Ping to Okta - Identity Provider Change

Executive Summary

What is changing?

Cisco is changing Identity Providers (IDP) from PingFederate to Okta. Smart Bonding connections need to be adjusted to switch IDP providers for authentication.

What do Smart Bonding users need to do?

Smart Bonding connections need to update a few parameters for authentication and APIs. New credentials will be provided during the change phase by a Smart Bonding engineer.

Parameters that need to be adjusted:

  • URL for Authentication
  • Credentials (Client ID / Client Secret) for authentication
  • Header information for authentication
  • URLs for Smart Bonding APIs

When does this change happen?

The change will be completed by March 31, 2024. Smart Bonding project managers are scheduling times with each user.

How can this change be tested?

Smart Bonding offers a Postman collection that can be used for self-testing. It covers two options for sending the client ID and client secret to Cisco to obtain a token.

Postman Collection

Technical Details

Authentication Header:

The authentication request header needs to be formatted as follows:

Content-Type: application/x-www-form-urlencoded

Authentication URL:

| Name | Old URL | New URL |
|---|---|---|
| Staging | https://cloudsso.cisco.com/as/token.oauth2?grant_type=client_credentials | https://int-id.cisco.com/oauth2/default/v1/token?grant_type=client_credentials |
| Production | https://cloudsso.cisco.com/as/token.oauth2?grant_type=client_credentials | https://id.cisco.com/oauth2/default/v1/token?grant_type=client_credentials |

Authentication Option 1 - credentials in request body

Use your new client_id and client_secret in the message body.

Body: {"grant_type":"client_credentials", "client_id":"", "client_secret":""}

Authentication Option 2 - credentials as parameters

Use the client_id and client_secret as parameters in the message header / URL.

URL Changes:

The table below shows the URLs that need to be changed, based on which URL is currently implemented for a connection.

| Name | Old URL | New URL |
|---|---|---|
| V1 Push Staging | https://stage.sbnprd.xylem.cisco.com/sb-partner-oauth-proxy-api/rest/v1/push/call | https://ciscostage.sbnprd.xylem.cisco.com/sb-partner-oauth-proxy-api/rest/v1/push/call |
| V1 Push Production | https://sb.xylem.cisco.com/sb-partner-oauth-proxy-api/rest/v1/push/call | https://ciscoprod.sb.xylem.cisco.com/sb-partner-oauth-proxy-api/rest/v1/push/call |
| V1 Pull Staging | https://stage.sbnprd.xylem.cisco.com/sb-partner-oauth-proxy-api/rest/v1/pull/call | https://ciscostage.sbnprd.xylem.cisco.com/sb-partner-oauth-proxy-api/rest/v1/pull/call |
| V1 Pull Production | https://sb.xylem.cisco.com/sb-partner-oauth-proxy-api/rest/v1/pull/call | https://ciscoprod.sb.xylem.cisco.com/sb-partner-oauth-proxy-api/rest/v1/pull/call |
| V2 Staging | https://stage.sbnprd.xylem.cisco.com/sb-partner-oauth-proxy-api/rest/v1/tickets | https://ciscostage.sbnprd.xylem.cisco.com/sb-partner-oauth-proxy-api/rest/v1/tickets |
| V2 Production | https://sb.xylem.cisco.com/sb-partner-oauth-proxy-api/rest/v1/tickets | https://ciscoprod.sb.xylem.cisco.com/sb-partner-oauth-proxy-api/rest/v1/tickets |
| HTTP Staging | https://stage.sbnprd.xylem.cisco.com/sb-partner-oauth-proxy-api/http/v1/push/call | https://ciscostage.sbnprd.xylem.cisco.com/sb-partner-oauth-proxy-api/http/v1/push/call |
| HTTP Production | https://sb.xylem.cisco.com/sb-partner-oauth-proxy-api/http/v1/push/call | https://ciscoprod.sb.xylem.cisco.com/sb-partner-oauth-proxy-api/http/v1/push/call |
| SOAP Standard Staging | https://stage.sbnprd.xylem.cisco.com/sb-soap-standard-exp-api/ws/soap/core/CallService | https://ciscostage.sbnprd.xylem.cisco.com/sb-soap-standard-exp-api/ws/soap/core/CallService |
| SOAP Standard Production | https://sb.xylem.cisco.com/sb-soap-standard-exp-api/ws/soap/core/CallService | https://ciscoprod.sb.xylem.cisco.com/sb-soap-standard-exp-api/ws/soap/core/CallService |
| SOAP Custom Staging | https://stage.sbnprd.xylem.cisco.com/sb-soap-custom-exp-api/ws/soap/custom/CallService | https://ciscostage.sbnprd.xylem.cisco.com/sb-soap-custom-exp-api/ws/soap/custom/CallService |
| SOAP Custom Production | https://sb.xylem.cisco.com/sb-soap-custom-exp-api/ws/soap/custom/CallService | https://ciscoprod.sb.xylem.cisco.com/sb-soap-custom-exp-api/ws/soap/custom/CallService |
| TSP Pull Staging | https://stage.sbnprd.xylem.cisco.com/sb-partner-oauth-proxy-api/tsp/api/v1/xylem/tspcodes | https://ciscostage.sbnprd.xylem.cisco.com/sb-partner-oauth-proxy-api/tsp/api/v1/xylem/tspcodes |
| TSP Pull Production | https://sb.xylem.cisco.com/sb-partner-oauth-proxy-api/tsp/api/v1/xylem/tspcodes | https://ciscoprod.sb.xylem.cisco.com/sb-partner-oauth-proxy-api/tsp/api/v1/xylem/tspcodes |
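
The check below is an added example, not Cisco's or Smart Bonding's own code. It audits one connection's configured token URL and API URL against the two tables above, and it generalizes the URL table by rewriting the host and leaving the path untouched, which is what every row shows. The function name audit_connection and the finding strings are assumptions made for this example.

```python
from urllib.parse import urlsplit, urlunsplit

# Old -> new API hosts from the URL Changes table (paths are unchanged).
OLD_API_HOSTS = {
    "stage.sbnprd.xylem.cisco.com": "ciscostage.sbnprd.xylem.cisco.com",
    "sb.xylem.cisco.com": "ciscoprod.sb.xylem.cisco.com",
}
ENV_BY_HOST = {
    "ciscostage.sbnprd.xylem.cisco.com": "staging",
    "ciscoprod.sb.xylem.cisco.com": "production",
}
# Old PingFederate host and new Okta token URLs from the Authentication URL table.
OLD_TOKEN_HOST = "cloudsso.cisco.com"
TOKEN_URLS = {
    "staging": "https://int-id.cisco.com/oauth2/default/v1/token?grant_type=client_credentials",
    "production": "https://id.cisco.com/oauth2/default/v1/token?grant_type=client_credentials",
}


def audit_connection(token_url, api_url):
    """Return (new_token_url, new_api_url, findings) for one connection."""
    findings = []
    api = urlsplit(api_url)
    host = (api.hostname or "").lower()
    if api.scheme != "https":
        findings.append("api_url is not https")
    if host in OLD_API_HOSTS:
        findings.append(f"api_url still uses old host {host}")
        host = OLD_API_HOSTS[host]
    env = ENV_BY_HOST.get(host)
    if env is None:
        # Unknown host: report it and change nothing rather than guess.
        findings.append(f"api_url host {host!r} is not in the URL table")
        return token_url, api_url, findings
    # The old token URL is shared by both environments, so the environment
    # has to come from the API host, not from the token URL itself.
    expected = TOKEN_URLS[env]
    if urlsplit(token_url).hostname == OLD_TOKEN_HOST:
        findings.append("token_url still points at PingFederate")
    elif token_url != expected:
        findings.append(f"token_url is not the {env} Okta endpoint")
    return expected, urlunsplit(api._replace(netloc=host)), findings
```

An empty findings list means the connection already matches the new values; a staging API URL paired with the production token URL is reported as a mismatch.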

CURL Test

If a curl test is required, the following command requests a token:

curl -d "grant_type=client_credentials" -X POST "https://id.cisco.com/oauth2/default/v1/token?grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>"
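
The same token request using Option 1 (credentials in the request body), as an added example that is not part of the original page or the Postman collection. It assumes the body is sent form-encoded to match the Content-Type header given above, and that the response follows the standard OAuth 2.0 token format (access_token, expires_in, or an error field); with the secret in the body it does not appear in the request URL that proxies and access logs record. The function names are assumptions made for this example.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request

# New Okta token endpoints, copied from the Authentication URL table above.
TOKEN_URLS = {
    "staging": "https://int-id.cisco.com/oauth2/default/v1/token?grant_type=client_credentials",
    "production": "https://id.cisco.com/oauth2/default/v1/token?grant_type=client_credentials",
}


def build_token_request(env, client_id, client_secret):
    """Option 1: credentials travel in the POST body, never in the URL."""
    if not client_id or not client_secret:
        raise ValueError("client_id and client_secret must both be set")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode("ascii")
    return urllib.request.Request(
        TOKEN_URLS[env], data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw, now=None):
    """Return (access_token, expiry_epoch); raise on an OAuth error body."""
    doc = json.loads(raw)
    if "error" in doc:  # OAuth 2.0 error response, e.g. invalid_client
        raise PermissionError(f"{doc['error']}: {doc.get('error_description', '')}")
    now = time.time() if now is None else now
    # Treat the token as expired 60 s early so it is not used at the edge.
    return doc["access_token"], now + int(doc.get("expires_in", 0)) - 60


def fetch_token(env, client_id, client_secret, timeout=10):
    """Send the request (needs network access and valid credentials)."""
    req = build_token_request(env, client_id, client_secret)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_token_response(resp.read())
    except urllib.error.HTTPError as exc:
        return parse_token_response(exc.read())
```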

ServiceNow App Users

Companies using the ServiceNow App for Smart Bonding will only need to change one system property and then update the authentication credentials provided by the Smart Bonding engineer.

System Parameter

On the Cisco Task Properties page in your ServiceNow system, change the first property (Cisco Identity Provider) from "Ping" to "Okta".

Update the Cisco-provided username and password under the Stage and Production Integration Properties sections with the credentials provided by the Smart Bonding engineer.

Testing with Cisco

In conjunction with the changes detailed above, Smart Bonding must also make a change on the Smart Bonding platform for the changes to take effect. Testing the connection from your ticketing system will not be successful until both parties have made the required changes. The Smart Bonding team will coordinate live testing sessions for each connection to verify the changes.