OpenLogin: PTA, SAML, and OAuth/OpenID Ernie Turner Chris Fellows RightNow Technologies, Inc.
Why should you care about these features? Because users hate creating new online accounts.
Pass Through Authentication (PTA)
Purpose
- Single sign-on between your website (your contact datastore) and Customer Portal (the Customer Portal DB)
Flow
1) User logs in on your site
2) User clicks link to CP
3) Your site sends user data and redirect location to the CP PTA endpoint
4) Contact is created/updated, logged in, and sent to the redirect location
Flow
<CP_Site>/ci/pta/login/redirect/{CP Page}/p_li/{pta_data}
CP Page = page to take the user to after login
- Home page: /ci/pta/login/redirect/home
- Answers list page: /ci/pta/login/redirect/answers/list
- Custom controller: /ci/pta/login/redirect/cc/yourcontroller/endpoint
Flow
PTA_DATA = Base64-encoded contact data
- Query string format: p_userid=login&p_email=jdoe@example.com...
- Base64: cF91c2VyaWQ9bG9naW4mcF9lbWFpbD1qZG9lQGV4YW1wbGUuY29t
- Username is the only required field
PTA Data
- Name
- Email
- Password
- Address fields
- Org ID
- Custom fields
- Channel fields
PTA Configuration
PTA_ENABLED: Will CP accept PTA requests?
PTA_EXTERNAL_LOGIN_URL: Where should CP take the user when they ask to login? What is the page on your site where users login?
- Placeholders: %next_page%, %session%
- Example: mymainsite.com/login?nextpage=%next_page%&session=%session%
http://bigfishgames.custhelp.com/
https://susi.bigfishgames.com/login.php
PTA_SECRET_KEY: What value should we use to authenticate the request?
- No encryption: sent as p_li_passwd
- Encryption: used as the encryption key; don't send it in the URL!
PTA_ERROR_URL: If an error occurs during the login process, where should we redirect the user?
- Placeholders: %error_code%, %session%
- Example: mymainsite.com/ptaerror?code=%error_code%&session=%session%
PTA_ERROR_URL error conditions:
- Missing PTA data
- Failed decoding
- Invalid PTA_SECRET_KEY
- Missing login
- Password length exceeded
- Login failed (bad username/password combo)
- Various encryption failure states
PTA_EXTERNAL_LOGOUT_SCRIPT_URL: If a user clicks logout from within CP, where should we take them on your site to logout? If not set, the logout link won't show.
- Placeholder: %source_page%
- Example: mymainsite.com/logout?next=%source_page%
PTA_EXTERNAL_POST_LOGOUT_URL: If a user logs out from your site and you take them to the <CP SITE>/ci/pta/logout URL, where should we take them afterwards?
PTA Encryption
- PTA_ENCRYPTION_METHOD: Triple DES or AES (128, 192, 256 bit)
- PTA_ENCRYPTION_KEYGEN
- PTA_ENCRYPTION_PADDING
- Raw data -> Encrypt -> Base64 encode
- Do not send p_li_passwd!
PTA_IGNORE_CONTACT_PASSWORD: Should we store a password for the contact?
- Requires use of encryption
- Removes the password syncing problem and the multi-interface problem
Hooks
- pre_pta_decode: run before any manipulation of PTA data
- pre_pta_convert: run after data has been decoded/decrypted and converted into an array, e.g.
    [p_user_id] => jdoe
    [p_email] => jdoe@example.com
    [p_postal_code] => 38392
    etc.
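The PTA data format from the Flow slides and the array the pre_pta_convert hook receives, as an added Python example (not RightNow's code): it builds the p_li value in no-encryption mode, assembles the login URL, and decodes it back, raising the first error conditions the PTA_ERROR_URL slide names. Assumed: the sample contact, the cp_site/cp_page values, and that the Base64 is standard (not URL-safe) as on the slide.

```python
import base64
from urllib.parse import urlencode, parse_qs

# Constructed sample contact (not from the deck); p_userid is the only required field.
SAMPLE_CONTACT = {"p_userid": "login", "p_email": "jdoe@example.com"}

def build_pta_data(contact, secret_key=None):
    """Build the p_li value in no-encryption mode: query string -> Base64.

    secret_key is PTA_SECRET_KEY, sent as p_li_passwd. In encryption mode the key
    is the cipher key instead and must never go in the URL (encrypt step not shown).
    """
    if not contact.get("p_userid"):
        raise ValueError("p_userid is the only required field and is missing")
    fields = dict(contact)
    if secret_key is not None:
        fields["p_li_passwd"] = secret_key
    # safe="@" keeps the e-mail literal, matching the query string on the slide
    raw = urlencode(fields, safe="@").encode("utf-8")
    # Standard Base64 as on the slide; the deck does not say how '+', '/' or '='
    # inside the path segment are treated, so confirm that against the product docs.
    return base64.b64encode(raw).decode("ascii")

def build_pta_url(cp_site, cp_page, pta_data):
    """Assemble <CP_Site>/ci/pta/login/redirect/{CP Page}/p_li/{pta_data}."""
    return f"{cp_site.rstrip('/')}/ci/pta/login/redirect/{cp_page.strip('/')}/p_li/{pta_data}"

def decode_pta_data(pta_data):
    """Reverse the encoding into the field => value array a pre_pta_convert hook sees.

    Raises ValueError named after the PTA_ERROR_URL conditions the deck lists for
    missing data, a decode failure and a missing login.
    """
    if not pta_data:
        raise ValueError("Missing PTA data")
    try:
        raw = base64.b64decode(pta_data, validate=True).decode("utf-8")
    except ValueError as exc:  # covers binascii.Error and UnicodeDecodeError
        raise ValueError("Failed decoding") from exc
    fields = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    if not fields.get("p_userid"):  # the hooks slide spells this field p_user_id
        raise ValueError("Missing login")
    return fields

if __name__ == "__main__":
    data = build_pta_data(SAMPLE_CONTACT)
    print(build_pta_url("https://example.custhelp.com", "answers/list", data))
    print(decode_pta_data(data))
```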
Additional Features
- rn:condition external_login_used
- standard/input/forminput allow_external_login_updates attribute
OAuth & OpenID
Purpose
- Remove the requirement for users to create a new account
- Allow them to use existing web credentials from a trusted authority
Flow
Configuration
- FACEBOOK_OAUTH_APP_ID
- FACEBOOK_OAUTH_APP_SECRET
- TWITTER_OAUTH_APP_ID
- TWITTER_OAUTH_APP_SECRET
OpenLogin Widget Attributes
- controller_endpoint: prebuilt URLs for Facebook, Twitter, Google, Yahoo
- display_in_dialog: used by default in mobile
- redirect_url
How Data Is Stored
- Twitter/Facebook (OAuth): entry in the contact2channel_type table; allows automatic use with Cloud Monitor
- Everything else (OpenID): entry in the openid_accounts table; stores the unique endpoint for each contact
SSO SAML 2.0 Support
Federated Authentication (SSO) Agent Desktop
RightNow CX provides the capability of authenticating agents through the SAML protocol.
- SAML 2.0 protocol / HTTP POST binding
- RightNow Agent Desktop would be a service provider
- Identity Provider initiated login
- Agent profile determines SSO or manual authentication
- Staff accounts have to be provisioned/updated through one of the APIs
Federated Authentication (SSO) Agent Desktop (diagram: Agent, Identity Manager / Identity Provider, RightNow)
1) Ongoing sync of identity to RightNow and IdP
2) Agent logs into Identity Manager
3) Agent requests Agent Desktop
4) IdP creates SAML assertion and sends to RightNow
5) Session is created and agent is logged in
Federated Authentication (SSO) Customer Portal
RightNow CX provides the capability of authenticating contacts through the SAML protocol.
- SAML 2.0 protocol / HTTP POST binding
- RightNow Customer Portal and RightNow Social would be service providers
- Identity Provider initiated login
- Contacts can be redirected to RightNow Social or RightNow Customer Portal after authentication
- Configuration setting for error redirect
- Contacts have to be provisioned/updated through one of the APIs
Federated Authentication (SSO) Customer Portal/Social (diagram: Contact, Identity Manager / Identity Provider, RightNow)
1) Ongoing sync of identity to RightNow and IdP
2) Contact logs into Identity Manager
3) Contact requests Customer Portal/Social page
4) IdP creates SAML assertion and sends to RightNow
5) Session is created and contact is logged in
SAML Transaction Steps (Customer Portal/Social) (diagram: User (Browser), RightNow (Service Provider), Identity Provider)
1) User travels to CP or Social page
2) RightNow checks Customer Portal configuration for the authentication option
3) Customer Portal redirects the browser to the config setting URL with a redirect parameter
4) Identity Provider verifies the session or authenticates the user; Identity Provider generates the SAML assertion
5) Encoded SAML assertion is sent to the browser; browser sends the SAML assertion to the RightNow SAML endpoint
6) RightNow validates the SAML; user is logged into Customer Portal
Federated Authentication (SSO) Customer Portal: Quick Demo
Questions?