Webex Control Hub Duo SSO

I am having an issue with getting Duo SSO to work with webex and control hub:

I followed the documentation very carefully multiple times: Duo Single Sign-On for Cisco Webex (with Control Hub) | Duo Security

The error I get by following the above documentation is: “Single Sign On failed. Name Identifier format is incorrect”

I checked the xml Idp file and it does have the nameID that webex requires. I rebuilt the application multiple times to no avail.

Eventually I tried setting up the “Generic duo hosted SSO” application. using this I was able to get “SSO successful” in the test for Webex. Unfortunately, when I tried to sign into control hub “admin.webex.com” I got an error that I was not authorized and to contact my admin.

-Assuming this was due to an attribute issue?

Any help is appreciated. I created both a tac case and a duo support case, but they both have not been responsive this past week…

I would like to also add: Our webex control hub had SSO set up originally for OneLogin. We are trying to move away from it. Not sure if related but I did remove all connections our onelogin environment had with webex control hub already

Hi @Kurt,

I’m Jamie, an engineer on the SSO team!

Thanks for the information! We’ve seen this happen before with the named application for Webex ControlHub when the account is older and the backend of the Webex ControlHub account wasn’t upgraded to support the emailAddress NameIDFormat.

If you reach out to the Webex support team, they should be able to upgrade your Webex account to support the newer NameIDFormat on their side.

For the attribute error using the Generic SAML application, I’d double-check that the NameID value you’ve populated is the attribute that has the email address in it.

Feel free to contact support@duo.com and they should be able to help you in more detail!

1 Like

Thanks for the response, this is the most helpful info I’ve been given on the subject. I asked about this upgrade last week in my TAC case but have yet to hear back unfortunately. My tac engineer doesn’t seem to be the most responsive

Also still awaiting first contact from duo support. Created the case a week ago with no response.