Finesse 11.6 REST API with SSO

cukoun
Level 1

Hi all,

Is it possible to use the REST API when SSO is enabled on Finesse, or is this not currently supported? I tried this on dcloud. I had one agent without SSO, and API calls were working as expected from Postman, but when I tried the same API calls for an agent with SSO enabled, these API calls were not successful, with a 401 - unauthorized response from the Finesse server.

Thx

Tomas

1 Accepted Solution

Accepted Solutions

dekwan
Cisco Employee

Hi Tomas,

Currently, SSO is not supported for the Finesse REST APIs. It is only supported for the Finesse JavaScript API (where it handles the authentication for you).

Thanx,

Denise

24 Replies

YouTee
Level 1
Is there a solution for this yet..?

dekwan
Cisco Employee

Hi,

 

Yes and no. Yes, SSO with the REST APIs works. No, because the process to get the auth token needed in the authorization of the REST API is not straightforward. Here is the section in the developer's guide on SSO APIs: https://developer.cisco.com/docs/finesse/#!single-sign-on

 

Thanx,

Denise

Hi Denise,

 

I have a use case where I am using the Finesse JavaScript API to make calls and other related actions on my 3rd party gadget inside Finesse, but I am getting an unauthorised error after a duration of around 75 mins when I am logged into Finesse. However, at the same time, I am able to do the same actions using the Finesse call control gadget.

 

And since I am unable to work with this, I was looking for alternatives on getting the SSO token using the Finesse REST APIs.

 

Thanks,

Utsav

dekwan
Cisco Employee

Hi,

 

Interesting. Let me check with the Finesse team on why you start getting an error after 75 mins. I know that the tokens expire, but the Finesse container should be handling that, which explains why the call control gadget is working fine.

 

Thanx,

Denise

dekwan
Cisco Employee

Hi,

 

The Finesse team is not able to reproduce your issue. Can you please share your gadget code?

 

Thanx,

Denise

I'm trying to get my program to use SSO.

I'm developing using the REST interface, and I use C#.

 

I'm not entirely sure if I **can** use SSO, given that I'm not using java or javascript. Is it even possible? If not, could I have some small java program (hopefully made from some sort of demo program, as I'm not well versed in java), that just provides the token for me, which I then use in my other program?

 

Also, can I log in on behalf of another user? I have a server that interacts with Finesse, and handles calls/event receiving etc. for all users. I was curious if I need one token per user, or if I can have a "service user" for my program (a Windows user that exists just for my server service) that handles everything for everyone?

Hi,

 

You can use SSO as long as you are able to meet the following requirements:

  • Follow server issued redirects.

  • Store and forward cookies.

  • Honor the various cookie attributes.

  • Execute JavaScript in HTML responses.

As you have probably experienced, SSO requires the user to log in with their username/password at least once. As a result, your application needs to be able to redirect to the login page and follow redirects.

 

For the details to integrate Finesse with SSO, please see the doc here: https://developer.cisco.com/docs/finesse/#!rest-api-with-sso-guide-client-integration/client-integration 

 


@lvj00000111 wrote:

Also, can I log in on behalf of another user? I have a server that interacts with Finesse, and handles calls/event receiving etc. for all users. I was curious if I need one token per user, or if I can have a "service user" for my program (a Windows user that exists just for my server service) that handles everything for everyone?


Unfortunately not. Each Finesse REST API has its own security constraints on who can utilize the API, but a lot of them are restricted to either the user itself. Therefore, you need to get the token per user and cannot have a "service user" to make all of the API calls.

 

Thanx,

Denise

Thank you for the fast response.

 

I tried https://<FQDN>/desktop/sso/token and get a 403 - forbidden back. In some cases, I actually get some JSON back with errorType "Request Forbidden" and a message saying that SSO is disabled.

If this works, how does it know that I'm a legal user? Should I add a header with basic auth? Or does it use Windows auth (current user)? Maybe I'm just doing things wrong...

 

Given that my customer claimed to be using SSO (and we couldn't get on using normal HTTP basic authentication like on the sandbox system of yours), I tried to request a SystemInfo. It is telling me that systemAuthMode is HYBRID... not sure what that covers (it seemed it could only be SSO or nonSSO).

Also, is there a way to configure this on the 11.6 sandbox? I was on the admin site to set up a client app for SSO, and when I looked at the Settings tab, that page was empty.

 

Hi,

 

Is the system that you made the https://<FQDN>/desktop/sso/token request to the same one that is showing to be in HYBRID mode?

 

For the https://<FQDN>/desktop/sso/token API, you use basic authentication for the user that you are trying to login as. This API will require redirects to pop up the login page for the user to input their credentials.

 

As far as the 11.6 sandbox, the Contact Center Express sandboxes are not configured to be in SSO mode. The Packaged Contact Center Enterprise sandboxes are configured for SSO and are in hybrid mode. I would suggest that you use those sandboxes, but 11.6 is not available.

 

Thanx,

Denise


Is the system that you made the https://<FQDN>/desktop/sso/token request to the same one that is showing to be in HYBRID mode?

Yes. What does Hybrid even mean? I thought only "SSO" or "nonSSO" was allowed...

 

For the https://<FQDN>/desktop/sso/token API, you use basic authentication for the user that you are trying to login as. This API will require redirects to pop up the login page for the user to input their credentials.

So I start out with a "normal" basic authentication call, get my token, and use that for all the following calls for that user?

I guess I can do that, thanks.

Hi,

 


@lvj00000111 wrote:

Is the system that you made the https://<FQDN>/desktop/sso/token request to the same one that is showing to be in HYBRID mode?

Yes. What does Hybrid even mean? I thought only "SSO" or "nonSSO" was allowed...

Hybrid mode means that some users are SSO enabled and some are not. You should use Single Sign-On - Get User Authentication Mode API to make sure the user is SSO enabled. It will not work if they are not.

 


For the https://<FQDN>/desktop/sso/token API, you use basic authentication for the user that you are trying to login as. This API will require redirects to pop up the login page for the user to input their credentials.

So I start out with a "normal" basic authentication call, get my token, and use that for all the following calls for that user?

I guess I can do that, thanks.


When I think about what I said, that makes absolutely no sense because the whole redirect is prompting for the credentials. I guess I got thrown off by the security constraints for that API. So, ignore what I said above.

 

Your issue may be that the user you are trying to use the API for is not SSO enabled. I will try to get my hands on an SSO environment and try this out.

 

Thanx,

Denise

 

 

I tried on our customer's server (the Hybrid fellow) to call the https://<FQDN>/desktop/sso/token using basic auth with my credentials (which work fine with Jabber), and got this back.

 

{
"errorType": "Request Forbidden",
"errorData": "",
"errorMessage": "Request could not be processed since SSO is disabled or session is invalid."
}

Hi,

 

Sorry for the delayed response. I had to look into this and reach out to the Finesse team.

 

Ok, so for systems on hybrid mode, you must be on Finesse 12.0 with the latest ES (I think it is ES3?) or 12.5 in order to use the https://<FQDN>/desktop/sso/token API. When using this API, it must be performed on the browser or something that can do a redirect (so not Postman) and the username must be provided via a cookie or, if you have 12.5, a query parameter. This username requirement is documented in the client integration page.

 


If your system is in SSO only, then you can use the APIs starting 11.6. You must provide the cc_username via a cookie. Using 12.0, I verified that it works if in SSO mode.

 

I hope this information helps!

 

Thanx,

Denise
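
The version and mode rules from the reply above, applied to the 403 body quoted earlier in the thread, as an added example (not part of the original posts and not Cisco code). The function names, the (major, minor) version tuple and the returned strings are assumptions made for illustration; the query parameter is left unnamed because the thread does not name it.

```python
import json

def token_api_plan(system_auth_mode, version, user_sso_enabled=True):
    """Preflight for GET /desktop/sso/token, per the rules stated in the thread.

    version is a (major, minor) tuple. Returns (usable, username_carriers, note).
    """
    mode = system_auth_mode.strip().upper()
    if mode == "HYBRID":
        if version < (12, 0):
            return False, [], "hybrid mode needs Finesse 12.0 with the latest ES, or 12.5"
        if not user_sso_enabled:
            return False, [], "this user is not SSO enabled"
    elif mode == "SSO":
        if version < (11, 6):
            return False, [], "SSO-only mode needs Finesse 11.6 or later"
    else:
        return False, [], "system is not in SSO or HYBRID mode"
    carriers = ["cc_username cookie"]
    if version >= (12, 5):
        carriers.append("query parameter")  # available on 12.5 only
    hybrid_12_0 = mode == "HYBRID" and version < (12, 5)
    return True, carriers, "on 12.0, confirm the ES level" if hybrid_12_0 else "ok"

def diagnose(status, body, plan):
    """Map a token-endpoint response to the most likely cause."""
    usable, carriers, note = plan
    if status != 403:
        return f"HTTP {status}: not the SSO-disabled case from the thread"
    try:
        err = json.loads(body)
    except ValueError:
        return "403 without a JSON error body"
    if err.get("errorType") != "Request Forbidden":
        return f"403 with errorType {err.get('errorType')!r}"
    if not usable:
        return f"expected failure: {note}"
    return ("check that the client follows redirects and sends the username via: "
            + ", ".join(carriers))

# Constructed sample: the 403 body quoted in the thread, as one JSON string.
SAMPLE_403 = ('{"errorType": "Request Forbidden", "errorData": "", "errorMessage": '
              '"Request could not be processed since SSO is disabled or session is invalid."}')

if __name__ == "__main__":
    # The poster's situation: HYBRID system on 11.6.
    print(diagnose(403, SAMPLE_403, token_api_plan("HYBRID", (11, 6))))
```
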

 

 

 

 
