5.2 SAML 2.0 Single Sign-On Integration Guide

Bright Pattern Documentation

Generated: 10/02/2021 7:40 am

Content is available under license unless otherwise noted.

Table of Contents

About
Audience
Prerequisites
Installing ADFS on Windows Server 2012
    Step 1: Create a test ADFS instance
    Step 2: Save the certificate
ADFS Console Setup
    Procedure
Configure Bright Pattern to Use SSO
    Bright Pattern Applications
    Procedure
        Step 1: Enable SSO feature in Service Provider application
        Step 2: Create SSO integration account in Contact Center Administrator
        Step 3: Create a user
        Step 4: Test SSO in Agent Desktop
Install ForgeRock on a Windows Machine
    Prerequisites
    Configuration
        Step 1: Get Java
        Step 2: Get Tomcat
        Step 3: Get OpenAm
        Step 4: Verify that Tomcat is running
        Step 5: Create ForgeRock directory
        Step 6: Create default configuration
Create IdP at ForgeRock Instance
    Procedure
        Step 1: Create a hosted identity provider
        Step 2: Enable SAML 2.0
        Step 3: Add the entity provider
        Step 4: Set the name for sign-on
        Step 5: Change your HTTP method
Export Metadata
    Step 1
    Step 2
    Step 3
Configuration in Bright Pattern
    Bright Pattern Applications
    Procedure
        Step 1: Enable SSO feature in Service Provider application
        Step 2: Create SSO integration account in Contact Center Administrator
        Step 3: Create a user
        Step 4: Test SSO in Agent Desktop

About

Bright Pattern integrates with Security Assertion Markup Language (SAML) 2.0 identity providers such as Okta, ForgeRock, and Active Directory Federation Services (ADFS), allowing you to configure single sign-on (SSO) functionality for Bright Pattern’s Agent Desktop and Contact Center Administrator applications.

The SAML 2.0 Single Sign-On Integration Guide provides instructions on how to install and configure Active Directory Federation Services (ADFS) and ForgeRock to work in an integrated manner with Bright Pattern Contact Center software.

Audience

The Single Sign-On Integration Guide is intended for the IT/technical personnel responsible for the data infrastructure of the contact centers that use Bright Pattern Contact Center solutions for customer interaction processing. Readers of this guide are expected to have expertise and experience in administration of these systems as well as a solid understanding of contact center operations and resources that are involved in such operations.

Prerequisites

For all types of integration described in this guide, Bright Pattern Contact Center version 5.0 or later is required.

Installing ADFS on Windows Server 2012

This section of the SAML 2.0 Single Sign-On Integration Guide explains how to install Active Directory Federation Services (ADFS) on Windows Server 2012. The following procedure outlines how to create a test ADFS instance, save your certificate, and set up the ADFS Console. These steps need to be followed before you can configure Bright Pattern to use ADFS single sign-on.

Step 1: Create a test ADFS instance

1. Read the detailed Microsoft guide to configure ADFS.

Step 2: Save the certificate

1. Download file FederationMetadata.xml.

2. Open the file and find the following tag in the section.

3. Copy its contents to a file.

4. At the beginning of the file, insert “-----BEGIN CERTIFICATE-----”

5. At the end of the file, insert “-----END CERTIFICATE-----”

See section ADFS Console Setup for next steps.

ADFS Console Setup

After you have created a test ADFS instance and saved your certificate, you are ready to set up the ADFS Console.

Procedure

1. Go to the ADFS Console.

2. Right-click on Relying Party Trusts and select Add Relying Party Trust.

3. Select option Enter data about the relying party manually and click Next.

4. Enter the name for this relying party (e.g., “BPSPTest”).

5. Select ADFS 2.0 and click Next. Skip the next windows by clicking Next.

6. Enter the Relying Party URL: https:///agentdesktop/sso/redirect

7. On the next screen, select option Permit all users.

8. Click Next to launch the Claims rules.

9. In the Claims rules screen, click Add Rule.

10. Select Send LDAP Attributes as Claims because Agent Desktop will be used as the Claims supplier.

11. For Claim Rule Name, enter a name and select the Attribute Store.

12. For mapping, use “UPN” as the NameID.

13. Add a new mapping: "UPN = CSIMLoginID"

Configure Bright Pattern to Use SSO

Single sign-on integration configuration is completed in Bright Pattern’s Service Provider application and the Contact Center Administrator application, and it’s tested in the Agent Desktop application.

Bright Pattern Applications

The Service Provider application (i.e., “https://.brightpattern.com/sysmgmt”) is where Bright Pattern Contact Center-based solutions are configured and managed at the service provider level. For more information, see the Service Provider Guide.

The Contact Center Administrator application (i.e., “https://.brightpattern.com/admin”) is where contact center resources are configured and managed at the system administrator level. For more information, see the Contact Center Administrator Guide.

The Agent Desktop application (i.e., “https://.brightpattern.com/agentdesktop”) is where contact center agents and supervisors interact with customers and other users. For more information, see the Agent Guide.

Procedure

Step 1: Enable SSO feature in Service Provider application

By default, SSO functionality is disabled. Enable it by following these steps:

1. In the Service Provider application, go to Tenants and select the name of your contact center from the list.

2. Click the Features tab.

3. In the list of features to enable or allow, select the checkbox for Enable Single Sign-On.

4. Click Apply.

Step 2: Create SSO integration account in Contact Center Administrator

For SSO to work, you must also enable it for your contact center in SSO integration account properties.

1. In the Contact Center Administrator application, go to Call Center Configuration > Integration Account.

2. Click the Add account button (+) to create a new integration account.

3. Select account type Single Sign-On.

4. Name the account (e.g., “ADFS”).

5. In the Agent Desktop SSO section, select the checkbox for Enable Single Sign-On.

6. Enter the Identity Provider Single Sign-On URL, which should be taken from federationmetadata.xml, the file you saved while Installing ADFS:

https:///adfs/ls/idpinitiatedsignon

7. Then, beside Identity Provider Certificate, hover your cursor over “empty” and click EDIT.

8. In the dialog that pops up, paste your certificate into the certificate option. The certificate should be taken from federationmetadata.xml, the file you saved while Installing ADFS.

9. Click Apply to save your changes.

Step 3: Create a user

Before you can test that SSO works, you will need to create a dummy user.

1. In the Contact Center Administrator application, go to Users & Teams > Users.

2. Click the Add user button to create a new user.

3. Set the username as “user1” and specify the desired password.

4. Click Apply to save your changes.

Step 4: Test SSO in Agent Desktop

You can try logging in to Agent Desktop with the username and password you just created.

1. Go to the Agent Desktop application (e.g., http:///agentdesktop).

2. The login page should redirect you to the ADFS login page.

3. Enter the credentials for “user1” that you just created.

4. The system will then redirect you to Agent Desktop as the logged-in user.

Install ForgeRock on a Windows Machine

This section of the SAML 2.0 Single Sign-On Integration Guide explains how to install ForgeRock (OpenAm) on a Windows Machine.

Prerequisites

The Windows machine must have a fully qualified domain name (FQDN).

Configuration

Step 1: Get Java

Download and install the latest Java JRE or JDK.

Tomcat (see Step 2 of the configuration) runs on the Java Runtime Environment (JRE). The JRE is also included in the Java Development Kit (JDK), which is used for developing Java applications. Either the JRE or the JDK will work.

Step 2: Get Tomcat

Download and install Tomcat 9.0.

Step 3: Get OpenAm

1. Download the OpenAm distribution.

2. Unzip the file.

3. Find the file with the .war extension; its name will be similar to AM-5.x.x Eval.

4. Rename the file to openam.war.

Step 4: Verify that Tomcat is running

Check it in the Windows Services option.

Step 5: Create ForgeRock directory

1. Copy the openam.war file to /Program Files/Apache Software Foundation/Tomcat 9.0/webapps.

2. Wait until Tomcat creates the "openam" directory.

Step 6: Create default configuration

1. Go to http://:8080/openam

2. Set the password for "amadmin".

3. Wait until the configuration is created.

4. Go to http://:8080/openam/XUI/#login/ and then enter the login and password for the "amadmin" user.

5. Create a user in the Top Level Realms > Subjects section (e.g., user1:password).

In the sections that follow, you will learn how to create an Identity Provider (IdP) at your ForgeRock Instance, which involves creating a hosted identity provider, enabling SAML 2.0, adding the entity provider, and changing your NameID service options. These steps need to be followed before you can configure Bright Pattern to use ForgeRock single sign-on.

Create IdP at ForgeRock Instance

Procedure

Step 1: Create a hosted identity provider

1. Log in to your ForgeRock instance (i.e., “http://:8080/openam”).

2. After successful login, go to Top Level Realms > Configure SAMLv2 Provider > Create Hosted Identity Provider.

3. Set name to http://:8080/openam

4. Set signing key to test.

5. In the Circle of trust section, select Add to new.

6. Provide a name for the Circle of trust (e.g., “COT1”)

7. Click Configure.

8. On the next screen, click Finish.

Step 2: Enable SAML 2.0

1. In your ForgeRock instance, go to Top Level Realms > Application > SAML.

2. On the Entity Providers section on the next screen, click New.

3. Choose the SAMLv2 option.

4. Edit the Entity Provider properties in the General section using value http:///agentdesktop/sso/redirect

5. Edit the Meta Alias properties using value http:///agentdesktop/sso/redirect

6. In the Service Provider section, in the "Signing certificate alias" field, type test.

7. Save changes.

Step 3: Add the entity provider

1. Go to Circle of Trust Configuration and choose the current Circle of Trust (i.e., “COT1”).

2. Add the second created entity provider.

3. Save changes.

Step 4: Set the name for sign-on

1. Go to the Circle of Trust Configuration option and choose the IDP Entity provider.

2. In Certificate Aliases > Signing, add the "test" value.

3. Name ID format:

    1. NameID Format List: remove all values except urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    2. NameID Value Map: remove all values and add the following value: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified=uid

Step 5: Change your HTTP method

1. Go to the Circle of Trust Configuration option and choose the SP Entity provider.

2. Go to the Services tab.

3. Change the Single Logout Service and Manage NameID Service options to "POST".

4. Change the parameters in Assertion Consumer Service:

    1. Set the default to HTTP-POST.

    2. Change the value to http:///agentdesktop/sso/redirect

5. Change the index to 0.

After you have created the identity provider in your ForgeRock instance, you are ready to Export Metadata.

Export Metadata

Follow these steps to get the certificate for your ForgeRock instance.

Step 1

Go to the following page: http://:8080/openam/saml2/jsp/exportmetadata.jsp?entityid=http://:8080/openam&realm=/

Step 2

Copy "ds:X509Certificate" content to Notepad++.

Step 3

In the certificate, before content begins, insert the following:

"-----BEGIN CERTIFICATE-----"

At the end of the content, insert the following:

"-----END CERTIFICATE-----"

Configuration in Bright Pattern

Single sign-on integration configuration is completed in Bright Pattern’s Service Provider application and the Contact Center Administrator application, and it’s tested in the Agent Desktop application.

Bright Pattern Applications

The Service Provider application (i.e., “https://.brightpattern.com/sysmgmt”) is where Bright Pattern Contact Center-based solutions are configured and managed at the service provider level. For more information, see the Service Provider Guide.

The Contact Center Administrator application (i.e., “https://.brightpattern.com/admin”) is where contact center resources are configured and managed at the system administrator level. For more information, see the Contact Center Administrator Guide.

The Agent Desktop application (i.e., “https://.brightpattern.com/agentdesktop”) is where contact center agents and supervisors interact with customers and other users. For more information, see the Agent Guide.

Procedure

Step 1: Enable SSO feature in Service Provider application

By default, SSO functionality is disabled. Enable it by following these steps:

1. In the Service Provider application, go to Tenants and select the name of your contact center from the list.

2. Click the Features tab.

3. In the list of features to enable or allow, select the checkbox for Enable Single Sign-On.

4. Click Apply.

Step 2: Create SSO integration account in Contact Center Administrator

For SSO to work, you must also enable it for your contact center in SSO integration account properties.

1. In the Contact Center Administrator application, go to Call Center Configuration > Integration Account.

2. Click the Add account button (+) to create a new integration account.

3. Select account type Single Sign-On.

4. Name the account (e.g., “ForgeRock”).

5. In the Agent Desktop SSO section, select the checkbox for Enable Single Sign-On.

6. Enter the Identity Provider Single Sign-On URL:

http://:8080/openam/saml2/jsp/idpSSOInit.jsp?metaAlias=/idp&spEntityID=http:///agentdesktop/sso/redirect&binding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

7. Then, beside Identity Provider Certificate, hover your cursor over “empty” and click EDIT.

8. In the dialog that pops up, paste your certificate into the certificate option.

9. Click Apply to save your changes.

Step 3: Create a user

Before you can test that SSO works, you will need to create a dummy user.

1. In the Contact Center Administrator application, go to Users & Teams > Users.

2. Click the Add user button to create a new user.

3. Set the username as “user1” and specify the desired password.

4. Click Apply to save your changes.

Step 4: Test SSO in Agent Desktop

You can try logging in to Agent Desktop with the username and password you just created.

1. Go to the Agent Desktop application (e.g., http:///agentdesktop).

2. The login page should redirect you to the ForgeRock login page.

3. Enter the credentials for “user1” that you just created.

4. The system will then redirect you to Agent Desktop as the logged-in user.