Define an External IdP for Agent Authentication on the Login Window

Follow this procedure to configure an external identity provider for agent authentication on the Login window.

Before you start

This procedure assumes that:
  • You have added the Single Sign-On Configurations component to the configuration list for the Configuration button. See Create a Navigation Set for the Administrator.
  • You have access to the Identity Provider editor, which is controlled by the hidden configuration setting SSO_ENABLE_EXTERNAL_IDP. This setting is not enabled by default. You can enable it using the B2C Service Configuration Assistant. For more information, refer to Single Sign-On Configuration.

Here's what to do

  1. Click Configuration on the navigation pane.
  2. Double-click Single Sign-On Configurations in your navigation list. The Single Sign-On Configurations editor opens with the SAML tab active.
    1. Click New on the ribbon and select SSO Identity Provider.
      The Identity Provider editor opens on the content pane.
    2. Enter field information.

      Identity Provider Editor

      Provider Entity ID
        Enter a unique name for the IdP in this field.
      Active
        Select this check box to enable the IdP. You can configure multiple IdPs.
      Web SSO
        Select this check box to redirect agents to the IdP when they log in on the B2C Service Login window. See Log in with an External Identity Provider on the B2C Service Login Window. Only one active IdP can be enabled for Web SSO.
      Enforce Audience Restriction
        Select this check box to require that the aud attribute (audience) of the SAML token include the custom audience URL. Enforcing an audience restriction ensures that only tokens meant for this specific site are consumed.
      Custom Audience URL
        Enter the custom audience URL that the SAML token must match, for example:
        https://customaudience.com/services/saml
        If the Enforce Audience Restriction check box is selected and no custom audience URL is specified, the token must include the interface URL in its audience list. Entries in this field are ignored when Enforce Audience Restriction isn't selected.
      NameID Format
        Select either Unspecified or Email Address from the drop-down list. The NameID attribute is used in two places for enhanced validation:
        • Incoming SAML assertion from the IdP
        • Outgoing logout request to the IdP
      Subject Type
        Click the drop-down list and select the subject type used in the SAML token. The options are Email, Login Name, and Account ID. The default value is Login Name.
      Label
        Click the arrow next to Labels to expand this section. Enter the name you want displayed for the IdP in the Label column. You can specify different names for different interfaces and languages.
      SAML Token Parameters
        Click the arrow next to SAML Token Parameters to expand this section and configure the SAML token parameters.
      Token Validity Offset
        Enter the number of seconds by which the timestamp on SAML tokens is adjusted to account for discrepancies between the Oracle Service Cloud and external IdP clocks.
      Token Validity
        Enter the number of seconds after its timestamp for which a SAML token is accepted.
      Certificates
        Click the arrow next to Certificates to expand this section.

        The fields in this section are used to import the certificates you want to use to validate requests and SAML tokens received from the IdP.

        To delete a certificate, click the X icon next to the certificate. A certificate can be deleted only if more than one certificate is configured for the IdP or if the IdP is inactive.

      Do Not Verify Trust Chain for Certificates
        Select this check box to skip verification of the trust chain for the certificates you import. This lets you use self-signed certificates or certificates that don't pass OpenSSL trust chain verification.
      Import Certificate
        Click the folder next to the field name to select the location of the certificate you want to use. The certificate displays in the Certificate field.
      Import Alternate Certificate
        Click the folder next to the field name to select the location of an alternate certificate to use when validation fails with the primary certificate. The certificate displays in the Alternate Certificate field.
      Signing Parameters
        Click the arrow next to Signing Parameters to expand this section, where you can configure the signing method.
      Add Certificate to Signature
        Clear this check box to prevent the signing certificate from being added to the SAML response/assertion signature.
      Sign Response
        Clear this check box to prevent the response part of the SAML token from being signed.
      Sign Assertion
        Clear this check box to prevent the assertion part of the SAML token from being signed.
      Sign Method
        Click this drop-down list to select the XML signature method used to sign the SAML token. You can select:
        • RSA + SHA-1
        • RSA + SHA-256
        • RSA + SHA-512
      Sign Digest Method
        Click this drop-down list to select the digest method used in the SAML token signature. You can select:
        • SHA-1
        • SHA-256
        • SHA-512
      Auto Provisioning
        Click the arrow next to Auto Provisioning to expand this section, where you can enable or disable auto-provisioning for this IdP and configure how staff accounts are created automatically.
      Enable Auto-Provisioning
        Select this check box to enable this IdP for auto-provisioning of staff accounts.
      Default Profile
        Click the Search icon to select the profile you want to associate with this IdP.
      Default Group
        Click the Search icon to select the group you want to associate with this IdP.
      First Name
        Enter the value for the staff member that corresponds to the FName attribute mapping.
      Last Name
        Enter the value for the staff member that corresponds to the LName attribute mapping.
      Title
        Enter the value for the staff member that corresponds to the JobTitle attribute mapping.
      Phone
        Enter the value for the staff member that corresponds to the Phone attribute mapping.
      Email Address
        Enter the value for the staff member that corresponds to the EMail attribute mapping.
      User Name
        Enter the value for the staff member that corresponds to the Login attribute mapping.
    3. Click Save.
    4. To export the B2C Service metadata to an XML file, click Export SP Metadata on the ribbon, browse to a location for the XML file, and then load the file that's created into the external IdP's web server. This establishes a trust relationship between the IdP and B2C Service. If the external IdP encounters a problem with the entity ID in the exported metadata, the entity ID can be changed. Contact your Oracle account manager.
    5. To import the metadata from the external IdP into B2C Service, click Import IdP Metadata on the ribbon and browse to the file you want to import.
    6. Click Save and Close to save your changes and close the editor.
  3. To create or edit a profile, click Permissions on the ribbon, and select the SSO Login (SAML 2.0) check box in the Administration section.
    For more information on profile permissions, see Profiles.
  4. Create or edit a staff account in B2C Service and associate the profile with it. See Add or Edit a Staff Account.
    Note: The staff account must also be a registered user in the external IdP and the user ID must match the B2C Service user name.
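The following Python is an added illustration, not Oracle's code and not part of this page: it models how the Enforce Audience Restriction, Custom Audience URL, Token Validity Offset, Token Validity and NameID Format settings from the Identity Provider editor combine when an incoming assertion is checked. The class and function names, the constructed sample assertion, and the reading of the offset as clock skew tolerated on both sides of the issue time are assumptions; signature and certificate checks are out of scope here.

```python
from dataclasses import dataclass
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
FMT_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
FMT_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

@dataclass
class IdpConfig:
    """Subset of the Identity Provider editor fields (attribute names are ours)."""
    interface_url: str                 # site URL, the fallback audience
    enforce_audience: bool = True      # Enforce Audience Restriction
    custom_audience_url: str = ""      # Custom Audience URL (ignored when not enforced)
    nameid_format: str = FMT_EMAIL     # NameID Format: Email Address or Unspecified
    token_validity_offset: int = 60    # Token Validity Offset (seconds of clock skew)
    token_validity: int = 300          # Token Validity (seconds)

def _epoch(ts: str) -> float:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()

def validate_assertion(xml_text: str, cfg: IdpConfig, now: float) -> list:
    """Return the failed checks; an empty list means the assertion is accepted."""
    root = ET.fromstring(xml_text)
    problems = []
    # Audience restriction: the custom URL if set, otherwise the interface URL.
    if cfg.enforce_audience:
        expected = cfg.custom_audience_url or cfg.interface_url
        found = [a.text for a in root.findall(".//saml:Audience", NS)]
        if expected not in found:
            problems.append(f"audience {found} does not include {expected}")
    # Time window: IssueInstant widened by the offset on both sides (assumed reading).
    issued = _epoch(root.get("IssueInstant"))
    skew = cfg.token_validity_offset
    if not (issued - skew <= now <= issued + cfg.token_validity + skew):
        problems.append("token outside validity window")
    # NameID format must match the configured one (Unspecified accepts a missing Format).
    nameid = root.find("saml:Subject/saml:NameID", NS)
    fmt = nameid.get("Format", FMT_UNSPEC) if nameid is not None else None
    if fmt != cfg.nameid_format:
        problems.append(f"NameID format {fmt!r} != configured {cfg.nameid_format!r}")
    return problems

# Constructed sample assertion (not a real IdP response); signature checks are omitted.
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Subject><saml:NameID Format="{FMT_EMAIL}">agent@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://customaudience.com/services/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""
```

Calling validate_assertion(SAMPLE, cfg, now) with Enforce Audience Restriction on but no custom URL shows the fallback to the interface URL rejecting this token, which is the behaviour the Custom Audience URL field describes.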