SSO Configuration Management


Creating an SSO Configuration

Talkative supports SAML-based login for users. This can be configured from the General settings page in your account.

The Talkative SSO configuration has a list of pre-set claims, but you can change this to suit your needs depending upon your SSO provider.

To set up an SSO provider, complete the form on this page. Information about each of the fields can be found below.

Custom Login URL

For ease of use, we provide a custom login URL. When used, this will automatically redirect your users to your identity provider for authentication.

Enable Cross Company Configuration

Users log in via their email address and password. Email addresses must be unique, and cannot currently be used across companies. If you are a sole tenant with a single SSO provider, you can click on “Sign in using Single Sign On” on the login page.

This will allow the user to enter their email address, which is used to look up the correct identity provider. It does this by inspecting the user's email address, and using the domain associated with the email to find the correct identity provider. If you need to use the same user pool with multiple Talkative tenants in the same region, you will not be able to use this method, as an email domain may not be unique to a tenant.

Enabling cross company usage disables this method of login. Users will instead be required to log in by visiting the unique domain generated during the SSO setup.

If using cross company with an external distributor, it is recommended that you also enable the “force SSO login flow” in the company configs. This will automatically redirect users using an external client to the identity provider based on the company the interaction being routed belongs to.
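The email-domain lookup described above, and the reason it stops working once a domain is shared between tenants, can be modelled as follows. This is an added example, not Talkative's code; the tenant names, domains, URLs and function names are constructed assumptions.

```python
# Illustrative model only: not Talkative's implementation.
# Tenants, domains and login URLs below are constructed sample data.
SSO_CONFIGS = [
    {"tenant": "acme-support", "domains": {"acme.example"},
     "cross_company": False, "login_url": "https://sso.invalid/acme-support"},
    {"tenant": "shared-sales", "domains": {"group.example"},
     "cross_company": True, "login_url": "https://sso.invalid/shared-sales"},
    {"tenant": "shared-care", "domains": {"group.example"},
     "cross_company": True, "login_url": "https://sso.invalid/shared-care"},
]


def email_domain(email):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower()


def discover_by_email(email, configs=SSO_CONFIGS):
    """Model of 'Sign in using Single Sign On': email domain -> one tenant.

    Returns the tenant's login URL, or None when the lookup cannot be used
    and the user has to visit the tenant's own login URL instead.
    """
    domain = email_domain(email)
    if domain is None:
        return None
    # Exact match only: a subdomain is a different domain.
    matches = [c for c in configs if domain in c["domains"]]
    if len(matches) != 1:
        return None  # unknown domain, or domain shared by several tenants
    # Cross company usage disables lookup by email for that configuration.
    if matches[0]["cross_company"]:
        return None
    return matches[0]["login_url"]
```
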

Just-in-Time User Provisioning

For ease of use, JIT can be used to provision accounts for users when they first log in to the system. The provisioned user will be granted either the role of agent or, if mapped using the groups, the permission assigned in the permission mapping, which can be done after the SSO configuration is set up. If this is not enabled, users will have to be created either manually using the User Management page, or by using the SCIM API to provision users directly from your identity provider.

Federated Metadata File

The federated metadata file is provided by your identity provider. Some providers require some basic configuration in place to allow this file to be generated. You may need to enter some placeholder data into your identity provider first to allow this file to be generated.

NB: This workflow is currently being reviewed following changes to several identity providers that require the assertion data before allowing the creation of a metadata file. At the time of writing, this option is on the setup page, but it may be moved to the management page instead.

Claim Configuration

Talkative relies on information provided in claims to provision new users, map permissions and update user details. We have several pre-set configurations which you can use. These are based on integrating with Azure Active Directory using Role or Group based permission mapping, Salesforce using group based permission mapping, or GSuite with no permission mappings. The GSuite user mappings can also be used for identity providers like Okta.

Default User Group

In Talkative, Agents are mapped to Groups, and Groups are mapped to Queues. To simplify the JIT workflow, you can set a default group that new SSO users are assigned to when they log in for the first time. This is optional, and users can be left unmapped on first login. If you choose not to assign a default group, users will need to be assigned to a group by a supervisor or account holder.

Managing an SSO Configuration

Once your initial SSO is configured, there are some additional steps required to link your SSO config to your identity provider. If you have just finished the initial setup, you will be automatically redirected to this page; otherwise, you can access the same page by following the same route you used to create an SSO configuration.

SSO Configuration Detail

From this pane, you can find your Identifier, Reply URL and your Sign on URL. The Identifier and Reply URL will need to be copied and added to the relevant configuration in your identity provider.

Permission Mapping

Permission mapping allows you to map permission groups in your identity provider to a role in Talkative. The role mappings might look like a UUID if you are mapping groups in Azure, or, if you are mapping roles, it would be a role like “Agent”. You can map multiple rules by separating them with a pipe operator (|).

Authorised Domains

Only domains which are authorised here will be able to access the application. If your user is john@example.com, you would enter example.com. This domain must be unique across the entire system, unless the other company using it has also enabled cross company access.
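How the authorised domain check, the pipe-separated permission mapping and the JIT defaults combine on a first login can be sketched like this. It is an added example, not Talkative's code: the claim keys, the "supervisor" role, the UUIDs, the group name, the mapping layout and the first-match rule for users in several mapped groups are all assumptions.

```python
# Illustrative model only: not Talkative's implementation.
# Claim keys, UUIDs, "supervisor" and "Tier 1" are constructed sample data.
AUTHORISED_DOMAINS = {"example.com"}
DEFAULT_ROLE = "agent"      # role granted by JIT when no mapping applies
DEFAULT_GROUP = "Tier 1"    # optional; None would leave the user unmapped

# Assumed layout: one entry per Talkative role, identity provider values
# (group UUIDs or role names) joined with the pipe operator.
PERMISSION_MAPPING = {
    "supervisor": "0f3c9a1e-0000-4000-8000-000000000001|Supervisor",
    "agent": "0f3c9a1e-0000-4000-8000-000000000002|Agent",
}


def parse_mapping(mapping):
    """Expand pipe-separated values into a lookup: provider value -> role."""
    lookup = {}
    for role, raw in mapping.items():
        for value in raw.split("|"):
            value = value.strip()
            if value:
                lookup[value] = role
    return lookup


def provision(claims, jit_enabled=True):
    """Decide the outcome of a first SSO login for a user with no account.

    Returns a dict describing the new user, or None when login is refused.
    """
    email = claims.get("email", "")
    domain = email.rpartition("@")[2].lower()
    # Exact match: "example.com.evil.test" is not "example.com".
    if "@" not in email or domain not in AUTHORISED_DOMAINS:
        return None
    if not jit_enabled:
        return None  # account must be created manually or via SCIM first
    lookup = parse_mapping(PERMISSION_MAPPING)
    roles = [lookup[g] for g in claims.get("groups", []) if g in lookup]
    # Assumption: the first mapped group wins; unmapped users become agents.
    role = roles[0] if roles else DEFAULT_ROLE
    return {"email": email.lower(), "role": role, "group": DEFAULT_GROUP}
```
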

Deleting an SSO Configuration

If you no longer wish to use your SSO configuration, or if you need to change to a new identity provider, you can delete the config by clicking this button. If you remove an SSO configuration, your SSO users will no longer be able to log in via the identity provider. If you want to return to integrated login, the users will need to reset their password using the normal Talkative password reset flow.