Oracle Service Cloud Ask the Experts: Best Practices for Implementing & Maintaining SSO
Presenter: Shane Parsons
Topics Covered
- Concepts to understand before implementing SSO
- Implementing different types of SSO
- Common mistakes during implementation
- Demo
- Questions
Concepts to understand before implementing SSO
Concepts to understand before implementing SSO
- General understanding of how SSO works
- SAML response decoders:
  - Fiddler
  - https://www.samltool.com
  - SAML Chrome extensions
  - SAML tracer in Firefox
  - Decode and read the assertion
- Certificate management:
  - Is the certificate valid?
  - Does the certificate require intermediate certificates for validation?
Implementing different types of SSO
Customer Portal SSO
- Supports identity provider (IDP) initiated SSO only
- Assertion Consumer Service (ACS) URL: https://<vhost>/ci/openlogin/saml/<login parameter>
  - Ex. contact.login or contact.emails.address
- Entity ID can be any value in the IDP
- Redirect added to the ACS URL, e.g. /ci/openlogin/saml/redirect/app/ask
Agent Console IDP SSO
- Version 1
  - ACS URL: https://<vhost>/cgi-bin/<interface>.cfg/php/admin/sso_launch.php?p_subject=<login parameter>
  - Ex. Account.Login or Account.Emails.Address
- Version 2
  - Must be used if implementing for Agent Web
  - ACS URL: https://<vhost>/cgi-bin/<interface>.cfg/php/sso/saml2/sp/post/acs.php
  - Configuration performed in the console via the Single Sign On Configurations component
  - Export the metadata file and import it into the IDP
  - Import the IDP metadata file into Oracle Service Cloud
  - Only the Active checkbox should be checked
  - Entity ID can be any value in the IDP
  - Must use Internet Explorer to launch the console
Agent Console IDP SSO login process
Browser User Interface (Browser UI) IDP SSO
- ACS URL: https://<vhost>/cgi-bin/<interface>.cfg/php/sso/saml2/sp/post/acs.php
- Configuration performed in the console via the Single Sign On Configurations component
- Export the metadata file and import it into the IDP
- Import the IDP metadata file into Oracle Service Cloud
- Active checkbox only
- Relay State set to https://<vhost>/agentweb
Agent Console and Browser UI service provider (SP) SSO
- ACS URL: https://<vhost>/cgi-bin/<interface>.cfg/php/sso/saml2/sp/post/acs.php
- Configuration performed in the console via the Single Sign On Configurations component
- Export the metadata file and import it into the IDP
- Import the IDP metadata file into CX
- Supports single logout
- Active and Web SSO checkboxes
- No setup for Agent Web needed
- Entity ID for the console must match the one in the IDP
Mandatory requirements for all SSO types
- Signing certificate uploaded into the File Manager "Additional Root Certificates" folder
  - Intermediate certificates must also be uploaded
- Config setting SAML_20_SIGN_CERTS: fingerprint of the signing certificate, with the colons removed
Common mistakes during implementation
- SAML_20_SIGN_CERTS
  - Colons not removed
  - Hidden spaces at the front or back of the fingerprint
  - Wrong value altogether
- IDP using http instead of https for the ACS URL
  - Causes the assertion to get lost during the redirect to https
- Entity ID doesn't meet the requirements of the IDP (SP-initiated SSO)
  - Some IDPs don't support special characters such as the plus sign
  - Subject not passed over since the request cannot be validated
Common mistakes during implementation (continued)
- Signing certificate unable to be validated
  - Expired
  - Requires intermediate/chain certificates
  - Wrong certificate uploaded
- Subject incorrect
  - Value doesn't match the authenticating column in the database
  - Case sensitive
  - Email not set as login
  - Account or Contact not in the database
- ANY-TRUSTED used in production
  - Signing certificate not validated against uploaded certificates
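As an added example (not part of the deck), a small Python checker for the SAML_20_SIGN_CERTS, ACS URL and entity ID mistakes listed on the two slides above and on the mandatory-requirements slide. The certificate bytes are constructed placeholders, and SHA-1 as the fingerprint algorithm is an assumption, since the deck does not state which hash the fingerprint uses.

```python
"""Checks for the SAML_20_SIGN_CERTS, ACS URL and entity ID mistakes listed above.

SAMPLE_DER is a constructed placeholder, not a real X.509 certificate.
Assumption: the fingerprint is the hex digest (SHA-1 by default) of the DER certificate.
"""
import base64
import hashlib
from urllib.parse import urlsplit

# Constructed placeholder; a real deployment reads the IDP's signing certificate PEM.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the certificate body."""
    body = "".join(ln.strip() for ln in pem.splitlines()
                   if not ln.strip().startswith("-----"))
    return base64.b64decode(body)


def cert_fingerprint(pem: str, algo: str = "sha1") -> str:
    """Fingerprint in the form the config expects: upper-case hex, no colons."""
    return hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()


def check_sign_cert_config(config_value: str, pem: str) -> list:
    """Report the three SAML_20_SIGN_CERTS mistakes from the slides, in order."""
    findings = []
    if config_value != config_value.strip():
        findings.append("hidden whitespace around fingerprint")
    if ":" in config_value:
        findings.append("colons not removed")
    # Compare the normalised value so a colon/space slip does not mask a wrong value.
    if config_value.replace(":", "").strip().upper() != cert_fingerprint(pem):
        findings.append("fingerprint does not match the uploaded certificate")
    return findings


def check_acs_url(url: str) -> list:
    """The ACS URL configured in the IDP must be https, or the assertion is lost."""
    return [] if urlsplit(url).scheme == "https" else ["ACS URL is not https"]


def check_entity_id(entity_id: str) -> list:
    """Flag the '+' character the slides name as unsupported by some IDPs."""
    return ["entity ID contains '+'"] if "+" in entity_id else []
```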
Demo
Q&A