This document is designed to guide you through the integration steps for Agent SSO, including the end-to-end configuration process for three distinct providers that support the SAML 2.0 protocol.
The three providers are:
- Okta: Okta is a cloud-based identity and access management platform that facilitates secure and seamless authentication, including Single Sign-On (SSO), for various applications.
- Azure: Azure, Microsoft's cloud computing platform, offers robust identity services, including Single Sign-On (SSO), enabling users to access a wide range of applications with unified authentication.
- PingIdentity: PingIdentity provides identity and access management solutions, specializing in secure authentication and Single Sign-On (SSO) capabilities to enhance user access across diverse applications and systems.
Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context. The SSO Unified Login feature (“Agent SSO”) enables LiveEngage agents and site administrators to authenticate once, in their own environment, and then to seamlessly access the LiveEngage platform while already authenticated.
Okta Configuration
Okta SSO provides a centralized and secure way for organizations to manage user authentication and authorization.
Users can authenticate through Okta, and once authenticated, they can seamlessly access a range of applications, including cloud-based services, on-premises applications, and other integrated systems.
Prerequisites:
The following information must be collected from the client's side in order to configure Agent SSO:
- a) Login URL (Mandatory)
- b) Logout URL (Optional)
- c) Error URL (Optional)
- d) SAML x509 signature certificate (Mandatory)
Most of the configuration is done on the client's side; the SE/SA must know the procedure in order to guide the customer through it in case of questions, or if the client is not familiar with the process.
Steps 1 to 5 cover creating and configuring the customer's end of the process. Step 5 is the portion that an SE/SA is typically required to configure for the client.
1. Create a developer account:
Navigate to https://developer.okta.com/signup/ to create a developer account on Okta.
Follow the instructions provided to create your account. Once created, your Admin page appears.
2. Add an Application on Okta:
Navigate to the Applications pane
Click Applications > Create App Integration. The Create a new app integration dialog appears.
Select SAML 2.0 and click Next. The Create SAML integration page appears.
Provide the app name, leave other options as default and click Next. The Configure SAML section appears.
To configure SAML, you need the URL LivePerson provides for the SSO service, which always has the following format:
https://<LP-DOMAIN>/hc/s-xxxxxx/web/mLP/samlAssertionMembersArea/home.jsp?lpservice=liveEngage&servicepath=a%2F~~accountid~~%2F%23%2C~~ssokey~~
- LP-DOMAIN = the domain your account is on
- s-xxxxxxx = the site ID the customer is using
Reach out to your LivePerson Account Manager to set both of these on Supportal, our configuration page.
From these two values you can build the URL to enter as the Single sign-on URL in the Okta configuration.
Provide information into the following fields:
- Single sign-on URL = (Example)
- Audience URI (SP Entity ID) = (Example) LPAgentConsole
- Default Relay State = Leave empty
- Name ID format = Unspecified
- Application username = Select Okta username.
Scroll down to Attribute Statements to add mandatory details.
Note, Attribute Statements are case sensitive.
- siteId = your site ID number (MANDATORY)
- loginName = a unique user ID that matches the Login Name in LiveEngage
Leave Group Attribute Statements empty.
When done, scroll further down for the option to Preview the SAML Assertion generated from this form.
Example SAML Assertion based on this form:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="id13815152406829449514331" IssueInstant="2018-03-16T15:50:26.097Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://www.okta.com/Issuer</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">userName</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml2:SubjectConfirmationData NotOnOrAfter="2018-03-16T15:55:26.097Z" Recipient="https://server.lon.liveperson.net/hc/s-43465475/web/m-LP/samlAssertionMembersArea/home.jsp?lpservice=liveEngage&amp;servicepath=a%2F~~accountid~~%2F%23%2C~~ssokey~~"/>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2018-03-16T15:45:26.097Z" NotOnOrAfter="2018-03-16T15:55:26.097Z">
<saml2:AudienceRestriction>
<saml2:Audience>LPAgentConsole</saml2:Audience>
</saml2:AudienceRestriction>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2018-03-16T15:50:26.097Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="siteId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">43465475
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="loginName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
<saml2:AttributeValue
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">aoprawko@liveperson.com
</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
Press Next. The Feedback section appears.
On the last screen, select the required options and click Finish. Your new application is created; ensure its status shows as Active.
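As an added example (not from the original guide), the following Python script lints a SAML assertion preview like the one above against the settings this step configures: the Audience, the Recipient URL, the validity window and the two mandatory, case-sensitive attributes. The sample assertion and the LP domain, site ID and login name inside it are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values LiveEngage expects, taken from the configuration steps above.
EXPECTED_AUDIENCE = "LPAgentConsole"
REQUIRED_ATTRIBUTES = ("siteId", "loginName")   # attribute names are case sensitive

# Constructed placeholders (not a real domain or site ID): the SSO URL built
# from the LivePerson template with <LP-DOMAIN> and s-xxxxxx filled in.
SSO_URL = ("https://lp-domain.example/hc/s-12345678/web/mLP/samlAssertionMembersArea/"
           "home.jsp?lpservice=liveEngage&servicepath=a%2F~~accountid~~%2F%23%2C~~ssokey~~")

# Constructed sample assertion modelled on the Okta preview above ('&' is written
# as '&amp;' because the Recipient value sits inside an XML attribute).
SAMPLE_ASSERTION = f"""<saml2:Assertion xmlns:saml2="{NS['saml2']}" ID="id-constructed-1" Version="2.0">
  <saml2:Issuer>http://www.okta.com/Issuer</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID>agent.one@example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="2018-03-16T15:55:26.097Z"
          Recipient="{SSO_URL.replace('&', '&amp;')}"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2018-03-16T15:45:26.097Z" NotOnOrAfter="2018-03-16T15:55:26.097Z">
    <saml2:AudienceRestriction><saml2:Audience>LPAgentConsole</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="siteId"><saml2:AttributeValue>12345678</saml2:AttributeValue></saml2:Attribute>
    <saml2:Attribute Name="loginName"><saml2:AttributeValue>agent.one@example.com</saml2:AttributeValue></saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

VALID_AT = datetime(2018, 3, 16, 15, 50, tzinfo=timezone.utc)    # inside the sample's window
EXPIRED_AT = datetime(2018, 3, 16, 16, 0, tzinfo=timezone.utc)   # after NotOnOrAfter


def _saml_time(ts):
    # SAML timestamps are UTC with a trailing 'Z', e.g. 2018-03-16T15:50:26.097Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def lint_assertion(xml_text, expected_recipient, now):
    """Return a list of problems; an empty list means the assertion carries what
    Agent SSO needs. Content checks only: the XML signature is not verified here."""
    problems = []
    root = ET.fromstring(xml_text)

    # 1. Audience must equal the Entity ID entered in the IdP (LPAgentConsole).
    audiences = [a.text for a in root.findall(".//saml2:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"Audience {audiences} does not contain {EXPECTED_AUDIENCE!r}")

    # 2. Recipient must be exactly the LivePerson SSO URL for this site.
    scd = root.find(".//saml2:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected_recipient:
        problems.append(f"Recipient {recipient!r} is not the expected SSO URL")

    # 3. The Conditions window must include 'now'.
    cond = root.find("saml2:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        problems.append("Conditions with NotBefore/NotOnOrAfter are missing")
    elif not (_saml_time(cond.get("NotBefore")) <= now < _saml_time(cond.get("NotOnOrAfter"))):
        problems.append(f"assertion is not valid at {now.isoformat()}")

    # 4. Mandatory attributes must be present, spelled exactly, and non-empty.
    attrs = {}
    for attr in root.findall(".//saml2:Attribute", NS):
        value = attr.find("saml2:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    for name in REQUIRED_ATTRIBUTES:
        if name not in attrs:
            near = [n for n in attrs if n and n.lower() == name.lower()]
            hint = f" (found {near[0]!r}; names are case sensitive)" if near else ""
            problems.append(f"missing attribute {name!r}{hint}")
        elif not attrs[name]:
            problems.append(f"attribute {name!r} is empty")
    return problems


def check(xml_text, now=VALID_AT):
    """Lint against the constructed SSO_URL; returns the list of problems."""
    return lint_assertion(xml_text, SSO_URL, now)
```

The script checks content only; verifying the assertion's XML signature against the IdP certificate is what LiveEngage does with the certificate set in step 5.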
3. Download SAML Certificate
Scroll down to SAML Signing Certificates and click the Actions dropdown > Download Okta Certificate; this certificate is required later for the LiveEngage configuration.
4. Assign Application:
For the application to be visible in your profile it must be assigned: click the Assignments tab > Assign dropdown.
Click Assign to People. A new window appears with the username you used to create the Okta account.
Press Assign. The Assign Agent SSO Test to People modal appears.
loginName is hardcoded in the Attribute Statements here; however, the dynamic variable user.userName could have been used instead. This is how most customers will use SSO, so it is recommended that this value match the Login Name in LiveEngage.
Click Done to add the user to the list.
On the Okta end user dashboard, click My Applications to see your newly created app.
If all the steps have been completed correctly, you should see the following screen, with the new application assigned to your profile.
5. Configure Agent SSO:
With the customer end set up, we're ready to adjust LiveEngage to link the two together.
Open your downloaded Okta Certificate in the text editor of your choice.
Copy its contents. Reach out to your LivePerson Account manager to set the configuration on Supportal.
6. Test Agent SSO:
To test that SSO is enabled correctly, go back to Okta and click your new application.
If everything has been set up correctly, you will be logged in as the SSO user.
Azure Configuration
Azure offers SSO, a centralized and secure solution for organizations to handle user authentication and authorization.
Users can authenticate via Azure's SSO, gaining seamless access to a variety of applications, including cloud-based services, on-premises applications, and other integrated systems once authenticated.
Most of the configuration is done on the client's side; the SE/SA must know the procedure in order to guide the customer through it in case of questions, or if the client is not familiar with the process.
Steps 1 to 2 cover creating and configuring the customer's end of the process. Step 3 is the portion that an SE/SA is typically required to configure for the client.
Prerequisites:
- Access to Azure Admin portal.
The following information must be collected from the client's side in order to configure Agent SSO:
- a) Login URL (Mandatory)
- b) Logout URL (Optional)
- c) Error URL (Optional)
- d) SAML x509 signature certificate (Mandatory)
Single URL Bind
A Single URL Bind involves connecting to a specific web address or service using a binding method, associating a certificate with a singular URL.
1. Create Azure Application
Go to the Azure portal and browse to Azure Active Directory. In the top center search field, type in Enterprise Applications.
Select Enterprise Applications from the search results. The Enterprise Applications page appears.
Click New Application. The Browse gallery page appears.
Click Create your own application. The Create your own application modal appears.
Provide a name for the app, then select the Non-gallery option. Click Create. The application overview page appears.
Click Single sign-on. The Single sign-on page appears.
Select SAML as the single sign-on method. The SAML-based Sign-on page appears.
Click on the three dot menu > Edit option icon to edit the Basic SAML Configuration.
Fill in the form as per below:
- Identifier = (Example) - LPAgentConsole
- Reply URL = (Example)
- Sign On URL = Empty
- Relay State = Empty
Scroll further down to User Attributes.
Fill in the field as per below:
- User Identifier = user.userprincipalname - this is the Active Directory (AD) unique ID, which should equal the Login Name value in LiveEngage.
Scroll down to SAML Token Attributes.
Change the Signing Option to Sign SAML response. Save, and close the form.
2. Download SAML Certificate
Download the certificate from the portal for reuse in the LiveEngage settings.
3. Configure Agent SSO:
Reach out to your LivePerson Account Manager to set up on Supportal, our configuration page.
Once assigned to a user, the application will be in your Microsoft hub. Ensure required fields are filled, and avoid populating non-mandatory fields as LiveEngage may not support certain values, leading to potential launch errors.
Multi URL Bind
Azure supports binding to federation services certificates. If a customer wants to set up connections for all lpservices, including MCS and RTD, a different approach is needed.
For example:
1. Bind Federation Certificates
Request customer federation services metadata:
Within the metadata, locate the IDPSSODescriptor element:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_6f3edccb-3cf8-493b-bde6-7ffa7e4fe856" entityID="https://sts.windows.net/7acc61c5-e4a5-49d2-a52a-3ce24c726371/">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<Reference URI="#_6f3edccb-3cf8-493b-bde6-7ffa7e4fe856">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<DigestValue>9ORMtgZfrP7UdU4TzXlky/FuPbKFgBolDNFuTM/d0KQ=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>GpccAUmGGNvR6KADeHuUTPxQPl/qwNFh6zQNgNeIzq9RO31ZdHhbqominsySDhCeojg2qvBFdb1FTIsy37FeCG0tBCoH2umdw6ehegayQ6WaLQL7ZivYnL8IpGDAg6cW6DZi3wEu/UXucieiMzaoOIb11pZsO4uSApU/0fBC9odwSvikQYpww8efLHAwiEEzX85fQ9ffj3jzm+7+EjGJhsb0RAPwvafImP1EqKjz87pObA9iUgbWtC/8mxDPka3x3jrBwW1s3ubSp5nh1jyKwRs4P+gymbWBF8kiCCGbHg/u2bKrr0LQS3pHmOLja2uvEBV7XY0JgWpHYgLddUHj1w==</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>[certificate body omitted]</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>[certificate body omitted]</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>[certificate body omitted]</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<fed:ClaimTypesOffered>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<auth:DisplayName>Name</auth:DisplayName>
<auth:Description>The mutable display name of the user.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier">
<auth:DisplayName>Subject</auth:DisplayName>
<auth:Description>An immutable, globally unique, non-reusable identifier of the user that is unique to the application for which a token is issued.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
<auth:DisplayName>Given Name</auth:DisplayName>
<auth:Description>First name of the user.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
<auth:DisplayName>Surname</auth:DisplayName>
<auth:Description>Last name of the user.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/identity/claims/displayname">
<auth:DisplayName>Display Name</auth:DisplayName>
<auth:Description>Display name of the user.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/identity/claims/nickname">
<auth:DisplayName>Nick Name</auth:DisplayName>
<auth:Description>Nick name of the user.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant">
<auth:DisplayName>Authentication Instant</auth:DisplayName>
<auth:Description>The time (UTC) when the user is authenticated to Windows Azure Active Directory.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod">
<auth:DisplayName>Authentication Method</auth:DisplayName>
<auth:Description>The method that Windows Azure Active Directory uses to authenticate users.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/identity/claims/objectidentifier">
<auth:DisplayName>ObjectIdentifier</auth:DisplayName>
<auth:Description>Primary identifier for the user in the directory. Immutable, globally unique, non-reusable.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/identity/claims/tenantid">
<auth:DisplayName>TenantId</auth:DisplayName>
<auth:Description>Identifier for the user's tenant.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/identity/claims/identityprovider">
<auth:DisplayName>IdentityProvider</auth:DisplayName>
<auth:Description>Identity provider for the user.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<auth:DisplayName>Email</auth:DisplayName>
<auth:Description>Email address of the user.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
<auth:DisplayName>Groups</auth:DisplayName>
<auth:Description>Groups of the user.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/identity/claims/accesstoken">
<auth:DisplayName>External Access Token</auth:DisplayName>
<auth:Description>Access token issued by external identity provider.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/expiration">
<auth:DisplayName>External Access Token Expiration</auth:DisplayName>
<auth:Description>UTC expiration time of access token issued by external identity provider.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/identity/claims/openid2_id">
<auth:DisplayName>External OpenID 2.0 Identifier</auth:DisplayName>
<auth:Description>OpenID 2.0 identifier issued by external identity provider.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/claims/groups.link">
<auth:DisplayName>GroupsOverageClaim</auth:DisplayName>
<auth:Description>Issued when number of user's group claims exceeds return limit.</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
<auth:DisplayName>Role Claim</auth:DisplayName>
<auth:Description>Roles that the user or Service Principal is attached to</auth:Description>
</auth:ClaimType>
<auth:ClaimType xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706" Uri="http://schemas.microsoft.com/ws/2008/06/identity/claims/wids">
<auth:DisplayName>RoleTemplate Id Claim</auth:DisplayName>
<auth:Description>Role template id of the Built-in Directory Roles that the user is a member of</auth:Description>
</auth:ClaimType>
</fed:ClaimTypesOffered>
<fed:SecurityTokenServiceEndpoint>
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>https://login.microsoftonline.com/7acc61c5-e4a5-49d2-a52a-3ce24c726371/wsfed</wsa:Address>
</wsa:EndpointReference>
</fed:SecurityTokenServiceEndpoint>
<fed:PassiveRequestorEndpoint>
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>https://login.microsoftonline.com/7acc61c5-e4a5-49d2-a52a-3ce24c726371/wsfed</wsa:Address>
</wsa:EndpointReference>
</fed:PassiveRequestorEndpoint>
</RoleDescriptor>
<RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>[certificate body omitted]</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>[certificate body omitted]</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<fed:TargetScopes>
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>https://sts.windows.net/7acc61c5-e4a5-49d2-a52a-3ce24c726371/</wsa:Address>
</wsa:EndpointReference>
</fed:TargetScopes>
<fed:ApplicationServiceEndpoint>
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>https://login.microsoftonline.com/7acc61c5-e4a5-49d2-a52a-3ce24c726371/wsfed</wsa:Address>
</wsa:EndpointReference>
</fed:ApplicationServiceEndpoint>
<fed:PassiveRequestorEndpoint>
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>https://login.microsoftonline.com/7acc61c5-e4a5-49d2-a52a-3ce24c726371/wsfed</wsa:Address>
</wsa:EndpointReference>
</fed:PassiveRequestorEndpoint>
</RoleDescriptor>
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIC/TCCAeWgAwIBAgIISlx9oAuA2/MwDQYJKoZIhvcNAQELBQAwLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDAeFw0yMzEyMDUxNzE2NTdaFw0yODEyMDUxNzE2NTdaMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDft/FsFDx4A/vOeqTwHyRTBUUR1Xs3xZdJ+WiMcl/200LKqsx3iCwC7hFTOHCUGUAfBguGbAw2BGz4HiAuwRRpYlSPHk7g3Fx+iQL7pMvWn8igswZ6rAU4xIG3FrU6ecvd4BAPUPs7Sk6MkGy3X9Jk+zCF1XNMQahah3/W8wUO7TZ3eiA/+26/bOXkl33a3Xti6pvrXAMovMegJ5QxNUTNBLjifSZetYmeJpjT7/OzyinDCZQdFbckn+bSLkHWb2UWZxVRQqHlVhk9p5zl10I7jsn3WdmLS1yAAOGo/OEAkXbRwES+QI/2RImKK/ayx52URtNJkZBO4Ls6U/0by2+9AgMBAAGjITAfMB0GA1UdDgQWBBR6Y4Oi5GGItIomQ0yZfH/woCAogzANBgkqhkiG9w0BAQsFAAOCAQEAaNbWUtHv3+ryZecDc7m6V1V1rWrVkUwC2QO78a2TprEN3owOeP0IHP42fbd/wcSsufTTtkk/J+fqL5dtsQ6zk2kDQfY5CgOyVCsaxVqHsg3t8fAWBkHiNScjZvRhLx4ll9QMOtLAwL4Os3Of0qtvP61zONP9sCJoUB6hkB33SRma1OyPZnYK/l3r0Y49+Ov0wahcdI4yZI72hFXlyyLnOT8dMbJDwZ9LNXA/BauEff4qTI4nIQk/lQKS6BjHzvXZbkHYEV/6M7r1g1syeahDmnaII+ZiBwp6tmAZKZC0Q0O7y3DmcPrHiZdv35AHadZY5cGWy1rw8NIMkaHWZ0mP6Q==</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<KeyDescriptor use="signing">
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>[certificate body omitted]</X509Certificate>
</X509Data>
</KeyInfo>
</KeyDescriptor>
<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/7acc61c5-e4a5-49d2-a52a-3ce24c726371/saml2"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/7acc61c5-e4a5-49d2-a52a-3ce24c726371/saml2"/>
<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/7acc61c5-e4a5-49d2-a52a-3ce24c726371/saml2"/>
</IDPSSODescriptor>
</EntityDescriptor>
Azure presents three certificate entries in the metadata; each is the raw certificate body (bare base64 with no PEM header or footer), so it is not yet in the format LiveEngage accepts.
Copy the 1st or 2nd certificate entry (the complete line) from the XML:
[raw base64 certificate body omitted]
Go to Samltool to convert this to a valid X.509 certificate entry. Copy the converted certificate and add it to SiteGenProps.
Once completed proceed to create your service on Azure.
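As an added example (not from the original guide), this Python script does what the metadata step above describes: it takes SAML IdP metadata, skips the WS-Federation RoleDescriptor entries, pulls the signing certificate bodies from the IDPSSODescriptor, wraps each into a valid X.509 PEM entry (the Samltool conversion) and reads the Login and Logout URLs listed in the prerequisites. The metadata, tenant ID and certificate bodies are constructed placeholders, not a real tenant's values.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SAML2_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-ins for certificate bodies: minimal DER SEQUENCEs, not real
# certificates, so the sample runs offline and shows which entries get picked up.
IDP_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()    # "MAMCAQE="
WSFED_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x02").decode()  # "MAMCAQI="
TENANT = "TENANT-ID-PLACEHOLDER"   # stands in for the tenant GUID found in real metadata

# Constructed metadata shaped like the Azure document above: a WS-Federation
# RoleDescriptor (to be ignored), then the IDPSSODescriptor with a repeated cert.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{NS['md']}" entityID="https://sts.windows.net/{TENANT}/">
  <RoleDescriptor xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xsi:type="fed:SecurityTokenServiceType">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{WSFED_CERT_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{IDP_CERT_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><KeyInfo xmlns="{NS['ds']}"><X509Data>
      <X509Certificate>{IDP_CERT_B64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{SAML2_REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{SAML2_REDIRECT}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="{SAML2_POST}" Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def to_pem(raw_b64):
    """Wrap the bare base64 certificate body from metadata into PEM form (the
    conversion the Samltool step performs), after checking that it decodes to DER."""
    body = "".join(raw_b64.split())                 # metadata may wrap or indent the value
    der = base64.b64decode(body, validate=True)     # raises ValueError on a corrupted copy
    if not der or der[0] != 0x30:                   # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded bytes are not a DER SEQUENCE")
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64)) + "\n-----END CERTIFICATE-----\n"


def sso_prerequisites(metadata_xml):
    """Collect the Agent SSO prerequisites (Login URL, Logout URL, signing certs)
    from the IDPSSODescriptor only; WS-Federation RoleDescriptor entries are skipped."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    def location(service, binding):
        for el in idp.findall(f"md:{service}", NS):
            if el.get("Binding") == binding:
                return el.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # a missing 'use' covers signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            pem = to_pem(cert.text or "")
            if pem not in certs:                     # Azure lists the same cert more than once
                certs.append(pem)
    return {
        "entity_id": root.get("entityID"),
        "login_url": location("SingleSignOnService", SAML2_POST)
                     or location("SingleSignOnService", SAML2_REDIRECT),
        "logout_url": location("SingleLogoutService", SAML2_REDIRECT),
        "signing_certs": certs,
    }
```

The PEM output is what goes into SiteGenProps; the WS-Federation certificate is deliberately left out, matching the instruction to take the entry from the IDPSSODescriptor.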
2. Create Azure Application
Click New Application. The Browse gallery page appears.
Click Create your own application. The Create your own application modal appears.
Provide a name for the app, then select the Non-gallery option. Click Create. The application overview page appears.
Click Single sign-on. The Single sign-on page appears.
Select SAML as the single sign-on method. The SAML-based Sign-on page appears.
Click on the three dot menu > Edit option icon to edit the Basic SAML Configuration.
Fill in the form as per below:
- Identifier = (Example) - LPAgentConsole
- Reply URL = (Example)
Other services follow the same logic, but the URL changes to the relevant lpservice.
Scroll further down to User Attributes.
Fill in the field as per below:
- User Identifier = user.userprincipalname - this is the Active Directory (AD) unique ID, which should equal the Login Name value in LiveEngage.
Scroll down to SAML Token Attributes. Signing Option = DO NOT CREATE NEW CERTIFICATE
Microsoft Azure advises against creating a certificate; instead, use Federation certificates. Once the process is finished, the app will appear in the console.
Ensure proper user mapping, and users will have access to various services. For MCS and RTDASHBOARD, Admin privileges in LiveEngage are necessary; otherwise, SSO won't grant access.
Tips & Troubleshooting:
Ensure “Sign on URL” is empty for Basic SAML configuration.
When adding new claims, the input field looks to be a dropdown menu which makes it seem as though only user attributes (e.g. user.userprincipalname) can be assigned. But the field also allows text input to assign constant values e.g. to assign a constant string to siteId.
For IdP-initiated SSO, use the “User access URL” found under the Properties tab as the login page (not the “Login URL” under the Single Sign-On tab).
If presented with the following screen before login:
- Ensure “Sign on URL” field is empty in Basic SAML Configuration.
- Ensure that login is through the “User access URL” and not the “Login URL”.
PingIdentity Configuration
PingIdentity SSO provides organizations with a centralized and secure solution for managing user authentication and authorization.
Users can authenticate through PingIdentity SSO, enabling effortless access to a diverse range of applications, encompassing cloud-based services, on-premises applications, and other integrated systems upon successful authentication.
Most of the configuration is done on the client's side; the SE/SA must know the procedure in order to guide the customer through it in case of questions, or if the client is not familiar with the process.
Steps 1 to 3 cover creating and configuring the customer's end of the process. Step 3 is the portion that an SE/SA is typically required to configure for the client.
Prerequisites:
The following information must be collected from the client's side in order to configure Agent SSO:
- a) Login URL (Mandatory)
- b) Logout URL (Optional)
- c) Error URL (Optional)
- d) SAML x509 signature certificate (Mandatory)
1. Create a developer account:
Navigate to https://www.pingidentity.com/register.developer and sign up for a developer account to begin the process.
Log in to your newly created account.
2. Add an Application on PingIdentity:
Click Applications tab > Applications > +. The Add Application modal appears.
Fill in the details within the form:
- Application Name: Your application service name
- Application Description: Add a few words to describe what your app will be doing.
Select SAML Application and click Configure. The SAML configuration modal appears.
Fill in the fields as per below:
- Assertion Consumer Service (ACS) URL = (Example)
- Entity ID = (Example) - liveperson
Click Protocol SAML. The edit configuration modal appears.
Ensure that Signing Algorithm is set to RSA_SHA256 in the dropdown. Once done, click Download Metadata to download the certificate.
Once completed click the slider to enable the application.
If you do not yet have a user created, go to the Users tab, where you can create one.
Click +. The Add user modal appears.
Fill in the form, with Username equal to your Login Name in LiveEngage. Once done, ensure that groups are added and save.
3. Configure Agent SSO:
Ensure that the radio option is set to On. Scroll to the bottom and click Update Features to apply the configuration.
The SSO option is now enabled.