SAML SSO

Integrate SAML SSO with the Conversational Cloud

    LivePerson now supports agent login via a SAML SP-Initiated SSO flow.

    Introduction

    The SAML federation is usually initiated by the service provider (in LivePerson's case, the Conversational Cloud). The Conversational Cloud redirects the user to authenticate with the brand's IDP, which then redirects the user back to the Conversational Cloud with a SAML assertion containing the user's identity and the authentication metadata needed to complete the login flow.

    Is this feature relevant to me?

    In order to use SAML SSO, your Conversational Cloud account must be migrated to the Enhanced Login System.
    Please read this to check whether your account has already been migrated.

    Configuration

    How do I configure a Conversational Cloud account to authenticate its agents using a SAML SP-Initiated flow?

    1. Log in to the Conversational Cloud using your admin user

    2. From the sidebar menu, browse to Manage -> Management Console

    3. Search for the Account Access Control page and open it up

    4. Open the Single Sign-On (SSO) Settings tab

    5. Click on the + Add Connection card

    6. Choose the SAML connection type and click Next

    7. Create a SAML Connection

      1. Enter a unique Connection name (this name is used to represent this SAML connection)
      2. Enter your IDP's SAML Sign In URL
      3. Upload your IDP's SAML Signing Certificate (.pem or .cer file)
      4. Click Create connection

    8. Your connection now appears in the Identity Providers gallery. Note: this is where you manage it in the future (enable/disable it or update the certificate).

    The following definitions will be needed for your IDP application setup.

    * Before you start, please note that the configuration steps below refer to an SP-Initiated application. The application cannot be launched from your IDP hub (as an IDP-initiated app) without an adjustment. For more information, please read the next section.

    1. Application Callback URL (also known as redirect URL/URI, Single Sign-On (SSO) URL, Direct Relay State, or Assertion Consumer Service (ACS) URL):

    The callback URL is built from two variables, Login_Tenant_Domain and Full_Connection_Name (both are defined in the Bookmarks section below):

      https://<Login_Tenant_Domain>/login/callback?connection=<Full_Connection_Name>

      For example, account 1234 with the connection name My-brand-name-Okta on the Alpha tenant gives: https://auth-z1-a.liveperson.net/login/callback?connection=SAML-1234-my-brand-name-okta

    2. SAML Assertion Structure

      1. loginName attribute

      Your SAML Response must contain the loginName attribute.
      The loginName value must equal the Conversational Cloud Login Name of the user who is logging in.
      2. ‘Audience’ attribute (optional)

      If your IDP's SAML Response contains the ‘Audience’ attribute, its value must be the Full_Connection_Name.
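The two pieces above (building the callback URL and Full_Connection_Name, and checking that a SAML Response carries the expected loginName and Audience values) are shown together in the following added Python example. It is not LivePerson's code: the tenant domains and the SAML-&lt;account id&gt;-&lt;connection name&gt; structure come from this page, the lowercasing of the connection name is inferred from the page's My-brand-name-Okta example, and the sample SAML Response is constructed here. The check deliberately does not verify the XML signature; the real login service validates the signature against the IDP certificate you uploaded, and that step is outside this example.

```python
# Added example (not LivePerson's code): derive the SP-initiated SAML values
# described on this page and check a SAML Response for the loginName and
# Audience values the Conversational Cloud expects.
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Login tenant domains as listed on this page (Bookmarks section).
LOGIN_TENANT_DOMAINS = {
    "Alpha": "auth-z1-a.liveperson.net",
    "VA": "auth-z1.liveperson.net",
    "EU": "auth-z2.liveperson.net",
    "APAC": "auth-z3.liveperson.net",
}


def full_connection_name(account_id: str, connection_name: str) -> str:
    """SAML-<account id>-<connection name>. Lowercasing the name is an
    assumption inferred from the page's My-brand-name-Okta example."""
    return f"SAML-{account_id}-{connection_name.lower()}"


def callback_url(region: str, account_id: str, connection_name: str) -> str:
    """ACS / callback URL: https://<Login_Tenant_Domain>/login/callback?connection=<Full_Connection_Name>"""
    domain = LOGIN_TENANT_DOMAINS[region]
    conn = full_connection_name(account_id, connection_name)
    return f"https://{domain}/login/callback?connection={conn}"


def check_saml_response(xml_text: str, expected_connection: str) -> dict:
    """Extract loginName and compare the optional Audience with the Full_Connection_Name.

    Signature verification is intentionally NOT done here; a real SP must
    validate the XML signature against the IDP's signing certificate first.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in the SAML Response")

    # Required: a loginName attribute with a non-empty value.
    login_name = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "loginName":
            value = attr.find("saml:AttributeValue", NS)
            login_name = (value.text or "").strip() if value is not None else ""
    if not login_name:
        raise ValueError("loginName attribute missing or empty")

    # Optional: if an Audience is present it must be the Full_Connection_Name.
    audiences = [
        a.text.strip()
        for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
        if a.text
    ]
    audience_ok = (not audiences) or (expected_connection in audiences)
    return {"login_name": login_name, "audiences": audiences, "audience_ok": audience_ok}


# Constructed sample SAML Response (unsigned) for the account/connection used above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>SAML-1234-my-brand-name-okta</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="loginName">
        <saml:AttributeValue>agent.smith</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    conn = full_connection_name("1234", "My-brand-name-Okta")
    print(callback_url("Alpha", "1234", "My-brand-name-Okta"))
    print(check_saml_response(SAMPLE_RESPONSE, conn))
```

Run it as-is to see the callback URL and the parsed values; feeding a Response whose Audience names a different connection makes audience_ok False, and one without a loginName attribute raises ValueError, which is the behaviour to expect from the login service as well.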

    3. Encrypted SAML Assertion (optional)

    If you want to encrypt your SAML assertion, download our login service's public key and use it to encrypt the assertion.

    The public key can be found here in different formats: 

    Accessing the Conversational Cloud

    After completing the configuration above, your users can log in to the Conversational Cloud with SSO using the SP-Initiated flow.

    There are two ways to do this:

    1. Access the Conversational Cloud login page directly
      1. The user goes to https://authentication.liveperson.net/
      2. The user enters your account number
      3. The user is automatically redirected to the Conversational Cloud (if a session exists) or to your IDP to complete the login
    2. Access the brand's IDP dashboard (hub)
      1. The user opens the brand's hub SSO portal
      2. The user clicks the Conversational Cloud application
      3. The user is redirected to the Conversational Cloud

    * To provide the second user experience with an SP-initiated flow, you need to imitate an IDP-initiated flow with a bookmark app in your IDP service. If you need help configuring that, you can read the following example by Okta.

    The link to use for this bookmarked app is: https://authentication.liveperson.net/accountSelection.html?stId=<ACCOUNT_ID>&prompt=none

    Bookmarks

    Login Tenant Domains

    Alpha - auth-z1-a.liveperson.net
    VA    - auth-z1.liveperson.net
    EU    - auth-z2.liveperson.net
    APAC  - auth-z3.liveperson.net

    Full Connection Name Structure:

    SAML-<account id>-<connection name>
    For example: SAML-122334-my_connection
