Login with Credentials but bypass Tenfold Login
Agent SSO into LivePerson is now available. However, if you still choose to log in with credentials, you may set up SSO with Tenfold using Salesforce as the identity provider. This will mitigate multiple logins for the agent users in Salesforce. Use the following directions to set up SSO. If this is not enabled, agents will need to log in with credentials twice: once into Tenfold and then again into LivePerson. The agents will need to provide the LivePerson account ID and credentials.
* Please note: if SSO is enabled in your LivePerson account for a subset of agents and you still choose to log in with credentials, you must migrate from IDP-initiated to SP-initiated authentication and OAuth in LivePerson.
If SSO is not enabled and agents try to log in to LivePerson, this is what they see:
After providing their account ID, the agent will need to input the credentials.
Agent SSO
LivePerson has recently added the ability for agents to use SSO with their LP accounts. Instead of using credentials to authenticate with LivePerson, agents can log in with their identity provider, such as Okta or Salesforce.
For SSO to work, LivePerson accounts must be migrated from the IDP-initiated flow to the SP-initiated flow and OAuth. Please reach out to your account team to enable this.
For an account that has SSO enabled, this is what the agent would see:
When SSO is enabled, agents can log in with credentials as well as with SAML. It’s also possible to disable credentials login entirely for a brand, forcing agents to log in using SSO. In that case, after providing their account ID, agents are taken directly to their identity provider’s webpage. If you would like to disable the option to log in with credentials, you may reach out to your account team.
Once they click the “Continue with SAML” button, they will be taken to their identity provider of choice to log in, and then back to LivePerson.
🚨 Whether SSO is enabled or not, the agent is asked to provide the account ID to initiate authentication. That is required because the first time you access LivePerson, the website doesn’t know who you are or what the settings for your account are. When you provide your brand ID, LivePerson fetches the settings for your account and decides what options you have access to, as shown in the example videos above. It’s understood that we want to minimize the clicks and information the agent needs to provide, but this step cannot be avoided.
This section covers how to set up SSO in all the different touch points involved.
1.1 Configuring your IDP
There is a variety of identity providers, and LivePerson should be able to support most of them. Fortunately, the technologies behind SSO (such as SAML) are well standardized, so as long as your IDP implements SAML as per the specification, it should work with LivePerson. This section covers instructions on how to set up two different identity providers.
Using Okta as an IDP
Before configuring the SSO application in Okta, we need to add some additional fields to Okta to hold information that needs to be sent to LP as part of the SAML authentication. To do so:
1 - Click Profile Editor
2 - Select “Okta”
3 - Click on Add Attribute
4 - In the modal that opens, give the new attribute a display name and a variable name. All the other fields can be left as is. This field will be used to store the LivePerson account ID.
5 - Click “Save and Add Another”. Repeat the step and create a second field to store the LivePerson username for each user:
It’s important to highlight that the instructions below are specific to the identity providers demonstrated, and there will be differences for other identity providers.
6 - Save and go to the Directory > People tab
7 - For each user in the “People” list, open the user profile:
8 - Click on Edit and add the LivePerson brand ID and LivePerson username for that user in the two new attributes you created in the previous steps:
9 - Save and repeat for other users.
Once that’s done, we’re ready to create the SSO app in Okta:
1 - Log in to your Okta account with an admin account
2 - Go to the “Applications” tab and click “Create App Integration”
3 - In the modal that opens, select SAML 2.0 and click “Next”
4 - Give your app a name and an optional icon:
5 - In the next screen, provide the following fields:
Single sign-on URL: https://AUTH0_DOMAIN/login/callback?connection=CONNECTION_NAME
Audience URI (SP Entity ID): urn:auth0:AUTH0_DOMAIN:CONNECTION_NAME
Where AUTH0_DOMAIN and CONNECTION_NAME should be replaced according to the instructions found in this document.
6 - Scroll down and in the “Attributes Statements” section, add two new fields like below:
Note that the values in the “Name” column must be siteId and loginName. The values in the “Value” column must be user.FIELD_NAME, where FIELD_NAME is the “variable name” you gave to the custom attributes you created in the previous steps. For example, if you created a custom attribute called liveperson_account_id to store the account ID, the “Value” in the screenshot above would be user.liveperson_account_id
7 - Hit next
8 - In the “Feedback“ section, just hit “Finish”
9 - Your app should be visible under Applications > Applications:
10 - Click on your app and go to the “Sign On” tab
11 - In the SAML 2.0 section, expand the details and locate the “Sign on URL”. This value needs to be sent to the security team when you ask them to enable SSO for your LP account.
The attribute statements added in step 6 tell Okta what information to pass to LivePerson so that it can identify which agent has logged in. The siteId field carries the brand ID, and the loginName field carries the agent username.
12 - A bit further down, click “Download” to download the signing certificate. This also needs to be sent to your LivePerson team when enabling SSO for your LivePerson account.
13 - Now you have to assign this app to your users. Click the “Assign Users to App” button seen in the screenshot above
14 - In the next screen, select your app, and the users that should be assigned to it:
15 - Hit “Next” and then “Confirm Assignments“
After you take all the steps above, your Okta account should be ready to use as your identity provider. Don’t forget to send the “Sign on URL“ and the “Signing Certificate“ to the security team when you ask them to enable SSO for your LP account.
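Before handing the values over, it helps to confirm that the assertion Okta emits actually carries the audience and the two attribute statements configured above. The following is an added example, not code from LivePerson, Tenfold or Okta: it checks a decoded SAML assertion from a test login for the Audience URI and for non-empty siteId and loginName attributes. The function name check_assertion and the sample assertion are constructed for illustration, and the script checks the mapping only; it does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholders exactly as written on the page; substitute your real values.
EXPECTED_AUDIENCE = "urn:auth0:AUTH0_DOMAIN:CONNECTION_NAME"
REQUIRED_ATTRIBUTES = ("siteId", "loginName")

# Constructed sample assertion (not from a real tenant). It contains two
# typical mapping mistakes: an empty value and a mis-cased attribute name.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>urn:auth0:AUTH0_DOMAIN:CONNECTION_NAME</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="siteId"><saml:AttributeValue/></saml:Attribute>
    <saml:Attribute Name="loginname">
      <saml:AttributeValue>agent@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_audience=EXPECTED_AUDIENCE):
    """Return a list of mapping problems; an empty list means none were found."""
    root = ET.fromstring(xml_text)
    problems = []
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} lacks {expected_audience}")
    # Collect every attribute name with its non-empty values.
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        attrs[attr.get("Name")] = values
    for name in REQUIRED_ATTRIBUTES:
        if name not in attrs:
            # Point out a near miss such as a differently cased name.
            near = [n for n in attrs if n and n.lower() == name.lower()]
            hint = f"; found {near[0]!r} instead" if near else ""
            problems.append(f"missing attribute {name!r}{hint}")
        elif not attrs[name]:
            problems.append(f"attribute {name!r} has no value")
    return problems


if __name__ == "__main__":
    for problem in check_assertion(SAMPLE_ASSERTION) or ["no problems found"]:
        print(problem)
```

An empty siteId or loginName usually means the custom profile fields were not filled in for that user under Directory > People.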
1.2 Enabling and configuring SSO in LivePerson
After completing the steps above provide the following to your LivePerson account team:
- Brand ID
- IDP certificate
- IDP sign-in URL
If you wish, you may also ask to have credentials login completely disabled.
1.3 Configuring SSO in Tenfold
On the Tenfold side of things the setup is quite simple. All you need to do is:
1. Go to Company Settings > Messaging in the Tenfold Dashboard:
2. If you do not have the “Enable Messaging for this organization” option checked, go ahead and do so:
3. In the Authentication Type, select the “Login with OAuth” option
4. Click “Save”
5. Click Connect with LivePerson. You will be taken to LivePerson and then to your identity provider for authentication. Once you successfully authenticate, you should be taken back to the dashboard with a confirmation that everything worked: