How You Identify the SAML Subject for Agent Login

The parameter used to identify the SAML subject contents must be passed to the SSO launch page as a GET parameter.

The subject value must be unique for the single sign-on to be successful. For example, if multiple staff members can have the same value for an account custom field, then do not use that custom field as the subject.

The value defines how the SAML subject is mapped to an existing staff account in the Oracle database. Only one field can be passed in the assertion subject, and the parameter that names it is p_subject.

Acceptable values for p_subject depend on whether the flow is IdP-initiated SSO or SP-initiated SSO. If SSO is initiated by B2C Service (in other words, SP-initiated SSO), the only allowed value for p_subject is Account.Login. If SSO is initiated by an external provider (in other words, IdP-initiated SSO), the p_subject value can be any one of the following:

  • Account.Login—The assertion subject is the account login, which is the preferred mapping since it requires no additional lookup from the database. That is, the value can be passed to the sso_account_login() API. This is the default mapping value if p_subject isn't set. The Account.Login value is case sensitive.
    Note: This is the only value permitted for p_subject when the SSO is initiated by B2C Service in an SP-initiated process.
  • Account.Emails.Address—The assertion subject is the account email address. The Account.Emails.Address value is case insensitive.
  • Account.ID—The assertion subject is the account ID in the Oracle database.
  • Account.CustomFields.[customfield-name]—The customfield-name variable is the actual name of the custom field in the database (and the name of the database column), and the assertion subject is the account custom field value. The custom field name is the last name in the dot-separated value. It is automatically defined with lowercase notation and the c$ prefix.
    The custom field value is case insensitive. These staff account custom field data types aren't supported for use in an assertion:
      • Menu
      • Yes/No
      • Date/Time
      • Date Field

This is an example of an assertion URL that passes the value of a custom field called accounts.c$external_id for the staff account being verified.

https://my_site/cgi-bin/my_interface.cfg/php/admin/sso_launch.php?p_subject=Account.CustomFields.ExternalPhone

Caution: The latest version of the single sign-on URL for agents no longer accepts custom fields. Previously, custom fields in the query helped identify the SAML subject type. However, the SAML subject type passed by the external entity provider is now specified in the single sign-on configuration. An example of a URL using the new configuration follows.

https://my_site/cgi-bin/my_interface.cfg/php/sso/saml2/sp/post/acs.php
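
A pre-deployment check for the mapping rules above, added here as an illustration and not Oracle's code: it validates a p_subject choice against the flow and data-type rules, then finds staff accounts whose subject values collide under the stated case rules. The account export, the external_id custom field name, and both function names are assumptions made for the example.

```python
from collections import defaultdict

FIXED = {"Account.Login", "Account.Emails.Address", "Account.ID"}
CUSTOM_PREFIX = "Account.CustomFields."
UNSUPPORTED_TYPES = {"Menu", "Yes/No", "Date/Time", "Date Field"}
# Mappings the page says are matched case-insensitively. Account.Login is case
# sensitive; no rule is stated for Account.ID, so it is compared exactly (assumption).
CASE_INSENSITIVE = ("Account.Emails.Address", CUSTOM_PREFIX)

def validate_mapping(subject=None, sp_initiated=False, field_type=None):
    """Return the effective p_subject mapping, or raise ValueError if it is not allowed."""
    subject = subject or "Account.Login"  # default mapping when p_subject isn't set
    is_custom = subject.startswith(CUSTOM_PREFIX) and len(subject) > len(CUSTOM_PREFIX)
    if subject not in FIXED and not is_custom:
        raise ValueError(f"unknown p_subject value: {subject!r}")
    if sp_initiated and subject != "Account.Login":
        raise ValueError("SP-initiated SSO only allows Account.Login")
    if is_custom and field_type in UNSUPPORTED_TYPES:
        raise ValueError(f"{field_type} custom fields can't be used in an assertion")
    return subject

def colliding_subjects(accounts, subject):
    """Map each non-unique subject value to the account IDs that share it."""
    fold = subject.startswith(CASE_INSENSITIVE)
    seen = defaultdict(list)
    for acct in accounts:
        value = acct.get(subject)
        if value in (None, ""):
            continue  # assumption: an account with no value cannot be the subject
        seen[str(value).casefold() if fold else value].append(acct["Account.ID"])
    return {value: ids for value, ids in seen.items() if len(ids) > 1}

# Constructed sample export; external_id is a hypothetical custom field name.
ACCOUNTS = [
    {"Account.ID": 101, "Account.Login": "jsmith",
     "Account.Emails.Address": "j.smith@example.com",
     "Account.CustomFields.external_id": "A-17"},
    {"Account.ID": 102, "Account.Login": "JSmith",
     "Account.Emails.Address": "J.Smith@example.com",
     "Account.CustomFields.external_id": "a-17"},
    {"Account.ID": 103, "Account.Login": "mlee",
     "Account.Emails.Address": "m.lee@example.com",
     "Account.CustomFields.external_id": "B-02"},
]

if __name__ == "__main__":
    for name in ("Account.Login", "Account.Emails.Address",
                 "Account.CustomFields.external_id"):
        print(name, colliding_subjects(ACCOUNTS, validate_mapping(name)) or "unique")
```

Accounts 101 and 102 stay distinct under Account.Login but collide under the email and custom field mappings, which is the condition the uniqueness requirement rules out.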