Difference between revisions of "Draft: PEC-Hybrid/Current/Admin/About"
From Genesys Documentation
| Line 31: | Line 31: | ||
|Type=Unstructured | |Type=Unstructured | ||
|freetext=Perform the following steps using the PureCloud Admin UI or the PureCloud API. | |freetext=Perform the following steps using the PureCloud Admin UI or the PureCloud API. | ||
| − | + | <ol> | |
| − | + | <li>As necessary, for each on-premises service, create OAuth Client Credentials grants: | |
| − | + | <ul> | |
| − | + | <li>Using the UI, follow [https://help.mypurecloud.com/articles/create-an-oauth-client/ these steps],</li> | |
| − | For more information about the different kinds of Client Grants, see the [https://developer.mypurecloud.com/api/rest/authorization/ Authorization] reference.<br | + | <li>Or using the API, reference [https://developer.mypurecloud.com/api/rest/v2/oauth/ these endpoints].</li> |
| + | </ul> | ||
| + | For more information about the different kinds of Client Grants, see the [https://developer.mypurecloud.com/api/rest/authorization/ Authorization] reference.<br> | ||
For more information about Permissions for Altocloud, see the [https://help.mypurecloud.com/articles/altocloud-permissions-overview/ Altocloud permissions overview]. | For more information about Permissions for Altocloud, see the [https://help.mypurecloud.com/articles/altocloud-permissions-overview/ Altocloud permissions overview]. | ||
| − | + | </li> | |
| − | Sample Request:<br | + | <li>Create a PureEngage Identity Provider (IDP). You can use the Identity Provider API via the PureCloud Developer Tools, SDKs, or Platform API.<br> |
| + | Sample Request:<br> | ||
<source lang="text"> | <source lang="text"> | ||
PUT https://api.{{environment}}/api/v2/identityproviders/pureengage | PUT https://api.{{environment}}/api/v2/identityproviders/pureengage | ||
| Line 51: | Line 54: | ||
} | } | ||
</source> | </source> | ||
| − | + | <ul> | |
| + | <li>[https://developer.mypurecloud.com/developer-tools/#/api-explorer Developer Tools]<br> | ||
[[File:Hybrid_Identity_Provider_Tools_PureEngage.png|500px]] | [[File:Hybrid_Identity_Provider_Tools_PureEngage.png|500px]] | ||
| − | + | </li> | |
| + | <li>[https://developer.mypurecloud.com/api/rest/client-libraries/ SDKs]<br> | ||
[[File:Hybrid_Identity_Provider_SDK_PureEngage.png|500px]] | [[File:Hybrid_Identity_Provider_SDK_PureEngage.png|500px]] | ||
| − | + | <ul> | |
| − | + | <li>[https://developer.mypurecloud.com/api/rest/client-libraries/java/IdentityProviderApi.html Java]</li> | |
| − | + | <li>[https://developer.mypurecloud.com/api/rest/client-libraries/dotnet/IdentityProviderApi.html .NET]</li> | |
| − | + | <li>[https://developer.mypurecloud.com/api/rest/client-libraries/python/IdentityProviderApi.html Python]</li> | |
| + | </ul> | ||
| + | </li> | ||
| + | <li>[https://developer.mypurecloud.com/api/rest/v2/identityprovider/ Platform APIs]<br> | ||
[[File:Hybrid_Identity_Provider_API_PureEngage.png|500px]] | [[File:Hybrid_Identity_Provider_API_PureEngage.png|500px]] | ||
| − | + | </li> | |
| + | </ul> | ||
Authorization: | Authorization: | ||
| − | + | <ul> | |
| − | + | <li>Type: OAuth 2.0</li> | |
| − | + | <li>Access Token: request new token</li> | |
| − | + | <li>Add authorization data to: Request Headers</li> | |
| + | </ul> | ||
Troubleshooting: | Troubleshooting: | ||
| − | + | <ul> | |
| − | + | <li>Ensure that the IDP is set with "autoProvisionUsers" = "true"</li> | |
| − | + | <li>Ensure that the issuer URI in your SAML assertion is the same as the issuer URI for the IDP.</li> | |
| + | <li>Ensure that you don't have multiple issuers with the same URI.</li> | ||
| + | </ul> | ||
| − | + | </li> | |
| − | + | <li>By default, Altocloud permissions are included in the Admin and AI Agent roles. You may grant [https://help.mypurecloud.com/articles/altocloud-permissions-overview/ Altocloud permissions] to additional roles as needed. | |
| − | + | </li> | |
| + | <li>(Optional as needed) Create additional Admin accounts by [https://help.mypurecloud.com/articles/add-people-organization/ adding people to your organization] and [https://help.mypurecloud.com/articles/assign-roles-divisions-licenses-and-add-ons/ assigning them] to the Admin role.</li> | ||
| + | </ol> | ||
|Status=No | |Status=No | ||
| − | }}{{Section | + | }} |
| + | {{Section | ||
|sectionHeading=Transaction object for hybrid integrations | |sectionHeading=Transaction object for hybrid integrations | ||
|Type=Unstructured | |Type=Unstructured | ||
|anchor=TransactionObjHybrid | |anchor=TransactionObjHybrid | ||
| − | |freetext=A transaction object is needed for Genesys components to authenticate with Genesys Cloud. | + | |freetext=A transaction object is needed for Genesys components to authenticate with Genesys Cloud. |
| − | + | <ol> | |
| − | + | <li>Create a transaction object (and alias) of type '''list''' named '''hybrid_integration''' in the '''Script''' folder of the '''Environment''' tenant. | |
| − | + | <ul> | |
| − | + | <li>Usage characteristics: the transaction object should be acquired at start-up and used until the component gets an error from a given API call. If an error occurs, your component should retrieve the hybrid_integration object from config server and try again. If the component still has problems, your component should end the associated processing with an error.</li> | |
| − | + | <li>Tenant characteristics: the transaction object should be cretaed at the Environment level so it can be shared by multiple tenants. The transaction object allows for support of both single tenant and multi-tenant Configuration Servers. This can be overridden by putting the object in under a specific tenant level.</li> | |
| − | + | </ul> | |
| − | + | </li> | |
| − | + | <li>Create the following Object options in the '''general''' section: | |
| − | + | <ul> | |
| − | + | <li>'''organization_sname''': The PureCloud organization short name for this tenant.</li> | |
| − | + | <li>'''organization_id''': The PureCloud organization id for this tenant.</li> | |
| − | + | <li>'''default_agent_role_name''': The default PureCloud agent role name.</li> | |
| − | + | <li>'''default_supervisor_role_name''': The default PureCloud supervisor role name.</li> | |
| − | + | <li>'''default_admin_role_name''': The default PureCloud admin role name.</li> | |
| − | + | <li>'''base_auth_url''': The base auth URL that can be used for any PureCloud service; for example: '''base_auth_url''' should be <nowiki>https://[region_host]/oauth/token</nowiki>. <nowiki>[region_host]</nowiki> is the authentication-based FQDN for the region; the regions are listed on [https://developer.mypurecloud.com/api/rest/ this page].</li> | |
| − | + | <li>'''base_service_url''': The base URL that can be used for any PureCloud service; for example: '''base_service_url''' should be <nowiki>https://[region_host]/api/</nowiki>. <nowiki>[region_host]</nowiki> should be the API-based FQDN for the region; the regions are listed on [https://developer.mypurecloud.com/api/rest/ this page]. The rest of the URL is PureCloud service and version specific; for example: '''...v2/conversations'''. The '''base_service_url''' and the service specific portion is combined in your component code.</li> | |
| − | + | </ul> | |
| − | + | </li> | |
| + | <li>Create the following Object options in the '''saml''' section: | ||
| + | <ul> | ||
| + | <li>'''issuer''': The SAML IDP URI that you created in the PureCloud Provisioning steps above (for example: <nowiki>https://www.genesys.com/pureengage</nowiki>).</li> | ||
| + | <li>'''certificate''': The public key of the SAML related certificate (a base64 PEM encoded key).</li> | ||
| + | <li>'''pkey''': The encrypted SAML related certificate private key (a private key encrypted in aes256 with a password (see password option below) and encoded in base64).</li> | ||
| + | <li>'''password''': The password to decrypt the private key.</li> | ||
| + | <li>'''expire_time''': The expiration time (in hours) for the access token. The default is 24 hours. This might be overridden on the server side.<br> | ||
| + | Certificate is base64 string created from PEM file by using this command:<br> | ||
<source lang="text"> | <source lang="text"> | ||
openssl base64 -in cert.pem -out result _file_name | openssl base64 -in cert.pem -out result _file_name | ||
</source> | </source> | ||
| − | + | Pkey is also based64 string but requires additional command to create encrypted private key:<br> | |
<source lang="text"> | <source lang="text"> | ||
openssl pkcs8 -topk8 -inform PEM -outform PEM -in saml.pem -out <span>key.pem</span> -nocrypt | openssl pkcs8 -topk8 -inform PEM -outform PEM -in saml.pem -out <span>key.pem</span> -nocrypt | ||
| Line 107: | Line 130: | ||
openssl rsa -in key.pem -out key_protected.pem -aes256openssl base64 -in key_protected.pem -out result _file_name | openssl rsa -in key.pem -out key_protected.pem -aes256openssl base64 -in key_protected.pem -out result _file_name | ||
</source> | </source> | ||
| − | + | </li> | |
| − | + | </ul> | |
| − | + | </li> | |
| − | + | <li>To allow for better control and monitoring of the components using PureCloud Services, for each PureEngage Service that uses a common service you must create multiple sections, one for each OAuth client, in Configuration Server to allow for better control and monitoring of the components using the PureCloud Services and for different rate limiting per client. This does not mean that if you have ''n'' number of components on premises that are associated with one another, they cannot share a given client id.<br /> | |
| − | + | Genesys recommends that you consult architecture before performing this step. | |
| − | + | ||
| − | + | Create the following two options in each section: | |
| − | + | <ul> | |
| − | + | <li>'''client_id''': The Client Credential Grant Client ID.</li> | |
| − | + | <li>'''password''': The Client Credential Grant Client secret.</li> | |
| − | + | </ul> | |
| + | For example: | ||
| + | <ul> | ||
| + | <li>Create the following Object options in the '''saml_auth''' section for the OAuth client for SAML Authentication from the client (such as Workspace Desktop Edition): | ||
| + | <ul> | ||
| + | <li>'''client_id'''</li> | ||
| + | <li>'''password'''</li> | ||
| + | </ul> | ||
| + | </li> | ||
| + | <li>For each Service or component using a Genesys API, such as the Agent Pacing Service, create the following Object options in the '''ewt''' section for the pacing engine to connect to PureCloud: | ||
| + | <ul> | ||
| + | <li>'''client_id'''</li> | ||
| + | <li>'''password'''</li> | ||
| + | </ul> | ||
| + | </li> | ||
| + | </ul> | ||
| + | </li> | ||
| + | </ol> | ||
|Status=No | |Status=No | ||
| − | }}{{Section | + | }} |
| + | {{Section | ||
|sectionHeading=Opening Your Network | |sectionHeading=Opening Your Network | ||
|Type=Unstructured | |Type=Unstructured | ||
Revision as of 15:54, May 28, 2019
This is a draft page; the published version of this page can be found at PEC-Hybrid/Current/Admin/About.
Contents
This article describes the essential provisioning steps to enable a hybrid integration between PureEngage On-Prem deployments and Genesys PureCloud services.