Configure SAML Client
OKTA
In a Security Assertion Markup Language (SAML) integration setup, Okta acts as the Identity Provider (IdP), responsible for authenticating users and providing identity information. Your application operates as the Service Provider (SP), which relies on the IdP (Okta) to handle user authentication. When a user attempts to access your application, they are redirected to Okta for authentication. Once authenticated, Okta generates a SAML assertion containing user identity information, which is then sent back to your application. Your application can then use this assertion to authorize the user and grant access to the requested resources. For more details on SAML, refer to SAML Documents.
Prerequisite
Perform the following steps before creating a new SAML integration in Okta:
Identify the default Assertion Consumer Service (ACS) URL for your integration. It is commonly referred to as the SP sign-in URL. This URL represents the endpoint within the Campaign Manager where SAML responses are posted.
Locate your Audience URL. This is also known as the SP Entity ID or the Entity ID of the Campaign Manager, such as AESSOValidator.
Set up a Default Relay State page, which serves as the landing page for users after a successful SAML sign-in to the SP. This is optional; if you set it, it must be a valid URL. For example:
relaystate=https://xxx.xxx.xxx.xxx/AESSOAuth/AssertionConsumerService
Make sure to have both the Email and Username as they are mandatory SAML attributes. You can choose to share Okta user profile field values as SAML attributes with your application. If any specific application requires additional attributes, get those as well.
Note:
SAML integrations must use SHA-256 as the signing algorithm. If your integration still signs with SHA-1, upgrade the SAML app to SHA-256. Refer to https://developer.okta.com/docs/guides/updating-saml-cert/overview/.
Create Integration
Use the Okta Admin Console and the Application Integration Wizard (AIW) to create your SSO integration within the Okta organization linked to your account.
Log in to the OKTA admin console.
In the Admin Console, go to Applications > Applications.
Click Create App Integration.
Select SAML 2.0 in the Sign-in method section.
Click Next.
In the General Settings tab, enter a name for the integration and optionally upload a logo. You can also choose to hide the integration from the Okta Dashboard or mobile app of end-users.
On the Configure SAML tab, use the SAML information you collected in the prerequisites to configure the integration's settings.
In the Single sign on URL field, enter the Assertion Consumer Service (ACS) URL.
Enter the Audience URI into the Audience URI (SP Entity ID) field.
Select the Name ID format and Application username that must be sent to your application in the SAML response (for example, EmailAddress and Email), or leave the fields at their default values.
In the ATTRIBUTE STATEMENTS (OPTIONAL) section, enter the SAML attributes that need to be shared with the application. See the following examples:
Name (in SAML application)    Value (in Okta profile)
FirstName                     user.firstName
LastName                      user.lastName
Email
Click Show Advanced Settings to configure Logout details.
Select the Single Logout checkbox and, in the Single Logout URL field, enter the URL to which the logout response is to be sent.
Generate the certificate with its private key on the AE server and export it in both .pfx and .cer formats.
Upload the certificate (.cer) so that Okta can verify the digital signatures on logout requests coming from the SP.
Use the .pfx when configuring the Service Provider (SP) SAML config, that is, in the AESSOValidator application. You can preview the generated SAML assertion by clicking the Preview button.
Click Next.
Use the Feedback tab to help Okta understand how you want to position this application.
Select I'm an Okta customer adding an internal app.
Click Finish.
After you complete the above steps, you can download the Identity Provider metadata for your integration from the Sign On tab. This information is needed to configure the SAML connection settings inside your SAML SP, that is, the AE application.
Assigning Users
First assign your integration to one or more test users in your organization:
Click the Assignments tab.
Click Assign and then select either Assign to People or Assign to Groups.
Enter the appropriate people or groups that you want to have Single Sign-On into your application. Click Assign for each selection.
For any people that you add, verify the user-specific attributes.
Select the checkbox to Save and Go Back.
Click Done.
Campaign Manager Console SSO Configuration
Perform the following steps:
Log in to the Campaign Manager Console Host application.
Go to Tenant and select the tenant for whom you are configuring SSO.
Click Edit from the Actions menu.
Go to the SSO Details tab and select SAML 2.0 as the Sign on Method.
Go to the General tab.
Enter the Partner Name. This is the EntityId value that the OKTA Console shows after you add the application as an OAuth client using SAML 2.0.
Enter a value for Token Expiry in Seconds. This is the time, in seconds, after which a token authenticated by the IDP expires.
Enter the AD Login URL to enable authentication for the Workspace application. For example, if AD is integrated with Amazon Connect, obtain this URL from AWS; it is the Amazon Connect SAML SSO URL that initiates the configured IDP authentication.
Campaign Manager SSO Validator SAML Configuration
Configure SAML in the SSO Validator application with the data collected in step 13 of the Creating the Integration section:
In the saml.config file, check the PartnerIdentityProvider entries against the IDP metadata received from the client. Ensure that the Name entry in the ServiceProvider element is the same name as configured in SAML IDP client creation.
<?xml version="1.0"?>
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <ServiceProvider
    Name="LCMConsoleSP"
    Description="AESSOValidator Service Provider"
    AssertionConsumerServiceUrl="https://localhost/auth/AssertionConsumerService">
    <LocalCertificates>
      <Certificate FileName="App_Data\SamlSignaturekey.pfx" Password="Mypingkey"/>
    </LocalCertificates>
  </ServiceProvider>
  <PartnerIdentityProviders>
    <!-- PingFederate -->
    <PartnerIdentityProvider
      Name="AcqueonSSO"
      Description="PingFederate Identity Provider"
      DisableDestinationCheck="true"
      DisableRecipientCheck="true"
      SignAuthnRequest="false"
      SignLogoutRequest="true"
      SingleSignOnServiceUrl="https://172.16.3.85:9031/idp/SSO.saml2"
      SingleLogoutServiceUrl="https://172.16.3.85:9031/idp/SLO.saml2">
      <PartnerCertificates>
        <Certificate FileName="App_Data\Saml2.crt"/>
      </PartnerCertificates>
    </PartnerIdentityProvider>
  </PartnerIdentityProviders>
</SAMLConfiguration>
where:
Ensure that the Name entry in the ServiceProvider element is the same name as configured in SAML IDP client creation.
You must verify the following parameters in the above saml.config file against the IDP metadata:
LocalCertificates > Certificate (FileName and Password of the SP signing key exported as .pfx)
PartnerIdentityProvider > Name
PartnerIdentityProvider > SingleSignOnServiceUrl
PartnerIdentityProvider > SingleLogoutServiceUrl
PartnerCertificates > Certificate FileName (the IDP signing certificate)
Note that the sample sets DisableDestinationCheck and DisableRecipientCheck to true. These switch off the check that a received SAML response and assertion are addressed to this SP's AssertionConsumerServiceUrl, so leave them false unless the IDP setup requires otherwise.
SAML for Non-Tenant
The Campaign Manager SSO Auth application is available by default in the SaaS tenant model. For the on-prem model, deploy the auth application:
Create a new application in IIS and name it as auth. The path for this application is:
C:\Program Files\LCM\AESSOValidator
In the web.config file, check the following entries:
<add key="AllowedOrigin" value=".acqueonlab.com" />
Note:
The value for the AllowedOrigin property must be the domain where you host LCM and the Authentication application.
Ensure that the Connection String in the web.config of AESSOValidator is mapped to LCM Database.
Open the web.config file of LCMConsole. Modify the properties with the following values:
<add key="IsSSOAuthenticationEnabled" value="true" />
<add key="SSOAuthBaseUrl" value="https://localhost/auth/"/>
<add key="AllowedOrigin" value=".acqueonlab.com" />
Open the web.config file of LCMService. Modify the properties with the following values:
<add key="IsSSOConfigEnabled" value="true" />
In the saml.config file, verify the entries against the IDP metadata received from the client. As mentioned in point 13 of the Creating the Integration section, configure the corresponding metadata details based on the IDP setup.
Use the same saml.config structure shown above under Campaign Manager SSO Validator SAML Configuration, and verify the same parameters: LocalCertificates/Certificate, the PartnerIdentityProvider Name, SingleSignOnServiceUrl and SingleLogoutServiceUrl, and the PartnerCertificates/Certificate FileName.
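As an added check for both the tenant and non-tenant saml.config verification steps above (this script is not part of the original documentation or of the product), the following Python reads the IDP metadata downloaded from the Sign On tab and compares it with each PartnerIdentityProvider entry, also flagging the two Disable*Check attributes. The metadata, saml.config, entityID and hostnames are constructed samples.

```python
import xml.etree.ElementTree as ET
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"        # SAML 2.0 metadata namespace
CFG = "{urn:componentspace:SAML:2.0:configuration}"  # saml.config namespace used on this page
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed IdP metadata shaped like the Sign On tab download; entityID and hostnames are made up.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="http://www.okta.com/exkEXAMPLE"><md:IDPSSODescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://example.okta.com/app/exkEXAMPLE/sso/saml"/>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://example.okta.com/app/exkEXAMPLE/slo/saml"/>
</md:IDPSSODescriptor></md:EntityDescriptor>"""

# Constructed saml.config in the page's layout; the SLO URL is deliberately stale to show a finding.
SAML_CONFIG = """<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <PartnerIdentityProviders><PartnerIdentityProvider Name="http://www.okta.com/exkEXAMPLE"
    DisableDestinationCheck="true" DisableRecipientCheck="false"
    SingleSignOnServiceUrl="https://example.okta.com/app/exkEXAMPLE/sso/saml"
    SingleLogoutServiceUrl="https://old.okta.com/app/exkEXAMPLE/slo/saml">
    <PartnerCertificates><Certificate FileName="App_Data/Saml2.crt"/></PartnerCertificates>
  </PartnerIdentityProvider></PartnerIdentityProviders>
</SAMLConfiguration>"""

def idp_endpoints(metadata_xml):
    """Read entityID plus the HTTP-Redirect SSO and SLO locations, keyed by saml.config attribute name."""
    root = ET.fromstring(metadata_xml)
    out = {"Name": root.get("entityID"), "SingleSignOnServiceUrl": None, "SingleLogoutServiceUrl": None}
    for tag, key in (("SingleSignOnService", "SingleSignOnServiceUrl"),
                     ("SingleLogoutService", "SingleLogoutServiceUrl")):
        for svc in root.iter(f"{MD}{tag}"):
            if svc.get("Binding") == REDIRECT:
                out[key] = svc.get("Location")
    return out

def check_saml_config(config_xml, metadata_xml):
    """Return one finding per mismatch or weakened check; an empty list means the config agrees."""
    expected = idp_endpoints(metadata_xml)
    findings = []
    for pidp in ET.fromstring(config_xml).iter(f"{CFG}PartnerIdentityProvider"):
        for attr, want in expected.items():
            if pidp.get(attr) != want:
                findings.append(f"{attr}: config has {pidp.get(attr)!r}, metadata has {want!r}")
        # Either flag set to true stops the SP checking that a message was addressed to its own ACS URL.
        for flag in ("DisableDestinationCheck", "DisableRecipientCheck"):
            if pidp.get(flag, "false").lower() == "true":
                findings.append(f"{flag} is true: messages addressed to another endpoint will be accepted")
        if pidp.find(f"{CFG}PartnerCertificates/{CFG}Certificate") is None:
            findings.append("PartnerCertificates is empty: IdP signatures cannot be verified")
    return findings
```

Run check_saml_config on the real metadata file and saml.config contents; the constructed sample yields two findings (the stale SLO URL and DisableDestinationCheck).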
Open the web.config file of LCMConsole. Modify the properties with the following values:
<add key="IsSSOAuthenticationEnabled" value="true" />
<add key="AllowedOrigin" value=".acqueonlab.com" />
In the OBD_SysParams table, make sure that the TenantID is -1 (rjSy1aBQjat+JTBrixPBRA==) and that ADATA holds a non-tenant license.
Insert a row in the OBD_Tenant table so that the SSO configuration can be looked up by TenantID. For a non-tenant environment, the Tenant ID is -1.
Execute the following query with necessary data modified for SAML SSO.
-- Allow an explicit ID (-1) to be inserted into the identity column.
SET IDENTITY_INSERT [dbo].[OBD_Tenant] ON
INSERT INTO obd_tenant (ID, Name, Description, DialerType, Language, UserName, Password,
  Url, AgentUrl, IsVoiceEnabled, IsEmailEnabled, IsSMSEnabled, AdminPortsAlloted, AgentPortsAlloted, supervisorPortsAlloted,
  Remarks, EmailId, AdminPortsUsed, AgentPortsUsed, SupervisorPortsUsed, VCount, VDate, SDate, DBServerName, DBUserName,
  DBPassword, VStartDate, IsLocal, ICMId, Continent, IsHAEnabled, ComponentType,
  CS, RCS, TenantKey, MapICM, Flag, InstanceActivated, InstanceRequestDate, TenantActivated, TenantRequestDate, InstanceName, UUID, PossibleDomains,
  TenantMapper, PrimaryTenantProvisionIP, SecondaryTenantProvisionIP, TenantVersion, CreatedVersion, IsUpdated, DatabaseType, Port,
  TenantSSOJson, IsInstancePatchUpdated, InstancePatchVersion, IsPrimanryupdated, Issecondaryupdated, Activity, ClickerAgentUrl)
VALUES (
  -1, 'Host', 'Host LCM Console', 'Cisco', 'en-US', '[email protected]', '',
  'https://acqvm6220.acqueonlab.com/LCMConsole', '', 1, 0, 0, 0, 0, 0,
  'Tenant Created Successfully.', '', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
  NULL, NULL, 1, 0, 'Asia', 1, 1,
  '', '', '', 0, 0, 1, NULL, 1, NULL, '', '', NULL, NULL,
  '', NULL, NULL, NULL, 0, 'SQL Server', NULL,
  -- TenantSSOJson: SAMLPartnerName must be a quoted JSON string (the Entity ID shown in the OKTA console).
  '{ "SAMLPartnerName": "http://www.okta.com/exk1fzjjaYdDNvFvB5d6", "IsSAMLSSOEnabled": true, "SAMLTokenExpiryInSeconds": 36000 }',
  NULL, NULL, 0, 0, NULL, NULL)
SET IDENTITY_INSERT [dbo].[OBD_Tenant] OFF
where:
UserName, Url, and TenantSSOJson are mandatory fields and must be modified for the instance. In the TenantSSOJson field, SAMLPartnerName is the value obtained when the application is created in the OKTA console.