SAML SSO

Integrate SAML SSO with the Conversational Cloud

    LivePerson now supports agent login through a SAML SP-initiated SSO flow

    Introduction

    The SAML federation is usually initiated by the service provider (in LivePerson's case, the Conversational Cloud). The Conversational Cloud redirects the user to authenticate with the brand's IDP, which then redirects the user back to the Conversational Cloud with a SAML assertion containing the user's identity and the authentication metadata needed to complete the login flow.

    Is this feature relevant to me?

    Your Conversational Cloud account must be migrated to the Advanced Login System before you can use SAML SSO.
    Please read this to check whether your account is already migrated.

    Configuration

    Create a SAML Application in your IDP application setup

    * Before you start, note that the configuration steps below describe an SP-initiated application. The application cannot be launched from your IDP hub (as an IDP-initiated app) without an adjustment. For more information, see the Accessing the Conversational Cloud section below.

    The explanation below is generic and applies to any identity provider. If you are using Azure, PING or OKTA, refer to the provider-specific user guides.

    1. Application Callback URL (also known as redirect URL/URI, Single Sign-On (SSO) URL, Direct Relay State, or Assertion Consumer Service (ACS) URL):

    Two variables make up the callback URL: Login_Tenant_Domain and Full_Connection_Name (both are defined in the Bookmarks section below). It looks like this:

      https://<Login_Tenant_Domain>/login/callback?connection=<Full_Connection_Name>

      For example, for account 1234 in North America with the connection name My-brand-name-Okta, the callback URL is: https://auth-z1.liveperson.net/login/callback?connection=SAML-1234-my-brand-name-okta (note the lowercase connection name in the Full_Connection_Name)

    2. SAML Assertion Structure

         1. loginName attribute
        Your SAML Response must contain the loginName attribute.

    Please note that attribute names, such as "loginName", are case sensitive.

      The loginName value must be equal to the Conversational Cloud Login Name of the requesting user.

         2. 'Audience' attribute (optional)
        If your IDP's SAML Response contains the 'Audience' value, it must be the Full_Connection_Name (see the Bookmarks section below).
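    As an added example (not code from this page or from LivePerson), the following Python script builds the Full_Connection_Name and callback URL from the rules given above and in the Bookmarks section, and checks an IDP's SAML Response for the two points listed here: a case-sensitive loginName attribute carrying the expected Login Name, and an Audience that, when present, equals the Full_Connection_Name. It additionally flags a Response with no XML signature on either the Response or the Assertion; that check is my addition and is not a requirement stated on the page. The sample Response, the account number, the login name and the region keys are constructed for the example.

```python
"""Added example: check an IDP's SAML Response against the Conversational Cloud
requirements above (loginName attribute, optional Audience) and build the
callback URL. The sample XML, account id and login name are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Login tenant domains from the Bookmarks section; the region keys are my own.
LOGIN_TENANT_DOMAINS = {
    "alpha": "auth-z1-a.liveperson.net",
    "na": "auth-z1.liveperson.net",
    "eu": "auth-z2.liveperson.net",
    "apac": "auth-z3.liveperson.net",
}


def full_connection_name(account_id, connection_name):
    """SAML-<account id>-<connection name>; the page's example shows the
    connection name lowercased, so that is reproduced here."""
    return f"SAML-{account_id}-{connection_name.lower()}"


def callback_url(region, account_id, connection_name):
    """Assertion Consumer Service URL to register in the IDP application."""
    domain = LOGIN_TENANT_DOMAINS[region]
    conn = full_connection_name(account_id, connection_name)
    return f"https://{domain}/login/callback?connection={conn}"


def check_response(xml_text, expected_login_name, expected_audience):
    """Return a list of problems found; an empty list means the Response
    satisfies every check."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element in the Response"]

    # loginName is mandatory and the attribute name is case sensitive.
    attrs = {
        a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    if "loginName" not in attrs:
        near = [n for n in attrs if n and n.lower() == "loginname"]
        hint = f" (found {near[0]!r}; attribute names are case-sensitive)" if near else ""
        problems.append("loginName attribute missing" + hint)
    elif attrs["loginName"] != [expected_login_name]:
        problems.append(
            f"loginName is {attrs['loginName']}, expected [{expected_login_name!r}]"
        )

    # Audience is optional, but when present it must be the Full_Connection_Name.
    audiences = [
        a.text for a in assertion.findall(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    ]
    if audiences and expected_audience not in audiences:
        problems.append(f"Audience {audiences} is not {expected_audience!r}")

    # Not stated on the page, but worth flagging: with no signature on the
    # Response or the Assertion there is nothing for the IDP signing
    # certificate uploaded in the connection settings to verify.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither the Response nor the Assertion carries a ds:Signature")
    return problems


def sample_response(login_attr="loginName", login="agent1@brand.example",
                    audience="SAML-1234-my-brand-name-okta", signed=True):
    """Constructed SAML Response for the example; the signature element is a
    placeholder that is only checked for presence, never verified."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
           '<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>'
           if signed else "")
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.brand.example</saml:Issuer>
    {sig}
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{login_attr}"><saml:AttributeValue>{login}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    conn = full_connection_name(1234, "My-brand-name-Okta")
    print(callback_url("na", 1234, "My-brand-name-Okta"))
    print("good:", check_response(sample_response(), "agent1@brand.example", conn))
    print("wrong case:", check_response(sample_response(login_attr="loginname"),
                                        "agent1@brand.example", conn))
```

    Run it against a Response captured from your IDP (for example with a browser SAML tracer) before opening a support case: a "loginname" or "LoginName" attribute passes many IDP validators but fails the case-sensitive check here, as it does at login. The signature check only confirms an element is present; use a SAML library for real signature verification.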

    3. Encrypted SAML Assertion (optional)
    You can sign or encrypt both your requests and your responses in the SAML protocol.
    To encrypt your SAML content, you need to download our login service's public key.

    The public key can be found here in different formats:

    Please note that in the URLs below you need to use "?cert=connection" literally; do not replace "connection" with the <Connection Name> or the <Full Connection Name> from above.

    Configure a Conversational Cloud account to authenticate its Agents using a SAML SP-Initiated flow

    1. Log in to the Conversational Cloud with your admin user

    2. From the sidebar menu, browse to Manage -> Management Console

    3. Search for the Account Access Control page and open it

    4. Open the Single Sign-On (SSO) Settings tab

    5. Click the + Add Connection card

    6. Choose the SAML connection type and click Next

    7. Create a SAML Connection

      1. Enter a unique Connection name (this name represents the SAML connection and forms part of the Full_Connection_Name)
      2. Enter your IDP's SAML Sign In URL
      3. Upload your IDP's SAML Signing Certificate (.pem or .cer file)
      4. Click Create connection

    8. Your connection now appears in the Identity Providers gallery. This is where you manage it in the future (enable/disable it or update the certificate).

    Accessing the Conversational Cloud

    After completing the configuration above, your users can use SSO to log in to the Conversational Cloud through the SP-initiated flow.

    There are two ways to do this:

    1. Access the Conversational Cloud login page directly
      1. The user goes to https://authentication.liveperson.net/
      2. The user enters your account number
      3. The user is automatically redirected to the Conversational Cloud (if a session already exists) or to your IDP to complete the login
    2. Access the brand's IDP dashboard (hub)
      1. The user opens the brand's hub SSO portal
      2. The user clicks the Conversational Cloud application
      3. The user is redirected to the Conversational Cloud

    To provide the second user experience with an SP-initiated flow, you need to imitate an IDP-initiated flow with a bookmark app in your IDP service. If you need help configuring that, you can read the following example by Okta.

    For the mock IdP-initiated bookmark link to work, the Local Login feature must be disabled, and only a single SSO connection (if there is more than one) may be enabled; the link uses prompt=none, so the login service must be able to pick the connection without prompting the user.

    The link to use for this bookmarked app is: https://authentication.liveperson.net/accountSelection.html?stId=<ACCOUNT_ID>&prompt=none

    Bookmarks

    Login Tenant Domains

    Alpha - auth-z1-a.liveperson.net
    North America - auth-z1.liveperson.net
    Europe - auth-z2.liveperson.net
    Asia Pacific - auth-z3.liveperson.net

    Full Connection Name Structure:

    * The Connection name is the name you chose when you registered the SAML Connection in the Conversational Cloud

    SAML-<account id>-<connection name>
    For example: SAML-122334-my_connection

    Popular IDP integrations

    Azure 

    Okta

