Configure Nice CXOne as an IDP
The purpose of this article is to detail the specific steps to configure Nice CXOne as an IDP for CXone Mpower Expert. For customers using Copilot, this is required for cross-platform (CXone User Hub and CXone Mpower Expert) authentication and user synchronization. This article is for internal purposes only and should not be shared with customers.
Prerequisites
- Admin Access to an Expert Site
Requesting a CXOne IDP:
- Complete the CXOne Application Registration form
- Required Inputs:
  - Name
  - Business Unit
  - Name of application: Expert
  - Describe your application: Knowledge base (Please also include the environments to create the IDP in. Example: ***Please create in test/dev/prod***). See the list of environments below.
  - Technical Contacts
  - Method to receive password: Email
  - Tenancy of application: Single Tenant
  - Which authentication method will you use: client_secret_post
  - What CXOne ACD API scopes do you require: None
  - Which type of application are you registering: User, Confidential
  - What are your authentication redirect URLs: https://{{expert-site-url}}/@app/auth/{{service ID}}/code1
  - What are your web browser origins: https://{{expert-site-url}}
  - What are your logout URLs: https://{{expert-site-url}}/Special:userlogout
Note: The service ID is a unique identifier for each IDP configured with an Expert site (Expert supports multiple IDPs). To make sure you register the correct service ID, first follow the steps under Creating the SSO Service in Expert below with dummy information so that the service ID is assigned; you can then update that service with the correct client ID and secret later.
- Collect the necessary metadata from the CXOne .well-known configuration for your environment(s). (The OpenID Connect (OIDC) configuration endpoint, /.well-known/openid-configuration, is a well-known configuration for Identity Providers (IDPs). This URI serves a discovery document that describes the IDP, such as its API endpoints and supported claims. Client applications use this metadata to find the URLs and public signing keys needed for authentication.)
- Wait 2-3 days after form submission to receive the client ID and client secret via email.
CXone Environments:
The well-known details used to connect CXone User Hub as an IDP to Expert are found at the links below.
| Environment | Well-known URL |
|---|---|
| Test | |
| Dev | https://cxone.dev.niceincontact.com/.well-known/openid-configuration |
| Staging | https://cxone.staging.niceincontact.com/.well-known/openid-configuration |
| Production | |
Creating the SSO Service in Expert:
- Obtain an Expert Server Token
- Use Postman to create a new login service on the Expert site with the generated client ID and secret
- Update the Pre-request Script (see below) with the Server Token key and secret from the first step
- Update the Request Body (see below) with the client ID, client secret, environment and tenant ID
- Execute the Test flows below
- Remove any created Postman API calls and discard the Server Token
Method
POST https://{{expert-site-url}}/@api/deki/site/services
Headers:
Key: x-deki-token
Value: {{token}}
Pre-request Script
```javascript
// The Server API Token key and secret are shown in the API token management dashboard when a Server API Token is generated
const key = 'REPLACE_KEY';
const secret = 'REPLACE_SECRET';
// Username, prefixed with '='
const user = '=admin';
// HMAC-SHA256 the key, current epoch time and user with the secret; toString() yields the hex digest
const epoch = Math.floor(Date.now() / 1000);
const hash = CryptoJS.HmacSHA256(`${key}_${epoch}_${user}`, secret).toString();
const token = `tkn_${key}_${epoch}_${user}_${hash}`;
// Attach the token as the x-deki-token header on this request
pm.request.headers.add({
    key: 'x-deki-token',
    value: token
});
```
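The same token scheme in Python, together with a model verifier, added here as an example (not MindTouch's or Nice's code): it shows what a server must recompute to accept a tkn_ token and why a token that leaks is only usable while its epoch is fresh. The max_age window and the assumption that key and user contain no underscores are this example's own choices.

```python
import hashlib
import hmac
import time

def make_server_token(key, secret, user, epoch=None):
    """Build a tkn_ token in the format the Postman pre-request script produces."""
    if epoch is None:
        epoch = int(time.time())
    if not user.startswith("="):       # username is prefixed with '='
        user = "=" + user
    message = f"{key}_{epoch}_{user}"
    digest = hmac.new(secret.encode(), message.encode(), hashlib.sha256).hexdigest()
    return f"tkn_{key}_{epoch}_{user}_{digest}"

def verify_server_token(token, secret, now, max_age=300):
    """Hypothetical verifier modelling what must be checked for this format
    (not MindTouch's own code). Assumes key and user contain no underscores
    and a freshness window of max_age seconds chosen for this example."""
    parts = token.split("_")
    if len(parts) != 5 or parts[0] != "tkn" or not parts[2].isdigit():
        return False
    _, key, epoch, user, digest = parts
    if abs(now - int(epoch)) > max_age:   # stale or future-dated token
        return False
    expected = hmac.new(secret.encode(), f"{key}_{epoch}_{user}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison
```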
Request Body
Note: Replace {{cxone-environment}} in the code sample below with the value that corresponds to the environment needed:
| Environment | Value |
|---|---|
| Test | cxone.test |
| Dev | cxone.dev |
| Staging | cxone.staging |
| Production | cxone |
Note: Replace {{tenantId}} in the code sample below with the tenant ID the IDP issues for the user's tenant:
```xml
<service>
  <sid>sid://mindtouch/2019/03/sso/oidc</sid>
  <type>auth</type>
  <description>OIDC Connection</description>
  <config>
    <value key="idp-authorize-url">https://{{cxone-environment}}.niceincontact.com/auth/authorize</value>
    <value key="idp-issuer">https://{{cxone-environment}}.niceincontact.com</value>
    <value key="idp-keys-url">https://{{cxone-environment}}.niceincontact.com/auth/jwks</value>
    <value key="idp-token-url">https://{{cxone-environment}}.niceincontact.com/auth/token</value>
    <value key="idp-userinfo-url">https://cxone.niceincontact.com/auth/userinfo</value>
    <value key="rp-client-id">{{client id}}</value>
    <value key="rp-client-secret">{{client secret}}</value>
    <value key="idp-token-url-auth">client_secret_post</value>
    <value key="claims-additional">tenantId, tenant, icClusterId, icBUId</value>
    <!-- Multiple values for claims-authorization-allowed-pattern and claims-seat-pattern are supported using pgrep regex syntax, e.g. /tenantId:123/tenantId:456 -->
    <value key="claims-authorization-allowed-pattern">tenantId:{{tenantId}}</value>
    <value key="claims-seat-pattern">tenantId:{{tenantId}}</value>
  </config>
</service>
```
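A check worth running before submitting the request body: compare the idp-* URLs in the service config against the environment's discovery document. This is an added example, not part of the article or of Expert; the discovery document below is a constructed stand-in for the Dev endpoint's response, and the sample config keeps idp-userinfo-url exactly as the article shows it so the check reports the host difference.

```python
import json
import xml.etree.ElementTree as ET

# Constructed stand-in for the Dev environment's /.well-known/openid-configuration
# response (illustrative values, not fetched from the real endpoint).
DISCOVERY_JSON = json.dumps({
    "issuer": "https://cxone.dev.niceincontact.com",
    "authorization_endpoint": "https://cxone.dev.niceincontact.com/auth/authorize",
    "token_endpoint": "https://cxone.dev.niceincontact.com/auth/token",
    "userinfo_endpoint": "https://cxone.dev.niceincontact.com/auth/userinfo",
    "jwks_uri": "https://cxone.dev.niceincontact.com/auth/jwks",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
})

# The article's request body with {{cxone-environment}} set to cxone.dev;
# idp-userinfo-url is kept exactly as the article shows it.
SERVICE_XML = """<service>
  <sid>sid://mindtouch/2019/03/sso/oidc</sid>
  <type>auth</type>
  <config>
    <value key="idp-authorize-url">https://cxone.dev.niceincontact.com/auth/authorize</value>
    <value key="idp-issuer">https://cxone.dev.niceincontact.com</value>
    <value key="idp-keys-url">https://cxone.dev.niceincontact.com/auth/jwks</value>
    <value key="idp-token-url">https://cxone.dev.niceincontact.com/auth/token</value>
    <value key="idp-userinfo-url">https://cxone.niceincontact.com/auth/userinfo</value>
    <value key="idp-token-url-auth">client_secret_post</value>
  </config>
</service>"""

# Service config key -> discovery document field it must match.
KEY_MAP = {
    "idp-authorize-url": "authorization_endpoint",
    "idp-issuer": "issuer",
    "idp-keys-url": "jwks_uri",
    "idp-token-url": "token_endpoint",
    "idp-userinfo-url": "userinfo_endpoint",
}

def check_service_config(xml_text, discovery_json):
    """Return {config key: (configured value, discovery value)} for each mismatch."""
    cfg = {v.get("key"): (v.text or "").strip() for v in ET.fromstring(xml_text).iter("value")}
    disc = json.loads(discovery_json)
    problems = {k: (cfg.get(k), disc.get(d)) for k, d in KEY_MAP.items() if cfg.get(k) != disc.get(d)}
    # The chosen token endpoint auth method must be one the IDP advertises.
    method = cfg.get("idp-token-url-auth")
    if method not in disc.get("token_endpoint_auth_methods_supported", []):
        problems["idp-token-url-auth"] = (method, disc.get("token_endpoint_auth_methods_supported"))
    return problems
```

Calling check_service_config(SERVICE_XML, DISCOVERY_JSON) returns a single entry for idp-userinfo-url, whose host differs from the one in the discovery document; an empty dict means every endpoint and the auth method line up.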
Configure CXOne as Default IDP
To make the newly created IDP your site's default login, please reach out to Expert support team.
Test
Validate that the IDP works as intended. The CXOne IDP should look like:

Flow One:
- Sign out of Expert
- Follow a direct link to a page of content that requires authentication
- Confirm authentication routes through the CXOne IDP
- Confirm access to content
Flow Two:
- Sign out of Expert
- Click Sign In from Expert
- Confirm authentication routes through the CXOne IDP
- Confirm access to content
Permissions
Users provisioned from Nice default to the authenticated viewer role. Any further fine-tuning of user permissions must be done in the Control Panel after the user has logged in.

