Embed Webex WFO in Webex Contact Center Desktop
Webex WFO can be embedded as an application in Webex Contact Center Desktop. This means users can stay in Webex Contact Center Desktop without switching between screens and applications. The embedded solution supports single sign-on (SSO) integrations with Okta and OneLogin. Follow the detailed procedures below to learn how to embed Webex WFO in Webex Contact Center Desktop.
Prerequisites
- The users you assign in your Okta app or OneLogin app must also exist in Webex WFO.
- The supported browsers and operating systems are the same as those supported for the Webex Contact Center desktop as specified in System requirements for Webex Contact Center Desktop.
Supported platforms
- Okta
- OneLogin
NOTE This feature has been validated with Okta single sign-on and OneLogin single sign-on.
You can configure multiple single sign-on (SSO) providers. See SSO with multiple IdPs in Webex for more information.
Limitations
- The embedded application is not compatible with the dark mode, responsiveness, localization, UI and UX, and accessibility features available in Webex Contact Center Desktop.
- Signing out of Webex WFO embedded does not sign you out from Webex Contact Center Desktop.
- Signing into Webex WFO displays details based on Webex WFO access controls provided by the administrator.
- Embedding is not currently supported for the standalone QM Basic offering. Embedding is supported for all other offerings of Webex WFO.
IMPORTANT This feature is compatible with the third-party platforms Okta and OneLogin. Their interfaces and functionality may change without notice, which could affect the step-by-step procedures detailed in this article.
Procedures
| Platform | Okta | OneLogin |
|---|---|---|
| Custom Procedures | | |
| 1. | Configure Okta SSO with Webex WFO | Configure OneLogin SSO with Webex WFO |
| 2. | | |
| 3. | Okta - Get the URLs for your embed links and enable iFraming | OneLogin - Get the URLs for your embed links and enable iFraming |
| General Procedures | | |
Okta Procedures
- Sign in to Okta.
NOTE You must be a Super Administrator in Okta to create and configure an app.
- Navigate to Applications > Applications.
- Click Create App Integration.
- In the Create a new app integration dialog box, configure the field as follows.

| Field | Configuration |
|---|---|
| Sign-in method | Select SAML 2.0. |

- Click Next.
- On the Create SAML Integration page General Settings tab, configure the fields as follows.

| Field | Configuration |
|---|---|
| App name | Enter a unique name. |
| App logo | (Optional) Upload an image to identify the app in Okta. |
| App visibility | (Optional) Limit who can see the image in Okta. |

- Click Next.
- On the Configure SAML tab, configure the fields as follows.

| Field | Configuration |
|---|---|
| General | |
| Single sign-on URL | Refer to the IAM Domain Names table below. Enter your IAM domain. Leave the Use this for Recipient URL and Destination URL check box selected (default). |
| Audience URI (SP Entity ID) | Enter calabriosp. |
| Default Relay State | Leave blank. |
| Name ID format | Select EmailAddress from the drop-down list. |
| Application username | Select Email from the drop-down list. |
| Update application username on | Do not change. This field is set to Create and update by default. |
| NOTE If Advanced Settings is hidden, click Show Advanced Settings. | |
| Response | Select Signed from the drop-down list. |
| Assertion Signature | Select Signed from the drop-down list. |
| Signature Algorithm | Select either RSA-SHA1 or RSA-SHA256. |
| Digest Algorithm | Select either SHA1 or SHA256. |
| Assertion Encryption | Select Unencrypted. |
| Signature Certificate | Leave blank. |
| Enable Single Logout | Grayed out by default. Leave the Allow application to initiate Single Logout check box cleared (default). |
| Signed Requests | Grayed out by default. Leave the Validate SAML requests with signature certificates check box cleared (default). |
| Other Requestable SSO URLs | Leave blank. |
| Assertion Inline Hook | Do not change. This field is set to None (disabled) by default. |
| Authentication context class | Select PasswordProtectedTransport. |
| Honor Force Authentication | Select Yes. |
| SAML Issuer ID | Leave blank. |
| Maximum app session lifetime | Leave blank. |
| Attribute Statements (optional) | |
| Name | Enter mail. IMPORTANT Do not enter email. NOTE This setting allows a user’s email address to be properly mapped for SAML assertion. If you do not do this attribute mapping for your external IdP, then a Cisco representative must map the attribute to the user’s email address on your behalf. Contact Cisco Professional Services for assistance. |
| Name format | Select Unspecified from the drop-down list. |
| Value | Select user.email. |

NOTE You do not need to configure any attributes in the Group Attribute Statements (optional) section.

| IAM Domain Names | Single sign-on URL |
|---|---|
| Australia | https://id-aus.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp |
| Canada | https://id-ca.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp |
| European Union | https://id-eu.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp |
| United Kingdom | https://id-uk.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp |
| United States | https://id.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp |
| Singapore | https://id-sgp.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp |

- Click Next.
- In the Feedback tab, select the feedback option that is appropriate to your company’s use of Okta.
NOTE Your choice does not affect the ability of Webex WFO to use Okta as an IdP.
- Click Finish. You have successfully created the first of two apps in Okta for Webex WFO.
Download Okta SAML Metadata
After you configure SAML authentication, you need to download your metadata.
- Navigate to Applications > Sign On tab.
- Copy the metadata URL, then open the URL in a new window.
- The XML file contains your entityID, X.509Certificate, NameIDFormat, and SingleSignOnService. Save this information in an easy-to-access location. You will use these values during the Enable IAM authentication for your Okta app procedure in Webex WFO later.
  - entityID is Entity ID on the IAM Authentication page in Webex WFO.
  - X.509Certificate is IDP X.509 Certificate on the IAM Authentication page in Webex WFO.
  - NameIDFormat is Name ID Format on the IAM Authentication page in Webex WFO.
  - SingleSignOnService is Single Sign-On Service Endpoint (HTTP-POST/HTTP-Redirect) on the IAM Authentication page in Webex WFO.
Enable IAM authentication for your Okta app
You need the Administer Tenant permission to access this page. See Manage roles and permissions for QM, Analytics, Insights, and Performance Management for more information.
For more information about the IAM Authentication page, see Set up IAM authentication.
- Navigate to Webex WFO > Application Management > Administration > IAM Authentication.
- Under Enable Authentication, select the Enable IAM External Authentication Entity (Company Login) check box to allow authentication using an external identity provider.
- Enter the required information in the fields detailed below.

| Field | Description |
|---|---|
| Enable Authentication | Enable IAM External Authentication Entity (Company Login) — Enables authentication using an external IdP. |
| IAM External Authentication Settings | |
| Entity ID | Locate your entity ID in your XML metadata file from Okta. |
| IDP X.509 Certificate | Import, your XML metadata file from Okta. Acceptable file formats are CER, CRT, and CERT. IMPORTANT The certificate must be Base64 encoded. |
| Authorization Requests Signed | Require signed SAML request: Select check box. |
| Name ID Format | Enter the following format. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Single Sign-On Service Endpoint (HTTP-POST/HTTP-Redirect) | Locate your Single Sign-On Service Endpoint in your XML metadata file from Okta. EXAMPLE https://dev-111111.oktapreview.com/app/dev-111111_exampletest20220608_1/mpkznqqbkzvTHE3Nc0h7/sso/saml |
| Require SAML Binding to be HTTP-POST | Select check box. |

- Click Save.
Assign users to the Okta app
- Open Okta and navigate to Applications > Applications.
- Select the Okta app you created during the Create an app in Okta procedure.
- Under the Assignments tab, click Assign > Assign to People or Assign to Groups.
- Search for the people or groups you want, then click Assign.
- Click Done.
Test your connection
Ensure that users assigned to the Okta app are able to log in.
NOTE The users you assign in your Okta app must also exist in Webex WFO.
- Open an incognito window.
- Navigate to https://login.calabriocloud.com/.
- Enter the email address of a user assigned to the Okta app.
- Click Company Login.
- You are routed to Okta. Enter your Okta credentials and log in.
This is the second application you need to create in Okta.
Turn on SSO in Webex Control Hub and download metadata
- Sign in to Webex Control Hub.
- Navigate to Security > Authentication.
- Select your IdP.
- Select Self-signed by Cisco or Signed by a public certificate authority.
BEST PRACTICE Cisco recommends selecting Self-signed by Cisco.
- Download the metadata file. The default Webex Control Hub metadata filename is idb-meta-<org-ID>-SP.xml.
NOTE For more information see the Download the Webex metadata to your local system chapter in the Configure single sign-on in Control Hub with Okta help article.
Configure Okta for Webex services
- Open Okta and navigate to Applications > Applications.
- Click Browse App Catalog.
- Search for and select Cisco Webex (SCIM, SAML, SWA).
- Click Add Integration.
- On the Add Cisco Webex page General Settings tab, configure the fields as follows.

| Field | Configuration |
|---|---|
| Application label | Enter a unique name. BEST PRACTICE Enter your organization's name in Webex WFO. |
| Application Visibility | (Optional) |
| Browser plugin auto-submit | Select Automatically log in when user lands on login page. |

- Click Next.
- In the General Settings tab, click SAML 2.0.
- Go to the Credentials Details section, towards the end of the page.
- Select Email from the Application username format drop-down list.
- In your browser, open the metadata file that you downloaded from Webex Control Hub.
- Navigate back to the General Settings tab > SAML 2.0.
- In the Advanced Sign-on Settings section, enter the Entity ID and Assertion Consumer Service location that you copied from the metadata file you downloaded.
- In the Credentials Details section, select Email from the Application username format drop-down list.
- Select Create and update from the Update application username on drop-down list.
- Click Done.
NOTE For more information see the Configure Okta for Webex services chapter in the Configure single sign-on in Control Hub with Okta help article.
Import the IdP metadata and enable SSO
- Sign in to Webex Control Hub.
- Navigate to Applications > Sign On tab.
- Copy the metadata URL, then open the URL in a new window.
- In Webex Control Hub, navigate to Management > Security > Authentication > Identity provider tab.
- Click Activate SSO.
- Select SAML on the Step 1: Select an identity provider page. Click Next and proceed through the remaining steps.
- On Step 3: Configure IdP metadata, upload your IdP's metadata file.
- Then select Less secure: Not signed, self-signed or private CA signed IdP metadata file. Selecting this option means your certificate only needs to be renewed once every five years.
- Click Next until you complete all the steps.
- Select Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.
- Return to the Webex Control Hub browser tab.
- If the test was successful, select Successful test. Turn on SSO and click Next.
- If the test was unsuccessful, select Unsuccessful test. Turn on SSO and click Next.
NOTE For more information see the Import the IdP metadata and enable single sign-on after a test chapter in the Configure single sign-on in Control Hub with Okta help article.
Assign users to the Webex app
IMPORTANT The users you assign in your Okta app must also exist in Webex WFO. Ensure that the email addresses entered here are tied to user accounts in Webex WFO.
- Open Okta and navigate to Applications > Applications.
- Select the Okta app you created during the Create an app in Okta procedure.
- Under the Assignments tab, click Assign > Assign to People or Assign to Groups.
- Search for the people or groups you want, then click Assign.
- Click Done.
Test your connection
Ensure that users assigned to the Okta app are able to log in.
- Open an incognito window.
- Navigate to https://admin.webex.com/.
- Enter the login credentials of a user assigned to the Okta app.
- You are then routed to Okta. Enter your Okta credentials and sign in.
In this procedure you will enable iFrame embedding, copy Okta's embedded link, and copy the MyTime embed link (MyTime is also referred to as MySchedule).
- Open Okta and within the Admin Console navigate to Customizations > Other. Go to the iFrame Embedding section.
- Select the Allow iFrame embedding check box.
- Click Save.
- Navigate to Applications > Applications > select your WFO application from the list > General tab.
- Copy the Embed Link in the App Embed Link section of the General tab.
- To get the MyTime embed link, navigate to Webex WFO > WFM > MyTime. MyTime opens in a new browser window or tab.
- Copy the MyTime URL from the address bar.
EXAMPLE https://mtdemousce01.teleopticloud.com/web/MyTime#Schedule
Next, complete the Paste app embed links in custom layouts procedures.
OneLogin Procedures
Add Calabrio ONE app in OneLogin
- Sign in to OneLogin.
- Navigate to Applications > Applications.
- Click Add App.
- Search for Calabrio.
- Select the Calabrio ONE (OneLogin) app.
IMPORTANT Ensure that you select the Calabrio ONE (OneLogin) app depicted in the image above. Do not select Calabrio (OneLogin, Inc.).
- Click Save to add the Calabrio ONE (OneLogin) app. No custom configuration is required for the Calabrio ONE (OneLogin) app.
Download SAML Metadata in OneLogin
After you add the Calabrio ONE app, you need to download your metadata.
- Navigate to Applications > Applications.
- Click Download JSON and save the file.
- The XML file contains your entityID, X.509Certificate, NameIDFormat, and SingleSignOnService. Save this information in an easy-to-access location. You will use these values during a later procedure.
  - entityID is Entity ID on the IAM Authentication page in Webex WFO.
  - X.509Certificate is IDP X.509 Certificate on the IAM Authentication page in Webex WFO.
  - NameIDFormat is Name ID Format on the IAM Authentication page in Webex WFO.
  - SingleSignOnService is Single Sign-On Service Endpoint (HTTP-POST/HTTP-Redirect) on the IAM Authentication page in Webex WFO.
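The metadata-to-field mapping listed here, and in the earlier Download Okta SAML Metadata procedure, can be read out of the IdP metadata XML with a short script. This is an added example, not code from Cisco, Okta or OneLogin: the sample metadata, its idp.example.com host and its certificate bytes are constructed, and writing the certificate as PEM is an assumption about what "Base64 encoded" means for the CER, CRT and CERT files. It also checks that the IdP offers the HTTP-POST binding and the emailAddress Name ID format that the IAM Authentication page is configured to require.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample: hypothetical IdP host, placeholder bytes instead of a real certificate.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder certificate bytes!" * 4).decode()
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://idp.example.com/constructed-entity-id">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_POST}"
        Location="https://idp.example.com/app/constructed/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/app/constructed/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(cert_b64: str) -> str:
    """Wrap the Base64 certificate body as PEM text (assumed format for the import file)."""
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_iam_fields(metadata_xml: str) -> dict:
    """Return the four IAM Authentication values, or raise ValueError if one is unusable."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.get("entityID") is None or idp is None:
        raise ValueError("not a single-entity IdP metadata document")

    cert = None
    for key in idp.findall("md:KeyDescriptor", NS):
        node = key.find(".//ds:X509Certificate", NS)
        if key.get("use") in (None, "signing") and node is not None and node.text:
            cert = "".join(node.text.split())  # metadata often line-wraps the Base64
            break
    if cert is None:
        raise ValueError("no signing certificate in metadata")
    base64.b64decode(cert, validate=True)  # raises ValueError on non-Base64 data

    formats = [n.text.strip() for n in idp.findall("md:NameIDFormat", NS) if n.text]
    if EMAIL_FORMAT not in formats:
        raise ValueError(f"IdP does not advertise {EMAIL_FORMAT}")

    endpoints = {s.get("Binding"): s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    if HTTP_POST not in endpoints:
        raise ValueError("no HTTP-POST SingleSignOnService endpoint")
    if not endpoints[HTTP_POST].startswith("https://"):
        raise ValueError("SingleSignOnService endpoint is not https")

    return {
        "Entity ID": root.get("entityID"),
        "IDP X.509 Certificate": to_pem(cert),
        "Name ID Format": EMAIL_FORMAT,
        "Single Sign-On Service Endpoint (HTTP-POST/HTTP-Redirect)": endpoints[HTTP_POST],
    }


if __name__ == "__main__":
    for field, value in extract_iam_fields(SAMPLE_METADATA).items():
        print(f"{field}:\n{value}\n")
```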
Enable IAM authentication for your OneLogin app
You need the Administer Tenant permission to access this page. See Manage roles and permissions for QM, Analytics, Insights, and Performance Management for more information. For more information about the IAM Authentication page, see Set up IAM authentication.
- Navigate to Webex WFO > Application Management > Administration > IAM Authentication.
- Under Enable Authentication, select the Enable IAM External Authentication Entity (Company Login) check box to allow authentication using an external identity provider.
- Enter the required information in the fields detailed below.

| Field | Description |
|---|---|
| Enable Authentication | Enable IAM External Authentication Entity (Company Login) — This enables authentication using an external IdP. |
| IAM External Authentication Settings | |
| Entity ID | Locate your entity ID in your XML metadata file from OneLogin. |
| IDP X.509 Certificate | Import, your metadata file from OneLogin. Acceptable file formats are CER, CRT, and CERT. IMPORTANT The certificate must be Base64 encoded. |
| Authorization Requests Signed | Require signed SAML request: Select check box. |
| Name ID Format | Enter the following format. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress |
| Single Sign-On Service Endpoint (HTTP-POST/HTTP-Redirect) | Locate your Single Sign-On Service Endpoint in your metadata file from OneLogin. EXAMPLE https://wxcc2.onelogin.com/trust/saml2/http-post/sso/11111111-bbbb-3333-cccc-555555555555 |
| Require SAML Binding to be HTTP-POST | Select check box. |

- Click Save.
Add your OneLogin app to Webex Control Hub (Part One)
- Open Webex Control Hub.
- Navigate to Security > Authentication.
- Click Add an IdP.
- Click SAML and then click Next on the Step 1: Select an identity provider page.
- Select Self-signed by Cisco or Signed by a public certificate authority on the Step 2: Select and export a certificate page.
BEST PRACTICE Cisco recommends selecting Self-signed by Cisco.
- Download the metadata file. The default Webex metadata filename is idb-meta-<unique identifier>-SP.xml. This file will be used for a later procedure.
Create a second OneLogin app
- Open OneLogin.
- Navigate to Applications > Applications.
- Click Add App.
- Search for SAML Custom Connector and select SAML Custom Connector (Advanced) from the list.
IMPORTANT Ensure that you select the SAML Custom Connector (Advanced) application depicted in the image above.
- Open the Configuration page from the left navigation bar.
- Open the Webex metadata file from the previous procedure (Add your OneLogin app to Webex Control Hub (Part One)). Enter the information from the metadata file in the following fields.
  - Enter the EntityID from the file in the Audience (EntityID) field.
  - Enter the AssertionConsumerService Location from the file in the Recipient field.
  - Enter the AssertionConsumerService Location from the file in the ACS (Consumer) URL Validator field.
  - Enter the AssertionConsumerService Location from the file in the ACS (Consumer) URL field.
- Click Save to add the SAML Custom Connector (Advanced) app.
- Click More Actions > SAML Metadata and save the file. You will use this file in the next procedure.
Add your OneLogin app to Webex Control Hub (Part Two)
- Go back to Webex Control Hub.
- On Step 3: Configure IdP metadata, upload your IdP's metadata file.
- Then you must select Less secure: Not signed, self-signed or private CA signed IdP metadata file.
- Click Next until you arrive at the Step 5: Test your SSO setup page.
- Select Test SSO setup, and when a new browser tab opens, authenticate with the IdP by signing in.
- Return to the Control Hub browser tab.
- If the test was successful, select Successful test. Turn on SSO and click Next.
- If the test was unsuccessful, select Unsuccessful test. Turn on SSO and click Next.
NOTE For more information see the Download the Webex metadata to your local system chapter and the Import the IdP metadata and enable single sign-on after a test chapter in the Configure single sign-on in Control Hub with Okta help article.
Add users in OneLogin
IMPORTANT The users you create in OneLogin must also exist in Webex WFO. Ensure that the email addresses entered here are tied to user accounts in Webex WFO.
- Open OneLogin.
- Navigate to Users > Users.
- Click New User.
- On the New User configuration page, enter all required information.
- Click Save User. The user's configuration page opens.
- Click Applications.
- Click the Applications + icon. The Assign new login to [user's name] dialog box opens.
- Select SAML Custom connector (Advanced) from the Select application drop-down list.
- Click Save User. The Edit SAML Custom connector for [user's name] dialog box opens.
- Ensure that the Allow the user to sign in check box is selected.
- Click Save.
Test your connection
Ensure that users assigned to the OneLogin application are able to log in.
- Open the Step 5: Test your SSO setup page in Webex Control Hub.
- Click Copy URL to clipboard.
- Open an incognito window.
- Paste the URL you just copied in the incognito window.
- Enter your login credentials.
In this procedure you will locate and copy your subdomain and your app ID.
- Navigate to Applications > Applications.
- Open your Calabrio ONE (OneLogin) app.
- Copy the subdomain and app ID directly from your browser's address bar.
EXAMPLE The subdomain is the text that appears before the domain. In this example the subdomain is wxcc2. The app ID is the string of numbers that appears after /apps/. In this example it is 40----7.
- Create your custom embed URL link using this format. This is your Workforce Optimization embed URL link. You will use this embed link URL in a later procedure.
https://[subdomain].onelogin.com/launch/[appID]
- In OneLogin, navigate to Settings > Account Settings > Basic.
- In the Framing Protection section, select Allow framing from the following origins.
- In a separate window, open Webex Contact Center Desktop, and then copy the URL.
- Go back to your OneLogin window Basic page.
- In the Content Security Policy - Origin URLs text box, paste your Webex Contact Center Desktop URL.
- Select the Fall back to allowing ALL framing in those browsers (less secure) check box.
- Click Save.
- To get the MySchedule (also known as MyTime) embed link, navigate to Webex WFO > WFM > MyTime. MyTime opens in a new browser window or tab.
- Copy the MyTime URL from the address bar.
EXAMPLE https://mtdemousce01.teleopticloud.com/web/MyTime#Schedule
General Procedures
Create custom layouts
In this procedure you will create the following four custom layouts.
- Workforce Optimization (WFO) layout for the agent persona
- MySchedule layout for the agent persona
- Workforce Optimization layout for the Supervisor persona and the Supervisor and Agent persona
- MySchedule layout for the Supervisor persona and the Supervisor and Agent persona
JSON-formatted code snippets are provided to you below.
NOTE See Create custom desktop layout for more information.
Create the Workforce Optimization layout for the Agent persona
{
  "nav": {
    "label": "WorkForce Optimization",
    "icon": "primary-participant-bold",
    "iconActive": "primary-participant-filled",
    "iconType": "momentumdesign",
    "navigateTo": "WFO-Profile",
    "align": "top",
    "isDefaultLandingPage": true
  },
  "page": {
    "id": "iframe",
    "widgets": {
      "left": {
        "comp": "agentx-wc-iframe",
        "attributes": {
          "src": "https://integrator-4748321.okta.com/home/integrator-4748321_webexwfo_1/0oat7pzdl9YJapVGe697/alnt7qhm618dFX46u697"
        }
      }
    },
    "layout": {
      "areas": [
        [
          "left"
        ]
      ],
      "size": {
        "cols": [
          1
        ],
        "rows": [
          1
        ]
      }
    }
  }
},
- Copy the code snippet above.
- Replace the "src": url in line 17 with your Workforce Optimization (Webex WFO) embed URL link.
- Save the file.
Create the MySchedule layout for the Agent persona
{
  "nav": {
    "label": "My Schedule",
    "icon": "webex-meetings-bold",
    "iconActive": "webex-meetings-filled",
    "iconType": "momentumdesign",
    "navigateTo": "WFO-Schedule",
    "align": "top"
  },
  "page": {
    "id": "iframe",
    "widgets": {
      "left": {
        "comp": "agentx-wc-iframe",
        "attributes": {
          "src": "https://mtdemousce01.teleopticloud.com/web/mytime#Schedule"
        }
      }
    },
    "layout": {
      "areas": [
        [
          "left"
        ]
      ],
      "size": {
        "cols": [
          1
        ],
        "rows": [
          1
        ]
      }
    }
  }
},
- Copy the code snippet above.
- Replace the "src": url in line 16 with your MySchedule embed URL link.
- Save the file.
Create the Workforce Optimization layout for the Supervisor persona and the Supervisor and Agent persona
{
  "nav": {
    "label": "WorkForce Optimization",
    "icon": "webex-teams-bold",
    "iconType": "momentumdesign",
    "iconActive": "webex-teams-filled",
    "navigateTo": "WFO",
    "align": "top",
    "isDefaultLandingPage": true
  },
  "page": {
    "id": "iframe",
    "widgets": {
      "left": {
        "comp": "agentx-wc-iframe",
        "attributes": {
          "src": "https://integrator-4748321.okta.com/home/integrator-4748321_webexwfo_1/0oat7pzdl9YJapVGe697/alnt7qhm618dFX46u697"
        }
      }
    },
    "layout": {
      "areas": [
        [
          "left"
        ]
      ],
      "size": {
        "cols": [
          1
        ],
        "rows": [
          1
        ]
      }
    }
  }
},
- Copy the code snippet above.
- Replace the "src": url in line 17 with your Workforce Optimization embed URL link.
- Save the file.
Create the MySchedule layout for the Supervisor persona and the Supervisor and Agent persona
{
  "nav": {
    "label": "Schedule",
    "icon": "webex-meetings-bold",
    "iconActive": "webex-meetings-filled",
    "iconType": "momentumdesign",
    "navigateTo": "WFO-Schedule",
    "align": "top"
  },
  "page": {
    "id": "iframe",
    "widgets": {
      "left": {
        "comp": "agentx-wc-iframe",
        "attributes": {
          "src": "https://mtdemousce01.teleopticloud.com/web/mytime#Schedule"
        }
      }
    },
    "layout": {
      "areas": [
        [
          "left"
        ]
      ],
      "size": {
        "cols": [
          1
        ],
        "rows": [
          1
        ]
      }
    }
  }
}
- Copy the code snippet above.
- Replace the "src": url in line 16 with your MySchedule embed URL link.
- Save the file.
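Setting the "src" value by key rather than by line number, with a check on what the iframe will load, can be scripted as follows. This is an added example, not part of the original article or of any Cisco tooling: the function names, the allowed-host set and the app ID 1234567 are hypothetical, and the template mirrors the Agent persona Workforce Optimization snippet above with a placeholder URL. It builds the OneLogin link in the https://[subdomain].onelogin.com/launch/[appID] format and accepts only an https URL on a host you expect.

```python
import copy
import json
import re
from urllib.parse import urlsplit

# Nav entry shaped like the page's Agent persona WFO snippet; src is a placeholder.
NAV_TEMPLATE = {
    "nav": {"label": "WorkForce Optimization", "icon": "primary-participant-bold",
            "iconActive": "primary-participant-filled", "iconType": "momentumdesign",
            "navigateTo": "WFO-Profile", "align": "top", "isDefaultLandingPage": True},
    "page": {"id": "iframe",
             "widgets": {"left": {"comp": "agentx-wc-iframe",
                                  "attributes": {"src": "https://placeholder.invalid/"}}},
             "layout": {"areas": [["left"]], "size": {"cols": [1], "rows": [1]}}},
}


def load_nav_entry(text):
    """Parse a snippet copied from the page; drop the comma after its closing brace."""
    return json.loads(text.strip().rstrip(","))


def onelogin_launch_url(subdomain, app_id):
    """Build https://[subdomain].onelogin.com/launch/[appID] from the two copied values."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", subdomain):
        raise ValueError(f"unexpected subdomain: {subdomain!r}")
    if not re.fullmatch(r"[0-9]+", app_id):
        raise ValueError(f"app ID must be digits only: {app_id!r}")
    return f"https://{subdomain.lower()}.onelogin.com/launch/{app_id}"


def check_embed_url(url, allowed_hosts):
    """Accept only an https URL, without embedded credentials, on an expected host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("embed URL must use https")
    if parts.username or parts.password:
        raise ValueError("embed URL must not carry credentials")
    if (parts.hostname or "") not in allowed_hosts:
        raise ValueError(f"host {parts.hostname!r} is not an expected embed host")
    return url


def set_iframe_src(nav_entry, url, allowed_hosts):
    """Return a copy of nav_entry whose single agentx-wc-iframe widget loads url."""
    entry = copy.deepcopy(nav_entry)
    frames = [w for w in entry["page"]["widgets"].values()
              if w.get("comp") == "agentx-wc-iframe"]
    if len(frames) != 1:
        raise ValueError("expected exactly one agentx-wc-iframe widget")
    frames[0]["attributes"]["src"] = check_embed_url(url, allowed_hosts)
    return entry


if __name__ == "__main__":
    # Constructed values standing in for the subdomain and app ID copied from OneLogin.
    wfo_url = onelogin_launch_url("wxcc2", "1234567")
    entry = set_iframe_src(NAV_TEMPLATE, wfo_url, {"wxcc2.onelogin.com"})
    print(json.dumps(entry, indent=2))
```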

The following image is an example code snippet for the MySchedule custom layout.

Administer the layout
Administer the layouts for Agent, Supervisor, and Supervisor and Agent personas in Webex Control Hub - https://admin.webex.com/wxcc/desktop-experience/desktop-profiles.
- Open Webex Contact Center Control Hub.
- Navigate to Contact Center > Desktop Layouts.
- Click Create Desktop Layout.
- Upload one of the custom desktop layouts files from the previous procedure.
- Enable the Active toggle in the top-right corner of the page.
- Navigate to Teams.
- Select a team from the list.
- In the Team settings section, select your custom desktop layout from the Desktop layout drop-down list.
- Repeat for all custom layout files.
Test layout
- Sign in as all the personas. Always keep the left navigation pane collapsed.
- Select the Webex WFO icon from the left-navigation pane. Confirm you see the Webex WFO icon.
- Select the MySchedule icon from the left-navigation pane. Confirm you see the MySchedule icon.
BEST PRACTICE Speed up the embed page by changing the Webex WFO landing page. Follow the Assign landing pages to users procedure.
NOTE This setting can be applied as a browser policy by the IT organization, meaning agents and supervisors do not need to apply it individually.
- Navigate to Settings > Privacy & Security > Cookies and Site Data > Manage Exceptions.
- Add the following URLs.
  - https://login.calabriocloud.com
  - Your Okta Embed link: (example) https://integrator-4748321.okta.com
  - Your OneLogin Embed link: (example) https://wxcc.onelogin.com/launch/3980125
  - http://mtdemousce01.teleopticloud.com
  - https://id.calabriocloud.com
- Click Save.










