Identity and Access Management
Overview
Expertflow CX IAM (Identity and Access Management), backed by Keycloak, enables users to access all Expertflow CX resources securely. It lets you control authentication (who can sign in to CX) and authorization (who is permitted to use a CX resource).
User Management
User management in Keycloak can be done through the Keycloak Admin Console, which is a web-based interface that allows administrators to manage users, roles, and permissions.
You can access your Keycloak Admin Console at https://[server-fqdn]/auth
See how user management can be done on the Keycloak interface here
Authentication
Standalone
Expertflow CX can be deployed on-premises or in the cloud as a standalone web application. After a successful deployment, you need to set up your client (resource server) in the Keycloak instance for authentication to work; refer to the Keycloak Client Resource Management Setup guide to set up your client.
Cisco
Apart from the standalone deployment, you can set up your Expertflow CX solution within the Cisco Finesse environment (i.e. UCCX or UCCE). The following two methods are available as part of Expertflow CX IAM:
- Login with Finesse (SSO)
- Login with Finesse (Without SSO)
Extension Mobility Login: With this option, agents can log in to Cisco Finesse using their Cisco Unified Communications Manager (CUCM) user ID and password. This allows agents to use their physical phones to handle calls and other interactions through the Finesse desktop.
Non-Extension Mobility Login: Agents can also log in to Cisco Finesse without using Extension Mobility. This login method is helpful for remote agents who do not have a physical phone or for agents not associated with a particular device.
Single Sign-On (SSO) Login: Cisco Finesse can also be configured to use SSO for agent authentication. This allows agents to log in to Finesse using their corporate network credentials, without the need for a separate username and password.
Using any one of the above authentication methods, you can set up your Finesse environment with Expertflow CX.
Authorization
Expertflow CX manages permissions and access to the different application resources through Keycloak IAM. Role-based permissions apply at the top access level (i.e. admin, agent, supervisor), and for more granular access levels a group-based implementation is also available. See Security and User Permissions for more information.
Re-Authorization
Keycloak provides single sign-on, multi-factor authentication, and authorization services. Re-authorization in Keycloak refers to renewing the access token (and, with it, the refresh token) granted to a user after the access token has expired, using the still-valid refresh token.
The process of re-authorization in Keycloak involves the following steps:
Obtain a new access token: When the access token granted to a user expires, the user can obtain a new access token by sending a request to the Keycloak server. This request must include the refresh token that was issued with the original access token.
Verify the refresh token: The Keycloak server verifies the refresh token and ensures that it is still valid. If the refresh token is valid, the server issues a new access token to the user.
Update the token expiration time: The new access token will have a new expiration time, based on the configuration settings in Keycloak.
Use the new access token: The user can then use the new access token to access protected resources or services.
The process of re-authorization in Keycloak may vary depending on the specific configuration settings and customer policies in place. Our solution, however, follows the steps above.
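The four steps above, as an added example that is not part of the Expertflow documentation: a small Python client that decides when an access token is due for renewal, sends the refresh_token grant to Keycloak's token endpoint (under the same /auth path as the admin console URL above), and treats an invalid_grant reply as "sign in again" rather than a retry. The realm name and client id are assumptions, as is the public-client setup without a client secret.

```python
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# Assumed values (not from the page): base path from the admin console URL, placeholder realm/client.
KEYCLOAK_BASE = "https://[server-fqdn]/auth"
REALM = "expertflow-cx"   # assumption
CLIENT_ID = "cx-web"      # assumption: a public client, so no client_secret

def token_endpoint(base=KEYCLOAK_BASE, realm=REALM):
    """Keycloak's OpenID Connect token endpoint for the realm."""
    return f"{base}/realms/{realm}/protocol/openid-connect/token"

def jwt_exp(token):
    """Read 'exp' from the JWT payload without verifying the signature (scheduling only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)              # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["exp"]

def needs_refresh(access_token, now=None, skew=30):
    """True once the access token is expired or within `skew` seconds of expiring."""
    now = time.time() if now is None else now
    return jwt_exp(access_token) - skew <= now

def refresh_form(refresh_token, client_id=CLIENT_ID, client_secret=None):
    """Form body of the refresh_token grant (RFC 6749 section 6) that Keycloak expects."""
    form = {"grant_type": "refresh_token", "client_id": client_id, "refresh_token": refresh_token}
    if client_secret:                                  # confidential clients only
        form["client_secret"] = client_secret
    return form

def refresh(refresh_token, opener=urllib.request.urlopen):
    """POST the refresh token; return the new token set, or None when Keycloak rejects
    the refresh token (expired, revoked, reused): then the user must sign in again."""
    req = urllib.request.Request(
        token_endpoint(), method="POST",
        data=urllib.parse.urlencode(refresh_form(refresh_token)).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with opener(req) as resp:
            return json.loads(resp.read())            # access_token, refresh_token, expires_in
    except urllib.error.HTTPError as err:
        if json.loads(err.read()).get("error") == "invalid_grant":
            return None
        raise
```

Keycloak returns a new refresh token with every successful refresh, so the caller should store the returned pair and discard the old one.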
Integration with external IDPs
Keycloak supports a wide range of external identity providers (IDPs), which you can use to authenticate and authorize your existing users with Expertflow CX. Below is the list of external IDPs supported by Keycloak:
LDAP: Keycloak can integrate with LDAP directories, such as Microsoft Active Directory and OpenLDAP, to authenticate and authorize users.
SAML: Keycloak supports the SAML 2.0 standard, which allows integration with a variety of SAML identity providers, including Okta, Azure AD, and PingFederate.
OAuth 2.0/OpenID Connect: Keycloak can act as an OAuth 2.0/OpenID Connect identity provider or client, which allows integration with a variety of external OAuth 2.0 and OpenID Connect providers, including Google, Facebook, and Microsoft.
Kerberos: Keycloak can integrate with Kerberos authentication systems, which allows users to authenticate with their Kerberos credentials.
Others: Keycloak also supports other identity providers, such as X.509 certificates, JWT tokens, and social identity providers like Twitter, GitHub, and LinkedIn.