assignments section within the Cisco Webex App and then checking it on Control Hub.