Set up SAML 2.0 single sign-on via an identity provider

BoldChat provides Single Sign-On support based on the SAML 2.0 protocol. It accepts SAML Assertions passed in the SAMLResponse parameter; the NameID of the authenticated user is a mandatory claim.

On the Identity Provider (IdP) side you must set up the connection with the following parameters:

  • Protocol type: SAML 2.0
  • Service type: AssertionConsumerService
  • Binding type: HTTP-POST
  • WantAssertionsSigned: True

Alternatively, you can set up the connection using the BoldChat metadata XML below that contains the required parameters.

Note: Change both instances of xxxxxxxxxx to your account ID. You can find your BoldChat SSO URL on the settings form. Change both instances of yyyyyyyyyy to the web client host for your data residency region:
  • USA data center: web.boldchat.com
  • EU data center: web-eu.boldchat.com

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EntityDescriptor entityID="https://yyyyyyyyyy/aid/xxxxxxxxxx/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://yyyyyyyyyy/aid/xxxxxxxxxx/"/>
  </SPSSODescriptor>
</EntityDescriptor>

  1. Go to Setup > General Account Settings > Single Sign-On and select the Main Setup tab. Remember: You must configure SSO on the Identity Provider side first.
  2. Click Test to check the authentication process. You are redirected to the Identity Provider's URL in a popup. If you get a SAMLResponse back from the Identity Provider, its response is presented on this settings form. If no SAMLResponse parameter is returned, or you simply misconfigured your URL, the popup window may stay open.
    Important: The Identity Provider URL must be a common link that authenticates the user and redirects them to the BoldChat SSO URL with the SAMLResponse token, provided the user has the necessary rights.
    Result: SAMLResponse is returned
    Description: The response is presented in the form. Note: Copy the public key for later use.

    Result: SAMLResponse is not returned
    Description: The popup may stay open. It is likely that you have simply misconfigured your URL.

  3. Check that NameID is a mandatory claim in the SAMLResponse token. You must add this claim on the Identity Provider side as a unique attribute of the authenticated user, for example their e-mail address. When you map an authenticated user later on, the NameID value must match the SSO Name ID field of the operator record.
  4. Under the Public Key Setup tab, paste the public key of your signed SAMLResponse token that you received in Step 2.
  5. Save the public key.
  6. Set up the agent workspace. To access Agent Workspace by SSO, use the following URL format:
      • https://agent.boldchat.com/sso/account-id/ACCOUNTID (Replace ACCOUNTID with your account ID)
      • https://agent.boldchat.com/sso/username/USERNAME (Replace USERNAME with your username)
  7. To set up the desktop operator client, do one of the following steps. Note: You can use the desktop Operator Client in SSO mode with version 7.40 or newer.
    • Go to Start Menu > All Programs > SSO Mode.
    • Use the following registry scripts.
    • SSO Launch Enabled Registry Script:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BoldChat-SSOAID"="xxxxxxxxxx"
"BoldChat-SSOENA"="True"
    • SSO Launch Disabled Registry Script:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BoldChat-SSOENA"="False"

  8. Set up the web client SSO and launch the lookup mode with either of the following URLs:

  9. Check that parsing was successful to ensure that BoldChat servers understand the response as a SAML 2.0 Assertion Token.

Remember: First you must make sure that the SAMLResponse token is returned correctly.

After the parsing completes, check the following:

  • Issuer found: A required attribute in the SAML 2.0 protocol
  • IssueInstant: A required attribute that contains the issuer timestamp. It must be in UTC format by default. BoldChat accepts tokens within a valid time frame.
  • NameID: Required for mapping a BoldChat operator record with the authenticated user.
  • Public key: Required and must be stored in BoldChat settings as well for signature validation.
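The four post-parsing checks listed above, as an added Python example (not BoldChat's own code): it decodes a SAMLResponse parameter and reports whether the Assertion carries an Issuer, an IssueInstant in UTC within a clock-skew window, a NameID, and a Signature element. The sample response, the IdP URL and the five-minute skew window are constructed assumptions; cryptographic verification of the signature against the stored public key needs an XML-DSig library and is not performed here.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_utc(ts):
    """Parse a SAML timestamp such as 2024-05-01T12:00:00Z; None unless it is ISO-8601 in UTC."""
    try:
        dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except (ValueError, AttributeError):  # attribute absent or malformed
        return None
    return dt if dt.utcoffset() == timedelta(0) else None

def check_saml_xml(xml_text, now, max_skew=timedelta(minutes=5)):
    """Run the four post-parsing checks on a decoded SAML 2.0 Response document."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:  # no Assertion: every lookup below fails, every check reports False
        assertion = ET.Element("missing")
    issued, current = parse_utc(assertion.get("IssueInstant")), parse_utc(now)
    results = {
        "issuer_found": bool((assertion.findtext("saml:Issuer", namespaces=NS) or "").strip()),
        # "within a valid time frame": reject stale or future-dated assertions beyond max_skew
        "issue_instant_valid": bool(issued and current and abs(current - issued) <= max_skew),
        "name_id_found": bool((assertion.findtext("saml:Subject/saml:NameID", namespaces=NS) or "").strip()),
        "signature_present": assertion.find("ds:Signature", NS) is not None,
    }
    results["all_ok"] = all(results.values())
    return results

def check_saml_response(saml_response_b64, now):
    """Decode the SAMLResponse form parameter (Base64-encoded XML) and check it."""
    return check_saml_xml(base64.b64decode(saml_response_b64), now)

# Constructed sample response (not a real IdP capture); the signature value is a placeholder.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="https://web.boldchat.com/aid/xxxxxxxxxx/">
 <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>agent@example.test</saml:NameID></saml:Subject>
 </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE_B64, "2024-05-01T12:02:00Z"))
```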