SSO: Azure (SAML)
Overview
Use your enterprise Azure authentication on the CCAI Platform. When enabled, you can use enterprise-wide Azure credentials to log in to the CCAI Platform Portal and Agent Adapter. The Azure Sign On feature uses the SAML authentication protocol.
Prerequisites
To enable Azure Sign In using the SAML protocol, you must have:
Azure account for Azure to serve as an Identity Provider
Azure developer account
Admin user login
Contact Support to enable.
Configuration
Step 1: Azure developer setup
Log in to your existing Azure account.
Navigate to the Azure Portal and click Enterprise applications:
From the Enterprise applications page, click New application:
In the search box type saml.
Click Azure AD SAML Toolkit.
If desired, change the application Name, then click Create.
Click Set up single sign on.
Click the SAML option.
Beside Basic SAML Configuration, click Edit.
For Identifier (Entity ID), enter https://<environmentname>.domain.co/saml/v1/metadata
For Reply URL (Assertion Consumer Service URL), enter https://<environmentname>.domain.co/saml/v1/consume
For Sign on URL, enter https://<environmentname>.domain.co/
Click Save at the top of the screen.
Beside User Attributes & Claims, click Edit.
Click Unique User Identifier (Name ID).
Change Source attribute to user mail, then click Save.
Verify that the Unique User Identifier has been changed to user mail.
Copy and save the Login URL and Azure AD Identifier to use later in the CCAI Platform Portal.
Click the download link for Certificate (Base64).
Open the file in a text editor for later use.
Step 2: Enable External Auth/SSO in CCAI Platform Developer Settings
Go to Settings > Developer Settings.
Scroll down to External Authentication / SSO and toggle On.
Select SAML SSO:
Under Identity Provider Issuer (Entity ID), paste the Azure AD Identifier you copied from the Azure portal.
Under Identity Provider Login URL, paste the Login URL you copied from the Azure portal.
Under Email Field Mapping enter NameID.
In the Identity Provider Public Certificate text box, copy the contents of the downloaded Certificate (Base64) file from your text editor. Make sure "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" are included.
Click Save Changes.
On the confirmation dialog, click Yes to acknowledge and confirm the change.
*Do not log out of the CCAI Platform Portal until Step 3: Verify Azure Authentication is completed.*
Step 3: Verify Azure authentication
Navigate to the Agent Adapter in your CRM application. The login page appears.
Click Login with Company SSO. A pop-up window is displayed, prompting you to log in with your Azure credentials.
After successfully logging in to the Agent Adapter in the CRM, open a new private (incognito) tab in your web browser and navigate to the CCAI Platform Portal.
Click Login with Company SSO and enter your Azure credentials:
Repeat the login verification steps multiple times to ensure the SAML SSO authentication works without any errors. On successful verification, you can log out of the CCAI Platform Portal, retaining the Login Policy updates.
SSO: Idaptive (SAML)
Overview
The Idaptive Single Sign On feature in CCAI Platform allows you to use your enterprise Idaptive authentication to log in to the CCAI Platform Portal and Agent Adapters. The Idaptive Sign In feature uses the SAML authentication protocol.
Prerequisites
To enable Idaptive login using the SAML protocol, you must have:
Idaptive account for Idaptive to serve as an Identity Provider
Idaptive developer account
Admin user login
Idaptive developer setup
Log in to the Idaptive admin portal.
From the left menu, click Web Apps:
Click the Add Web Apps button:
Click the Custom tab:
Locate the SAML web app and click Add:
On the confirmation dialog, click Yes:
On the SAML Web App Settings page, enter a Name and click Save:
On the SAML Web App page, click the Trust tab:
Navigate to the Identity Provider Configuration (IPC) section and select Manual Configuration:
Copy and save the Entity ID for later use in the CCAI Platform Portal.
Download and save the Signing Certificate to a text file.
Copy and save the IDP Login URL for later use in the CCAI Platform Portal.
Navigate to the Service Provider Configuration (SPC) section and select Manual Configuration:
Under SP Entity ID / Issuer / Audience, enter: https://<environmentname>.ujet.co/saml/v1/metadata
Under Assertion Consumer Service (ACS) URL, enter: https://<environmentname>.ujet.co/saml/v1/consume
Beside Recipient, select Same as ACS URL.
From the NameID Format drop-down, select emailAddress, then click Save:
On the SAML Web App page, click the Permissions tab:
Click Add.
In the Select User, Group, or Role dialog, search for and select a user, then click Add.
Click Save to deploy the SAML Web App:
Enabling External Auth/SSO in CCAI Platform Developer Settings
Log in to the CCAI Platform Portal with an Admin user account.
Go to Settings > Developer Settings.
Toggle the External Authentication/SSO to On.
Select SAML SSO:
Under Identity Provider Issuer (Entity ID), paste the IDP Entity ID you copied from the Idaptive portal.
Under Identity Provider Login URL, paste the IDP Login URL you copied from the Idaptive portal.
Under Email Field Mapping enter NameID.
In the Identity Provider Public Certificate text box, copy the contents of the downloaded Signing Certificate file from your text editor. Make sure "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" are included:
Click Save.
Click Yes to acknowledge and confirm the change:
*Do not log out of the CCAI Platform Portal until Step 3: Verify SAML SSO Authentication is completed.*
Verify Idaptive authentication
Navigate to the CCAI Platform adapter in your CRM application. The CCAI Platform Agent Adapter login page is displayed:
Click Login with Company SSO. A pop-up window is displayed, prompting you to log in with the Idaptive credentials:
After successfully logging in to the Agent Adapter in the CRM, open a new private (incognito) tab in your web browser and navigate to the CCAI Platform Portal:
Click Login with Company SSO and log in with your Idaptive credentials:
Repeat the login verification steps multiple times to ensure the SAML SSO authentication works without any errors. On successful verification, you can log out of the CCAI Platform Portal, retaining the Login Policy updates.
SSO: OneLogin (OpenID Connect)
Overview
Use your enterprise OneLogin authentication to log in to the CCAI Platform Portal and Agent Adapters.
The OneLogin sign-in feature uses the OpenID Connect authentication protocol.
Prerequisites
In order to enable OneLogin authentication using OpenID Connect protocol, you must have:
An account with OneLogin to serve as an Identity Provider.
OneLogin developer account.
Admin user login.
Contact Support to use SSO.
OneLogin App configuration: developer setup
Log in to the OneLogin admin console.
From the navigation bar, click Applications.
Click Add App:
On the Find Applications page, search for "OpenId Connect" or "oidc", then select the OpenId Connect (OIDC) app:
On the OIDC app configuration page, enter a name in the Display Name field and click Save:
On the OIDC app setting page, select the Configuration tab.
In the Redirect URI's field, enter https://<environmentname>.<domainname>co, then click Save.
On the OIDC app setting page, click on the SSO tab.
Under Issuer URLs, copy and save your OneLogin V2 URL for later use in the CCAI Platform Portal. Copy and save only the address without the path.
Copy and save the Client ID for use in the CCAI Platform Portal.
Enabling External Auth/SSO in CCAI Platform Developer Settings
Log in to the CCAI Platform Portal with an Admin user account.
Go to Settings > Developer Settings.
Scroll down to External Authorization / SSO and toggle On.
Select OpenID Connect SSO, then select OneLogin from the drop-down menu:
Under OneLogin domain, paste the OneLogin Org URL you previously saved from the OneLogin admin console.
Under OneLogin Client ID, paste the Client ID you previously saved from the OneLogin admin console.
Click Save Changes.
On the confirmation dialog, click Yes to acknowledge and confirm the change. A success message is displayed.
Verify OneLogin authentication (Initial Agent Adapter and CCAI Platform Portal Login)
Navigate to the Agent Adapter in your CRM application.
The Agent Adapter login page is displayed.
Click Login with OneLogin. A pop-up window is displayed, prompting you to enter your OneLogin credentials.
After successfully logging in to the Agent Adapter in the CRM, open a new private (incognito) tab in your web browser and navigate to the CCAI Platform Portal.
Click Login with OneLogin to log in with your enterprise SSO credentials.
Repeat the login verification steps multiple times to ensure the OpenID Connect SSO authentication works without any errors. On successful verification, you can log out of the CCAI Platform Portal, retaining the Login Policy updates.
SSO: Okta (OpenID Connect)
Overview
Use your enterprise Okta authentication to log in to the CCAI Platform Portal and Agent Adapters. The Okta sign-in feature uses the OpenID Connect authentication protocol.
Prerequisites
To enable Okta log-in using OpenID Connect protocol, you must have:
Okta account for Okta to serve as an Identity Provider.
Okta developer account.
CCAI Platform Admin user login.
Contact Support to use SSO.
Configuration
Step 1: Okta developer setup
Log in to your Okta developer account.
From the Dashboard, copy and save the Org URL for later use in the CCAI Platform Portal:
From the navigation bar, click Applications.
Click Add Application:
From the Create New Application page, click Single-Page App, then click Next:
In the Base URIs, Login redirect URIs, and Logout redirect URIs fields, enter https://<environmentname>.domain.co, then click Done:
From the General Settings page, under Client Credentials, copy and save the Client ID.
From the navigation bar, click API, and select Trusted Origins:
Click on the Trusted Origins tab and verify that the CCAI Platform environment URL has been added. If not, click Add Origin, then add the CCAI Platform environment URL.
Enabling External Auth/SSO in CCAI Platform Developer Settings
Log in to the CCAI Platform Portal with an Admin user account.
Go to Settings > Developer Settings.
Scroll down to External Authorization / SSO and toggle On.
Select OpenID Connect SSO, then select Okta from the drop-down menu:
Under Okta domain, paste the Org URL you previously saved from Okta Developer Console.
Under Okta Client ID, paste the Client ID you previously saved from Okta Developer Console.
Click Save Changes.
On the confirmation dialog, click Yes to acknowledge and confirm the change. A success message is displayed.
*Do not log out of the CCAI Platform Portal until Step 3: Verify Okta authentication is completed.*
Verify Okta authentication
Navigate to the Agent Adapter in your CRM application. The Agent Adapter login page is displayed.
Click Login with Okta. A pop-up window is displayed, prompting you to enter your Okta credentials.
After successfully logging in to the Agent Adapter in the CRM, open a new private (incognito) tab in your web browser and navigate to the CCAI Platform Portal.
Click Login with Okta to log in with your enterprise SSO credentials.
Repeat the login verification steps multiple times to ensure the OpenID Connect SSO authentication works without any errors. On successful verification, you can log out of the CCAI Platform Portal, retaining the Login Policy updates.
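If the OneLogin or Okta verification above fails, the ID token captured from the browser's developer tools can be compared against the two values saved in Developer Settings. The following is an added example, not part of the CCAI Platform, OneLogin or Okta products; the function names and all sample values are constructed, and the token signature is not verified here.

```python
import base64
import json
import time
from urllib.parse import urlsplit

def make_unsigned_token(claims):
    """Build a constructed, unsigned JWT-shaped string for offline testing."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = seg({"alg": "none"})
    return header + "." + seg(claims) + ".constructed-signature"

def decode_claims(id_token):
    """Decode the JWT payload segment. The signature is NOT verified here."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_id_token(id_token, sso_domain, client_id, now=None):
    """List mismatches between ID token claims and the saved SSO settings."""
    claims = decode_claims(id_token)
    now = time.time() if now is None else now
    problems = []
    # The saved domain is the address without a path, so compare scheme and host only.
    iss, saved = urlsplit(claims.get("iss", "")), urlsplit(sso_domain)
    if iss.scheme != "https" or iss.netloc.lower() != saved.netloc.lower():
        problems.append(f"iss: {claims.get('iss')!r} does not match {sso_domain!r}")
    # aud may be a single string or a list; the saved Client ID must be in it.
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud: {aud!r} does not contain {client_id!r}")
    if claims.get("exp", 0) <= now:
        problems.append("exp: token is expired")
    return problems

# Constructed sample values (placeholders, not real tenant data).
SAMPLE_TOKEN = make_unsigned_token({
    "iss": "https://example.onelogin.com/oidc/2",
    "aud": "constructed-client-id",
    "exp": 2000000000,
})

if __name__ == "__main__":
    print(check_id_token(SAMPLE_TOKEN, "https://example.onelogin.com",
                         "some-other-client-id", now=1700000000))
```

An empty list means the issuer host, audience and expiry agree with the saved domain and Client ID; any entry names the setting to re-check.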
SSO: Okta (SAML)
In the Okta Admin Dashboard, go to Applications > Applications.
Click Create App Integration.
Select SAML 2.0, then click Next.
Click Next.
Specify a Name and Logo.
Click Next.
On the Configure SAML screen enter these values:
Single sign on URL: https://<environmentname>.domain.co/saml/v1/consume
Check Use this for Recipient URL and Destination URL
Audience URI (SP Entity ID): https://<environmentname>.domain.co/saml/v1/metadata
Name ID format: provided by the customer (for example, EmailAddress)
On the Feedback panel provide feedback selections.
Suggested selections:
I'm an Okta customer adding an internal app
This is an internal app that we have created
Click Finish.
On the Sign On tab of the page that displays, click the View Setup Instructions button to launch a new tab.
Enable External Auth/SSO in CCAI Platform Developer Settings
Go to Settings > Developer Settings.
Toggle on External Authentication / SSO and choose SAML SSO.
Copy the Identity Provider Single Sign-On URL value from the Okta page into the Identity Provider Login URL field.
Copy the Identity Provider Issuer value from the Okta page into the Identity Provider Issuer (Entity ID) field.
Keep the Email Field Mapping value set to NameID. If issues occur, try EmailAddress if that is what the customer has selected for the Name ID format in their Okta settings. This is generally unnecessary; NameID is fairly common.
Download or copy the X.509 Certificate from the Okta page and paste into the Identity Provider Public Certificate field.
Choose to enable or disable the username/password field for agent adapters by checking or unchecking the box.
Save the CCAI Platform configuration; a green confirmation box should appear.
You do not need the optional IDP metadata field provided by Okta.
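When a SAML login fails after the setup in this section (or in the Azure and Idaptive SAML sections above), decoding the SAMLResponse form field captured in the browser shows which configured value the IdP actually sent. The following is an added example, not CCAI Platform or Okta code; it assumes an unencrypted assertion, uses constructed placeholder values, and does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(b64_response, idp_entity_id, sp_base_url):
    """List mismatches between a captured SAMLResponse and the SSO settings.
    Diagnostic only: the signature is NOT verified here."""
    base = sp_base_url.rstrip("/")
    acs, audience = base + "/saml/v1/consume", base + "/saml/v1/metadata"
    root = ET.fromstring(base64.b64decode(b64_response))
    a = "saml:Assertion/"

    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    scd = root.find(a + "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    found = {
        "Destination": (root.get("Destination"), acs),
        "Recipient": (scd.get("Recipient") if scd is not None else None, acs),
        "Issuer": (text(a + "saml:Issuer"), idp_entity_id),
        "Audience": (text(a + "saml:Conditions/saml:AudienceRestriction/saml:Audience"), audience),
    }
    problems = [f"{k}: got {got!r}, expected {want!r}"
                for k, (got, want) in found.items() if got != want]
    name_id = text(a + "saml:Subject/saml:NameID")
    if not name_id or "@" not in name_id:
        problems.append(f"NameID {name_id!r} is not an email address")
    return problems

# Constructed sample: the Audience was set to the ACS URL instead of the metadata URL.
SP = "https://example-env.domain.co"
IDP = "https://idp.example.com/entity"
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{SP}/saml/v1/consume"><saml:Assertion><saml:Issuer>{IDP}</saml:Issuer>
<saml:Subject><saml:NameID>agent@example.com</saml:NameID><saml:SubjectConfirmation>
<saml:SubjectConfirmationData Recipient="{SP}/saml/v1/consume"/></saml:SubjectConfirmation>
</saml:Subject><saml:Conditions><saml:AudienceRestriction>
<saml:Audience>{SP}/saml/v1/consume</saml:Audience></saml:AudienceRestriction>
</saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    for line in check_saml_response(SAMPLE, IDP, SP):
        print(line)
```

An empty result means Destination, Recipient, Issuer, Audience and NameID all agree with the values entered in the IdP and in Developer Settings.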
Optional
Enable the disable-email-invites feature flag to turn off email notifications to new CCAI Platform users when accounts are created. This email is typically invalid when using SSO.
Disable the Forgot Password functionality for all CCAI Platform users except those with Admin permissions.
SSO: Google Authentication (OpenID Connect)
Overview
Use your enterprise Google authentication to log in to the CCAI Platform Portal and Agent Adapters.
The feature uses the OpenID Connect protocol, which is a simple identity layer on top of the OAuth 2.0 protocol.
Keep the following in mind:
The Google authentication email address must match the CCAI Platform username.
Alias domains do not work.
Only applies to Google for Work domain accounts.
Enabling External Auth/SSO in CCAI Platform Developer Settings
Log in to the CCAI Platform Portal with an Admin user account.
Go to Settings > Developer Settings.
Scroll down to External Authorization / SSO and toggle On.
Select OpenID Connect SSO, then select Google from the drop-down menu:
Click Save Changes.
A Change Login Method confirmation message will display.
Changing the login policy will affect all users in your organization and may end current sessions. Are you sure you want to change the login policy?
Click Yes.
Logging in as an Agent (Initial Login)
An Agent's first login can be either through the CCAI Platform Portal, using the account creation link, or through the CCAI Platform Adapter integrated with your CRM.
The Adapter will display in the CRM.
Logging into the CCAI Platform Portal
When Google authentication is enabled, users are directed to a log-in page in order to access the CCAI Platform Portal.
SSO: OneLogin (SAML)
In the CCAI Platform Portal, invite a user and ensure the user is also invited to the OneLogin app with the same email address.
Ensure you have a OneLogin Admin account: https://www.onelogin.com/
Create a SAML application for CCAI Platform, but first ensure you are in the administration portal by clicking Administration.
Click Applications > Applications.
Click Add App.
Search for saml.
Select the SAML Custom Connector (Advanced), or another SAML app you want to use.
Click Configuration.
Set end points.
Click Save.
Open the SSO page from the menu.
Select the desired SAML Signature Algorithm.
Copy the Issuer URL and the SAML 2.0 Endpoint (HTTP) in OneLogin and save for later use.
Click View Details.
Copy the X.509 Certificate and save for later use.
Navigate to User > Users.
Select a user.
Note: The user's email address must exist in the CCAI Platform Portal users list.
Click Applications.
Click the + icon to add the SAML Custom Connector (Advanced) application.
Enable External Auth/SSO in CCAI Platform Developer Settings
Navigate to Settings > Developer Settings > External Authentication / SSO.
Paste the Issuer URL into the Identity Provider Issuer (Entity ID) field.
Paste the SAML 2.0 Endpoint (HTTP) into the Identity Provider Login URL field.
Paste the X.509 Certificate into the Identity Provider Public Certificate field.
Click Save.