Configure SSO for Tenant
OpenID Connect
In the LCMService web.config file of the host application, set the configuration property IsSSOConfigEnabled to true.
In the LCMService web.config file of the tenant application, set the configuration property IsSSOConfigEnabled to true.
In the LCMConsole web.config file, set the following configuration properties:
IsSSOAuthenticationEnabled - true.
SSOAuthBaseUrl - the base URL of the authentication application (Auth).
AllowedOrigin - the hostname of the base URL, for example .acqueon.com (hosted) or customerhostname.com (customer VPC).
In the Auth application web.config file, set the tenantUser configuration property to email, and set AllowedOrigin to the allowed domain URL configured in the OKTA application.
The OKTA user must exist in the OBD_Users table of the tenant application. If there is no such user, insert one using the following sample query:
INSERT INTO OBD_USERS (USERID, NAME, PASSWORD, ADDRESS1, ADDRESS2, CITY, STATE, PIN, HOME_PHONE, MOBILE_PHONE, EMAIL_ID, COMMENTS, AuthenticationType, UserType, IsSalesForce, IsUserMapped)
VALUES ('[email protected]', 'Administrator', '', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 2, 1, 0, 1)
Log in to the LCM Console Host application.
Go to Tenant and select the tenant for which to configure SSO. Click Edit.
Note:
Ensure that the Campaign Manager URL is configured with Fully Qualified Domain Name (FQDN).
In the SSODetails tab, select General.
Enter the ClientID and Client Secret. These are available after you successfully create the OAuth configuration; refer to step 7 under Configuring OAuth Client.
Complete the IDP Provider field, for example, Okta.
Complete the Grant Type field with authorization_code.
Note:
Though LCM supports both Authorization Code Flow and Implicit Flow, we recommend using Authorization Code Flow.
Complete the Refresh Grant Type field with refresh_token. This is used to get a new access_token when the current one expires.
Complete the Redirect URI, Logout Redirect URL, and Scope fields with the same values used when creating the OAuth Client App.
If you are using Grant Type as authorization_code, the Response Type is code.
Note:
If you are using implicit flow, the Response Type is token.
Turn the Validate Token switch ON if you require validation of the internal token.
If you are validating the token, complete the Validate Token In secs field with the interval, in seconds, at which the token is validated.
Go to the Authorize tab.
Turn the Enable switch ON if you want to invoke the API request.
From the Method dropdown list, select GET or POST.
Enter a Content Type that matches the content you require.
The Header, Body, and Query String tabs hold values as key-value pairs.
Pair each Key listed on the left with a Value listed on the right; select the Use Variable checkbox to map the value from a General tab field. You can add multiple key-value pairs.
The following screen shows the request and parameters needed for OKTA. This is a GET request with no Header and Body fields.
Go to the User Claim tab. The GET request type varies based on the identity provider's configuration. It can pass data in one of three ways: both Body and Query String, only Body, or only Query String. To access the runtime value of access_token, use SSOModel~access_token in the request.
Go to the Token tab. The POST request type varies based on the identity provider's configuration. It can pass data in one of three ways: both Body and Query String, only Body, or only Query String. The value of Authorization is Basic BASE64(ClientID:ClientSecret).
The following image shows the Query String fields:
Go to the Renew tab. The POST request type varies based on the identity provider's configuration. It can pass data in one of three ways: both Body and Query String, only Body, or only Query String. The value of Authorization is Basic BASE64(ClientID:ClientSecret).
The following image shows the Query String fields:
Go to the Logout tab. The POST request type varies based on the identity provider's configuration. It can pass data in one of three ways: both Body and Query String, only Body, or only Query String.
Go to the OpenID Config tab. Against each Key, enter the API URL for the request. You can get these base URLs from the OKTA admin console by calling the API at https://xxxxxxxx-admin.okta.com/.well-known/openid-configuration. You can also call any other appropriate API.
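The Authorize, User Claim, Token, Renew and Logout tabs above all describe the same thing: a request template whose values are either literals or SSOModel~ references that are filled in at runtime. The script below is an added example (not LCM product code) that renders those requests from a constructed TenantSSOJson document with placeholder credentials and hostnames. It assumes three things the page does not state: that SSOModel~name resolves to field name of the SSO model (General tab values plus runtime values such as code and access_token), that a | inside a value separates literal text from a variable reference so "Bearer |SSOModel~access_token" becomes "Bearer <token>", and that each tab is sent to the well_known_config endpoint listed in ENDPOINT_FOR_TAB. It also shows how the Basic value for the Token and Renew tabs is derived from ClientID:ClientSecret.

```python
"""Render LCM-style Authorize/User Claim/Token/Renew/Logout requests from a
TenantSSOJson document by expanding SSOModel~ variables (added example)."""
import base64
import json
from urllib.parse import urlencode

# Constructed sample values: placeholder credentials and hostnames, not a real tenant.
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
CLIENT_SECRET = "CLIENT_SECRET_PLACEHOLDER"
IDP = "https://idp.example.test/oauth2/v1"

# Assumed mapping from tab to the discovery endpoint its request is sent to.
ENDPOINT_FOR_TAB = {"authorize": "authorization_endpoint", "user_claim": "userinfo_endpoint",
                    "token": "token_endpoint", "renew": "token_endpoint",
                    "logout": "end_session_endpoint"}


def basic_credential(client_id, client_secret):
    """BASE64(ClientID:ClientSecret), the value the Token and Renew tabs send."""
    return base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def sample_tenant_sso_json():
    """A cut-down TenantSSOJson string in the shape of the OBD_Tenant sample."""
    basic = "Basic " + basic_credential(CLIENT_ID, CLIENT_SECRET)
    form = "application/x-www-form-urlencoded"
    return json.dumps({
        "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
        "grant_type": "authorization_code", "refresh_grant_type": "refresh_token",
        "scope": "openid profile email offline_access", "response_type": "code",
        "redirect_uri": "https://sso.example.test/auth/logincallback",
        "logout_redirect_uri": "https://sso.example.test/auth/logoutcallback",
        "authorize": {"enabled": True, "method": "GET", "headers": [], "body": [],
                      "content_type": form, "query_string": [
                          {"key": k, "value": "SSOModel~" + k} for k in
                          ("client_id", "redirect_uri", "response_type", "scope", "state", "nonce")]},
        "user_claim": {"enabled": True, "method": "GET", "query_string": [], "body": [],
                       "content_type": form, "headers": [
                           {"key": "Authorization", "value": "Bearer |SSOModel~access_token"}]},
        "token": {"enabled": True, "method": "POST", "body": [], "content_type": form,
                  "headers": [{"key": "Authorization", "value": basic}],
                  "query_string": [{"key": "code", "value": "SSOModel~code"},
                                   {"key": "grant_type", "value": "authorization_code"},
                                   {"key": "redirect_uri", "value": "SSOModel~redirect_uri"}]},
        "renew": {"enabled": True, "method": "POST", "body": [], "content_type": form,
                  "headers": [{"key": "Authorization", "value": basic}],
                  "query_string": [{"key": "refresh_token", "value": "SSOModel~refresh_token"},
                                   {"key": "grant_type", "value": "refresh_token"}]},
        "logout": {"enabled": True, "method": "POST", "headers": [], "body": [],
                   "content_type": form,
                   "query_string": [{"key": "id_token_hint", "value": "SSOModel~id_token"}]},
        "well_known_config": {"authorization_endpoint": IDP + "/authorize",
                              "token_endpoint": IDP + "/token",
                              "userinfo_endpoint": IDP + "/userinfo",
                              "end_session_endpoint": IDP + "/logout"},
        "ValidateToken": True, "ValidateTokenInSecs": 30,
    })


def load_config(text):
    """Parse the JSON string stored in the TenantSSOJson column."""
    return json.loads(text)


def resolve(value, model):
    """Expand 'literal|SSOModel~name' pieces against the current SSO model."""
    out = []
    for part in value.split("|"):
        if part.startswith("SSOModel~"):
            name = part[len("SSOModel~"):]
            if name not in model:
                raise KeyError(f"SSOModel~{name} has no value at this point in the flow")
            out.append(str(model[name]))
        else:
            out.append(part)
    return "".join(out)


def render_request(cfg, tab, model):
    """Turn one tab definition into a concrete request, or None if the tab is disabled."""
    spec = cfg[tab]
    if not spec.get("enabled"):
        return None
    pairs = lambda items: {p["key"]: resolve(p["value"], model) for p in items}
    req = {"method": spec["method"], "url": cfg["well_known_config"][ENDPOINT_FOR_TAB[tab]],
           "content_type": spec["content_type"], "headers": pairs(spec["headers"]),
           "query": pairs(spec["query_string"]), "body": pairs(spec["body"])}
    if req["query"]:
        req["url"] += "?" + urlencode(req["query"])
    return req


def login_model(cfg, state, nonce):
    """General tab values plus this login's state and nonce; runtime values are added later."""
    model = {k: cfg[k] for k in ("client_id", "redirect_uri", "logout_redirect_uri",
                                 "scope", "response_type", "grant_type", "refresh_grant_type")}
    model.update(state=state, nonce=nonce)
    return model


if __name__ == "__main__":
    cfg = load_config(sample_tenant_sso_json())
    model = login_model(cfg, state="st-123", nonce="n-456")
    print(render_request(cfg, "authorize", model)["url"])   # step 1: browser is sent here
    model["code"] = "AUTHCODE"                               # step 2: code arrives on redirect_uri
    print(render_request(cfg, "token", model))               # step 3: exchange at token_endpoint
    model["access_token"] = "ACCESS"                         # step 4: call userinfo with the token
    print(render_request(cfg, "user_claim", model)["headers"])
```

Rendering the User Claim request before the token exchange raises a KeyError, which is the behaviour you want: a tab that references SSOModel~access_token can only be satisfied after the Token tab has run, so the order of the tabs is the order of the flow.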
Non-Tenant
Perform the following steps to configure single sign-on (SSO) for an LCM instance in non-tenant mode:
Create a new application in IIS and name it auth. The path for this application is C:\Program Files\LCM\AESSOValidator.
In the web.config file, check the following entries:
<add key="tenantUser" value="email" />
<add key="AllowedOrigin" value=".acqueonlab.com" />
The value of the tenantUser property must be email for OKTA. The value of the AllowedOrigin property must be the domain where you host LCM and the Authentication application.
Ensure that the Connection String in the web.config of AESSOValidator points to the LCM database.
Open the web.config file of LCMConsole. Modify the properties with the following values:
<add key="IsSSOAuthenticationEnabled" value="true" />
<add key="SSOAuthBaseUrl" value="https://localhost/auth/"/>
<add key="AllowedOrigin" value=".acqueonlab.com" />
The value of SSOAuthBaseUrl is the URL where the auth application is hosted.
Open the web.config file of LCMService. Modify the property with the following value:
<add key="IsSSOConfigEnabled" value="true" />
In the OBD_SysParams table, make sure that the TenantID is -1 (rjSy1aBQjat+JTBrixPBRA==) and that ADATA holds a non-tenant license.
Insert a row in the OBD_Tenant table so that the SSO configuration can be looked up by TenantID. For a non-tenant environment, the Tenant ID is -1.
Execute the following query, with the necessary data modified for OKTA:
-- Run against the LCM database. Replace the sample client_id, client_secret, the Basic
-- credential derived from them, the Okta endpoints and the LCMConsole URL with your own values.
SET IDENTITY_INSERT [dbo].[OBD_Tenant] ON;
INSERT INTO obd_tenant (
    ID, Name, Description, DialerType, Language, UserName, Password,
    Url, AgentUrl, IsVoiceEnabled, IsEmailEnabled, IsSMSEnabled, AdminPortsAlloted, AgentPortsAlloted, supervisorPortsAlloted,
    Remarks, EmailId, AdminPortsUsed, AgentPortsUsed, SupervisorPortsUsed, VCount, VDate, SDate, DBServerName, DBUserName,
    DBPassword, VStartDate, IsLocal, ICMId, Continent, IsHAEnabled, ComponentType, CS, RCS, TenantKey,
    MapICM, Flag, InstanceActivated, InstanceRequestDate, TenantActivated, TenantRequestDate, InstanceName, UUID, PossibleDomains,
    TenantMapper, PrimaryTenantProvisionIP, SecondaryTenantProvisionIP, TenantVersion, CreatedVersion, IsUpdated, DatabaseType, Port,
    TenantSSOJson, IsInstancePatchUpdated, InstancePatchVersion, IsPrimanryupdated, Issecondaryupdated, Activity, ClickerAgentUrl
) VALUES (
    -1, 'Host', 'Host LCM Console', 'Cisco', 'en-US', '[email protected]', '',
    'https://acqvm6220.acqueonlab.com/LCMConsole', '', 1, 0, 0, 0, 0, 0,
    'Tenant Created Successfully.', '', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
    NULL, NULL, 1, 0, 'Asia', 1, 1, '', '', '',
    0, 0, 1, NULL, 1, NULL, '', '', NULL,
    NULL, '', NULL, NULL, NULL, 0, 'SQL Server', NULL,
    -- TenantSSOJson: the SSO configuration as a JSON string
    '{
      "client_id": "0oa3bgjb4naYB5tf7357",
      "client_secret": "f30GecPYwQz3lw3Q0vVA_UEbYhhLvzSO-DM5V3az",
      "resource_id": null,
      "resource_secret": null,
      "grant_type": "authorization_code",
      "refresh_grant_type": "refresh_token",
      "scope": "openid profile email offline_access",
      "response_type": "code",
      "redirect_uri": "https://sso.acqueonlab.com/auth/logincallback",
      "logout_redirect_uri": "https://sso.acqueonlab.com/auth/logoutcallback",
      "authorize": {
        "enabled": true, "method": "GET",
        "query_string": [
          { "key": "client_id", "value": "SSOModel~client_id" },
          { "key": "redirect_uri", "value": "SSOModel~redirect_uri" },
          { "key": "response_type", "value": "SSOModel~code" },
          { "key": "scope", "value": "SSOModel~scope" },
          { "key": "state", "value": "SSOModel~state" },
          { "key": "nonce", "value": "SSOModel~nonce" }
        ],
        "headers": [], "content_type": "application/x-www-form-urlencoded", "body": []
      },
      "user_claim": {
        "enabled": true, "method": "GET", "query_string": [],
        "headers": [ { "key": "Authorization", "value": "Bearer |SSOModel~access_token" } ],
        "content_type": "application/x-www-form-urlencoded", "body": []
      },
      "token": {
        "enabled": true, "method": "POST",
        "query_string": [
          { "key": "code", "value": "SSOModel~code" },
          { "key": "state", "value": "SSOModel~state" },
          { "key": "grant_type", "value": "authorization_code" },
          { "key": "redirect_uri", "value": "SSOModel~redirect_uri" }
        ],
        "headers": [ { "key": "Authorization", "value": "Basic MG9hM2JnamI0bmFZQjV0ZjczNTc6ZjMwR2VjUFl3UXozbHczUTB2VkFfVUViWWhoTHZ6U08tRE01VjNheg==" } ],
        "content_type": "application/x-www-form-urlencoded", "body": []
      },
      "logout": {
        "enabled": true, "method": "POST",
        "query_string": [ { "key": "id_token_hint", "value": "SSOModel~id_token" } ],
        "headers": [], "content_type": "application/x-www-form-urlencoded", "body": []
      },
      "renew": {
        "enabled": true, "method": "POST",
        "query_string": [
          { "key": "refresh_token", "value": "SSOModel~refresh_token" },
          { "key": "grant_type", "value": "refresh_token" }
        ],
        "headers": [ { "key": "Authorization", "value": "Basic MG9hM2JnamI0bmFZQjV0ZjczNTc6ZjMwR2VjUFl3UXozbHczUTB2VkFfVUViWWhoTHZ6U08tRE01VjNheg==" } ],
        "content_type": "application/x-www-form-urlencoded", "body": []
      },
      "well_known_config": {
        "authorization_endpoint": "https://dev-778046.okta.com/oauth2/v1/authorize",
        "token_endpoint": "https://dev-778046.okta.com/oauth2/v1/token",
        "userinfo_endpoint": "https://dev-778046.okta.com/oauth2/v1/userinfo",
        "introspection_endpoint": "https://dev-778046.okta.com/oauth2/v1/introspect",
        "revocation_endpoint": "https://dev-778046.okta.com/oauth2/v1/revoke",
        "end_session_endpoint": "https://dev-778046.okta.com/oauth2/v1/logout"
      },
      "ValidateToken": true,
      "ValidateTokenInSecs": 30
    }',
    NULL, NULL, 0, 0, NULL, NULL
);
SET IDENTITY_INSERT [dbo].[OBD_Tenant] OFF;
UserName, Url, and TenantSSOJson are mandatory fields and must be modified for the instance.
In the TenantSSOJson field, ClientID and Client Secret are obtained when the OAuth App is created in the OKTA console.
Grant Type should be authorization_code. LCM supports both Authorization Code Flow and Implicit Flow. However, we recommend using Authorization Code Flow.
Refresh Grant Type should be refresh_token. This is used to get a new access_token when the current access_token expires.
Redirect URI, Logout Redirect URL, and Scope are configured while creating the OAuth Client App.
Response Type should be code for Authorization Code Flow and token for Implicit Flow.
Validate Token specifies whether the internal token is validated periodically in LCMConsole.
Validate Token in Secs depends on Validate Token and defines the frequency at which the token is validated.
Authorize, User Claim, Token, Renew, and Logout are the tabs designed to make HTTP requests and the parameters for these are common. The following are the parameters contained in these tabs:
The Enabled switch determines if the API request should be invoked or not.
Method states the request type – GET or POST.
Content Type determines the request content type.
Header, Body, and Query String tabs hold values as key-value pairs. In a key-value pair, Use Variable maps the value of a General tab field to the request.
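Because the non-tenant configuration is written straight into OBD_Tenant as a JSON string, nothing in the console checks it before it is used. The following added example (not LCM product code) lints a TenantSSOJson document against the rules stated in the notes above: response_type is code for authorization_code and token for implicit flow, Renew needs refresh_grant_type set to refresh_token, the Token and Renew Authorization header is Basic BASE64(ClientID:ClientSecret), every enabled tab needs a GET or POST method and a content type, and ValidateTokenInSecs must be set when ValidateToken is on. The grant_type value "implicit" for Implicit Flow, the https-only rule for redirect and discovery URLs, and the "scope must contain openid" rule are assumptions and general OpenID Connect hygiene added here, not LCM requirements. The sample document uses placeholder credentials.

```python
"""Pre-insert checks for a TenantSSOJson document (added example, not LCM code)."""
import base64
import json

TABS = ("authorize", "user_claim", "token", "renew", "logout")
# "implicit" as the grant_type value for Implicit Flow is an assumption.
RESPONSE_TYPE_FOR_GRANT = {"authorization_code": "code", "implicit": "token"}
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "end_session_endpoint")


def expected_basic_header(cfg):
    """The Authorization value the Token and Renew tabs must carry."""
    raw = f"{cfg.get('client_id', '')}:{cfg.get('client_secret', '')}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def lint_tenant_sso_json(text):
    """Return a list of findings; an empty list means the document passed."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"TenantSSOJson is not valid JSON: {exc}"]
    findings = []
    grant = cfg.get("grant_type")
    want = RESPONSE_TYPE_FOR_GRANT.get(grant)
    if want is None:
        findings.append(f"grant_type {grant!r} is neither authorization_code nor implicit")
    elif cfg.get("response_type") != want:
        findings.append(f"response_type must be {want!r} when grant_type is {grant!r}")
    if grant == "implicit":
        findings.append("implicit flow in use; Authorization Code Flow is the recommended flow")
    if not cfg.get("client_id") or not cfg.get("client_secret"):
        findings.append("client_id and client_secret must both be set")
    if "openid" not in str(cfg.get("scope", "")).split():
        findings.append("scope must include openid")
    for key in ("redirect_uri", "logout_redirect_uri"):
        if not str(cfg.get(key, "")).startswith("https://"):
            findings.append(f"{key} must be an https URL")
    for tab in TABS:  # parameters common to every request tab
        spec = cfg.get(tab)
        if not isinstance(spec, dict):
            findings.append(f"{tab} tab is missing")
            continue
        if not spec.get("enabled"):
            continue
        if spec.get("method") not in ("GET", "POST"):
            findings.append(f"{tab}: method must be GET or POST")
        if not spec.get("content_type"):
            findings.append(f"{tab}: content_type is empty")
        for section in ("headers", "query_string", "body"):
            for pair in spec.get(section, []):
                if not pair.get("key"):
                    findings.append(f"{tab}.{section}: pair with an empty key")
    if (cfg.get("renew") or {}).get("enabled") and cfg.get("refresh_grant_type") != "refresh_token":
        findings.append("renew is enabled but refresh_grant_type is not refresh_token")
    for tab in ("token", "renew"):  # both authenticate the client with Basic ClientID:ClientSecret
        spec = cfg.get(tab) or {}
        if spec.get("enabled"):
            headers = {h.get("key"): h.get("value") for h in spec.get("headers", [])}
            if headers.get("Authorization") != expected_basic_header(cfg):
                findings.append(f"{tab}: Authorization header is not Basic BASE64(ClientID:ClientSecret)")
    wk = cfg.get("well_known_config") or {}
    for ep in ENDPOINTS:
        if not str(wk.get(ep, "")).startswith("https://"):
            findings.append(f"well_known_config.{ep} is missing or not https")
    secs = cfg.get("ValidateTokenInSecs")
    if cfg.get("ValidateToken") and not (isinstance(secs, int) and secs > 0):
        findings.append("ValidateToken is on but ValidateTokenInSecs is not a positive integer")
    return findings


def sample_document(**overrides):
    """Constructed minimal document with placeholder credentials; overrides break one field at a time."""
    cid, secret = "CLIENT_ID_PLACEHOLDER", "CLIENT_SECRET_PLACEHOLDER"
    basic = "Basic " + base64.b64encode(f"{cid}:{secret}".encode()).decode()
    form = "application/x-www-form-urlencoded"

    def tab(method, headers=(), query=()):
        return {"enabled": True, "method": method, "content_type": form, "body": [],
                "headers": [{"key": k, "value": v} for k, v in headers],
                "query_string": [{"key": k, "value": v} for k, v in query]}

    idp = "https://idp.example.test/oauth2/v1/"
    doc = {"client_id": cid, "client_secret": secret, "grant_type": "authorization_code",
           "refresh_grant_type": "refresh_token", "scope": "openid profile email offline_access",
           "response_type": "code", "redirect_uri": "https://sso.example.test/auth/logincallback",
           "logout_redirect_uri": "https://sso.example.test/auth/logoutcallback",
           "authorize": tab("GET", query=[("client_id", "SSOModel~client_id")]),
           "user_claim": tab("GET", headers=[("Authorization", "Bearer |SSOModel~access_token")]),
           "token": tab("POST", headers=[("Authorization", basic)], query=[("code", "SSOModel~code")]),
           "renew": tab("POST", headers=[("Authorization", basic)],
                        query=[("refresh_token", "SSOModel~refresh_token")]),
           "logout": tab("POST", query=[("id_token_hint", "SSOModel~id_token")]),
           "well_known_config": {"authorization_endpoint": idp + "authorize", "token_endpoint": idp + "token",
                                 "userinfo_endpoint": idp + "userinfo", "end_session_endpoint": idp + "logout"},
           "ValidateToken": True, "ValidateTokenInSecs": 30}
    doc.update(overrides)
    return json.dumps(doc)


if __name__ == "__main__":
    for finding in lint_tenant_sso_json(sample_document(response_type="token")):
        print(finding)
```

Run it over the string you are about to place in the TenantSSOJson column; a mismatch between the Basic header and the client_id/client_secret pair is the most common way a copied sample fails, and it only shows up at runtime as a rejected token request.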