Source: communities.rightnow.com/files/48333c54b7/Example... (Web view: PING Federate SETUP example)


www.rightnow.com

APPENDIX A : PING FEDERATE SETUP EXAMPLE

This is a list of Ping FS (version 6.3) screenshots showing the steps to create a RightNow (Agent Console) Service Provider connection. Note that these steps assume that an IdP adapter has already been created on PingFS (see Figure 14) with the right attributes to pass to the SAML_SUBJECT for the connection (see Figure 16). Also, while there are places where extra data could be passed in the assertion (see for example Figure 12 or Figure 15), RightNow does not currently support this in Phase 1.

Figure 1 – Create an SP connection

Figure 2 – No template for connection

Figure 3 – Use Browser SSO Profiles (SAML 2.0)

Figure 4

Figure 5 – In Phase 1 we do not plan to support SAML 2.0 metadata

Figure 6 – Set the connection name as required by Ping

©2010 RightNow Technologies. All rights reserved. RightNow and RightNow logo are trademarks of RightNow Technologies Inc. All other trademarks are the property of their respective owners.


Figure 7

Figure 8 – We only support IdP-initiated SSO in Phase 1

Figure 9 – Set the SAML 2.0 validity range. +/- 5 minutes is probably a good default value (note that servers are expected to be time-synced!)

Figure 10

Figure 11 – We need a “known” value to use as the SAML subject (like the account ID), so we can map it to an account in our DB.

Figure 12 – The SAML Subject’s format is not specified (it could be an account ID, login, etc.)

Figure 13

Figure 14 – Need to select an existing IdP adapter


Figure 15 – Do not retrieve any extra attributes

Figure 16 – As an example, use acct_login as the SAML 2.0 assertion subject. See supported values in Error: Reference source not found and Error: Reference source not found (any Ping adapter needs to support at least one of those).

Figure 17

Figure 18

Figure 19

Figure 20

Figure 21

Figure 22 – POST binding only; the URL is from Error: Reference source not found (or Error: Reference source not found). Notice the https link used (see Error: Reference source not found for background)


Figure 23

Figure 24 – Need the signature to be able to verify the assertion (see Error: Reference source not found)

Figure 25 – We do not support encryption in SAML messages in Phase 1. Use SSL connections for confidentiality (see Figure 22)

Figure 26

Figure 27

Figure 28

Figure 29

Figure 30 – The certificate used for signing the assertion needs to be included with the assertion (see Error: Reference source not found)

Figure 31

Figure 32

Figure 33


APPENDIX B : PING IDP APPLICATION EXAMPLE

Once a RightNow SP is created in Ping (as shown in APPENDIX A), one can test it using the IdP sample app from Ping’s Java Integration Kit (which first needs to be installed on the Ping FS machine). Here is a list of screenshots showing how one might perform an IdP-initiated login to the Agent Console using this sample application.

Figure 34 – SP selection. The user selects the RightNow Agent Console SP (2) at the IdP, then initiates the SSO login (3)

Figure 35 – IdP login. If the user does not yet have a valid session at the IdP, a login will be needed.

Note that this example assumes there is an “admin” user at the IdP that is also available (i.e. provisioned) as a RightNow account. Also note the browser compatibility/settings needed for automatic Agent login (Error: Reference source not found)


Figure 36 – RightNow ClickOnce application install. The IdP SSO redirects to the RightNow ClickOnce URL. If the RightNow application is not installed yet, the prompt to install it should come up

Figure 37 – Automatic login. The RightNow application should automatically log in the user

APPENDIX C : WINDOWS ADFS RELYING PARTY SETUP

Windows ADFS can also generate SAML 2.0 assertions for IdP-initiated SSO. In this appendix we detail how this feature of ADFS can be set up to point to a RightNow SAML-enabled site.

Figure 38 – Log into the ADFS server and start the ADFS 2.0 Management Console

Figure 39 – Add a new Relying Party Trust (starts the wizard)

Figure 40

Figure 41


Figure 42 – Ideally the name of the Relying Party includes whether it is Agent or CP and the site/interface (so it is distinguishable for SSO testing in Error: Reference source not found)

Figure 43

Figure 44 – At this point we do not support encryption

Figure 45 – Set the SAML 2.0 Assertion Consumer URL (either the console SSO launch page (Error: Reference source not found) or the CP SSO controller URL (Error: Reference source not found)) for the site/interface.

Figure 46 – The Relying Party ID(s) will be listed as the Audience Restriction in the SAML assertion. Currently we won’t use that (instead using the Recipient field, which is set to the Assertion Consumer URL)

Figure 47


Figure 48

Figure 49

Figure 50

Figure 51

Figure 52 – Map the principal name (i.e. login name) to the SAML NameID (Subject) parameter that RightNow needs. Various LDAP (AD) mappings could be experimented with here to test the RightNow SSO mappings (see Error: Reference source not found and Error: Reference source not found)

Note #1: To change the certificate (key) or the method by which the SAML response/assertion is signed, one must use the PowerShell command line; see the details on MS TechNet.

Note #2: The ADFS-generated SAML 2.0 assertion validity range seems to be a fixed 5 minutes for Subject.SubjectConfirmationData.NotOnOrAfter and a fixed 1 hour for Subject.Conditions.NotOnOrAfter. That does not seem to be adjustable, at least not from the UI or the command line, unlike in PingFS (see Figure 9). However, the bigger issue is that the validity starts at the issue time, i.e. the local time of the ADFS server. The problem with this is that if the relying party’s clock is off (behind) by even one second, the assertion validity check will fail. To counter that, MS introduced a parameter (“notbeforeskew”) that can be used to tune the Subject.Conditions.NotBefore value. To set this parameter one has to use the PowerShell prompt and issue the following commands, e.g.:

PS C:\Users\Administrator> add-pssnapin microsoft.adfs.powershell
PS C:\Users\Administrator> set-adfsrelyingpartytrust -targetname "<relying party name>" -NotBeforeSkew 2
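To show how the validity window, clock skew and Recipient check behave on the relying-party side, here is an added Python example that is not code from RightNow, Ping or ADFS. It validates a constructed SAML 2.0 assertion carrying the fixed ADFS lifetimes from Note #2 and assumes signature verification has already been done by the SAML library; the assertion, issuer and NameID values are made up for the example.

```python
# Added example (not from the original document): relying-party checks described above,
# i.e. validity window with skew tolerance, Recipient = Assertion Consumer URL (Figure 46)
# and NameID as the subject. Signature verification (Figures 24/30) is assumed done already.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion with the fixed ADFS lifetimes from Note #2:
# 5 minutes on SubjectConfirmationData, 1 hour on Conditions, NotBefore = IssueInstant.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed1" IssueInstant="2010-06-01T12:00:00Z" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jdoe</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2010-06-01T12:05:00Z"
          Recipient="https://site.custhelp.com/ci/openlogin/saml"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-06-01T12:00:00Z" NotOnOrAfter="2010-06-01T13:00:00Z"/>
</saml:Assertion>"""

def parse_ts(value):
    # SAML timestamps are UTC xsd:dateTime values with a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, acs_url, now, skew_seconds=0):
    """Return the NameID if the assertion is acceptable at `now`, else raise ValueError.
    skew_seconds is the clock tolerance applied to every time check (300 for the
    +/-5 minutes of Figure 9; 0 reproduces the strict ADFS behaviour of Note #2)."""
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if cond is None or scd is None or name_id is None or not name_id.text:
        raise ValueError("missing Conditions, SubjectConfirmationData or NameID")
    # The SP keys on Recipient rather than on AudienceRestriction (Figure 46).
    if scd.get("Recipient") != acs_url:
        raise ValueError("Recipient %r is not our ACS URL" % scd.get("Recipient"))
    # NotBefore is inclusive, NotOnOrAfter exclusive; skew widens the window on both ends.
    if now + skew < parse_ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid: relying party clock behind the IdP")
    if now - skew >= parse_ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion conditions expired")
    if now - skew >= parse_ts(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")
    return name_id.text
```

With skew_seconds=0 a relying party one second behind the IdP rejects a freshly issued assertion, which is exactly the failure Note #2 describes; a small skew lets it through while still enforcing the 5-minute subject confirmation limit.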

In both use cases above the endpoints are for Agent login via SSO. If the requirement is for login to the Customer Portal, then the following endpoint would be used instead. If a SAML subject isn’t passed as a GET parameter in the URL, then the contact’s login will be used to identify the user logging in.

https://site.custhelp.com/ci/openlogin/saml

To map the SAML Subject to another field in the contacts table, you can pass the subject as a GET parameter.

<site>/ci/openlogin/saml/subject/{SAML_subject}

For example (the SAML subject in the assertion would map to the contact’s email address):

https://site.custhelp.com/ci/openlogin/saml/subject/contact.emails.address

An additional URL parameter can be passed to send the user to a specific page in the Customer Portal after authentication.

Below are some examples of different pages that could be redirected to:

1) Redirecting to the Answers List page: https://site.custhelp.com/ci/openlogin/saml/redirect/app/answers/list

2) Redirecting to the Ask a Question page:


https://site.custhelp.com/ci/openlogin/saml/redirect/app/ask

3) Redirecting to a RightNow Social instance (assumes the social configuration and SSO have already been set up): https://site.custhelp.com/ci/openlogin/saml/redirect/ci/social/login