APPENDIX A: PING Federate SETUP example

This is a list of Ping FS (version 6.3) screenshots showing the steps to create a RightNow (Agent Console) Service Provider connection. Note that these steps assume an IdP adapter has already been created on PingFS (see Figure 19) that supplies the right attributes to pass into the SAML_SUBJECT for the connection (see Figure 21). Also, while there are places where extra data could be passed in the assertion (see for example Figure 17 or Figure 20), RightNow does not support this in Phase 1.

Figure 6 – Create an SP connection

Figure 7
No template for connection

Figure 8
Use Browser SSO Profiles (SAML 2.0)

Figure 9

Figure 10
In Phase 1 we do not plan to support SAML 2.0 metadata

Figure 11
Set the connection name as required by Ping

Figure 12

Figure 13
We only support IdP initiated SSO in Phase 1

Figure 14 – Set the SAML 2.0 validity range
+/- 5 minutes is probably a good default value
(note that servers are expected to be time-synced!)

Figure 15

Figure 16
We need a “known” value to use as the SAML subject (like the account ID), so we can map it to an account in our DB.

Figure 17
The SAML Subject’s format is not specified
(it could be an account ID, login, etc.)

Figure 18

Figure 19
Need to select an existing IdP adapter

Figure 20
Do not retrieve any extra attributes

Figure 21
As an example, use acct_login as the SAML 2.0 assertion subject. See supported values in 5.2.3.2 and 5.2.4.2 (any Ping adapter needs to support at least one of those).

Figure 22

Figure 23

Figure 24

Figure 25

Figure 26

Figure 27
POST binding only, URL is from 5.2.3.1 (or 5.2.4.1).
Notice the https link used (see 11.3.4 for background)

Figure 28

Figure 29
Need the signature to be able to verify the assertion (see 5.1.6)

Figure 30
We do not support encryption in SAML messages in Phase 1. Use SSL connections for confidentiality (see Figure 27).

Figure 31

Figure 32

Figure 33

Figure 34

Figure 35
The certificate used for signing the assertion needs to be included with the assertion (see 5.1.6.2)
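An added example (not RightNow's or Ping's code) of the checks the SP side should make on what Figures 29 and 35 require: the Assertion must carry an enveloped XML signature whose Reference points at the Assertion itself, the signing certificate must be embedded in ds:KeyInfo, and the embedded certificate must be the one configured for this SP connection. The sample Response, the certificate bytes and the fingerprint-pinning approach are constructed for the demonstration; the cryptographic signature verification itself is left to an XML-DSig library, because the point here is the trust decision that such a library does not make for you.

```python
"""Check that a SAML 2.0 Response is signed with the certificate the SP
was configured to trust, rather than with whatever certificate the
message happens to embed. Example code, not part of RightNow or PingFederate."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the IdP signing certificate. A real KeyInfo holds
# base64 DER of an X.509 certificate; only the bytes' fingerprint matters here.
FAKE_IDP_CERT_DER = b"CONSTRUCTED-IDP-SIGNING-CERT-NOT-A-REAL-CERTIFICATE"
FAKE_IDP_CERT_B64 = base64.b64encode(FAKE_IDP_CERT_DER).decode()

# Constructed sample Response; SignatureValue is a placeholder.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:SignedInfo>
        <ds:Reference URI="#_a1"/>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{FAKE_IDP_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>acct_login_example</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, the usual way to pin a certificate."""
    return hashlib.sha256(der).hexdigest()


def embedded_signing_cert(response_xml: str) -> Optional[bytes]:
    """Return DER bytes of the certificate embedded in the Assertion's signature,
    or None if the Assertion is unsigned, signs something else, or carries no cert."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return None
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        return None
    # The signed Reference must cover the Assertion itself, not some other node.
    ref = sig.find("ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        return None
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        return None
    return base64.b64decode("".join(cert.text.split()))


def check_signing_cert(response_xml: str, pinned_fingerprint: str) -> bool:
    """True only if a cert is embedded AND it matches the cert configured for
    this SP connection. Anyone can embed a cert, so presence alone proves nothing."""
    der = embedded_signing_cert(response_xml)
    return der is not None and fingerprint(der) == pinned_fingerprint


if __name__ == "__main__":
    pinned = fingerprint(FAKE_IDP_CERT_DER)
    print("matches configured cert:", check_signing_cert(SAMPLE_RESPONSE, pinned))
    print("matches some other cert:", check_signing_cert(SAMPLE_RESPONSE, fingerprint(b"other")))
```

The pinned fingerprint would come from the certificate exported from the IdP connection (Figure 35), stored in the SP's configuration; comparing against that value is what turns "the assertion is signed" into "the assertion is signed by our IdP".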

Figure 36

Figure 37

Figure 38

APPENDIX B: PING Idp application example

Once a RightNow SP has been created in Ping (as shown in APPENDIX A), one can test it using the IdP sample app from Ping’s Java Integration Kit (which first needs to be installed on the Ping FS machine). Here is a list of screenshots showing how one might perform an IdP initiated login to the Agent Console using this sample application.

Figure 39 – SP selection
The user selects the RightNow Agent Console SP (2) at the IdP then initiates the SSO login (3)

Figure 40 – IdP login
If the user does not yet have a valid session at the IdP, a login will be needed.
Note that this example assumes there is an “admin” user at the IdP that is also available (i.e. provisioned) as a RightNow account.
Also note the browser compatibility/settings needed for automatic Agent login (APPENDIX H).

Figure 41 – RightNow ClickOnce application install
The IdP SSO redirects to the RightNow ClickOnce URL.
If the RightNow application is not installed yet, the prompt to install it should come up.

Figure 42 – Automatic Login
The RightNow application should automatically log in the user

APPENDIX C: Windows ADFS Relying party setup

Windows ADFS can also generate SAML 2.0 assertions for IdP initiated SSO. In this appendix we detail how this feature of ADFS can be set up to point to a RightNow SAML-enabled site.

Figure 43
Log into the ADFS server and start the ADFS 2.0 Management Console

Figure 44
Add a new Relying Party Trust (Starts the Wizard)

Figure 45

Figure 46

Figure 47
Ideally the name of the Relying Party includes whether it is Agent or CP and the site/interface (so it is distinguishable for SSO testing in APPENDIX F)

Figure 48

Figure 49
At this point we do not support encryption

Figure 50
Set the SAML 2.0 Assertion Consumer URL (either the console SSO launch page (5.2.3.1) or the CP SSO controller URL (5.2.4.1)) for the site/interface.

Figure 51
The Relying Party ID(s) will be listed as the Audience Restriction in the SAML assertion. Currently we don’t use that (we use the Recipient field instead, which is set to the Assertion Consumer URL).

Figure 52

Figure 53

Figure 54

Figure 55

Figure 56

Figure 57
Map the principal name (i.e. login name) to the SAML NameID (Subject) parameter that RightNow needs. Various LDAP (AD) mappings could be experimented with here to test the RightNow SSO mappings (see 5.2.3.2 and 5.2.4.2)

Note #1: To change the certificate (key) or the method by which the SAML response/assertion is signed, one must use the command-line PowerShell; see the details on that in MS TechNet.

Note #2: The ADFS generated SAML 2.0 assertion validity range seems to be a fixed 5 minutes for Subject.SubjectConfirmationData.NotOnOrAfter and a fixed 1 hour for Subject.Conditions.NotOnOrAfter. That does not seem to be adjustable – at least not from the UI or the command line – unlike in PingFS (see Figure 14). However, the bigger issue is that the validity starts at the issue time, i.e. the local time of the ADFS server. The problem with this is that if the relying party’s time is off (behind) by even one second, the assertion validity check will fail. To counter that, MS introduced a parameter (“NotBeforeSkew”) that can be used to tune the Subject.Conditions.NotBefore value. To set this parameter one has to use the PowerShell prompt and issue the following commands, e.g.:

PS C:\Users\Administrator> Add-PSSnapin Microsoft.Adfs.PowerShell

PS C:\Users\Administrator> Set-AdfsRelyingPartyTrust -TargetName "<relying party name>" -NotBeforeSkew 2
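An added example (not RightNow's, Ping's or Microsoft's code) that models the timing behaviour described in Note #2 and shows what NotBeforeSkew changes. The windows modelled (NotBefore = issue time, SubjectConfirmationData NotOnOrAfter = issue + 5 minutes, Conditions NotOnOrAfter = issue + 1 hour, NotBeforeSkew moving NotBefore earlier by that many minutes) are taken from the note; the clock offsets, the `sp_tolerance` parameter and the scenario values are constructed for the demonstration.

```python
"""Model of an ADFS-style assertion validity window and an SP-side check,
showing why a strict SP whose clock is a second behind the IdP rejects the
assertion, and why NotBeforeSkew fixes that. Example code, not vendor code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AssertionTimes:
    not_before: datetime                     # Conditions/@NotBefore
    conditions_not_on_or_after: datetime     # Conditions/@NotOnOrAfter
    subject_conf_not_on_or_after: datetime   # SubjectConfirmationData/@NotOnOrAfter


def adfs_style_times(issue_instant: datetime, not_before_skew_minutes: int = 0) -> AssertionTimes:
    """The fixed windows from Note #2. NotBeforeSkew only moves NotBefore
    earlier; it does not widen either expiry."""
    return AssertionTimes(
        not_before=issue_instant - timedelta(minutes=not_before_skew_minutes),
        conditions_not_on_or_after=issue_instant + timedelta(hours=1),
        subject_conf_not_on_or_after=issue_instant + timedelta(minutes=5),
    )


def is_valid_at(times: AssertionTimes, sp_now: datetime,
                sp_tolerance: timedelta = timedelta(0)) -> bool:
    """SP-side check. Per SAML core, NotBefore is inclusive and NotOnOrAfter
    is exclusive, and the tighter of the two expiries wins. sp_tolerance is a
    hypothetical SP-side allowance (the analogue of PingFederate's +/-5 minutes
    in Figure 14); 0 means the SP is strict, which is the case Note #2 describes."""
    earliest = times.not_before - sp_tolerance
    latest = min(times.conditions_not_on_or_after,
                 times.subject_conf_not_on_or_after) + sp_tolerance
    return earliest <= sp_now < latest


# Constructed issue time: the ADFS server's clock when it signs the assertion.
ISSUE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def scenario(not_before_skew_minutes: int, sp_clock_offset: timedelta) -> bool:
    """The SP receives the assertion immediately, but its clock is off by
    sp_clock_offset relative to the ADFS server (negative = SP is behind)."""
    times = adfs_style_times(ISSUE, not_before_skew_minutes)
    return is_valid_at(times, ISSUE + sp_clock_offset)


if __name__ == "__main__":
    print("skew 0, SP 1 s behind :", scenario(0, timedelta(seconds=-1)))   # False
    print("skew 2, SP 1 s behind :", scenario(2, timedelta(seconds=-1)))   # True
    print("skew 2, SP 3 min behind:", scenario(2, timedelta(minutes=-3)))  # False
    print("skew 2, SP 4 min ahead :", scenario(2, timedelta(minutes=4)))   # True
    print("skew 2, SP 6 min ahead :", scenario(2, timedelta(minutes=6)))   # False
```

Two things worth noticing: the 5-minute SubjectConfirmationData window, not the 1-hour Conditions window, is the one that actually bounds acceptance, and NotBeforeSkew helps only when the SP is behind the IdP. An SP that is ahead of the IdP by more than that 5-minute window still fails, which is why the note about time-synced servers under Figure 14 applies to ADFS as much as to PingFS.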

In both use cases above the endpoints are for Agent login via SSO. If the requirement is for login to Customer Portal, then the following endpoint would be used instead. If a SAML subject isn’t passed as a GET parameter in the URL, then the contact’s login will be used to identify the user logging in.

To map the SAML Subject to another field in the contacts table, you can pass the subject as a GET parameter.

<site>/ci/openlogin/saml/subject/{SAML_subject}

For example (the SAML subject in the assertion would map to the contact’s email address):

An additional URL parameter can be passed to send the user to a specific page in Customer Portal after authentication.

Below are some examples of different pages that could be redirected to:

1) Redirecting to the Answers List page -

2) Redirecting to the Ask a Question page

3) Redirecting to a RightNow Social instance (assumes the social configuration and SSO have already been set up)