How to set up SAML 2.0 Single Sign-On via an Identity Provider
BoldChat provides Single Sign-On support based on the SAML 2.0 protocol. It accepts SAML assertions delivered in the SAMLResponse parameter; the NameID of the authenticated user is a mandatory claim in the assertion.
- Protocol type: SAML 2.0
- Service type: AssertionConsumerService
- Binding type: HTTP-POST
- WantAssertionsSigned: True
Alternatively, you can set up the connection using the BoldChat metadata XML below, which contains the required parameters (xxxxxxxxxx is your Account ID; yyyyyyyyyy is your BoldChat server address).
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://yyyyyyyyyy/aid/xxxxxxxxxx/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://yyyyyyyyyy/aid/xxxxxxxxxx/"/>
  </SPSSODescriptor>
</EntityDescriptor>
- Go to the Main Setup tab and select the
Remember: You must configure SSO on the Identity Provider side first.
Click Test to check the authentication process.
You are redirected to the Identity Provider's URL in a popup. If the Identity Provider returns a SAMLResponse, the response is presented on this settings form. If no SAMLResponse parameter is returned, or you have simply misconfigured your URL, the popup window may stay open.
Important: The Identity Provider URL must be an ordinary link that authenticates the user and, if the user has the necessary rights, redirects them to the BoldChat SSO URL with the SAMLResponse token.
Result: SAMLResponse is returned
Description: The response is presented in the form. Note: Copy the public key for later use.

Result: SAMLResponse is not returned
Description: The popup may stay open. It is likely that you have simply misconfigured your URL.
NameID is a mandatory claim in the
You must add this claim on the Identity Provider side as a unique attribute of the authenticated user, for example their e-mail address. When you later map an authenticated user to an operator, the value in the operator's SSO Name ID field must match the NameID in the assertion.
- Under the Public Key Setup tab, paste the public key of the signed SAMLResponse token that you received in Step 2, and save it. Before saving, compare it with the signing certificate published in your Identity Provider's metadata: BoldChat uses this key to validate the signature on every assertion it receives, so it must be the key you expect from your Identity Provider, not simply whatever arrived in the test response.
Web Workspace setup. To access Web Workspace by SSO, use the following URL format:
- https://agent.boldchat.com/sso/account-id/ACCOUNTID (Replace ACCOUNTID with your account ID)
- https://agent.boldchat.com/sso/username/USERNAME (Replace USERNAME with your username)
Desktop Operator Client setup. You can use the desktop Operator Client in SSO mode with version 7.40 or newer. To configure the desktop Operator Client, do either of the following:
- Go to .
- Use the following registry scripts (replace xxxxxxxxxx with your Account ID).
SSO Launch Enabled Registry Script
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BoldChat-SSOAID"="xxxxxxxxxx"
"BoldChat-SSOENA"="True"

SSO Launch Disabled Registry Script
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BoldChat-SSOENA"="False"
Web Client SSO setup. Once you have configured SSO on both sides, launch your Web Client in SSO lookup mode with either of the following URLs:

URL: https://yyyyyyyyyy/aid/xxxxxxxxxx/
Description: xxxxxxxxxx is your Account ID; yyyyyyyyyy is your BoldChat server address.

URL: https://yyyyyyyyyy/un/uuuuuuuuuu/
Description: uuuuuuuuuu is any BoldChat username defined under your account; yyyyyyyyyy is your BoldChat server address.
Check that parsing was successful to ensure that the BoldChat servers understand the response as a SAML 2.0 assertion token.
Remember: First make sure that the SAMLResponse token is returned correctly.
Once parsing has completed successfully, check the following:
- Issuer found: A required element in the SAML 2.0 protocol; it identifies the Identity Provider that issued the assertion and must be the one you configured.
- IssueInstant: A required attribute that records when the assertion was issued. It must be a UTC timestamp (xs:dateTime with a trailing Z). BoldChat only accepts tokens whose IssueInstant falls within a valid time frame, so the Identity Provider's clock must be accurate.
- NameID: Required for mapping a BoldChat operator record to the authenticated user.
- Public key: Required, and must also be stored in BoldChat settings so that the signature on the assertion can be validated.
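The checklist above, applied to a SAMLResponse as it arrives over the HTTP-POST binding, as an added example. This is not BoldChat's code and does not show how BoldChat validates tokens; it base64-decodes the form parameter and checks Issuer, IssueInstant freshness and NameID the way an integrator would when debugging a failing test. It deliberately does not verify the XML signature: that step must come first, using an XML-DSig library and the stored public key, and an assertion that fails it must be rejected before any of these checks matter. The IdP entityID, the time window, and the sample response are all assumptions constructed for the example.

```python
"""Post-parse checks on a SAMLResponse (added example, not BoldChat code).

Signature verification with the stored public key is a prerequisite and is
NOT implemented here; use an XML-DSig library for it.
"""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
IDP_ISSUER = "https://idp.example.com/metadata"  # assumed IdP entityID

# Constructed sample of what an IdP posts in the SAMLResponse field (before
# base64). The ds:Signature is omitted only because this example does not
# verify it; a real response must be signed.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_resp1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z"
  Destination="https://yyyyyyyyyy/aid/xxxxxxxxxx/">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">agent@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_SAMLRESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()


def parse_issue_instant(value):
    """Parse a SAML xs:dateTime. SAML 2.0 requires UTC, i.e. a trailing 'Z'."""
    if not value.endswith("Z"):
        raise ValueError(f"IssueInstant {value!r} is not in UTC")
    base = value[:-1].split(".")[0]  # drop optional fractional seconds
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_saml_response(saml_response_b64, now, expected_issuer=IDP_ISSUER,
                        max_age=timedelta(minutes=5), skew=timedelta(minutes=2)):
    """Apply the Issuer / IssueInstant / NameID checks.

    Returns {"ok": bool, "name_id": str | None, "findings": [reasons]}.
    """
    findings = []
    try:
        root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    except (ValueError, ET.ParseError) as exc:  # binascii.Error is a ValueError
        return {"ok": False, "name_id": None, "findings": [f"parse failed: {exc}"]}

    if root.tag != f"{{{NS['samlp']}}}Response":
        return {"ok": False, "name_id": None, "findings": ["root is not samlp:Response"]}

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "name_id": None,
                "findings": ["no Assertion (an EncryptedAssertion must be decrypted first)"]}

    # Issuer found: required, and it must be the IdP you configured.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if not issuer:
        findings.append("Issuer missing")
    elif expected_issuer and issuer != expected_issuer:
        findings.append(f"Issuer {issuer!r} is not the configured Identity Provider")

    # IssueInstant: required, UTC, and inside the acceptance window.
    raw_instant = assertion.get("IssueInstant")
    if raw_instant is None:
        findings.append("IssueInstant missing")
    else:
        try:
            issued = parse_issue_instant(raw_instant)
            if issued > now + skew:
                findings.append("IssueInstant is in the future (check IdP clock)")
            elif issued < now - max_age:
                findings.append("IssueInstant is older than the accepted time frame")
        except ValueError as exc:
            findings.append(str(exc))

    # NameID: required to map the user to a BoldChat operator record.
    name_id_el = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (name_id_el.text or "").strip() if name_id_el is not None else ""
    if not name_id:
        findings.append("NameID missing or empty")
    elif name_id_el.get("Format") not in (None, EMAIL_FORMAT):
        findings.append(f"NameID Format {name_id_el.get('Format')!r} differs from SP metadata")

    return {"ok": not findings, "name_id": name_id or None, "findings": findings}


if __name__ == "__main__":
    print(check_saml_response(SAMPLE_SAMLRESPONSE,
                              now=datetime(2024, 1, 15, 10, 1, tzinfo=timezone.utc)))
```

The time window is the part worth tuning: a generous max_age makes replay of a captured SAMLResponse easier, a tight one turns IdP clock drift into login failures, which is exactly the "IssueInstant" symptom to look for when the test popup returns a token that is then rejected.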