Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2097
Views
20
Helpful
6
Replies

REST and XMPP on Finesse 11.6 w. SSO

lvj00000111
Level 1
Level 1

‎03-17-2021 03:59 AM - edited ‎03-17-2021 06:36 AM

After making a solution that used the REST interface (as described in Cisco_Finesse_Web_Services_Developer_Guide_Release_11.6.pdf) for commands and XMPP to receive events, I've run into some problems.

 

The Lab environment ran with nonSSO, so everything was fine. Our customer however, runs with SSO (actually, they use Hybrid).

 

Just to test, we tried with their administrator account (which is nonSSO I've been told), and I tried changing user state to LOGIN. Unlike for my own user, which got a code 401 back, administrator got

<ApiErrors>
    <ApiError>
        <ErrorType>Not Found</ErrorType>
        <ErrorData>finesse.api.not_found</ErrorData>
        <ErrorMessage>User not found: administrator</ErrorMessage>
    </ApiError>
</ApiErrors>

So I tried with administrator's credentials and my user in the URL. I expected that to go wrong of course, and got 

<ApiErrors>
    <ApiError>
        <ErrorType>Invalid Authorization User Specified</ErrorType>
        <ErrorData>ljensen1</ErrorData>
        <ErrorMessage>The user specified in the authentication credentials and the uri don't match</ErrorMessage>
    </ApiError>
</ApiErrors>

which makes sense.

 

I tried for both my user (SSO) and administrator (nonSSO) to subscribe to XMPP events but am told "SASL authentication failed." Should I be able to listen to events without being logged in via the REST interface?

I use port 5222 to connect to the Finesse server, and I use SSL encryption.

 

I also found this:

https://github.com/CiscoDevNet/finesse-sample-code/tree/master/NonGadgetSample 

It seems to me, that this only runs nonSSO (using Basic auth) like I do, so I don't suppose there's something I can use and adapt to my solution there.

Can it be run outside an Apache server?

 

 

EDIT: if there is any way to get events for (all) users, even if I can't log in due to SSO not working as desired in 11.6, that would be an important first step. The top priority is to know when an ingoing call takes place and who calls who.

Labels:
0 Helpful
6 Replies 6

dekwan
Cisco Employee
Cisco Employee

‎03-17-2021 10:11 AM

Hi,

 

Just to test, we tried with their administrator account (which is nonSSO I've been told), and I tried changing user state to LOGIN.

The User-Sign In to Finesse API is restricted for users only. Administrators are not allowed to use the API and therefore an error is correct. 

 

I tried for both my user (SSO) and administrator (nonSSO) to subscribe to XMPP events but am told "SASL authentication failed." Should I be able to listen to events without being logged in via the REST interface?

I use port 5222 to connect to the Finesse server, and I use SSL encryption.

Administrators are not allowed to connect to the XMPP server. For SSO users, you need to use the username and the token from the ids as the password (https://developer.cisco.com/docs/finesse/#faq/notifications-sso)

 

For a secure connection to the XMPP server, you have to use port 5223: https://developer.cisco.com/docs/finesse/#faq/port-notification 

 

EDIT: if there is any way to get events for (all) users, even if I can't log in due to SSO not working as desired in 11.6, that would be an important first step. The top priority is to know when an ingoing call takes place and who calls who.

No, you cannot get events for all users. Finesse is built for users to use REST APIs and get events for themselves only.

 

I hope that helps!

 

Thanx,

Denise

lvj00000111
Level 1
Level 1
In response to dekwan

‎03-18-2021 08:10 AM - edited ‎03-18-2021 08:13 AM

Thank you for the fast response.

 

I have previously tried to get a token for an SSO user, but you told me (with these words) that in 11.6, SSO and especially getting a token via the REST interface was "half baked".

I seem to run into that problem with whatever I try. I will need a token for the SSO users, but can't get one in 11.6 using the REST interface (if I understood things correctly - which might not be the case). Is there any way to get such a token out of the system in 11.6, if you're not running in a gadget? I'm running a windows service written in C#. I think all I need is the token, and I should be happy, because everything worked nice and smoothly on the non-SSO Lab system of yours (those Lab systems are still pretty cool - by far the best testbed offered by any phone (or radio) company ever!). 

From https://developer.cisco.com/docs/finesse/#faq/sso-token it seems that getting a token is not possible, but I'm willing to hack things a bit if possible, and then make the right solution once my customer upgrades to 12.5+

 

0 Helpful

dekwan
Cisco Employee
Cisco Employee
In response to lvj00000111

‎03-18-2021 10:12 AM

Hi,

 

I have previously tried to get a token for an SSO user, but you told me (with these words) that in 11.6, SSO and especially getting a token via the REST interface was "half baked". I seem to run into that problem with whatever I try. I will need a token for the SSO users, but can't get one in 11.6 using the REST interface (if I understood things correctly - which might not be the case).

Yes, that is the case for 11.6 in a hybrid SSO mode system. It is correct that you need a token to authenticate a SSO user, but you are not able to in a 11.6 hybrid mode system.

 

Is there any way to get such a token out of the system in 11.6, if you're not running in a gadget? I'm running a windows service written in C#. I think all I need is the token, and I should be happy, because everything worked nice and smoothly on the non-SSO Lab system of yours (those Lab systems are still pretty cool - by far the best testbed offered by any phone (or radio) company ever!). 

I have not tried this myself, but there is a Java SDK for IDS: https://developer.cisco.com/docs/contact-center-express/#!cisco-identity-service-client-sdk-overview I think that you can get the token directly from the IDS. But again, I have no experience with this. (Even though this link comes from CCX, it is the same on CCE too).

 

I'm glad that you find our testbeds useful. We try hard to include as many features as we can!

 

From https://developer.cisco.com/docs/finesse/#faq/sso-token it seems that getting a token is not possible, but I'm willing to hack things a bit if possible, and then make the right solution once my customer upgrades to 12.5+

With Finesse 11.6 in hybrid mode, it is not possible with the Finesse APIs (I double checked with the Finesse team). Please refresh my memory, are you specifically using 11.6 in hybrid mode because the customer is on 11.6 hybrid mode only? Or, is it because the DevNet system is on non-SSO? If it is because the DevNet system is like that, you can actually change the system to be SSO only mode. In SSO only mode, you can send the cc_username as a cookie.

 

Thanx,

Denise

 

lvj00000111
Level 1
Level 1
In response to dekwan

‎03-19-2021 01:13 AM

I think I've tried the java SDK before (and I think I might've asked the same questions more than once, and if so, I'm sorry about that). I have also been commenting on this thread: https://community.cisco.com/t5/contact-center/finesse-11-6-rest-api-with-sso/m-p/4302072#M11764 

My biggest problem was, that I couldn't tell the system which user I was, as I need several tokens to act on behalf of several users (both commands and events).

But if I can at least get one token, and act on behalf of one user, I can maybe make a client-side interface, running on each workstation rather than the server-side interface where my server talks to Finesse and acts on behalf of all users (with a token/session per user)

 

Our customer's server runs hybrid. System Info:

<SystemInfo>
  <currentTimestamp>2021-03-19T07:48:12.736Z</currentTimestamp>
  <deploymentType>UCCE</deploymentType>
  <lastCTIHeartbeatStatus>success</lastCTIHeartbeatStatus>
  <license></license>
  <peripheralId>5007</peripheralId>
  <primaryNode>
    <host>XXXX.com</host>
  </primaryNode>
  <secondaryNode>
    <host>XXXX.com</host>
  </secondaryNode>
  <status>IN_SERVICE</status>
  <statusReason></statusReason>
  <systemAuthMode>HYBRID</systemAuthMode>
  <timezoneOffset>-240</timezoneOffset>
  <uri>/finesse/api/SystemInfo</uri>
  <xmppDomain>XXXX.com</xmppDomain>
  <xmppPubSubDomain>pubsub.XXXX.com</xmppPubSubDomain>
</SystemInfo>
0 Helpful

lvj00000111
Level 1
Level 1
In response to dekwan

‎03-19-2021 01:18 AM

Another thought: does gadgets have other options, and if so, can they interact with the rest of the world so to speak?

Could I somehow send a request to a gadget, which then gave me a token for a given user? It would be quite a hack, but I'm willing to do anything at the moment to reach my goal. I can always make a nice solution for when our customer upgrades.

dekwan
Cisco Employee
Cisco Employee
In response to lvj00000111

‎03-19-2021 09:44 AM

Hi,

 

But if I can at least get one token, and act on behalf of one user, I can maybe make a client-side interface, running on each workstation rather than the server-side interface where my server talks to Finesse and acts on behalf of all users (with a token/session per user)

Having a client side interface is the ideal way to use Finesse and that is how it was intended to be used.

 

Our customer's server runs hybrid. System Info:

The only way 11.6 on hybrid will work is using that Java SDK (I am pretty sure you can get the token directly from there), so what is the probability that they will upgrade their system? Maybe you can build your application on 12.0 or 12.5 so that it is ready for when they do the upgrade?

 

Another thought: does gadgets have other options, and if so, can they interact with the rest of the world so to speak?

The gadget is just like a mini webpage so yes, it can interact with the rest of the world. You can call external REST APIs.

 

Could I somehow send a request to a gadget, which then gave me a token for a given user? It would be quite a hack, but I'm willing to do anything at the moment to reach my goal. I can always make a nice solution for when our customer upgrades.

Is your goal to create a proof of concept that will just be demoed to them? Or is it something that the customer wants to use until they upgrade? Is this customer's system a lab system or a production system?

 

There are major security issues with passing the token like that, but if this is just a proof of concept, maybe it won't matter? If you make a simple REST API for the gadget to call and send the token, then the gadget can send the token over when the agent logs in. Maybe what you can do is:

  1. Log into the Finesse desktop where the gadget is in the layout. The gadget automatically calls the REST API that you created with the token.
  2. The gadget can automatically log the agent back out via REST API(or you can manually)
  3. Your application can retrieve the token from the REST API request from the gadget.
  4. The application uses the token to log in to the notification service and REST API.

Again, this should only be done if it is just a proof of concept.

 

If this is the customer's lab system, can you temporarily change it to SSO only? You do not need to change the non-SSO agent configuration. You will just not be able to use them for your test, which I assume wouldn't matter.

 

Thanx,

Denise

0 Helpful
Customers Also Viewed These Support Documents