Draft: PEC-Hybrid/Current/Admin/About

From Genesys Documentation
Revision as of 17:48, June 4, 2019 by Mwest (talk | contribs)
This is a draft page; the published version of this page can be found at PEC-Hybrid/Current/Admin/About.

{{Article |Standalone=Yes |DisplayName=Provisioning PureEngage Hybrid Integrations |Platform=PureEngage |TocName=Provisioning |ComingSoon=No |Context=This article describes the essential provisioning steps to enable a hybrid integration between PureEngage On-Prem deployments and Genesys PureCloud services. |Section=

Supported Services

About Provisioning

{{Section |sectionHeading=PureCloud Provisioning Steps |Type=Unstructured |freetext=Perform the following steps using the PureCloud Admin UI or the PureCloud API.

  1. For each PureEngage Service that uses a common service, you must create an OAuth client. This allows for better control and monitoring of the components using the PureCloud Services and for different rate limiting per client. It does not mean that on-premises components that are associated with one another cannot share a given client ID. Genesys recommends that you consult architecture before performing this step.
    1. Create a SAML2 Bearer OAuth Client for the client, such as PureEngage Workspace Desktop Edition, that needs to send a SAMLResponse to exchange for a PureCloud Access Token:
      1. In PureCloud Admin, select Integrations > OAuth, then click Add Client.
      2. Name the Client and select SAML2 Bearer as the Grant Type.
      3. Enter the Authorized redirect URI, for example: https://apps.mypurecloud.com
    2. As necessary, for each on-premises service, like the "Agent Pacing Service" (ewt), create OAuth Client Credentials grants:

      For more information about Permissions for Altocloud, see the Altocloud permissions overview.

  2. Create your SAML Certificate (public key) and private key:
    openssl req -new -x509 -days 3652 -nodes -out cert.pem -keyout key.pem

    Once you have created the two PEM files, perform the following steps:

    • Encode cert.pem into a base64 string (cert.pem.b64) using this command:
      openssl base64 -in cert.pem -out cert.pem.b64
    • Encrypt key.pem using a password that you specify:
      openssl rsa -in key.pem -out key.pem.enc -aes256
    • Encode the resulting content into a base64 string (key.pem.enc.b64) using this command:
      openssl base64 -in key.pem.enc -out key.pem.enc.b64
  3. Create a PureEngage Identity Provider (IDP). You can use the Identity Provider API via the PureCloud Developer Tools, SDKs, or Platform API.
    Sample Request:
    PUT https://api.{{environment}}/api/v2/identityproviders/pureengage
     
    {
       "name": "PureEngage",
       "autoProvisionUsers": true,
       "certificate": "Content of the cert.pem file without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- text blocks",
       "issuerURI": "http://www.genesys.com/pureengage",
       "ssoTargetURI": "http://example.com/target",
       "disabled": false
    }

    Troubleshooting:

    • Ensure that the IDP is set with "autoProvisionUsers" = "true"
    • Ensure that the issuer URI in your SAML assertion is the same as the issuer URI for the IDP.
    • Ensure that you don't have multiple issuers with the same URI.
  4. By default, Altocloud permissions are included in the Admin and AI Agent roles. Because auto-provisioned users are created with the employee role, which does not include Altocloud permissions, you must grant the Altocloud permissions to the employee role. You may grant Altocloud permissions to additional roles as needed.
  5. (Optional as needed) Create additional Admin accounts by adding people to your organization and assigning them to the Admin role.
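
The checks below are an added example, not Genesys code: they confirm that key.pem.enc from step 2 is passphrase-protected and matches cert.pem, then print the step 3 request body with the certificate markers stripped. The function names and the KEY_PASS environment variable are assumptions; the file names and URIs are the ones used on this page.

```shell
#!/bin/sh
# Added example (not Genesys code). File names follow steps 2 and 3 above;
# function names and the KEY_PASS variable are hypothetical.

# Print the base64 body of a PEM certificate on one line, without the
# -----BEGIN/END CERTIFICATE----- marker lines.
pem_body() {
    grep -v '^-----' "$1" | tr -d '\r\n'
}

# Succeed only if the key file is passphrase-protected. Depending on the
# OpenSSL version, "openssl rsa -aes256" writes a PKCS#8 header or a
# traditional PEM block carrying a Proc-Type header.
key_is_encrypted() {
    grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
            -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# Print the step 3 request body. Fails if given cert.pem.b64 by mistake:
# base64 of a whole PEM file starts with "LS0tLS1" (the encoded dashes).
idp_body() {
    body=$(pem_body "$1")
    case $body in
        ''|LS0tLS1*) echo "error: $1 is not a PEM certificate" >&2; return 1 ;;
    esac
    printf '{"name":"PureEngage","autoProvisionUsers":true,'
    printf '"certificate":"%s","issuerURI":"%s","ssoTargetURI":"%s","disabled":false}\n' \
        "$body" "$2" "$3"
}

# Succeed only if the certificate and the encrypted key share a public key.
# The passphrase is read from the KEY_PASS environment variable.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin env:KEY_PASS) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: KEY_PASS=... sh check.sh cert.pem key.pem.enc > idp.json
if [ "$#" -eq 2 ]; then
    key_is_encrypted "$2" || { echo "error: $2 is not encrypted" >&2; exit 1; }
    cert_matches_key "$1" "$2" || { echo "error: cert/key mismatch" >&2; exit 1; }
    idp_body "$1" "http://www.genesys.com/pureengage" "http://example.com/target"
fi
```

The -nodes option in step 2 leaves key.pem unencrypted on disk, so remove it or restrict access to it once key.pem.enc passes these checks.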

|Status=No }}

PureEngage On Premises: Transaction object for hybrid integrations

Opening Your Network

}}