Configure SAML authentication
Security Assertion Markup Language (SAML) authentication allows you to use common external identity providers (IdP) to authenticate user names and passwords for Calabrio ONE (the service provider, or SP). This method of user authentication and password management is commonly referred to as single sign-on (SSO).
If you are using SAML and you want to let your agents access their schedules outside of work through a third-party calendar such as Microsoft Outlook, Google Calendar, or Apple Calendar, select the “iCal Sync with SSO” check box on the Global Settings page for WFM.
NOTE Tenant administrators who have been added by a system administrator can always log in using their Calabrio ONE credentials. This is true even if Calabrio ONE authentication is disabled and another form of authentication (SAML or Active Directory) is enabled.
Configuring identity providers
Calabrio ONE integrates with all IdPs that support SAML 2.0 authentication. The following general parameters apply when configuring the SAML assertion in an IdP.
For more information about configuring specific IdPs
Assertion Component | Configuration |
---|---|
Attributes | The IdP must send an assertion containing your users’ email address as an attribute. This email address must match the address used for Calabrio ONE authentication. EXAMPLE: The specific name of the email attribute depends on the IdP that you use. The following are examples: |
Signatures | The SAML assertion must be signed. Assertions can be signed with the following algorithms: |
Key sizes | Encrypted assertions are supported only with a maximum key size of 128 bits. |
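The requirements in this table can be checked before the IdP is wired up, by running a sample assertion exported from the IdP through a structural pre-flight check. The PowerShell function below is an added example, not code from Calabrio ONE or from any IdP vendor. It confirms that the assertion carries a signature with an accepted algorithm, that the email attribute is present and matches the user's Calabrio ONE address, and, for an encrypted assertion, that the cipher key size does not exceed 128 bits. It inspects structure only and does not verify the XML signature cryptographically. The attribute name `email`, the accepted signature algorithm list (taken from the Okta steps later on this page), and the sample assertion with its placeholder digest and signature values are all constructed for this example.

```powershell
# Added example (not Calabrio ONE or IdP vendor code): structural pre-flight check of a
# SAML assertion against the requirements table above. No cryptographic verification.
function Test-SamlAssertionRequirements {
    param(
        [Parameter(Mandatory)][string]$AssertionXml,
        # IdP-specific attribute name; 'email' in the usage below is an assumption.
        [Parameter(Mandatory)][string]$EmailAttributeName,
        # The address the user authenticates to Calabrio ONE with; the attribute must match it.
        [Parameter(Mandatory)][string]$ExpectedEmail
    )
    # Accepted signature algorithms, taken from the Okta steps on this page (assumption).
    $allowedSigAlgs = @(
        'http://www.w3.org/2000/09/xmldsig#rsa-sha1',
        'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
    )
    $maxEncKeyBits = 128   # "Key sizes" row of the table above

    $doc = [xml]$AssertionXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',   'http://www.w3.org/2000/09/xmldsig#')
    $ns.AddNamespace('xenc', 'http://www.w3.org/2001/04/xmlenc#')
    $findings = @()

    # Key sizes: an encrypted assertion must use a data-encryption key of at most 128 bits.
    $encMethod = $doc.SelectSingleNode('/saml:EncryptedAssertion/xenc:EncryptedData/xenc:EncryptionMethod', $ns)
    if ($encMethod) {
        $alg = $encMethod.GetAttribute('Algorithm')
        if ($alg -match 'aes(\d+)-') {
            if ([int]$Matches[1] -gt $maxEncKeyBits) {
                $findings += "Encryption key size $($Matches[1]) bits exceeds $maxEncKeyBits bits"
            }
        } else {
            $findings += "Unrecognised encryption algorithm '$alg'; cannot confirm key size"
        }
        # The signed assertion is inside the ciphertext; signature and attribute checks need the decrypted XML.
        return [pscustomobject]@{ Passed = ($findings.Count -eq 0); Findings = $findings }
    }

    # Signatures: <saml:Assertion> itself must carry a ds:Signature using an accepted algorithm.
    $sigMethod = $doc.SelectSingleNode('/saml:Assertion/ds:Signature/ds:SignedInfo/ds:SignatureMethod', $ns)
    if (-not $sigMethod) {
        $findings += 'Assertion is not signed (no ds:Signature under saml:Assertion)'
    } elseif ($allowedSigAlgs -notcontains $sigMethod.GetAttribute('Algorithm')) {
        $findings += "Signature algorithm '$($sigMethod.GetAttribute('Algorithm'))' is not in the accepted list"
    }

    # Attributes: the email attribute must be present and match the Calabrio ONE login address.
    $emailNode = $doc.SelectSingleNode("/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name='$EmailAttributeName']/saml:AttributeValue", $ns)
    if (-not $emailNode) {
        $findings += "No attribute named '$EmailAttributeName' in the AttributeStatement"
    } elseif ($emailNode.InnerText.Trim() -ne $ExpectedEmail) {
        $findings += "Email attribute '$($emailNode.InnerText.Trim())' does not match expected '$ExpectedEmail'"
    }

    [pscustomobject]@{ Passed = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample assertion (not a real IdP response); DigestValue and SignatureValue are placeholders.
$sampleAssertion = @'
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://www.okta.com/exampleissuer</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_example1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>placeholder</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>placeholder</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">agent@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>agent@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
'@

$result = Test-SamlAssertionRequirements -AssertionXml $sampleAssertion -EmailAttributeName 'email' -ExpectedEmail 'agent@example.com'
$result | Format-List
```

Wrapping the same assertion in a `saml:EncryptedAssertion` whose `xenc:EncryptionMethod` names `aes256-cbc` produces a key-size finding, which is the failure mode the "Key sizes" row describes. An unsigned assertion, or one whose `ds:SignatureMethod` is not in the accepted list, is reported under the "Signatures" check.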
Calabrio ONE can integrate with both SP-initiated and IdP-initiated SAML, depending on the IdP that you use.
IdP | Supports SP-Initiated SAML | Supports IdP-Initiated SAML |
---|---|---|
Okta | Yes | Yes |
ADFS | Yes | Yes |
Azure | No | Yes |
Other IdPs | Varies | Varies |
NOTE For IdP-Initiated SAML using Azure AD, the Sign on URL field in the app in Azure AD must be empty.
Before you configure Okta, gather the following information from the Service Provider section on the Authentication page in Calabrio ONE and store it in an easy-to-access location:
- Single Sign On URL
- Entity ID
The following is an overview of how to configure Okta as your IdP:
- Create an Okta app.
- Configure the Okta app.
- Gather information about the Okta app.
- Configure Okta as an IdP in Calabrio ONE.
- Log in to Okta.
NOTE You must be a Super Administrator in Okta to create and configure an app.
- Navigate to Applications > Applications.
- Click Add Application.
- Click Create New App.
- In the Create New Application Integration dialog box, configure the fields as follows.

Field | Configuration |
---|---|
Platform | Select Web. |
Sign on method | Select SAML 2.0. |
- In the General Settings tab, configure the fields as follows.

Field | Configuration |
---|---|
App name | Enter a unique name for Calabrio ONE. |
App logo | (Optional) Upload an image to identify Calabrio ONE in Okta. |
App visibility | (Optional) Limit who can see the image in Okta. |
- Click Next.
- On the Configure SAML tab, configure the fields as follows.

NOTE If Advanced Settings is hidden, click Show Advanced Settings.

General

Field | Configuration |
---|---|
Single sign on URL | Copy and paste this URL from the Authentication page in Calabrio ONE. The URL is located in the Single Sign On URL field in the Service Provider section. Leave the Use this for Recipient URL and Destination URL check box selected (default). |
Audience URI (SP Entity ID) | Copy and paste this ID from the Authentication page in Calabrio ONE. The ID is located in the Entity ID field in the Service Provider section. |
Name ID format | Select EmailAddress. |
Application username | Select Email. |
Response | Select Signed. |
Assertion Signature | Select Signed. |
Signature Algorithm | Select either RSA-SHA1 or RSA-SHA256. |
Digest Algorithm | Select either RSA-SHA1 or RSA-SHA256. |
Assertion Encryption | Select Unencrypted. |
Enable Single Logout | Leave the Allow application to initiate Single Logout check box cleared (default). |
Authentication context class | Select PasswordProtectedTransport. |
Honor Force Authentication | Select Yes. |
SAML Issuer ID | Leave blank. |

Attribute Statements

Field | Configuration |
---|---|
Name | Enter a unique name. |
Name format | Select Unspecified. |
Value | Select user.email. |

NOTE You do not need to configure any attributes in the Group Attribute Statements section.
- Click Next.
- In the Feedback tab, select the Feedback option that is appropriate to your company’s use of Okta.
NOTE Your choice does not affect the ability of Calabrio ONE to use Okta as an IdP.
- Click Finish.
Gather information for Calabrio ONE from the Okta app
- Navigate to Applications > Applications, and then click the Okta app for Calabrio ONE.
- Select the Sign On tab.
- Click View Setup Instructions.
- Gather information about the Okta app from the following fields:

Field | Instructions |
---|---|
Identity Provider Single Sign-On URL | Copy the URL and store it in an easy-to-access location. |
Identity Provider Issuer | Copy the URL and store it in an easy-to-access location. |
X.509 Certificate | Download the certificate and store it in an easy-to-access location. |
- Refer to Configuring an Authentication Method to configure an Okta identity provider with Calabrio ONE and enable SAML authentication.
The following is an overview of how to configure single sign-on for Active Directory Federation Services (AD FS):
- Configure Relying Party Trust for your identity provider.
- Configure the LDAP email claim rule for the Calabrio ONE trust.
- Configure the incoming claim transform rule for the Calabrio ONE trust.
- Configure the secure hash algorithm and import your service provider certificate.
- Export your identity provider certificate.
- Configure an ADFS identity provider with Calabrio ONE and enable SAML authentication.
Configure Relying Party Trust for your identity provider
Configuring Relying Party Trust for your identity provider is a multistep procedure.
First, begin the Add Relying Party Trust Wizard.
- Open the Windows Server AD FS Management Console.
- Expand the Trust Relationships folder.
- Right-click the Relying Party Trusts folder, and then click Add Relying Party Trust to begin the Add Relying Party Trust Wizard.
- Click Start.
Next, configure Relying Party Trust with the Add Relying Party Trust Wizard.
- Choose Enter data about the relying party manually, and then click Next.
- Enter “Calabrio ONE” in the Display name field, and then click Next.
- Choose AD FS profile, and then click Next.
- Click Next on the Configure Certificate step. You do not need to specify an optional token encryption certificate.
- Select the Enable support for the SAML 2.0 WebSSO protocol check box, enter the Single Sign On URL (found under Service Provider on the Authentication page), and then click Next.
- Enter the Entity ID (found under Service Provider on the Authentication page) in the Relying party trust identifier field, click Add, and then click Next.
- Choose Permit all users to access this relying party, and then click Next.
- Click Next on the Ready to Add Trust step to complete configuration and add the relying party trust.
- Select the Open the Edit Claim Rules dialog for this relying party trust when the wizard closes check box, and then click Close. The Edit Claim Rules window opens automatically.
Configure the LDAP email claim rule for the Calabrio ONE trust
- Click Add Rule... under the Issuance Transform Rules tab in the Edit Claim Rules window.
- Select Send LDAP Attributes as Claims from the Claim rule template drop-down list, and then click Next.
- Enter “LDAP Email Address” in the Claim rule name field.
- Select Active Directory from the Attribute store drop-down list.
- Select E-Mail Addresses from the LDAP Attribute drop-down list.
- Select E-Mail Address from the Outgoing Claim Type drop-down list.
- Click Finish to complete configuration of this claim rule and add the incoming claim transform rule.
Configure the incoming claim transform rule for the Calabrio ONE trust
- Click Add Rule... under the Issuance Transform Rules tab in the Edit Claim Rules window.
- Select Transform an Incoming Claim from the Claim rule template drop-down list, and then click Next.
- Enter “Transform Email Address” in the Claim rule name field.
- Select E-Mail Address from the Incoming claim type drop-down list.
- Select Name ID from the Outgoing claim type drop-down list.
- Select Transient Identifier from the Outgoing name ID format drop-down list.
- Choose Pass through all claim values.
- Click Finish to complete configuration of this claim rule.
- Click OK to finish editing claim rules and close the Edit Claim Rules window.
Configure the secure hash algorithm and import your service provider certificate
- Open the Windows Server AD FS Management Console.
- Double-click the Calabrio ONE trust you created in the above step to open the Calabrio ONE Properties window.
- Click the Advanced tab, and then select SHA-1 from the Secure hash algorithm drop-down list.
- Click the Signature tab, and then click Add... and select your service provider certificate.
NOTE If you don’t see your service provider certificate, you might need to select All files (*.*) in the file-type filter in the lower left corner of the window.
- Click OK to finish editing the trust properties and close the Calabrio ONE Properties window.
Export your identity provider certificate
- Open the Windows Server AD FS Management Console.
- Expand the Certificates folder.
- Double-click the Token-signing certificate to open the Certificate window.
- Click the Details tab, and then click Copy to File... to begin the Certificate Export Wizard.
- Click Next to continue.
- Choose Base-64 encoded X.509 (.CER), and then click Next.
- Specify a unique file name and location to save the file, and then click Finish. A dialog box reporting that the export was successful should appear. Use the contents of the exported file to configure your IdP with Calabrio ONE.
- Refer to Configuring an Authentication Method to configure an ADFS identity provider with Calabrio ONE and enable SAML authentication.
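The AD FS procedure above, from creating the relying party trust through exporting the token-signing certificate, can also be run as a script in an elevated PowerShell session on the AD FS server. This is an added example, not Calabrio ONE's or Microsoft's own scripting. The two issuance transform rules are the claim rule language equivalents of the wizard templates the steps use (Send LDAP Attributes as Claims for "LDAP Email Address", Transform an Incoming Claim with Transient Identifier and pass-through for "Transform Email Address"), and the authorization rule is the "Permit all users" template. The URL, Entity ID and file paths marked PLACEHOLDER are assumptions: replace them with the Single Sign On URL and Entity ID from the Service Provider section of the Authentication page and with your own file locations.

```powershell
# Added example, not Calabrio ONE or Microsoft code. Run elevated on the AD FS server.
Import-Module ADFS

# PLACEHOLDER values: take these from the Service Provider section of the Authentication page
$ssoUrl     = 'https://PLACEHOLDER-calabrio-host/PLACEHOLDER-sso-path'   # Single Sign On URL
$entityId   = 'PLACEHOLDER-entity-id'                                     # Entity ID
$spCertPath = 'C:\PLACEHOLDER\calabrio-sp-cert.cer'   # service provider certificate to import (Signature tab)
$exportPath = 'C:\PLACEHOLDER\adfs-token-signing.cer' # Base-64 X.509 export of the IdP certificate

# Issuance transform rules: "LDAP Email Address" (mail -> E-Mail Address) and
# "Transform Email Address" (E-Mail Address -> Name ID, Transient Identifier, pass through all values)
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Email Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform Email Address"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient");
'@

# Issuance authorization rule: "Permit all users to access this relying party"
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# SAML 2.0 WebSSO endpoint: the Assertion Consumer Service is the Calabrio ONE Single Sign On URL
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $ssoUrl -Index 0 -IsDefault $true

# Service provider certificate for the Signature tab
$spCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($spCertPath)

$trust = @{
    Name                       = 'Calabrio ONE'                                  # Display name
    Identifier                 = $entityId                                       # Relying party trust identifier
    SamlEndpoint               = $acs
    SignatureAlgorithm         = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'    # Advanced tab: SHA-1
    RequestSigningCertificate  = $spCert
    IssuanceAuthorizationRules = $authzRules
    IssuanceTransformRules     = $transformRules
}
Add-AdfsRelyingPartyTrust @trust

# Export the primary token-signing certificate as Base-64 encoded X.509 (.CER)
# for the "Configuring an Authentication Method" step in Calabrio ONE.
$tokenSigning = Get-AdfsCertificate -CertificateType 'Token-Signing' | Where-Object { $_.IsPrimary }
$der = $tokenSigning.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $exportPath -Value $pem -Encoding Ascii
```

`Get-AdfsRelyingPartyTrust -Name 'Calabrio ONE'` afterwards shows the identifier, endpoint, signature algorithm and both rule sets, which is a quick way to compare the result against the wizard-created trust. The procedure above selects SHA-1; the same `SignatureAlgorithm` parameter accepts the `rsa-sha256` URI, and the Field descriptions below list SHA256 among the algorithms Calabrio ONE supports, so the two sides can be set to match if your organization prefers the stronger hash.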
Field descriptions
The following fields appear when you select Enable SAML Authentication.
Field | Description |
---|---|
Authentication URL | (Read-only) The URL for Calabrio ONE that directs you to the single sign-on URL. |
Entity ID | (Read-only) The entity ID provided by Calabrio ONE. Use this information to configure your IdP. |
Use Tenant Name in Entity ID | Select this check box to prepend the name of the tenant to the tenant’s public host name in the Entity ID. |
Single Sign On URL | (Read-only) The URL to send SAML responses to from the IdP. Use this information to configure the Assertion Consumer Service URL on your IdP. This URL supplied by Calabrio ONE is not the same as the Single Sign On URL provided by your IdP, which must be entered in the field under Enable SAML Authentication. |
SAML Signature Algorithm | The Default algorithm is configured by your organization. Other supported algorithms are SHA1, SHA256, and SHA512. |
SAML Digest Algorithm | The Default algorithm is configured by your organization. Other supported algorithms are SHA1, SHA256, and SHA512. |
Sign SAML Response | This box is selected by default. Clear this if you do not want to sign the SAML response. |
Service Provider Certificate | (Read-only) The certificate to configure your IdP with Calabrio ONE. You can use the default global certificate provided by Calabrio ONE (cloud deployments only) or upload a self-managed certificate and private key. |
Private Key | The private key for a self-managed service provider certificate. |
Managing service provider certificates for Calabrio ONE
Not all IdPs or IdP configurations require service provider certificates.
IdP | Certificate Required |
---|---|
ADFS | Yes |
Okta | No |
Other IdPs | Varies by configuration. |
If your IdP or IdP configuration requires a service provider certificate to integrate with Calabrio ONE, you have several options, depending on whether your Calabrio ONE deployment is in the cloud or on premises.
Deployment | Option |
---|---|
Cloud, On Premises | Use the default global certificate provided by Calabrio ONE. |
Cloud, On Premises | Import a self-managed certificate and private key. The certificate can be self-signed or it can come from a third party (for example, Verisign or DigiCert). The syntax of the private key must be PKCS 8. |
On Premises | On the server where you installed Calabrio ONE, save a self-managed certificate and private key in the shared configuration directory. This directory is the UNC path that was entered during Calabrio ONE installation. See the “Installing Calabrio ONE” section of the Calabrio ONE Installation Guide for On Premises Deployments. The certificate and private key must have the following names: The certificate can be self-signed or it can come from a third party (for example, Verisign or DigiCert). The syntax of the private key must be PKCS 8. |