SAML Helpers

Getting SAML to work in CX is tricky. Here are some tools that I've found useful in the past:

Configuring RightNow

This will focus on configuring for Agent Login, but much of it is the same for end-user SSO.

  1. have Oracle/RightNow enable SAML login for your site
  2. upload your public cert to the additional root certificates directory using the file manager built into CX
  3. using the configuration manager set SAML_20_SIGN_CERTS to 'ANY-TRUSTED' (we'll come back to this later and lock it down)
    UPDATE: The 'ANY-TRUSTED' config value doesn't work in some versions (specifically August 2013), so you may need to use the actual cert thumbprint even for testing. (See Configure your IdP below for generating the thumbprint.)
  4. create a profile that has access to the site, and has the Agent Login enabled (if you don't see this option go back to #1)
  5. create an account and assign it to the previously created profile
  6. Configure the test app
    1. open the private key you generated and set the password (if applicable)
    2. select the Version 2.0 radio button
    3. set Issuer to anything (but not blank)
    4. set the Target and Recipient to: http://[site].custhelp.com/cgi-bin/[interface].cfg/php/admin/sso_launch.php?p_subject=Account.Login
    5. set the Domain to: http://[site].custhelp.com
    6. set the Subject to the login of the account you created above
    7. select the 'Sign Assertion' radio button
  7. hit 'Post Assertion' and pray

If you successfully got logged into the site you need to go buy a lottery ticket... like now... SAML can wait. If you received the wonderfully helpful "SSO login failed" message you have a few things to check:

  • first go back through everything that you did above and ensure that everything is set up properly
  • delete all of the certs on the site and make sure yours is the only one
  • open up your public cert in a text editor; you should see a block of base64 data that starts with -----BEGIN CERTIFICATE-----. Now open up the assertion that you're posting to CX: either intercept the traffic using Fiddler or put a breakpoint on line 191 of SamlHelper.cs (this is one of the more unfortunate parts of this test app). In the assertion, find the "X509Certificate" element; its contents need to match the base64 body of your certificate. If they don't, re-generate your public cert from your private key
  • if you're still stuck you've got a problem. There are some pretty helpful error messages in the RightNow trace files, but you're not allowed to have them. You can call customer care and hope for a helpful person who will read you the contents of the trace file, but more likely they'll tell you to just buy some Consulting hours, and that's going to take the better part of a month... If you can get somebody to read you the trace files, have them turn on PHP tracing and search for TRERR (there may be some useful certificate errors above that as well)
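The script below is an added example (not part of the original post and not code from the SAML test app). It shows where the values from steps 6.3 to 6.6 land in the SAML 2.0 assertion (Issuer, Recipient/Destination, Audience, NameID) and automates the third troubleshooting check: it decodes the base64 SAMLResponse that the HTTP-POST binding sends, pulls out the X509Certificate element, and compares it against the body of the PEM file you uploaded to the site. The site URL, login, and "certificate" body are constructed sample values, not a real certificate; pass a captured form value and your real PEM to the same functions.

```python
"""Pre-flight checks for a SAML 2.0 assertion before posting it to CX.

Added example, not part of the original post or of the SAML test app.
Assumes the HTTP-POST binding (Response travels base64-encoded in the
SAMLResponse form field) and a PEM copy of the public cert on the site.
"""
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample values mirroring steps 6.3 - 6.6 (not a real site).
ISSUER = "my-test-idp"
TARGET = ("http://example.custhelp.com/cgi-bin/example.cfg/php/admin/"
          "sso_launch.php?p_subject=Account.Login")
DOMAIN = "http://example.custhelp.com"
LOGIN = "agent.login"
# Placeholder body, NOT a real X.509 certificate; only the string comparison matters here.
CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()


def _wrap(s, width=64):
    return "\n".join(s[i:i + width] for i in range(0, len(s), width))


SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{_wrap(CERT_B64)}\n-----END CERTIFICATE-----\n"

# Constructed Response: shape of what the test app posts (signature value is a placeholder).
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2013-08-01T12:00:00Z" Destination="{TARGET}">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-08-01T12:00:00Z">
    <saml:Issuer>{ISSUER}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:SignatureValue>placeholder-not-a-real-signature</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_wrap(CERT_B64)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject>
      <saml:NameID>{LOGIN}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{TARGET}" NotOnOrAfter="2013-08-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-08-01T11:55:00Z" NotOnOrAfter="2013-08-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{DOMAIN}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_FORM_VALUE = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def pem_body(pem_text: str) -> str:
    """Base64 payload between the BEGIN/END lines, with all whitespace removed."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM text")
    return re.sub(r"\s+", "", m.group(1))


def decode_saml_response(form_value: str) -> ET.Element:
    """Reverse the HTTP-POST binding: base64 form field -> parsed samlp:Response element."""
    return ET.fromstring(base64.b64decode(form_value))


def summarize(response: ET.Element) -> dict:
    """Pull out the fields that correspond to the test app settings."""
    assertion = response.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no plain saml:Assertion (encrypted or malformed?)")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
        "recipient": scd.get("Recipient") if scd is not None else None,
        "destination": response.get("Destination"),
        "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                       default="", namespaces=NS).strip(),
        # Whitespace-stripped so it can be compared with the PEM body directly.
        "certs": [re.sub(r"\s+", "", e.text or "")
                  for e in assertion.iter(f"{{{NS['ds']}}}X509Certificate")],
    }


def problems(response: ET.Element, pem_text: str, target: str, domain: str, login: str) -> list:
    """Return a list of mismatches against the setup; an empty list means the assertion agrees with it."""
    s = summarize(response)
    out = []
    if not s["issuer"]:
        out.append("Issuer is blank (step 6.3 says anything but blank)")
    if s["name_id"] != login:
        out.append(f"Subject/NameID is {s['name_id']!r}, expected the account login {login!r}")
    if s["recipient"] != target:
        out.append(f"Recipient is {s['recipient']!r}, expected the sso_launch.php target")
    if s["destination"] is not None and s["destination"] != target:
        out.append("Response Destination differs from the target URL")
    if s["audience"] != domain:
        out.append(f"Audience is {s['audience']!r}, expected the Domain {domain!r}")
    if not s["certs"]:
        out.append("no X509Certificate in the assertion: it does not look signed")
    elif pem_body(pem_text) not in s["certs"]:
        out.append("X509Certificate does not match the cert uploaded to the site")
    return out


if __name__ == "__main__":
    resp = decode_saml_response(SAMPLE_FORM_VALUE)
    print(summarize(resp))
    print(problems(resp, SAMPLE_PEM, TARGET, DOMAIN, LOGIN) or "no problems found")
```

For a real capture, save the SAMLResponse form value Fiddler shows into a file, read it into `decode_saml_response`, and pass your own PEM and the target, domain and login you typed into the test app.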

Configure your IdP

I would recommend sending the certificates you generated to your IdP configuration team and making sure that they can get it working with those before attempting to use another. Once you've got that working you can put the production public certificate onto the CX site (you won't need the private key anymore). Test. Then set SAML_20_SIGN_CERTS to the thumbprint of your cert. In Windows you can find this by double-clicking the cert file (rename it to .cer if it isn't being recognized), going to the Details tab and scrolling all the way to the bottom. You'll see a string something like "c4 b9 62 61 26 f3 21 32 5c fb db 9b 22 74 02 83 d6 bf ae 39". Remove all of the whitespace and convert it to upper case before putting it into the configuration setting.
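As an added example (not from the original post), the script below produces the SAML_20_SIGN_CERTS value straight from the certificate file instead of by hand: it computes the SHA-1 thumbprint over the DER encoding, which is the same value the Windows Details tab shows, and upper-cases it with no separators. It also cleans up a thumbprint copied from the Windows dialog, dropping not only the spaces but any invisible character (such as a left-to-right mark) the dialog may copy along with the text. SAMPLE_DER is constructed placeholder bytes, not a real certificate; any real .cer or PEM file is handled the same way.

```python
"""Produce the SAML_20_SIGN_CERTS thumbprint from a certificate file.

Added example, not part of the original post. Accepts a PEM file
(base64 between BEGIN/END lines) or a raw DER .cer file.
"""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_bytes(cert_file_bytes: bytes) -> bytes:
    """Return the DER encoding: decode the PEM body if present, otherwise assume raw DER."""
    m = PEM_RE.search(cert_file_bytes)
    if m:
        return base64.b64decode(re.sub(rb"\s+", b"", m.group(1)))
    return cert_file_bytes


def thumbprint_from_der(der: bytes) -> str:
    """SHA-1 over the DER bytes, upper-case hex, no separators: ready for the config setting."""
    return hashlib.sha1(der).hexdigest().upper()


def thumbprint_for_config(cert_file_bytes: bytes) -> str:
    return thumbprint_from_der(der_bytes(cert_file_bytes))


def normalize_windows_thumbprint(copied: str) -> str:
    """Clean a thumbprint pasted from the Windows certificate dialog.

    Removes spaces and any non-hex character (the dialog can copy an invisible
    left-to-right mark along with the text), then upper-cases the result.
    """
    return re.sub(r"[^0-9A-Fa-f]", "", copied).upper()


# Constructed sample: placeholder bytes standing in for a DER-encoded certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 DER certificate"
_B64 = base64.b64encode(SAMPLE_DER)
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + b"\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    # Usage: python thumbprint.py idp_public.pem   (falls back to the sample when no file is given)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PEM
    print(thumbprint_for_config(data))
```

Comparing the script's output with the cleaned-up value from the Windows dialog is a quick way to confirm you exported the same certificate that you uploaded to the site.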

Comments

The policy may have changed, but when SAML first became available it was not to be enabled/sold without also selling a bucket of consulting hours.

I had also submitted a couple of bugs with product development to improve the error logging so that SAML errors would be logged into the error log that is accessible via the common configuration section. To increase the visibility of this, I would encourage all of your customers to log a support incident that it is an issue that you can't view errors of why a SAML assertion is not passing. This is especially important if a SAML implementation that has been working starts to fail. This can happen if the certificate used to sign & verify the SAML assertion expires or if the clock between the RightNow CX server and the IdP becomes out of sync by a substantial amount.

The steps you mentioned look good and I tried to follow them to configure SSO using SAML 2.0 in RightNow, but have hit a blockage as to how to generate Metadata in RightNow! Without the Metadata, my Oracle Identity Federation 11g doesn't recognize the RightNow application.

Is there a workaround to implement SSO using SAML 2.0? I am trying to configure SSO "using external identity provider" as mentioned in the RightNow documentation. (https://documentation.custhelp.com/euf/assets/docs/may2014/olh/wwhelp/ww...)

From what I understand, from Oracle Identity Federation 11g point, the Metadata would ideally contain all the details of RightNow like URL, Service Provider URL, if any certificates used etc.

I would really appreciate any help in this as I'm unable to figure out any way forward.

Many Thanks,

Saurabh Mathur

Jack -

I've used that SAML POST utility more times than I can count since you originally published this article. It's been an unequivocal lifesaver and it's about time I mentioned it.

Thanks!
R

Hi Jack, it was a very nice post. You have described everything clearly. But how can I accomplish the SSO agent login from RightNow to another app? For example, RightNow to Sales Cloud?
