How can I prevent SSO login redirecting to production from my upgrade or test site?

• Oracle B2C Service, all versions
• Single Sign-On login flow
• Customer Portal or agent login

• Open Agent Desktop from internal launch link — profile permission "SSO Login (SAML 2.0)" is unchecked
• View/modify configuration settings
• Edit/deploy Customer Portal files
• Manage Certificates
• Access Single Sign-On Configurations

• IdP must use correct assertion consumer service (ACS) URL
• Signing certificate used by the IdP must be uploaded in Agent Desktop’s File Manager and its fingerprint included in SAML_20_SIGN_CERTS
• SAML subject is email? Remove ".invalid" from contact emails
• If users are redirected automatically, and sent to production after login:
  • Check configuration settings
    • If PTA_ENABLED is true, and PTA_EXTERNAL_LOGIN_URL has a value, redirect is automatic from CP framework
    • Update PTA_EXTERNAL_LOGIN_URL to the correct one for this environment and save
    • Recommended: revert PTA_EXTERNAL_LOGIN_URL to original value before update cutover
  • Check CP customizations
    • Redirect may be in the template and require you to change a hard-coded URL
    • Stage and deploy any code changes
    • Some implementations may use a custom configuration setting, which should not require deployment of Customer Portal after update
    • Consult your internal documentation, or your implementer, to investigate how the code makes the redirect and resolve the issue

• General considerations
  • SAML subject is email? Remove ".invalid" from agent emails
  • An example custom report is attached to this answer. It shows how to identify what agent accounts have invalid email addresses, and whether their profile uses SSO or local login.
• SP-initiated SSO (login page for Oracle B2C Service is replaced with your company’s login)
  • Go to Single Sign-On Configurations.
    • Uncheck Web SSO for the production IdP configuration and disable it
    • Add (or enable) the IdP settings for this environment, turning on Web SSO for the new IdP
    • Save your changes
  • Check that SSO_ENTITY_ID matches what is configured in the IdP
    • At cloning, this value is set to the default unique value for this environment (config setting is blank). This is the same unique value every time for each environment (that for tst1 being different than tst2, and so on)
    • You may have previously changed it to meet the naming standard of your IdP, especially if using Azure/AD FS. Set it again to that same value.
    • Modifications to this configuration setting will not be carried over at update cutover.
  • If you choose to disable agent SSO
    • Uncheck Web SSO from IdP in Single Sign-On Configurations
    • Uncheck "SSO Login (SAML 2.0)" profile permission for all testers
    • Remove ".invalid" from the end of agent emails
    • Enable service mailbox so agents can reset their passwords
  • Changes here will not be carried over at update cutover
• For IdP-initiated SSO (agents use a bookmark to the IdP)
  • IdP must use the correct ACS URL
  • Certificate(s) must be uploaded in File Manager
  • Endpoint certificate must be in the configuration setting SAML_20_SIGN_CERTS

• In CP customizations, you could use a switch() statement to choose a redirect URL programmatically. \RightNow\Utils\Config::getConfig(DB_NAME) or getConfig(1) should be the site name: mysite, mysite__upgrade, mysite__tst1, etc.
• For SP-initiated agent login, you can set up all test IdP configurations in production and leave them disabled. Now when the site is cloned, all that is needed in Single Sign-on Configurations is to uncheck Web SSO from the production IdP and turn it on for the appropriate test configuration.
• For CP and IdP-initiated agent flows, you can keep the certificate and/or fingerprint in place. Then you would only have to re-add one of them at most.