About Customer Single Sign-On
Customer single sign-on is a feature that allows customers to access secure domains, which they can use to contact and interact with agents without having to enter redundant authentication information.
- Customer 360 is a mobile response template through which website visitors can access contact channels of the application. Configuring single sign-on to use Customer 360 also applies to secure message centers configured in the system. For more information, see Secure Message Center.
- Secure Chat, also known as Chat Customer Single Sign-On, allows chat entry points to transfer customer context information from the company website to the application through SAML. This allows customers who are already recognized on the company website to use an SSO-enabled entry point to chat with a customer without having to provide redundant information. This feature is available for auto-login configuration only. To learn how to enable auto-login for chat, and how to configure entry points for Secure Chat, see Enabling Auto-Login.
Since customer single sign-on can be used in multiple ways on a variety of web domains, customers with different identity providers may be trying to access those resources. When configuring your system for customer single sign-on, you have the option of configuring the system for multiple identity providers to accommodate this.
For example, a single portal can provide entry into a chat through different areas of the portal. These can be owned by different vendors, such as a virtual assistant provided by a different vendor. Thus, the application must allow customers to log in to chat SSO through multiple identity providers.
Setting up customer single sign-on configurations requires the following be performed:
Customer Single Logout
Customer Single Logout is only supported for the Customer 360 type of SSO authentication.
It is a common scenario for customers to be logged in to multiple secure channels at a time. To make it easier for customers to handle their secure interactions, and to coincide with the capabilities of single sign-on for customers, SAML used for customer single sign-on contains a built-in feature called SAML Single Logout (SLO). This allows customers who logged in to multiple secure interaction channels (secure messaging center, secure chat, etc.) through single sign-on to immediately log out of all of the applications they are currently accessing without having to do it individually. When a customer terminates an online session that was initiated through single sign-on, all other related sessions are terminated at once, ensuring their information remains secure. SLO is initiated from either the Identity Provider (IdP) or any of the involved Service Providers (SP).
Setting up customer single logout configurations requires the following be performed:
- Configure Single Logout for the Identity Provider: This involves providing SLO endpoints exposed by the application to the IdP. For more information, see “Planning Your Configuration,” below.
- Enable and Configure Customer SLO in the Application: This involves turning on single logout services for each provider configured in the application, as well as providing additional details required by these services. For more information, see Creating Identity Providers.
Planning Your Configuration
Before configuring Chat Customer Single Sign-On, perform the following:
- Identify the entry points for which you want to enable this feature.
- Identify the attributes you want to transfer through SAML and configure your identity provider to generate a SAML assertion with these attributes.
- Obtain the SAML configuration details, such as the Assertion Consumer Service URL (https://web_server/context_root/authentication/sso/saml2), Entity ID, and the public key certificate used to validate the SAML assertion. Have these ready when enabling the Chat Customer SSO feature. For information on obtaining these details, consult your IT department.
- If you are configuring SLO for Customer 360, you must provide eGain SLO endpoints to each Identity Provider you want to enable for SLO.
  - To configure IdP-initiated SLO, provide the following POST endpoint to the IdP: https://web_server/context_root/SAML/SSO/customer/logout/request?providerId=ID.
  - To configure SP-initiated SLO, provide the following POST endpoint to the IdP: https://web_server/context_root/SAML/SSO/customer/logout/response?providerId=ID.
  - Note: The providerId query parameter is optional. If it is omitted, the service exposed at the specified URL assumes the default provider ID configured in the application.
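The following is an added example, not eGain code or documentation: it fills in the URL templates above and expresses them as standard SAML 2.0 SP metadata, then checks that the request and response logout endpoints have not been swapped or mistyped before they are handed to an IdP. The host `chat.example.com`, context root `system`, provider ID `idp-a` and the entity ID are constructed placeholders, and it is an assumption that your IdP accepts endpoints in metadata form.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def sp_endpoints(web_server, context_root, provider_id=None):
    """Fill in the page's URL templates for one deployment."""
    base = f"https://{web_server}/{context_root.strip('/')}"
    # providerId is optional; if omitted, the application's default provider applies.
    query = "?" + urlencode({"providerId": provider_id}) if provider_id else ""
    return {
        "acs": f"{base}/authentication/sso/saml2",
        "slo_request": f"{base}/SAML/SSO/customer/logout/request{query}",
        "slo_response": f"{base}/SAML/SSO/customer/logout/response{query}",
    }

def sp_metadata(entity_id, urls):
    """Build a SAML 2.0 SPSSODescriptor describing those endpoints."""
    ET.register_namespace("md", MD)
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    # Location takes LogoutRequests (IdP-initiated SLO); ResponseLocation takes
    # LogoutResponses that answer the application's own requests (SP-initiated SLO).
    ET.SubElement(sp, f"{{{MD}}}SingleLogoutService", Binding=POST,
                  Location=urls["slo_request"], ResponseLocation=urls["slo_response"])
    # HTTP-POST for the ACS is an assumption; the page names POST only for SLO.
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", Binding=POST,
                  Location=urls["acs"], index="0", isDefault="true")
    return ET.tostring(root, encoding="unicode")

def check_metadata(xml_text, expected):
    """List every endpoint in locally produced metadata that differs from the plan."""
    root = ET.fromstring(xml_text)
    slo = root.find(f".//{{{MD}}}SingleLogoutService")
    acs = root.find(f".//{{{MD}}}AssertionConsumerService")
    found = {
        "acs": None if acs is None else acs.get("Location"),
        "slo_request": None if slo is None else slo.get("Location"),
        "slo_response": None if slo is None else slo.get("ResponseLocation"),
    }
    return [f"{k}: expected {expected[k]}, found {v}"
            for k, v in found.items() if v != expected[k]]

if __name__ == "__main__":
    # Constructed sample values: host, context root, provider ID and entity ID.
    urls = sp_endpoints("chat.example.com", "system", provider_id="idp-a")
    xml_text = sp_metadata("https://chat.example.com/sp", urls)
    print(xml_text)
    print(check_metadata(xml_text, urls) or "metadata matches the planned endpoints")
```

Run `check_metadata` only on metadata you produced yourself; for XML received from another party, use a hardened parser before reading it.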