Get Started with Cisco Spaces

This chapter provides an overview of Cisco Spaces, its features, the process flow, license packages, and system requirements for Cisco Spaces.

This chapter contains the following sections:

Overview of Cisco Spaces

Cisco Spaces is a multichannel engagement platform that enables you to connect, know, and engage with visitors at their physical business locations.

Cisco Spaces is the industry's most scalable end-to-end indoor location services cloud platform that empowers customers to achieve business outcomes at scale. With its comprehensive suite of services, it offers a robust solution for all your location-based needs.

Cisco Spaces provides solutions for monitoring and managing the assets in your premises.

It covers various verticals of business such as

  • retail

  • manufacturing

  • hospitality

  • healthcare

  • education

  • financial services

  • enterprise workspaces, and so on.

With Cisco Spaces, users gain centralized access to all location technology and intelligence via a unified dashboard interface. Designed for compatibility with existing Cisco Aironet, Cisco Catalyst, and Cisco Meraki infrastructure, Cisco Spaces stands out as a versatile solution for location-based service needs.

Log In

As a Cisco Spaces user, you can log in to Cisco Spaces using the existing account login credentials. The domain specific URL to log in to Cisco Spaces is https://spaces-gov.cisco/.

Cisco Federation Process

The Cisco Federation Process enables Single Sign-On (SSO) integration with external partner organizations, allowing seamless authentication while maintaining security boundaries. This system uses Cisco's CCI-Okta infrastructure to federate with external Identity Providers (IdPs).

Key benefits

  • Enhanced Security: Passwords remain with the partner domain; Cisco never stores or accesses them

  • Seamless User Experience: Single sign-on across Cisco applications

  • Just-in-Time Provisioning: Automatic user provisioning with minimal required attributes

  • Flexible Authentication Flow: Multiple entry points for user authentication

Cisco Customer Identity integration

Cisco Customer Identity (CCI) is a unified authentication platform that enhances security and accessibility for users across Cisco Spaces applications. It serves as a common authentication layer, replacing individual application-specific identity providers (IDPs) to streamline user access and improve streamline user access and improve security management.

Legacy onboarding used separate IDPs for Cisco Spaces, which created challenges when enabling other applications. Cisco Customer Identity (CCI) provides a common authentication interface that prevents future integration issues for non-CCI customers. To ensure compatibility with the evolving Cisco product ecosystem, users are being transitioned to CCI integration.

CCI integration centralizes user authentication for all Cisco applications, ensuring consistent security policies and simplifying user management. This approach supports future scalability, enabling seamless activation of additional Cisco products that rely on CCI for authentication.

Key attributes:

  • Provides a single sign-on (SSO) experience across all Cisco URLs for users with authorized email domains (e.g., @abc.com).

  • Replaces legacy or individual application IDPs to avoid fragmentation and complexity.

  • Supports SAML-based authentication with metadata exchange between customer IDPs and Cisco.

  • Requires mandatory user attributes in SAML responses, such as firstName, lastName, email, company, and countryCode.

  • Facilitates both authentication-only and combined authentication and authorization workflows.

Figure 1. Authentication workflow

Set Up SSO with Cisco Customer Identity

Enable Single Sign-On (SSO) across all Cisco applications for users in specified domains by integrating your organization’s identity provider with Cisco Customer Identity (CCI). This unified authentication enhances user experience and strengthens application security.

Use this task when you need centralized authentication for Cisco applications. The SSO setup is performed at the Cisco domain level, not at the individual application level, to provide consistent, secure access for all users in your organization. You will work with Cisco's SSO enablement team to exchange required metadata and certificates, ensuring that SSO functions reliably and meets organizational security requirements.

Before you begin

Ensure that these requirements are met:

  • CCI-Okta: Cisco's Identity Provider

  • Federated Partner Domain: External organization's Identity Provider

  • Protected Applications: Cisco applications requiring authentication

  • SAML Protocol: Secure authentication messaging

Follow these steps to configure SSO.

Procedure

Step 1

As a user, provide these details or metadata file to enable SSO integration to Cisco Spaces SSO enablement team.

  • SubjectNameID: Key account linking attribute (usually the user’s email).

  • Remote IDP Issuer URI: SAML Metadata EntityID of the customer’s IdP.

  • Remote IDP Single Sign-On URL: Endpoint receiving SAML authentication requests from CCI.

  • Remote IDP Signature Certificate: Public key certificate (PEM or DER) to verify SAML signatures.

Step 2

In return, Cisco provides these details:

  • Assertion Consumer Service URI: Endpoint to receive SAML assertions after authentication.

  • Audience URI: Cisco’s entity descriptor for the IdP.

  • SP Signature Certificate: Public key certificate to verify authentication request signatures.

Step 3

In the response, provide these mandatory attributes with Cisco.

  • firstName

  • lastName

  • email

  • company (company name)

  • countryCode (two char codes e.g. US, UK, BE)

Standard Federation User Journey

  1. Navigate to the Cisco application that requires authentication. The application is protected by CCI/Okta security layer.

  2. To initiate login process, click Login.The system redirects to the authentication flow.

  3. In the CCI Login window, enter the email address (format: username@PartnerDomain.com) that belongs to your partner organization domain. This email domain must be pre-configured in the federation setup.


    Note

    The system automatically detects your partner domain from the email and you will be redirected to your organization's federated partner domain login page (home organization's identity provider (IdP).

  4. In the organization's login page, enter your username and password. Ensure that you use the same credentials you normally use for your organization's systems

  5. Complete any additional authentication requirements (MFA, if configured).


    Note

    After successful authentication, you will be automatically redirected back to CCI. Your organization's IdP sends a secure SAML assertion to CCI confirming your identity.

  6. CCI processes the authentication and redirects back to the original Cisco application. The application receives confirmation of your authenticated status.

  7. Access is granted and your authentication is complete. You successfully land on the application front page. Full access to the application is now available based on your permission settings.

Single Sign-On for Cisco Spaces

Cisco Spaces supports Single Sign-On (SSO) so that users can login to Cisco Spaces using their SSO credentials. For example, if the Cisco domain is SSO-enabled, Cisco employees, who have a Cisco Spaces account, can access Cisco Spaces using their Cisco e-mail address and password. Additionally, if a Cisco employee is already logged in to the Cisco domain through any other Cisco website or application, that Cisco employee can access Cisco Spaces by simply specifying the Cisco e-mail address.

When you click the Login button, only the e-mail ID field will appear in the Login window along with a Continue button. If the user is already logged into the SSO-enabled domain, then the user will be directly taken to the Cisco Spaces Dashboard after clicking the Continue button. If the Cisco Spaces account supports multiple customer names, then the Select Customer window will be displayed. If the user has not logged into the domain, then the user will be redirected to the IDP page for login authentication, and user can login by specifying the SSO credentials.

  • Account name

  • Domain name (for which SSO needs to be enabled)

  • Application Name

  • SSO type: Currently, only SAML is supported.

  • If only authentication is needed or both authentication and authorization needs to be enabled. This is done by setting the authenticateOnly flag to True or False.

    • True: Only authentication is enabled for the user.

    • False: Both authentication and authorization is enabled for the user.


      Note

      • If you set authenticateOnly to False:

        • You need to pass additional information from the IDP while sending the user details. For example, role=dnaspaces:174923535949:Dashboard_Admin.

        • The value for role is mandatory and must be available in the IDP while sending the user details.

        • You need not invite individual users from the Cisco Spaces dashboard > Admin Management. User invitation and activation is based on both authentication and authorization process by the specific customer IDP & Cisco Spaces.

          You can use the Cisco Spaces dashboard existing default roles or create a new role in the Cisco Spaces dashboard and use that specific role name.

          The available role in Cisco Spaces dashboard is Dashboard Admin Role that provides full admin permission to the user for the selected account. If you use this role, you must pass the role string value in the specified format: role": "dnaspaces:<account number>:Dashboard Admin Role",.

          If you use custom roles, create these custom roles in Cisco Spaces > Admin Management > Roles and pass the role name as the role string value in the IDP response.

  • The following information from the metadata.xml file:

    • SSO Details

    • Entity

    • Entry point

Once you provide the above details, the Cisco Spaces support team will send you the following so that you can configure your application:

You need to configure your IDP metadata to return the firstName, lastName and email fields as below:

nameid-format:"emailAddress","firstName":"Jane","lastName":"Doe","phone":"9876543210","level":"info","

Start Working with Cisco Spaces

Before starting working with Cisco Spaces ensure that you have the prerequisites mentioned in System Requirements.


Note
Initially, you must contact the Cisco Spaces support team for creating a Cisco Spaces account. You will get an invite to activate your Cisco Spaces account through e-mail. Click the Accept Activate button, and in the window that displays configure the log in credentials, and click Activate Account. You are now logged into Cisco Spaces. If you are a Dashboard Admin, you can now invite other Cisco Spaces users.

To start working with Cisco Spaces, perform the following steps:

Procedure

Step 1

Log in to Cisco Spaces.

Note

 

You can enable Single Sign-On for Cisco Spaces.

Step 2

Connect to your wireless network and configure the wireless network for Cisco Spaces referring to the instructions in the Setup section of the Cisco Spaces dashboard.

The setup instructions are also available in the following sections of this guide:

Note

 
Cisco Spaces provides a universal account so that you can connect Cisco Spaces to multiple wireless networks.

Step 3

Add your team members, and assign them roles and permissions. For more information about adding Cisco Spaces users, see Managing Cisco Spaces Users.

Step 4

Import the location hierarchy defined in your wireless network to Cisco Spaces. For more information on configuring the location hierarchy, see Chapter: Overview of Location Hierarchy..

Step 5

Monitor the Cisco Spaces domain and apps using the Monitor section.

Note

 

Cisco Spaces allows you to change your password even after your password is expired. After entering your credentials when you click the Continue button, a pop-up window to change the password appears.

Onboard Workflow

Follow these steps to log in to Cisco Spaces.

Before you begin

We recommend that you completed FRMOD onboarding process and have the FRMOD credentials available. For a successful onboarding experience, use your organization specific Identity Provider (IDP) by configuring the domain.

Procedure

Step 1

Complete the FRMOD onboarding process.

Step 2

Use your IDP and configure the domain.

For example, Cisco uses the frmod-cisco domain for Production onboarding and fedmod-cisco domain for staging environmemt.

Step 3

Use your organization's email address to request invite for Cisco Spaces Dashboard and Administrator Management access.

Step 4

Use the frmod-company.com email address and proceed with the activation instructions.

Step 5

Use the same frmod-company.com credentials to log in to Cisco Spaces.

What to do next

Idle Timeout for Cisco Spaces

A user who is logged in to the Cisco Spaces dashboard can remain idle only for a specific time period. If inactive for 15 minutes, the user is automatically logged out of the dashboard. A notification is displayed 5 minutes before the idle timeout and the title of the browser window where the Cisco Spaces application is open changes to INACTIVE: You will be logged out in 5 mins. Any action performed on the corresponding window extends the user's session.

Cisco Spaces Documentation

You can access the documentation for Cisco Spaces including Configuration Guides and Release Notes using the Cisco Spaces Support icon () displayed at the top-right of the Cisco Spaces dashboard.

You can also view the documentation, announcements, deployment guides, use cases and support information from the Spaces LaunchPad section. To do this, click the Spaces LaunchPad icon that is available at the bottom-right in Cisco Spaces UI.