Using Single Sign On (SSO)
- This feature might not be available to all customers.
- The activity-based SLO feature is not supported. Therefore, use the saml_landingpage property in the gax.properties file to configure the logout URL.
- Once SSO is enabled and after logging into GAX, the Change Password link may not work. You can manage the user passwords in the IdP-based user account directory.
- When implementing SSO for GAX where token-based authentication used, if the name of Configuration Server application object is different than confserv, add a new section with name confserv under Application Options of the Configuration Server object and then copy the database-guid option with its value and paste it under the newly created confserv section . After this change, please restart GAX.
- Token-based authentication must be enabled as described in Secure Communication with Configuration Server.
You can set up Genesys Administrator Extension to use Single Sign On (SSO), so that users can use existing credentials (for example, a corporate login and password) to access GAX. When these users log out of GAX, they are simultaneously logged out of other SSO-supported applications.
GAX uses SAML2 to enable SSO.
By default, SSO is not enabled in GAX. To enable this feature, refer to the following procedure.
- On the host machine, open the GAX_HOME folder (the folder in which you installed GAX) and create a sub-folder called saml.
- Open the saml folder and create a sub-folder called sp.
- Access the metadata file from the IdP (identity provider). Open the gax.properties file in the GAX_HOME/conf folder and set the saml_idp_metadata option to one of the following:
- http://location—The web location of the IdP metadata file.
- filename—The path and file name of the IdP metadata file of the local machine.
- Download the Service Provider metadata file from GAX by opening a browser and navigating to the following location: http://host:port/gax/saml/metadata, where host:port is the IP name and port number for the GAX installation.
You must use the host name or IP address to access the metadata file. You cannot specify localhost
- Copy the downloaded metadata file, sp.xml, to the following folder on the host machine: GAX_HOME\saml\sp.
- Upload the sp.xml metadata file to the IdP server. The following is an example of a typical location on the IdP server: /home/ubuntu/idp/metadata/my_sp.xml.
- Log in to the IdP server and edit the conf/relying-party.xml file by adding the following metadata provider:
<metadata:MetadataProvider id="uniqueID" xsi:type="metadata:FilesystemMetadataProvider"
You must use a unique ID for metadata:MetadataProvider id
- Restart the IdP server.
- On the host machine, edit the gax.properties file in the GAX_HOME folder and specify options for the following properties:
- saml_entityid—Your unique ID for IdP. This is the same ID specified in relying-party.xml.
- saml_landingpage—The SSO landing page.
The following options are not mandatory to enable SSO in GAX. However, if you prefer to use customized Java Keystore file instead of the default JKS, these options can be added to the gax.properties
- saml_jksfilelocation—The location/path of the custom Java KeyStore (.jks) file. If this is not configured, the JKS file in the classpath is used.
- saml_jkspassword—The custom KeyStore password. It is required when the saml_jksfilelocation option is set for a custom JKS file.
- saml_signingkeyname—The custom key file name. It is required when the saml_jksfilelocation option is set for a custom JKS file.
- saml_signingkeypassword—The custom key file password. It is recommended to set the same password as saml_jkspassword and it is an optional parameter.
- Restart GAX.
If SSO is enabled, but the metadata of the Service Provider (GAX) or IdP is incorrect, GAX logs the error and directs the user to the non-SAML login page