Set up Single Sign-On for 8x8 Admin Console
Single Sign-On (SSO) is a session and user authentication service that permits a user to use one set of login credentials, such as name and password, to access multiple applications. The service authenticates the end user for all the applications the user has been given rights to and eliminates further prompts when the user switches applications during the same session. Customers with identity management systems such as Google SSO, Microsoft Azure AD, Okta, or any SAML provider require their employees to authenticate to 8x8 apps using their company ID instead of an 8x8 username and password.
With support for Federated SSO, users can log in to 8x8 applications through their company's identity and security system.
Features
- Easy setup from the user's profile in 8x8 Admin Console.
- No need to remember or enter 8x8 Contact Center user credentials.
- Reduce 8x8 Contact Center sign-in time.
- Improve security: user credentials do not need to be stored in 8x8 Contact Center.
- Enhance user experience: users can seamlessly sign in to 8x8 Contact Center from other applications.
Identity Mapping
Ideally, the system maps each company user to an 8x8 user via the 8x8 username. If your company's 8x8 usernames are not unique email addresses, you have to populate either of these new 8x8 user attributes via 8x8 Admin Console.
- For SAML SSO: Federated ID
- For Google SSO: Google ID
Configure Federated SSO
Configuring access to 8x8 applications via Federated SSO involves:
Security Assertion Markup Language (SAML) allows identity providers to pass authorization credentials to service providers. SAML simplifies federated authentication and authorization processes for users, identity providers, and service providers such as 8x8, Inc.
We do not cover this step here since the process varies among the identity and security service providers. Check with your company administrator to find out the service provider adopted by your company. The process is typically managed by your administrator.
- For Okta: Search for 8x8 Inc in the Okta Application catalog and add it. Follow the SAML 2.0 setup instructions provided for 8x8 users with matching Okta usernames. For 8x8 users without matching Okta usernames, the Federated ID is populated in 8x8 Admin Console.
- For OneLogin: Search for 8x8 in the OneLogin Application catalog. Under Configuration > Connectors, select Connector Version: SAML 2.0.
- For Azure AD: Search for 8x8 in the Azure AD Enterprise App Gallery.
The 8x8 Work administrator must set up Single Sign-On and specify the identity provider used by the company. To set up SSO, go to Home > Identity and Security and select an identity provider: Google SSO, Microsoft Azure AD, Okta, or another SAML SSO provider.
Allows users to use a Google ID to log in to 8x8 applications.
To configure Single Sign-On for Google users:
Allows users to log in to any 8x8 application using their corporate Azure AD credentials.
To configure Single Sign-On for Microsoft Azure AD users:
- Go to Home > Identity and Security.
- Select Single Sign on (SSO) as your authentication method.
- Select Microsoft Azure AD as your SSO provider.
- Enter a user authentication URL provided by Identity Provider (IDP) in the Sign-in page URL box.
- Enter a user sign out URL provided by IDP to end the IDP session in the Sign-out page URL box. The 8x8 app calls this URL after you log out of the 8x8 app. If your IDP can redirect to another URL after it ends the IDP session, you should append the variable string <{8x8Logout}>, which inserts the 8x8 login URL so the user can log back in later.
- Enter a provider URL/URN in the IDP Issuer URL/URN box. This is also known as an IDP identifier URL/URN.
- Download the SAML signing certificate from Azure AD (Base64 format) then click to attach it in the Certificate in use box.
- Save your changes.
The configuration of Microsoft Azure AD Federated SSO is now complete.
- Click Save.
Allows users to use the Okta Federation ID to log in to 8x8 applications.
To configure Single Sign-On for Okta users:
- Go to Home > Identity and Security.
- Select Single Sign on (SSO) as your authentication method.
- Select Okta as your SSO provider.
- Enter a user authentication URL provided by Identity Provider (IDP) in the Sign-in page URL field.
- Enter a user sign out URL provided by IDP to end the IDP session in the Sign-out page URL field. The 8x8 app calls this URL after you log out of the 8x8 app. If your IDP can redirect to another URL after it ends the IDP session, you should append the variable string <{8x8Logout}>, which inserts the 8x8 login URL so the user can log back in later.
- For Okta, the sign out URL may be https://YOUR_COMPANY.okta.com/login/signout?fromURI={8x8Logout}.
- Look for a Certificate in use. To locate the certificate file (*.cert, *.cer or *.crt), click Click to attach. Your identity and security system uploads the certificate file. The certificate file is validated, and you are notified of any errors.
- Save your changes.
The configuration of Okta Federated SSO is now complete.
Allows users to log in to 8x8 applications by signing in via any SAML provider of their choice.
Note: If your SAML provider requests an 8x8 URL, use https://sso.8x8.com/saml2
To configure Single Sign-On for another SAML SSO provider:
- Go to Home > Identity and Security.
- Select Single Sign on (SSO) as your authentication method. 8x8 Username and Password is also selected by default. You can choose to log in with 8x8 username, Single Sign-On, or both.
- Select Other SAML SSO Provider as your SSO provider.
- Enter a user authentication URL provided by Identity Provider (IDP) in the Sign-in page URL field; users are redirected to this URL when signing in to the system.
- Enter a user sign out URL provided by IDP to end the IDP session in the Sign-out page URL field; users are redirected to this URL when signing out of the system. The 8x8 app calls this URL after you log out of the 8x8 app. If your IDP can redirect to another URL after it ends the IDP session, you should append the variable string <{8x8Logout}>, which inserts the 8x8 login URL so the user can log back in later.
- Enter an IDP Issuer URL/URN in the IDP Issuer URL/URN field. This is also known as an IDP identifier URL/URN.
- Download the SAML signing certificate and click to attach it in the Certificate in use field.
- Save your changes.
The configuration of SAML SSO Provider Federated SSO is now complete.
This step is optional. If your company does not use unique email addresses for 8x8 usernames, then you must map 8x8 Work users to their Federation ID (for SAML) or Google ID (for Google) in the user records.
You have three options for adding/updating the Google ID/Federation ID in user records:
- Provide the Google ID/Federation ID in the CSV file during bulk user creation only.
- Provide the Google ID/Federation ID when a single user is created manually.
- Provide the Google ID/Federation ID when editing a single user manually.
To define Federation ID or Google ID in a user record:
- Go to Home > Users.
- Select a user record to edit. Based on the choice of the identity provider, the corresponding mapping field shows under Single Sign-On (SSO):
- For Okta and SAML, the Federated ID field is available. Populate the Federated ID.
- For Google, the Google ID field is available. Populate the Google ID.
- Save your changes.
You can also define Federated ID or Google ID while creating users in bulk.
To define Federation ID or Google ID while creating user records in bulk:
- Go to Home > Users.
- Click Bulk Upload.
- Download the advanced user template in the CSV format. The template opens in Excel.
- Look for columns User.FederationID and User.GoogleID, add the user data, and save the CSV file.
- Go to the Users page in 8x8 Admin Console. Click Bulk Upload.
- Drag and drop the CSV file and click Save.
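A pre-upload check for the identity mapping described above, as an added example that is not 8x8 code: it flags rows that rely on a username that is not a unique email address while the mapping column is empty, and rows that share one Federated ID or Google ID. The column names User.FederationID and User.GoogleID come from this page; the username column name `User.Username`, the case-insensitive comparison and the sample rows are assumptions made for the example.

```python
import csv
import io
import re
from collections import Counter

# Column names from the page's bulk-upload step.
FED_COL = "User.FederationID"
GOOGLE_COL = "User.GoogleID"
# Hypothetical: the page does not name the template's username column.
USERNAME_COL = "User.Username"

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample rows, not real user data.
SAMPLE = """User.Username,User.FederationID,User.GoogleID
alice@example.com,,
jsmith,,
bob,bob@example.com,
shared@example.com,,
shared@example.com,s2@example.com,
carol,dup@example.com,
dave,DUP@example.com,
"""


def check_sso_mapping(csv_text, provider="saml", username_col=USERNAME_COL):
    """Return (row_number, problem) pairs for rows with an ambiguous SSO mapping."""
    # Okta and other SAML providers use the Federated ID; Google uses the Google ID.
    id_col = GOOGLE_COL if provider == "google" else FED_COL
    # Compare case-insensitively: a conservative choice that flags more collisions.
    rows = [((r.get(username_col) or "").strip().lower(),
             (r.get(id_col) or "").strip().lower())
            for r in csv.DictReader(io.StringIO(csv_text))]
    name_count = Counter(name for name, _ in rows)
    id_count = Counter(sso_id for _, sso_id in rows if sso_id)

    problems = []
    for n, (name, sso_id) in enumerate(rows, start=2):  # row 1 is the header
        if sso_id:
            if id_count[sso_id] > 1:
                problems.append((n, f"{id_col} is shared by more than one user"))
        elif not EMAIL_RE.match(name):
            problems.append((n, f"username is not an email address and {id_col} is empty"))
        elif name_count[name] > 1:
            problems.append((n, f"username is not unique and {id_col} is empty"))
    return problems


if __name__ == "__main__":
    for row, problem in check_sso_mapping(SAMPLE):
        print(f"row {row}: {problem}")
```

Run it against the edited template before the drag-and-drop step; pass `provider="google"` to check the Google ID column instead.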
Sign in Using Federated SSO
The sign-in process for 8x8 applications is similar whether it is authenticated via SAML or Google. The initial sign-in process takes users through the 8x8 Work login page. Go to the 8x8 SSO login page, or launch the 8x8 Work for Desktop.
- In the login screen, click Use Single Sign On.
The SSO login prompt opens.
- Enter your 8x8 username or company email for validation.
- Click Continue to view your SSO options.
- Click Log in using SAML to open your identity provider's login page.
OR
Click Log in using Google to open the Google login page.
Note: Clicking Clear SSO Setting takes you back to the first login page.
- When prompted, click Allow to enable Adobe Flash Player settings to access your camera and/or microphone.
- If you selected Log in using SAML, your company's identity provider login page opens.
Note: If you log in using Okta or Centrify, the login page opens in a new browser tab instead of in the application window. Until you log in, the application window reads Login from browser....
- Enter the credentials to log in to the identity provider.
The 8x8 application launches.