04-12-2018 04:46 AM
We have a customer that is wanting to use SSO with a custom thick client Finesse desktop client that will consume the REST API and BOSH interfaces directly.
I understand that 11.6+ of Finesse now supports sending the SSO access token instead of AgentID and Password on the REST API and BOSH connection. The Client would embed the SSO SDK to enable the SSO login to retrieve the access token and would then use the token on the REST and BOSH HTTP connection. There are code examples on the SSO SDK site that show how to do this:
https://developer.cisco.com/site/contact-center-express/docs/#cisco-identity-service-client-sdk
However, there isn't an example of how you would do the Login to Finesse using the REST API, that I can find anywhere. The 11.6 Web Service guide doesn't mention anything about SSO. I understand that you can use the SSO SDK to get an access token, and then send the SSO access token on the REST API Requests instead of the AgentID/Password with basic authentication. But what I don’t understand is how to get the AgentID for the resource ID beforehand? The OOTB Desktop is doing this in the Shindig container with a dip to the AWDB. It then performs the REST API call to Tomcat using the AgentID it retrieved to perform the actual login to UCCE. The only way that I can see the customer being able to use SSO would be to prompt the Agent for both the SSO Login ID and the AgentID, right?
For example, when you issue the Login request to the REST API you have to have the AgentID in the ResourceID of the URL.
PUT to http://<FQDN>/finesse/api/User/<id>
with body:
<User>
<state>LOGIN</state>
<extension>1001001</extension>
</User>
There must be a step that I am missing here? In my opinion, there is a missing component: a Web Service call that the client can make using the SSO access token for authentication, and the Agent Login Name (i.e. SSO User Name), to retrieve the User object including the AgentID. Once the client has the AgentID, then it is business as usual, except using the SSO Access Token instead of the AgentID/Password and basic authentication.
Loyd Vest,
Senior Custom Software Engineer,
AS Custom Application and Integration Team.
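The login request quoted in the post above, assembled with either Basic or Bearer authentication, as an added example that is not part of the original post and is not Cisco's code. The function names, the `https` scheme, the `Content-Type: application/xml` header and all sample values are assumptions; the AgentID still has to be obtained separately.

```javascript
// Added example (not Cisco's code). Builds, but does not send, the Finesse
// login request quoted in the thread, with Basic or Bearer authentication.

// Escape text placed inside an XML element so input cannot inject markup.
function xmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' }[c]
  ));
}

// auth is { type: 'basic', agentId, password } or { type: 'bearer', token }.
function authorizationHeader(auth) {
  if (auth.type === 'bearer') {
    // Assumption: the token is printable ASCII with no spaces or line breaks,
    // so it cannot smuggle extra header lines into the request.
    if (!/^[\x21-\x7e]+$/.test(auth.token)) throw new Error('malformed token');
    return 'Bearer ' + auth.token;
  }
  if (auth.type === 'basic') {
    const raw = auth.agentId + ':' + auth.password;
    return 'Basic ' + Buffer.from(raw, 'utf8').toString('base64');
  }
  throw new Error('unsupported auth type');
}

function buildLoginRequest({ fqdn, agentId, extension, auth }) {
  if (!/^[A-Za-z0-9.-]+(:\d+)?$/.test(fqdn)) throw new Error('bad host');
  if (!agentId) throw new Error('agentId is required for the resource URL');
  return {
    method: 'PUT',
    // Assumption: https, so the credential never crosses the network in clear.
    url: 'https://' + fqdn + '/finesse/api/User/' + encodeURIComponent(agentId),
    headers: {
      Authorization: authorizationHeader(auth),
      'Content-Type': 'application/xml', // assumption, not stated in the thread
    },
    body: '<User><state>LOGIN</state><extension>' + xmlEscape(extension) +
          '</extension></User>',
  };
}

// Constructed sample values; the token is a placeholder, not a real one.
const sample = buildLoginRequest({
  fqdn: 'finesse.example.com', agentId: '1001', extension: '1001001',
  auth: { type: 'bearer', token: 'PLACEHOLDER.ACCESS.TOKEN' },
});
```

The returned object can be handed to any HTTP client; the token stays in the `Authorization` header and never appears in the URL.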
04-16-2018 12:31 PM
Hi Loyd,
Sorry for the slow reply, I was away for most of last week. I currently don't have a good answer for you, but I will look into it.
Thanx,
Denise
05-04-2018 01:50 PM
Hi,
Just as an update, there are single sign-on APIs that were the missing step. They have now been added to the Finesse Developers guide: https://developer.cisco.com/docs/finesse/#!single-sign-on-apis
Thanx,
Denise
11-27-2019 10:00 PM
Hi,
All of the Finesse APIs are working with Bearer attached to them.
Our problem is that BOSH events are not working for SSO users. For non-SSO users we attach b64Encode(username +':'+password) in the header; in the same way, we tried attaching the Bearer token for the SSO user (BOSH events), but it doesn't work.
Can you kindly help us with this?
Thanks
Manoj
12-02-2019 11:58 AM
Hi,
Unfortunately SSO for the XMPP/BOSH connection is not supported at this time.
Thanx,
Denise
12-02-2019 01:41 PM
The OOTB Desktop uses a WebSocket for the XMPP Event Feed in Finesse 12.0 using Strophe. If you are on 12.0, you can use a WebSocket via Strophe.js. You can then pass the Bearer Token in the Password field to the Strophe.Connection.connect function, for SSO.
Have a look at the EventTunnel.js at http://<hostname>:<port>/tunnel/EventTunnel.js on your Finesse Server.