Welcome to Oracle Service Cloud Ask the Experts • Import IDP metadata file into Oracle Service...


Upload: truongnga

Post on 21-Apr-2018


TRANSCRIPT

Copyright © 2018, Oracle and/or its affiliates. All rights reserved. |

Welcome to Oracle Service Cloud Ask the Experts

Best Practices for Implementing & Maintaining SSO

Presenter: Shane Parsons

Dial-In: 1-866-682-4770

Conference Code: 7817715

Security Passcode: 1234

Global Numbers:

– Australia: +61 2 9491 2888
– Brazil (San Paulo): +55 11 5189 7347
– Brazil (Rio de Janeiro): +55 21 3534 6200
– Canada (Vancouver): +1 604 637 9200
– Canada (Toronto): +1 647 775 1275
– Hong Kong: +85 236 551 900
– India (Bangalore): +91 803 989 0080
– India (Chennai): +91 443 989 0080
– India (Kolkata): +91 333 989 0080
– India (New Delhi): +91 113 989 0060
– Netherlands: +31 30 669 9100
– Pakistan: +65 6436 1118
– Romania: +40 21 367 8899
– Spain: +34 9 1414 3755
– Switzerland: +41 227 999 898
– United Kingdom: +44 20 8118 1001

Lines have automatically been muted. #6 to unmute

*Ignore the attendee ID that appears in the pop up once logging into WebEx.*


Topics Covered


• Concepts to understand before implementing SSO

• Implementing different types of SSO

• Common mistakes during implementation

• Demo

• Questions


Concepts to understand before implementing SSO


• General understanding of how SSO works

• SAML response decoders

– Fiddler

– https://www.samltool.com

– SAML Chrome extensions

– SAML tracer in Firefox

• Decode and read the assertion

• Certificate management

– Is the certificate valid?

– Does the certificate require intermediate certificates for validation?
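The following Python is an added example, not part of the presentation or of any Oracle tool: it performs the “decode and read the assertion” step from the list above by hand, without a browser extension. It base64-decodes the SAMLResponse value that the HTTP-POST binding sends to the ACS URL, extracts the fields worth checking first (status, destination, issuer, NameID and its format, the NotBefore/NotOnOrAfter window, the audience), reports why an SP would reject the assertion, and looks the NameID up in the authenticating column the way the later slides describe: exactly and case-sensitively. The response is constructed and unsigned, and the vhost, entity ID, issuer and login values are placeholders.

```python
import base64
import datetime as dt
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces needed to address elements in the response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response (not captured from a real IDP). It carries no
# Signature element; signature verification is the SP's job and is not shown.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2018-04-21T15:00:00Z"
    Destination="https://example-vhost/cgi-bin/example.cfg/php/sso/saml2/sp/post/acs.php">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-04-21T15:00:00Z">
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Shane.Parsons</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-04-21T14:55:00Z" NotOnOrAfter="2018-04-21T15:05:00Z">
      <saml:AudienceRestriction><saml:Audience>example-console-entity</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# What the browser actually posts to the ACS URL: the XML, base64-encoded.
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def parse_instant(value):
    """SAML timestamps are ISO 8601 in UTC with a trailing Z."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def decode_saml_response(b64_value):
    """Base64-decode the SAMLResponse form field and parse the XML."""
    return ET.fromstring(base64.b64decode(b64_value))


def summarize_assertion(root):
    """Pull out the fields to compare against the IDP and SP configuration."""
    assertion = root.find("saml:Assertion", NS)
    conditions = assertion.find("saml:Conditions", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "status": status.get("Value"),
        "destination": root.get("Destination"),
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS),
        "name_id": name_id.text,
        "name_id_format": name_id.get("Format"),
        "not_before": parse_instant(conditions.get("NotBefore")),
        "not_on_or_after": parse_instant(conditions.get("NotOnOrAfter")),
        "audience": conditions.findtext(
            "saml:AudienceRestriction/saml:Audience", default="", namespaces=NS),
    }


def check_conditions(summary, now, expected_audience, skew_seconds=60):
    """Return the reasons an SP would reject this assertion (empty list = none)."""
    problems = []
    skew = dt.timedelta(seconds=skew_seconds)
    if now < summary["not_before"] - skew:
        problems.append("assertion not yet valid (NotBefore in the future; check clock skew)")
    if now >= summary["not_on_or_after"] + skew:
        problems.append("assertion expired (NotOnOrAfter passed)")
    if summary["audience"] != expected_audience:
        problems.append("audience %r != SP entity ID %r" % (summary["audience"], expected_audience))
    if not summary["status"].endswith(":Success"):
        problems.append("IDP status is not Success: " + summary["status"])
    return problems


def match_subject(name_id, login_values):
    """Look the NameID up in the authenticating column (Account.Login,
    Contact.Login, ...). The match is exact and case-sensitive, as the slides
    warn; a value that differs only in case is returned as a hint, not a match."""
    if name_id in login_values:
        return {"match": name_id, "case_only_mismatch": None}
    near = [v for v in login_values if v.casefold() == name_id.casefold()]
    return {"match": None, "case_only_mismatch": near[0] if near else None}


if __name__ == "__main__":
    summary = summarize_assertion(decode_saml_response(SAMPLE_SAMLRESPONSE))
    print(summary)
    print(check_conditions(summary, dt.datetime.now(dt.timezone.utc), "example-console-entity"))
    print(match_subject(summary["name_id"], ["shane.parsons"]))
```

Paste a real SAMLResponse into decode_saml_response() and compare the summary's audience with the entity ID exported from “Single Sign On Configurations” and its destination with the ACS URL; a NameID that differs from the login column only in case shows up as case_only_mismatch and will not log in. Run against the current clock, the constructed sample reports itself expired, which is the expected result for a 2018 assertion.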



Implementing different types of SSO


Customer portal SSO

• Supports identity provider (IDP) initiated SSO only

• Assertion Consumer Service (ACS) URL: https://<vhost>/ci/openlogin/saml/<login parameter>

– Ex. contact.login or contact.emails.address

• Entity ID can be any value in IDP

• Redirect added to the assertion consumer service (ACS) URL

– Ex. /ci/openlogin/saml/redirect/app/ask


Agent console IDP SSO

– Version 1

• ACS URL: https://<vhost>/cgi-bin/<interface>.cfg/php/admin/sso_launch.php?p_subject=<login parameter>

• Ex. Account.Login or Account.Emails.Address

– Version 2

• Must be used if implementing for AgentWeb

• ACS URL: https://<vhost>/cgi-bin/<interface>.cfg/php/sso/saml2/sp/post/acs.php

• Configuration performed in the console via the “Single Sign On Configurations” component

• Export the metadata file and import it into the IDP

• Import the IDP metadata file into Oracle Service Cloud

• Only the “Active” checkbox should be checked (leave “Web SSO” unchecked)

– Entity ID can be any value in IDP

– Must use Internet Explorer to launch the console


Agent console IDP SSO login process


Browser User Interface (Browser UI) IDP SSO

– ACS url https://<vhost>/cgi-bin/<interface>.cfg/php/sso/saml2/sp/post/acs.php

– Configuration performed in console via component “Single Sign On Configurations”

– Export out metadata file and import into IDP

– Import IDP metadata file into Oracle Service Cloud

– Only the “Active” checkbox is checked (leave “Web SSO” unchecked)

– Relay State set to https://<vhost>/AgentWeb



Agent Console and Browser UI service provider (SP) SSO

– ACS url https://<vhost>/cgi-bin/<interface>.cfg/php/sso/saml2/sp/post/acs.php

– Configuration performed in console via component “Single Sign On Configurations”

– Export out metadata file and import into IDP

– Import IDP metadata file into CX

– Supports single logout

– Both the “Active” and “Web SSO” checkboxes are checked

– No setup for Agent Web needed

– Entity ID for console must match in IDP



Mandatory requirements for all SSO types

• Signing certificate uploaded into File Manager

– Additional Root Certificates folder

– Intermediate certificates must also be uploaded

• Config SAML_20_SIGN_CERTS

– Fingerprint of the signing certificate

– Remove the colons
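Added example (not from the presentation or from Oracle): Python that derives the SAML_20_SIGN_CERTS value from the IDP's signing certificate and lints the value actually entered, catching the colons, the leading, trailing or zero-width whitespace, and the wrong-value mistakes the deck lists under common mistakes. It assumes the config expects the SHA-1 fingerprint over the certificate's DER encoding, i.e. what `openssl x509 -noout -fingerprint -sha1` prints minus the colons; that hash choice is an assumption, and the certificate bytes below are a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re
import textwrap

# Constructed placeholder standing in for the DER bytes of the IDP's signing
# certificate. It is NOT a real certificate; only the hashing path matters here.
PLACEHOLDER_DER = bytes(range(256)) * 3
PLACEHOLDER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(PLACEHOLDER_DER).decode(), 64))
    + "\n-----END CERTIFICATE-----\n"
)

# Characters that survive copy/paste from a web page or spreadsheet but are
# invisible in the config editor. NBSP counts as whitespace; these do not.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\ufeff"}


def pem_to_der(pem_text):
    """Strip the PEM armour and return the certificate's DER bytes."""
    body = [
        line.strip() for line in pem_text.splitlines()
        if line.strip() and not line.startswith("-----")
    ]
    return base64.b64decode("".join(body))


def sha1_fingerprint(der_bytes, sep=""):
    """Fingerprint = upper-case hex of SHA-1 over the DER encoding (assumed to be
    what SAML_20_SIGN_CERTS expects). sep=":" gives the openssl display form."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return sep.join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(value):
    """What the config value should look like: hex only, no colons, no
    whitespace or zero-width characters, upper-case."""
    kept = [ch for ch in value if not ch.isspace() and ch not in ZERO_WIDTH]
    return "".join(kept).replace(":", "").upper()


def check_sign_certs_value(config_value, pem_text):
    """Lint a SAML_20_SIGN_CERTS value against the certificate it should name.
    Returns the normalized value, the expected value and a list of findings;
    an empty list means the value is correct exactly as entered."""
    issues = []
    if ":" in config_value:
        issues.append("colons not removed")
    if any(ch.isspace() or ch in ZERO_WIDTH for ch in config_value):
        issues.append("hidden whitespace or zero-width characters present")
    normalized = normalize_fingerprint(config_value)
    if not re.fullmatch(r"[0-9A-F]{40}", normalized):
        issues.append("not a 40-hex-digit SHA-1 fingerprint: %r" % normalized)
    expected = sha1_fingerprint(pem_to_der(pem_text))
    if normalized != expected:
        issues.append("value does not match the certificate (expected %s)" % expected)
    return {"normalized": normalized, "expected": expected, "issues": issues}


if __name__ == "__main__":
    # Typical paste from the IDP's metadata page: colons, lower case, stray NBSP.
    pasted = "\u00a0" + sha1_fingerprint(PLACEHOLDER_DER, ":").lower() + " "
    print(check_sign_certs_value(pasted, PLACEHOLDER_PEM))
```

Replace PLACEHOLDER_PEM with the certificate exported from the IDP (the same file uploaded to the Additional Root Certificates folder) and feed the value copied back out of the config editor to check_sign_certs_value(); the findings list names each of the mistakes the deck warns about, and "expected" is the value to paste in.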



Common mistakes during implementation

• SAML_20_SIGN_CERTS

– Colons not removed

– Hidden spaces at either front or back of fingerprint

– Wrong value altogether

• IDP using http instead of https for the ACS URL

– Causes the assertion to get lost during the redirect to https

• Entity ID doesn’t meet the IDP’s requirements (SP-initiated SSO)

– Some IDPs don’t support special characters such as the plus sign

– Subject not passed over because the request cannot be validated
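Added example (not from the presentation or from Oracle): a Python pre-flight check for the IDP-side values, covering the ACS URL shapes from the SSO-type slides and the http-versus-https and entity-ID mistakes listed above. It parses the ACS URL, requires https, checks the path against the expected shape for the chosen SSO type, extracts <interface> and the login parameter, and flags entity-ID characters that some IDPs reject. The set of characters treated as safe in an entity ID is an assumption, and the host names are placeholders.

```python
import re
from urllib.parse import parse_qs, urlparse

# ACS URL shapes from the slides, keyed by SSO type. Browser UI IDP SSO and
# SP-initiated SSO use the same acs.php endpoint as agent console version 2.
ACS_PATHS = {
    "customer_portal": re.compile(r"^/ci/openlogin/saml/(?P<tail>.+)$"),
    "agent_console_v1": re.compile(
        r"^/cgi-bin/(?P<interface>[^/]+)\.cfg/php/admin/sso_launch\.php$"),
    "agent_console_v2": re.compile(
        r"^/cgi-bin/(?P<interface>[^/]+)\.cfg/php/sso/saml2/sp/post/acs\.php$"),
}

# Characters assumed safe in an SP entity ID for the pickier IDPs the slides
# mention; anything else (the plus sign in particular) is reported.
ENTITY_ID_SAFE = re.compile(r"[A-Za-z0-9._:/-]")


def check_acs_url(url, sso_type, expected_vhost=None):
    """Lint the ACS URL as configured on the IDP side. Returns findings plus
    the pieces (interface, login parameter tail, p_subject) parsed from it."""
    issues, details = [], {}
    u = urlparse(url)
    if u.scheme != "https":
        issues.append("scheme is %r; it must be https or the assertion is lost "
                      "on the redirect to https" % u.scheme)
    if expected_vhost and u.netloc.lower() != expected_vhost.lower():
        issues.append("host %r is not the expected vhost %r" % (u.netloc, expected_vhost))
    m = ACS_PATHS[sso_type].match(u.path)
    if m is None:
        issues.append("path %r is not the %s ACS path" % (u.path, sso_type))
    else:
        details.update(m.groupdict())
    if sso_type == "agent_console_v1":
        query = parse_qs(u.query)
        if "p_subject" not in query:
            issues.append("p_subject=<login parameter> missing from the query string")
        else:
            details["p_subject"] = query["p_subject"][0]
    return {"issues": issues, "details": details}


def check_entity_id(entity_id):
    """Characters in the SP entity ID that some IDPs reject (sorted, de-duplicated)."""
    return sorted({ch for ch in entity_id if not ENTITY_ID_SAFE.fullmatch(ch)})


if __name__ == "__main__":
    print(check_acs_url(
        "http://example-vhost/cgi-bin/example.cfg/php/sso/saml2/sp/post/acs.php",
        "agent_console_v2", expected_vhost="example-vhost"))
    print(check_entity_id("example-console+prod"))
```

Run it against the ACS URL and entity ID as they appear in the IDP's SP definition, not as you meant to type them; an http scheme or a mistyped interface name is reported before anyone sees a blank login page.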



Common mistakes during implementation

• Signing certificate unable to be validated

– Expired

– Requires intermediate/chain certificates

– Wrong certificate uploaded

• Subject incorrect

– Value doesn’t match the authenticating column in the database

• Case sensitive

• Email not set as login

– Account or Contact not in database

• ANY-TRUSTED used in production

– Signing certificate not validated against the uploaded certificates


Demo



Chat and Phone Lines

• Send your chats to ALL PANELISTS

• Lines are muted. Press #6 to unmute.

• Recommend unmuting and then muting via your device or desk phone


Q&A


Have a Question? Ask the Experts!

Extending Data Into Your Site Thursday, Jan. 25 @ 11 a.m. EST

Troubleshooting Wizardry Thursday, Feb. 8 @ 11 a.m. EST

Register at: http://bit.ly/OSVCexperts


Continue the Conversation


www.cx.rightnow.com


Your Feedback

• Once I end the meeting,

– You will get a notification that the host has ended the meeting.

– Click OK.

– A short feedback survey will appear in your browser.



Thank You!
