I'm currently stuck implementing SSO in RightNow using SAML 2.0. From what I have read in the RightNow documents, it supports SAML 2.0 but with a few caveats, like sending the signing certificate with the SAML response and not supporting importing metadata into RightNow. I'm integrating RightNow with Oracle Identity Federation (11.1.1.6) and am a little stuck on the way forward. Ideally, when integrating an application for SSO, we have the metadata that helps in setting up the Service Provider (ideally this is the application that requires the SSO service). But I am unable to figure out how to set up the RightNow application as a Service Provider in the absence of Provider Metadata! Is there a way in RightNow to generate and download the metadata? If not, how do I go about configuring it? Are there any examples you can point me to that show how to do it?
I appreciate your time and effort, guys. Thank you in advance.
@Andy - the metadata file:
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://myorg--test.custhelp.com/fed/sp"
                     validUntil="2023-05-07T16:44:40.193Z">
  <!-- Replace myorg--test.custhelp.com with your site host and myorg.cfg with your interface name. -->
  <!-- An enveloped ds:Signature over this document may go here. Leave it out entirely rather than
       emitting an empty <ds:Signature/>, which does not validate against the xmldsig schema. -->
  <md:SPSSODescriptor WantAssertionsSigned="false" AuthnRequestsSigned="false"
                      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <!-- X509_CERTIFICATE: base64 DER of the signing certificate (the PEM body without the
               BEGIN/END lines), the same certificate that was uploaded to RightNow. -->
          <ds:X509Certificate>X509_CERTIFICATE</ds:X509Certificate>
          <ds:X509IssuerSerial>
            <ds:X509IssuerName>X509_ISSUER_NAME</ds:X509IssuerName>
            <!-- X509_SERIAL_NUMBER is an xs:integer: use the decimal value, not the hex openssl prints. -->
            <ds:X509SerialNumber>X509_SERIAL_NUMBER</ds:X509SerialNumber>
          </ds:X509IssuerSerial>
          <ds:X509SubjectName>X509_SUBJECT_NAME</ds:X509SubjectName>
        </ds:X509Data>
      </ds:KeyInfo>
      <!-- Encryption algorithms advertised to the IdP; rsa-1_5 and tripledes-cbc are legacy,
           keep them only if the IdP requires them. -->
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes192-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified</md:NameIDFormat>
    <!-- The SSO launch URL the IdP POSTs the SAML Response to. -->
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://myorg--test.custhelp.com/cgi-bin/myorg.cfg/php/admin/sso_launch.php?p_subject=Account.Login"
                                 index="0" isDefault="true"/>
    <md:AttributeConsumingService index="0" isDefault="true">
      <md:ServiceName xml:lang="en">https://myorg--test.custhelp.com/cgi-bin/myorg.cfg/php/admin/sso_launch.php</md:ServiceName>
      <md:RequestedAttribute Name="uid" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
  <!-- Replace the organization details with your own. -->
  <md:Organization>
    <md:OrganizationName xml:lang="en">My Organization RightNow Customer Experience Site</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">My Organization RightNow Customer Experience</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">http://www.my-org.com</md:OrganizationURL>
  </md:Organization>
</md:EntityDescriptor>
Upon hitting the SSO URL in Oracle RightNow, I do not get a response back. I verified this using the SAML tracer plug-in for Firefox, and also there is no error code returned. I have also configured the SAML_ERROR_URL with the %error_code% and %session% variables. The X509 certificate has been uploaded to RightNow and USE_KNOWN_ROOT_CAS has been set.
My hunch is that the end-point URL has something to do with it. Where do I go from here? Again, thanks for your help, Andy.
RightNow + SAML is a pain, impossible to debug, but possible to do. After much trial and error I've been able to get it to work with OIF in the past.
There should be a manual way to create a service provider in OIF. RightNow doesn't have any way to generate the OIF metadata automatically, but here is a stub that you can use as a starting point. There are a few replacements you'll need to make for your specific site:
Other notes from my previous attempts:
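Since RightNow cannot generate the metadata itself, the replacements Andy describes can be scripted and checked instead of hand-edited. The following is an added example, not code from Oracle, RightNow, OIF or Andy's answer: a Python 3 (standard library only) generator that emits SP metadata in the stub's layout from the site host, interface name and signing certificate, plus a checker for the fields that usually break this kind of setup (ACS Location versus entityID host, certificate present, serial number in decimal, an empty Signature element left over from a stub). The host myorg--test.custhelp.com, the interface name myorg, the DN strings and the certificate body are constructed placeholders; in real use the issuer, subject and serial come from `openssl x509 -noout -issuer -subject -serial -in cert.pem`. The legacy rsa-1_5 and tripledes-cbc EncryptionMethod entries from the stub are deliberately left out.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XML_NS = "http://www.w3.org/XML/1998/namespace"
for _prefix, _uri in (("md", MD), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)

HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
# AES entries from the stub; the legacy rsa-1_5 and tripledes-cbc entries are omitted.
ENCRYPTION_METHODS = [
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
]

# Constructed placeholder, NOT a real certificate: paste the PEM of the signing
# certificate you uploaded to RightNow here.
SAMPLE_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIBfakeCertBodyFromYourRightNowSigningCertificate0123456789ABCDEF
ghijklmnopqrstuvwxyz+/abcdef=
-----END CERTIFICATE-----"""


def pem_body(cert_pem):
    """Base64 DER payload of a PEM certificate, i.e. what ds:X509Certificate carries."""
    lines = [l.strip() for l in cert_pem.strip().splitlines()]
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    if not re.fullmatch(r"[A-Za-z0-9+/]+=*", body):
        raise ValueError("certificate body is not base64")
    return body


def build_sp_metadata(site_host, interface, cert_pem, issuer_dn, serial_hex,
                      subject_dn, org_name, org_url, valid_days=365):
    """Return SP metadata XML for a RightNow site in the layout of the stub above.

    issuer_dn, subject_dn and serial_hex are what
    `openssl x509 -noout -issuer -subject -serial -in cert.pem` prints.
    """
    base = f"https://{site_host}"
    launch = f"{base}/cgi-bin/{interface}.cfg/php/admin/sso_launch.php"
    valid_until = (datetime.now(timezone.utc) + timedelta(days=valid_days)
                   ).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{MD}}}EntityDescriptor",
                      {"entityID": f"{base}/fed/sp", "validUntil": valid_until})
    # No empty <ds:Signature/>: it is schema-invalid. Sign the file separately if OIF requires it.
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "WantAssertionsSigned": "false", "AuthnRequestsSigned": "false",
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = pem_body(cert_pem)
    iss = ET.SubElement(x509, f"{{{DS}}}X509IssuerSerial")
    ET.SubElement(iss, f"{{{DS}}}X509IssuerName").text = issuer_dn
    # ds:X509SerialNumber is xs:integer: decimal, not the (possibly colon-separated) hex openssl prints.
    ET.SubElement(iss, f"{{{DS}}}X509SerialNumber").text = str(int(serial_hex.replace(":", ""), 16))
    ET.SubElement(x509, f"{{{DS}}}X509SubjectName").text = subject_dn
    for alg in ENCRYPTION_METHODS:
        ET.SubElement(kd, f"{{{MD}}}EncryptionMethod", {"Algorithm": alg})
    ET.SubElement(sp, f"{{{MD}}}NameIDFormat").text = NAMEID_UNSPECIFIED
    # The endpoint the IdP POSTs the Response to, with p_subject=Account.Login as in the stub.
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": HTTP_POST, "Location": f"{launch}?p_subject=Account.Login",
        "index": "0", "isDefault": "true"})
    acs = ET.SubElement(sp, f"{{{MD}}}AttributeConsumingService", {"index": "0", "isDefault": "true"})
    ET.SubElement(acs, f"{{{MD}}}ServiceName", {f"{{{XML_NS}}}lang": "en"}).text = launch
    ET.SubElement(acs, f"{{{MD}}}RequestedAttribute", {"Name": "uid", "isRequired": "true"})
    org = ET.SubElement(root, f"{{{MD}}}Organization")
    for tag, text in (("OrganizationName", org_name), ("OrganizationDisplayName", org_name),
                      ("OrganizationURL", org_url)):
        ET.SubElement(org, f"{{{MD}}}{tag}", {f"{{{XML_NS}}}lang": "en"}).text = text
    return ET.tostring(root, encoding="unicode")


def check_sp_metadata(xml_str):
    """Extract the fields that usually break a RightNow/OIF setup and flag common mistakes."""
    root = ET.fromstring(xml_str)
    entity_id = root.get("entityID")
    acs = root.find(f"{{{MD}}}SPSSODescriptor/{{{MD}}}AssertionConsumerService")
    cert = root.find(f".//{{{DS}}}X509Certificate")
    serial = root.find(f".//{{{DS}}}X509SerialNumber")
    sig = root.find(f"{{{DS}}}Signature")
    acs_url = acs.get("Location") if acs is not None else None
    return {
        "entity_id": entity_id,
        "acs_url": acs_url,
        "acs_binding": acs.get("Binding") if acs is not None else None,
        # The ACS must be on the same host as the entityID and served over HTTPS.
        "acs_host_matches_entity": (acs_url is not None
                                    and urlparse(acs_url).netloc == urlparse(entity_id or "").netloc
                                    and urlparse(acs_url).scheme == "https"),
        "cert_present": cert is not None and bool((cert.text or "").strip()),
        "serial_is_decimal": serial is not None and (serial.text or "").strip().isdigit(),
        # An empty <ds:Signature/> left over from a hand-edited stub is schema-invalid.
        "has_empty_signature": sig is not None and len(sig) == 0,
    }


if __name__ == "__main__":
    metadata = build_sp_metadata("myorg--test.custhelp.com", "myorg", SAMPLE_CERT_PEM,
                                 "CN=Example Issuing CA,O=My Organization", "0A:1B:2C",
                                 "CN=myorg--test.custhelp.com,O=My Organization",
                                 "My Organization", "http://www.my-org.com")
    print(metadata)
    print(check_sp_metadata(metadata))
```

Paste the generated document into OIF's manual service-provider creation, then compare the acs_url the checker reports with the URL the IdP actually POSTs to in SAML tracer; a mismatch there is the first thing to rule out when no Response comes back.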