Single Sign On with ICWS
A new feature in CIC 2015 R2 is the ability to do Single Sign On (SSO) with SAML 2.0 from ICWS applications.  The advantage of SSO is that there is one less password for your users to remember, and it can be tied into an identity provider that you probably already have in place (Windows authentication, OneLogin, etc.).  Details on SSO can be found in the documentation.  This post will show the process to connect and the code used, but will not go into the super fun process of configuring SSO on your IC server, because each identity provider is slightly different and each environment is also a little different.  The full code example can be found in this gist.  

The authentication flow will look something like this:
[Figure: SSOFlow.png, the SSO authentication flow diagram]


The first thing that needs to happen is to query the SSO capabilities of the server by making a GET to /icws/connection/server-info?singleSignOnCapabilities=saml2Redirect,saml2Post.  This call returns a list of identity providers, each with a display name and an id.

{
  "languages": [
    {
      "languageID": "en-US",
      "languageDisplayName": "English (United States)"
    }
  ],
  "acceptLanguage": "en-US",
  "authentication": {
    "allowIcAuth": true,
    "identityProviders": [
      {
        "identityProviderId": "90c22f9b-0a9d-4474-87f4-b48eccbe3095",
        "displayName": "Windows Authentication"
      },
      {
        "identityProviderId": "a54a5d6e-2bb5-4732-9799-ad7746f0f310",
        "displayName": "Salesforce"
      },
      {
        "identityProviderId": "e3e2f3f9-c07b-410e-b474-a5e78ed3cf08",
        "displayName": "Interaction Center Authentication"
      }
    ]
  }
}


From here, you could prompt your user for the identity provider they want to log in with, or, as the example does, just pick one from the list by a hard-coded name.  Once the identity provider is selected, a new browser window is opened to perform the authentication.  If the user is already authenticated with the identity provider, they won't have to do anything in that window; if they are not logged in, they will be prompted for their credentials.  Either way, once they are authenticated, a redirect back to the CIC server occurs, and the page that is redirected to does a postMessage back to the parent window.  The postMessage contains a single sign on token, which is then put into the body of an ICWS connection POST.  

var connectData = {
  '__type': 'urn:inin.com:connection:singleSignOnTokenConnectionRequestSettings',
  'applicationName': "Single Sign On Demo",
  'singleSignOnToken': singleSignOnToken   // token received via postMessage from the SSO window
};

$.ajax({
  method: 'POST',
  xhrFields: { withCredentials: true },    // jQuery sets withCredentials on the XHR through xhrFields
  url: CIC_PROXY + "/icws/connection",
  contentType: 'application/json',         // the body is JSON, not jQuery's default form encoding
  headers: {'Accept-Language': 'en-US'},
  data: JSON.stringify(connectData)
});

Assuming that the POST returns a 201, that's all you need to do.  Take the response and continue as if you had done a normal username/password login.  The difficult part is getting SAML set up on the CIC server; once that is complete, using it in your application is not much more complicated.  
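The three client-side steps above (pick a provider from the server-info response, receive the token from the SSO window via postMessage, build the connection request) as an added example, not code from the original post or the gist. It keeps the decisions as plain functions so they can be checked in isolation; the one point worth calling out for a practitioner is that the parent window must check `event.origin` against the CIC server origin before accepting a token, since a `message` listener that trusts any sender lets any window hand the application a token. `CIC_ORIGIN`, `ssoLoginUrl` and the assumption that the popup posts the token as a plain string are placeholders and assumptions of this example; the sample server-info object is constructed from the response shown on the page.

```javascript
// Added example (not from the original post): browser-side pieces of the ICWS
// SAML SSO flow as pure functions, plus the browser glue that ties them together.
// Assumptions: the CIC server origin is known to the app (cicOrigin), the SSO
// login URL is supplied by the deployment (ssoLoginUrl), and the popup posts the
// SSO token as a string. All three are placeholders, not values from the page.

// Constructed sample shaped like the /icws/connection/server-info response on the page.
const SAMPLE_SERVER_INFO = {
  authentication: {
    allowIcAuth: true,
    identityProviders: [
      { identityProviderId: '90c22f9b-0a9d-4474-87f4-b48eccbe3095', displayName: 'Windows Authentication' },
      { identityProviderId: 'a54a5d6e-2bb5-4732-9799-ad7746f0f310', displayName: 'Salesforce' },
      { identityProviderId: 'e3e2f3f9-c07b-410e-b474-a5e78ed3cf08', displayName: 'Interaction Center Authentication' }
    ]
  }
};

// Select an identity provider by display name, as the post's demo does.
// Returns the provider object, or null when the server does not offer that name.
function pickIdentityProvider(serverInfo, displayName) {
  const auth = serverInfo.authentication || {};
  const providers = Array.isArray(auth.identityProviders) ? auth.identityProviders : [];
  return providers.find(p => p.displayName === displayName) || null;
}

// Validate a postMessage event from the SSO window before trusting its payload.
// Only a message whose origin is the CIC server (the page the IdP redirects back
// to) is accepted; anything else returns null and is ignored by the caller.
function extractSsoToken(event, expectedOrigin) {
  if (event.origin !== expectedOrigin) return null;
  if (typeof event.data !== 'string' || event.data.length === 0) return null;
  return event.data;
}

// Build the body of the ICWS connection request (same shape as the post's connectData).
function buildConnectRequest(singleSignOnToken, applicationName) {
  return {
    __type: 'urn:inin.com:connection:singleSignOnTokenConnectionRequestSettings',
    applicationName: applicationName,
    singleSignOnToken: singleSignOnToken
  };
}

// Browser glue (only runs in a browser): open the SSO window, wait for a token
// from the CIC origin, then POST the connection request with credentials.
function startSsoLogin(ssoLoginUrl, cicOrigin, applicationName) {
  return new Promise((resolve, reject) => {
    const popup = window.open(ssoLoginUrl, 'cicSso');
    if (!popup) { reject(new Error('SSO window was blocked')); return; }
    function onMessage(event) {
      const token = extractSsoToken(event, cicOrigin);
      if (token === null) return;            // not from the CIC server, or not a token: ignore
      window.removeEventListener('message', onMessage);
      popup.close();
      fetch(cicOrigin + '/icws/connection', {
        method: 'POST',
        credentials: 'include',
        headers: { 'Content-Type': 'application/json', 'Accept-Language': 'en-US' },
        body: JSON.stringify(buildConnectRequest(token, applicationName))
      }).then(resp => (resp.status === 201
          ? resolve(resp.json())
          : reject(new Error('connection request failed: HTTP ' + resp.status))))
        .catch(reject);
    }
    window.addEventListener('message', onMessage);
  });
}
```

In a page script you would call `startSsoLogin(ssoLoginUrl, cicOrigin, 'Single Sign On Demo')` after choosing a provider with `pickIdentityProvider` and treat the resolved response exactly like the result of a username/password connection.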


