TRANSCRIPT
Copyright © 2018, Oracle and/or its affiliates. All rights reserved. |
Welcome to Oracle Service Cloud Ask the Experts
Best Practices for Implementing & Maintaining SSO
Presenter: Shane Parsons
Topics Covered
• Concepts to understand before implementing SSO
• Implementing different types of SSO
• Common mistakes during implementation
• Demo
• Questions
Concepts to understand before implementing SSO
• General understanding of how SSO works
• SAML response decoders
– Fiddler
– https://www.samltool.com
– SAML Chrome extensions
– SAML tracer in Firefox
• Decode and read assertion
• Certificate Management
– Is certificate valid
– Does certificate require intermediate certificates for validation
Implementing different types of SSO
Customer portal SSO
• Supports identity provider (IDP) initiated SSO only
• Assertion Consumer Service (ACS) url https://<vhost>/ci/openlogin/saml/<login parameter>
– Ex. contact.login or contact.emails.address
• Entity ID can be any value in IDP
• Redirect added to assertion consumer service (ACS) url
– Ex. /ci/openlogin/saml/redirect/app/ask
Agent console IDP SSO
• Version 1
– ACS url https://<vhost>/cgi-bin/<interface>.cfg/php/admin/sso_launch.php?p_subject=<login parameter>
– Ex. Account.Login or Account.Emails.Address
• Version 2
– Must be used if implementing for AgentWeb
– ACS url https://<vhost>/cgi-bin/<interface>.cfg/php/sso/saml2/sp/post/acs.php
– Configuration performed in console via component “Single Sign On Configurations”
– Export metadata file and import into IDP
– Import IDP metadata file into Oracle Service Cloud
– Only the “Active” checkbox should be checked
– Entity ID can be any value in IDP
– Must use Internet Explorer to launch console
Agent console IDP SSO login process
Browser User Interface (Browser UI) IDP SSO
– ACS url https://<vhost>/cgi-bin/<interface>.cfg/php/sso/saml2/sp/post/acs.php
– Configuration performed in console via component “Single Sign On Configurations”
– Export out metadata file and import into IDP
– Import IDP metadata file into Oracle Service Cloud
– Check the “Active” checkbox only
– Relay State set to https://<vhost>/AgentWeb
Agent Console and Browser UI service provider (SP) SSO
– ACS url https://<vhost>/cgi-bin/<interface>.cfg/php/sso/saml2/sp/post/acs.php
– Configuration performed in console via component “Single Sign On Configurations”
– Export out metadata file and import into IDP
– Import IDP metadata file into CX
– Supports single logout
– Check both the “Active” and “Web SSO” checkboxes
– No setup for Agent Web needed
– Entity ID for console must match in IDP
Mandatory requirements for all SSO types
• Signing certificate uploaded into File Manager
– Additional Root Certificates folder
– Intermediate certificates must also be uploaded
• Config SAML_20_SIGN_CERTS
– Fingerprint of signing cert
– Remove colons
Common mistakes during implementation
• SAML_20_SIGN_CERTS
– Colons not removed
– Hidden spaces at either front or back of fingerprint
– Wrong value altogether
• IDP using http instead of https for ACS url
– Causes assertion to get lost during redirect to https
• Entity ID doesn’t meet requirements of IDP (SP initiated SSO)
– Some IDPs don’t support special characters such as the plus sign
– Subject not passed over since the request cannot be validated
Common mistakes during implementation
• Signing certificate unable to be validated
– Expired
– Requires intermediate/chain certificates
– Wrong certificate uploaded
• Subject incorrect
– Value doesn’t match authenticating column in database
– Comparison is case sensitive
– Email not set as login
– Account or Contact not in database
• ANY-TRUSTED used in production
– Signing certificate not validated against uploaded certificates
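The "decode and read assertion" step from the concepts slide and the SAML_20_SIGN_CERTS, https ACS url and case-sensitive subject mistakes from the two slides above, worked through as an added Python example; this is not code from the Oracle presentation or the product. It base64-decodes a SAMLResponse the way a SAML tracer does, reads issuer, destination, subject and validity window, computes the fingerprint of the signing certificate embedded in the assertion, and then reports which of the listed mistakes a configured SAML_20_SIGN_CERTS value contains. The response XML, hostnames and certificate bytes are constructed for the example; the slide does not say which hash the product expects for the fingerprint or whether it is compared case-insensitively, so the check accepts either an SHA-1 or SHA-256 hex fingerprint in either case (an assumption). Only the standard library is used.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the DER bytes of the IdP signing certificate. Only its
# hash matters for the fingerprint check, so it is not a real X.509 structure.
FAKE_CERT_DER = b"constructed-idp-signing-certificate-bytes"

# Constructed SAMLResponse, as a SAML tracer or samltool.com shows it after
# base64-decoding the POSTed form field. Hostnames and IDs are made up.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2018-01-18T16:00:00Z"
    Destination="https://example.custhelp.com/cgi-bin/example.cfg/php/sso/saml2/sp/post/acs.php">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-01-18T16:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>Jane.Doe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2018-01-18T15:55:00Z" NotOnOrAfter="2018-01-18T16:05:00Z"/>
  </saml:Assertion>
</samlp:Response>""" % base64.b64encode(FAKE_CERT_DER).decode()

# The SAMLResponse form field exactly as the browser POSTs it to the ACS url.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def decode_saml_response(b64):
    """Base64-decode the SAMLResponse field and parse it, as a SAML tracer does."""
    return ET.fromstring(base64.b64decode(b64))


def summarize(root):
    """The fields worth reading by eye: who issued it, where it went, for whom, and when."""
    cond = root.find(".//saml:Conditions", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.get("Destination"),
        "subject": root.findtext(".//saml:Subject/saml:NameID", namespaces=NS),
        "not_before": cond.get("NotBefore") if cond is not None else None,
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
    }


def signing_cert_fingerprints(root):
    """SHA-1 and SHA-256 fingerprints of the certificate embedded in the signature."""
    b64 = root.findtext(".//ds:X509Certificate", namespaces=NS) or ""
    der = base64.b64decode("".join(b64.split()))  # tolerate PEM-style line breaks
    return {
        "sha1": hashlib.sha1(der).hexdigest().upper(),
        "sha256": hashlib.sha256(der).hexdigest().upper(),
    }


def check_sign_certs_config(configured, root):
    """List the SAML_20_SIGN_CERTS mistakes from the slides found in a configured value."""
    problems = []
    if configured != configured.strip():
        problems.append("hidden whitespace at front or back of fingerprint")
    if ":" in configured:
        problems.append("colons not removed")
    cleaned = configured.strip().replace(":", "").upper()
    if not cleaned or any(c not in "0123456789ABCDEF" for c in cleaned):
        problems.append("not a hex fingerprint")
    elif cleaned not in signing_cert_fingerprints(root).values():
        problems.append("fingerprint does not match the signing certificate in the assertion")
    return problems


def destination_is_https(root):
    """The IdP must post to the https ACS url; an http Destination loses the assertion."""
    return (root.get("Destination") or "").startswith("https://")


def subject_matches_login(nameid, stored_login):
    """Subject must equal the authenticating column exactly; the check is case sensitive."""
    if nameid == stored_login:
        return "match"
    if nameid.lower() == stored_login.lower():
        return "case mismatch"
    return "no match"


if __name__ == "__main__":
    root = decode_saml_response(SAMPLE_RESPONSE_B64)
    print(summarize(root))
    sha1 = signing_cert_fingerprints(root)["sha1"]
    with_colons = ":".join(sha1[i:i + 2] for i in range(0, 40, 2))
    print(check_sign_certs_config(" " + with_colons, root))  # whitespace and colons reported
    print(check_sign_certs_config(sha1, root))               # no problems once fixed
```

To use it against a real login, paste the SAMLResponse value captured by the tracer into decode_saml_response and the current SAML_20_SIGN_CERTS value into check_sign_certs_config; a "case mismatch" from subject_matches_login against the contact or account login column is the symptom of the case-sensitive subject mistake above.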
Q&A
Have a Question? Ask the Experts!
Extending Data Into Your Site: Thursday, Jan. 25 @ 11 a.m. EST
Troubleshooting Wizardry: Thursday, Feb. 8 @ 11 a.m. EST
Register at: http://bit.ly/OSVCexperts
Continue the Conversation
www.cx.rightnow.com