Difference between revisions of "Draft: PEC-Hybrid/Current/Admin/About"

Revision as of 16:11, June 4, 2019

This is a draft page; the published version of this page can be found at PEC-Hybrid/Current/Admin/About.

{{Article |Standalone=Yes |DisplayName=Provisioning PureEngage Hybrid Integrations |Platform=PureEngage |TocName=Provisioning |ComingSoon=No |Context=This article describes the essential provisioning steps to enable a hybrid integration between PureEngage On-Prem deployments and Genesys PureCloud services. |Section=

Supported Services

About Provisioning

{{Section

|sectionHeading=PureCloud Provisioning Steps |Type=Unstructured |freetext=Perform the following steps using the PureCloud Admin UI or the PureCloud API.

To allow for better control and monitoring of the components using PureCloud Services, for each PureEngage Service that uses a common service you must create an OAuth client to allow for better control and monitoring of the components using the PureCloud Services and for different rate limiting per client. This does not mean that if you have n number of components on premises that are associated with one another, they cannot share a given client id. Genesys recommends that you consult architecture before performing this step.
1. Create a SAML2 Bearer OAuth Client for the client, such as PureEngage Workspace Desktop Edition, that needs to send a SAMLResponse to exchange for a PureCloud Access Token:
  1. In PureCloud Admin, select Integrations>OAuth, then click Add Client.
  2. Name the Client and select SAML2 Bearer as the Grant Type.
  3. Enter the Authorized redirect URI, for example: https://apps.mypurecloud.com
2. As necessary, for each on-premises service, like the "Agent Pacing Service" (ewt), create OAuth Client Credentials grants:
  - Using the UI, follow these steps,
  - Or using the API, reference these endpoints.
  For more information about Permissions for Altocloud, see the Altocloud permissions overview.
Create your SAML Cert and key. Certificate is base64 string created from PEM file by using this command:
```
openssl req -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
```
Pkey is also based64 string but requires additional command to create encrypted private key:
```
openssl pkcs8 -topk8 -inform PEM -outform PEM -in saml.pem -out key.pem -nocrypt
```
Once you have created the two PEM files perform the following steps:
- Encode saml.pem into a base64 string (=>’saml.pem.b64’) using this command:
```
openssl base64 -in saml.pem -out saml.pem.b64
```
- Encrypt the key.pem using a password that you specify
```
openssl rsa -in key.pem -out key.pem.enc -aes256
```
- Encode the resulting content into a base64 string (=>’key.pem.enc.b64’) using this command:
```
openssl base64 -in key.pem.enc -out key.pem.enc.b64
```
Create a PureEngage Identity Provider (IDP). You can use the Identity Provider API via the PureCloud Developer Tools, SDKs, or Platform API.
Sample Request:
```
PUT https://api.{{environment}}/api/v2/identityproviders/pureengage
 
{
   "name": "PureEngage",
   "autoProvisionUsers": true,
   "certificate": "Content of the saml.pem file",
   "issuerURI": "http://www.genesys.com/pureengage",
   "ssoTargetURI": "http://example.com/target",
   "disabled": false
}
```
- Developer Tools
- SDKs
  - Java
  - .NET
  - Python
- Platform APIs
Troubleshooting:
- Ensure that the IDP is set with "autoProvisionUsers" = "true"
- Ensure that the issuer URI in your SAML assertion is the same as the issuer URI for the IDP.
- Ensure that you don't have multiple issuers with the same URI.
By default, Altocloud permissions are included in the Admin and AI Agent roles. As auto-provisioned users are created with the employee role, which does not include Altocloud permissions. You must grant the [Altocloud permissions to the employee role. You may grant Altocloud permissions to additional roles as needed.
(Optional as needed) Create additional Admin accounts by adding people to your organization and assigning them to the Admin role.

|Status=No }}

PureEngage On Premises: Transaction object for hybrid integrations

Opening Your Network

}}

@@ Line 50: / Line 50: @@
 |freetext=Perform the following steps using the PureCloud Admin UI or the PureCloud API.
 <ol>
-<li>As necessary, for each on-premises service, create OAuth Client Credentials grants:
+<li>To allow for better control and monitoring of the components using PureCloud Services, for each PureEngage Service that uses a common service you must create an OAuth client to allow for better control and monitoring of the components using the PureCloud Services and for different rate limiting per client. This does not mean that if you have n number of components on premises that are associated with one another, they cannot share a given client id.
+Genesys recommends that you consult architecture before performing this step.
+<ol type="a">
+<li>Create a SAML2 Bearer OAuth Client for the client, such as PureEngage Workspace Desktop Edition, that needs to send a SAMLResponse to exchange for a PureCloud Access Token:
+<ol type="i">
+<li>In '''PureCloud Admin''', select '''Integrations'''>'''OAuth''', then click '''Add Client'''.</li>
+<li>Name the Client and select '''SAML2 Bearer''' as the '''Grant Type'''.</li>
+<li>Enter the Authorized redirect URI, for example: <nowiki>https://apps.mypurecloud.com</nowiki><br>
+[[File:Hybrid_SAML2Bearer_Creation.png|500px]]
+</li>
+</ol>
+</li>
+<li>As necessary, for each on-premises service, like the "Agent Pacing Service" ('''ewt'''), create OAuth Client Credentials grants:
 <ul>
 <li>Using the UI, follow [https://help.mypurecloud.com/articles/create-an-oauth-client/ these steps],</li>
@@ Line 56: / Line 69: @@
 </ul>
 For more information about Permissions for Altocloud, see the [https://help.mypurecloud.com/articles/altocloud-permissions-overview/ Altocloud permissions overview].
-</li>
-<li>Create SAML2 Bearer OAuth Client for the required credentials needed to send SAMLResponse to exchange for a PureCloud Access Token.
-<ol type="a">
-<li>In '''PureCloud Admin''', select '''Integrations'''>'''OAuth''', then click '''Add Client'''.</li>
-<li>Name the Client and select '''SAML2 Bearer''' as the '''Grant Type'''.</li>
-<li>Enter the Authorized redirect URI, for example: <nowiki>https://apps.mypurecloud.com</nowiki><br>
-[[File:Hybrid_SAML2Bearer_Creation.png|500px]]
 </li>
 </ol>
@@ Line 68: / Line 74: @@
 <li>Create your SAML Cert and key. Certificate is base64 string created from PEM file by using this command:<br>
 <source lang="text">
-openssl base64 -in cert.pem -out result _file_name
+openssl req -new -x509 -days 3652 -nodes -out saml.crt -keyout saml.pem
 </source>
 Pkey is also based64 string but requires additional command to create encrypted private key:<br>
 <source lang="text">
-openssl pkcs8 -topk8 -inform PEM -outform PEM -in saml.pem -out <span>key.pem</span> -nocrypt
+openssl pkcs8 -topk8 -inform PEM -outform PEM -in saml.pem -out key.pem -nocrypt
-openssl rsa -in key.pem -out key_protected.pem -aes256openssl base64 -in key_protected.pem -out result _file_name
 </source>
 Once you have created the two PEM files perform the following steps:
@@ Line 83: / Line 87: @@
 </source>
 </li>
-<li>Encrypt the saml.pkcs using a password (=>’saml.pkcs.enc.password’) and then encode the resulting content into a base64 string (=>’saml.pkcs.enc.b64’) using this command:
+<li>Encrypt the key.pem using a password that you specify
 <source lang="text">
-openssl rsa -in saml.pkcs8 -out saml.pkcs8.enc -aes256
+openssl rsa -in key.pem -out key.pem.enc -aes256
 </source>
-(specify the value of saml.pkcs.enc.password when prompted)
+</li>
+<li>Encode the resulting content into a base64 string (=>’key.pem.enc.b64’) using this command:
 <source lang="text">
-openssl base64 -in saml.pkcs8.enc -out saml.pkcs8.enc.b64
+openssl base64 -in key.pem.enc -out key.pem.enc.b64
 </source>
 </li>
@@ Line 102: / Line 107: @@
     "name": "PureEngage",
     "autoProvisionUsers": true,
-    "certificate": "-----INSERT CERTIFICATE GENERATED IN STEP 3-----",
+    "certificate": "Content of the saml.pem file",
     "issuerURI": "http://www.genesys.com/pureengage",
     "ssoTargetURI": "http://example.com/target",
@@ Line 131: / Line 136: @@
 </ul>
 </li>
-<li>Request Access Token as SAML IDP:
+<li>By default, Altocloud permissions are included in the Admin and AI Agent roles. As auto-provisioned users are created with the '''employee''' role, which does not include Altocloud permissions. You must grant the [[https://help.mypurecloud.com/articles/altocloud-permissions-overview/ Altocloud permissions] to the employee role. You may grant Altocloud permissions to additional roles as needed.</li>
-<ol type="a">
-<li>Create SAML Response Assertion to automatically provision users with the desired role in PureCloud. The following is sample code. Do not copy/paste this code. You must populate the code with the values particular to your organization:<br>
-<source lang="xml">
-<?xml version="1.0" encoding="UTF-8"?>
-<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="xxxxxxxx" IssueInstant="2019-02-08T18:18:43.979Z" Version="2.0">
-  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">http://www.genesys.com/pureengage</saml2:Issuer>
-  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
-    <ds:SignedInfo>
-      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
-      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
-      <ds:Reference URI="#b4d16943-17a8-45ed-adfc-c3db20cadd75">
-        <ds:Transforms>
-          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
-          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
-            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/>
-          </ds:Transform>
-        </ds:Transforms>
-        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
-        <ds:DigestValue>EiF51HI9wRntjC+aJ1M/2/0LfFo=</ds:DigestValue>
-      </ds:Reference>
-    </ds:SignedInfo>
-    <ds:SignatureValue>xxxxx</ds:SignatureValue>
-    <ds:KeyInfo>
-      <ds:X509Data>
-        <ds:X509Certificate>xxxxx</ds:X509Certificate>
-      </ds:X509Data>
-    </ds:KeyInfo>
-  </ds:Signature>
-  <saml2p:Status>
-    <saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
-  </saml2p:Status>
-  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="d87bb408-523d-496f-a65e-775f986b6813" IssueInstant="2019-02-08T18:18:43.976Z" Version="2.0">
-    <saml2:Issuer>http://www.genesys.com/pureengage</saml2:Issuer>
-    <saml2:Subject>
-      <saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">chuckcustomer@example.com</saml2:NameID>
-      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
-        <saml2:SubjectConfirmationData NotOnOrAfter="2019-02-09T18:18:43.969Z"/>
-      </saml2:SubjectConfirmation>
-    </saml2:Subject>
-    <saml2:AuthnStatement AuthnInstant="2019-02-08T18:18:42.870Z">
-      <saml2:AuthnContext>
-        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
-      </saml2:AuthnContext>
-    </saml2:AuthnStatement>
-    <saml2:AttributeStatement>
-      <saml2:Attribute Name="OrganizationName">
-        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">chuckcustomer</saml2:AttributeValue>
-      </saml2:Attribute>
-    </saml2:AttributeStatement>
-  </saml2:Assertion>
-</source>
-'''Note:''' By default, auto-provisioned users are created with the "employee" role, which does not include Altocloud permissions. To provision users with Altocloud permissions, reference the "AI Admin" role in the SAMLResponse.
-</li>
-<li>Request PureCloud access token with SAMLResponse (assertion):<br>
-Using Curl:
-<source lang="text">
-curl -X POST -u "978e01b1-2549-4fb6-8fab-26b9d513ea81:bJgyH77VGAa-qZd11I-FtaTKdkAkPTJBmTY4SYSGWVU" \
-https://login.inindca.com/token \
--d grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer \
--d assertion=<SAMLResponse with assertion>
--d orgName=chuckcustomer
-</source>
-Or, using Java:
-<source lang="java">
-CloseableHttpClient client = HttpClients.createDefault();
-try {
-    HttpPost httpPost = new HttpPost(loginHost + "/oauth/token");
-    List<NameValuePair> params = new ArrayList<>();
-    params.add(new BasicNameValuePair("grant_type", "urn:ietf:params:oauth:grant-type:saml2-bearer"));
-    params.add(new BasicNameValuePair("orgName", orgName));
-    params.add(new BasicNameValuePair("assertion", assertion));
-    httpPost.setEntity(new UrlEncodedFormEntity(params));
-    UsernamePasswordCredentials creds = new UsernamePasswordCredentials(clientId, clientSecret);
-    String basicAuth = new BasicScheme().authenticate(creds, new org.apache.commons.httpclient.methods.PostMethod());
-    httpPost.addHeader("Authorization", basicAuth);
-    ResponseHandler<String> responseHandler = new ResponseHandler<String>() {
-        @Override
-        public String handleResponse(
-                final HttpResponse response) throws ClientProtocolException, IOException {
-            int status = response.getStatusLine().getStatusCode();
-            if (status >= 200 && status < 300) {
-                HttpEntity entity = response.getEntity();
-                return entity != null ? EntityUtils.toString(entity) : null;
-            } else {
-                throw new ClientProtocolException("Unexpected response status: " + status + " correlation Id: " + response.getFirstHeader("ININ-Correlation-Id"));
-            }
-        }
-    };
-    String responseBody = client.execute(httpPost, responseHandler);
-    System.out.println(responseBody);
-    ObjectMapper mapper = new ObjectMapper();
-    final AuthResponse authResponse = mapper.readValue(responseBody, AuthResponse.class);
-    return authResponse;
-} finally {
-    client.close();
-}
-</source>
-</li>
-<li>Request users/me details from new access token using PureCloud SDK:<br>
-<source lang="text">
-UsersApi api = new UsersApi(ApiClient.Builder.standard().withBasePath(apiHost).withAccessToken(authResponse.getAccess_token()).build());
-UserMe me = api.getUsersMe(new GetUsersMeRequest() {{ setExpand(Arrays.asList("authorization","organization","orgproducts","token"));}});
-ObjectMapper mapper = new ObjectMapper();
-System.out.println("User Details\n" + mapper.writerWithDefaultPrettyPrinter().writeValueAsString(me));
-</source>
-</li>
-</ol>
-</li>
-<li>By default, Altocloud permissions are included in the Admin and AI Agent roles. You may grant [https://help.mypurecloud.com/articles/altocloud-permissions-overview/ Altocloud permissions] to additional roles as needed.
-</li>
 <li>(Optional as needed) Create additional Admin accounts by [https://help.mypurecloud.com/articles/add-people-organization/ adding people to your organization] and [https://help.mypurecloud.com/articles/assign-roles-divisions-licenses-and-add-ons/ assigning them] to the Admin role.</li>
 </ol>