Client Console SSO (beta)
If an error occurs, for any reason, while changing this property, you must make sure that the property value and Console/web.config
match their previous setting. A copy of the Console/web.config file is made in the Backups directory before
web.config is updated. Change the property setting back, save the properties, and restore the
web.config file from its backup manually.
Changing Admin > Properties > Client Console SSO from Enabled to Disabled or Disabled to Enabled and clicking Save will
log you out of the client console. You must ensure that when this occurs you will be able to log in again. If you are
enabling SSO you must make sure that the account you log into the front end of the web site has console access. If
you are disabling SSO you must make sure that you have a Centralpoint account to use to log back into the client console.
You should have no problem enabling SSO if you will be logging into the web site with the same Centralpoint user that you use
to log into the console. If you will be logging into the web site with a user configured via Global Login, you may have to take
additional steps to ensure that you maintain access. You have 3 options to make sure you maintain access: Ancestor Admin Login,
Global Login Field Map, or Global Login Protect Users. You may also combine settings from these options.
Ancestor Admin Login Configuration
This requires you to have an Ancestor Admin account (Master > Admin > Users) and to set up a standard Centralpoint login
(back door) somewhere on the web site. The Centralpoint login must be excluded from Global Login SSO if that is configured. Logging
in as an ancestor admin through the standard Centralpoint login ensures that you gain access to the client console as an admin.
Global Login Field Map
This requires you to use a Global Login source with a Field Map attribute like SAML 2.0 (Symantec, Okta, Ping Identity) > SAML
Attribute Field Map. You must then configure the Audiences, Roles, and ConsoleNavigation elements in the field map to ensure
the appropriate external users gain client console access to the appropriate audiences, roles, and console navigation.
The following elements will make all external users client console admins. Note the second ":1" in the Audiences attribute which
grants client console access to that audience.
<attribute systemName="Roles"><![CDATA[Admin]]></attribute>
<attribute systemName="Audiences"><![CDATA[bf7bb52f-eae7-4d5a-bd20-6849d0260c80:1:1]]></attribute>
<attribute systemName="ConsoleNavigation">ALL</attribute>
Global Login Protect Users
This requires that you know the Global Login Users > Integration Id of the external users to which you wish to grant console access.
If they have never logged into the front end of the site, they won't exist in the module. In this case, you can either have them log
in to generate the record, or you can create the record in advance. Once you've found the appropriate records, you can assign
their Roles, Console Navigation, and Accessible Audiences values like any other user. Then go to their related Global Login record
and set Protect Users to Yes to ensure that these attributes are not overwritten during their next authentication. These 3 attributes
are protected by default when Protect Users is enabled, but you can configure the protected fields and properties as you see fit.
Debugging & Troubleshooting
You may need to close all browsers and reopen them after enabling/disabling this feature. If you're having
trouble getting it to work, try in Incognito mode to ensure your problem isn't related to your browser. You may also have
to clear your web site cookies and restart the site to ensure your previous session and cache are clear. If you
are logged into the web site via a global login user then you must make sure the user has accessible audiences, roles, and
console navigation selected. The following queries may be useful if you need to debug console access for a particular user.
-- The UserId (cpsys_Users.UserId) of the user whose console access you are checking
DECLARE @UserId UNIQUEIDENTIFIER;
SET @UserId = 'e28b16df-7cc1-4e87-bcdd-16a71ebd99ad';
-- The user record itself; if this returns nothing, the user has never been created or the UserId is wrong
SELECT * FROM cpsys_Users WHERE UserId = @UserId;
-- Roles assigned to the user
SELECT * FROM cpsys_Roles WHERE RoleId IN (SELECT RoleId FROM cpsys_UsersInRoles WHERE UserId = @UserId);
-- Audiences for which the user has console access (IsConsole = 1), as opposed to front-end-only access
SELECT * FROM cpsys_Audiences WHERE AudienceId IN (SELECT AudienceId FROM cpsys_UsersInAudiences WHERE UserId = @UserId AND IsConsole = 1);
-- Console navigation items the user has been granted
SELECT * FROM cpsys_NavigationItems WHERE NavigationItemId IN (SELECT NavigationItemId FROM cpsys_UsersInNavigationItems WHERE UserId = @UserId);
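The four queries above show the raw records. The following query is an added example, not part of the Centralpoint documentation or product, that condenses them into a single row stating which of the three console-access prerequisites named in this section (a role, an audience with IsConsole = 1, and console navigation) is missing for the user. It references only the tables and columns used in the queries above; the rest of the schema is not assumed, and the UserId is a placeholder you replace with the user under investigation.

```sql
-- Added example: one-row summary of the console-access prerequisites for a single user.
-- Only tables/columns already used in the page's debugging queries are referenced;
-- anything else about the schema is unknown and deliberately not assumed.
DECLARE @UserId UNIQUEIDENTIFIER;
SET @UserId = '00000000-0000-0000-0000-000000000000'; -- placeholder: replace with the UserId to check

WITH Access AS (
    SELECT
        (SELECT COUNT(*) FROM cpsys_Users
          WHERE UserId = @UserId)                          AS UserExists,
        (SELECT COUNT(*) FROM cpsys_UsersInRoles
          WHERE UserId = @UserId)                          AS RoleCount,
        (SELECT COUNT(*) FROM cpsys_UsersInAudiences
          WHERE UserId = @UserId AND IsConsole = 1)        AS ConsoleAudienceCount,
        (SELECT COUNT(*) FROM cpsys_UsersInAudiences
          WHERE UserId = @UserId AND IsConsole = 0)        AS FrontEndOnlyAudienceCount,
        (SELECT COUNT(*) FROM cpsys_UsersInNavigationItems
          WHERE UserId = @UserId)                          AS NavigationItemCount
)
SELECT
    UserExists,
    RoleCount,
    ConsoleAudienceCount,
    FrontEndOnlyAudienceCount,
    NavigationItemCount,
    -- First missing prerequisite, in the order the section above lists them
    CASE
        WHEN UserExists = 0
            THEN 'No cpsys_Users row: the user has never logged in or the UserId is wrong'
        WHEN RoleCount = 0
            THEN 'No roles assigned (check the Roles field map or the user record)'
        WHEN ConsoleAudienceCount = 0
            THEN 'No audience grants console access: IsConsole = 1 is missing (field map needs the second ":1")'
        WHEN NavigationItemCount = 0
            THEN 'No console navigation selected (check ConsoleNavigation / Console Navigation)'
        ELSE 'All three prerequisites present'
    END AS Diagnosis
FROM Access;
```

FrontEndOnlyAudienceCount is included because the common misconfiguration described above is an audience that was granted without the second ":1": the user then has an audience row with IsConsole = 0 and still cannot reach the console, which this column makes visible at a glance.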