Add OneLogin as a single sign-on provider

Prerequisites
  • Single Sign-on > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization’s OneLogin account
  • OneLogin Desktop Single Sign-on (SSO) unavailable
  • User email addresses are the same in both OneLogin and Genesys Cloud

Add Genesys Cloud as an application that organization members can access with the credentials to their OneLogin account.

Notes:
  • Genesys Cloud does not support assertion encryption for single sign-on third-party identity providers. The Genesys Cloud log in service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
  • Administrators can optionally disable the default Genesys Cloud login and enforce authentication using an SSO provider only. For more information, see Configure Genesys Cloud to authenticate with SSO only.
  • Administrators can choose to store four additional certificates to ensure business continuity. If one certificate becomes invalid or expires, the integration is preserved if one of the additional certificates is valid. 

  • There is a general problem when a Service Provider (SP) receives a SAML response from an Identity Provider (IdP) and their system clocks are not in sync. This problem can result in users getting locked out of their single sign-on when logging in. The problem might be caused by the length of the clock skew between the SP and the IdP. Clock skews between Genesys Cloud and your identity provider cannot be greater than 10 seconds.

  • The Genesys Cloud desktop app does not support the installation of browser extensions. If you have configured an Azure Conditional Access policy that requires a browser extension, you will need to use a Genesys Cloud supported browser that has the Microsoft Entra ID extension installed. Single sign-on will not work using the desktop app in this configuration.

Configure OneLogin

Create a SAML application

  1. Add the OneLogin app called SAML Custom Connector (Advanced).
  2. In the app page, click the Configuration tab. 

  3. Complete the following fields and leave the remaining fields blank.

    Field Description
    Audience (Entity ID)

    Type a value used for identifying your organization to the Identity Provider, that is “genesys.cloud.my-org.”
    ACS (Consumer) URL Validator

    Type the URL of your Genesys Cloud organization for the AWS region:

    US East (N. Virginia): ^https:\/\/login\.mypurecloud\.com\/saml
    US East 2 (Ohio): ^https:\/\/login\.use2.us-gov-pure\.cloud\/saml
    US West (Oregon): ^https:\/\/login\.usw2\.pure\.cloud\/saml
    Canada (Canada Central): ^https:\/\/login\.cac1\.pure\.cloud\/saml
    South America (São Paulo): ^https:\/\/login\.sae1\.pure\.cloud\/saml
    EU (Frankfurt): ^https:\/\/login\.mypurecloud\.de\/saml
    EU (Ireland): ^https:\/\/login\.mypurecloud\.ie\/saml
    EU (London): ^https:\/\/login\.euw2\.pure\.cloud\/saml
    Asia Pacific (Mumbai): ^https:\/\/login\.aps1\.pure\.cloud\/saml
    Asia Pacific (Seoul): ^https:\/\/login\.apne2\.pure\.cloud\/saml
    Asia Pacific (Sydney): ^https:\/\/login\.mypurecloud\.com\.au\/saml
    Asia Pacific (Tokyo): ^https:\/\/login\.mypurecloud\.jp\/saml
    ACS (Consumer) URL

    Type the URL of your Genesys Cloud organization for the AWS region:
    US East (N. Virginia): https://login.mypurecloud.com/saml
    US East 2 (Ohio): https://login.use2.us-gov-pure.cloud/saml
    US West (Oregon): https://login.usw2.pure.cloud/saml
    Canada (Canada Central): https://login.cac1.pure.cloud/saml
    South America (São Paulo): https://login.sae1.pure.cloud/saml
    EU (Frankfurt): https://login.mypurecloud.de/saml
    EU (Ireland): https://login.mypurecloud.ie/saml
    EU (London): https://login.euw2.pure.cloud/saml
    Asia Pacific (Mumbai): https://login.aps1.pure.cloud/saml
    Asia Pacific (Seoul): https://login.apne2.pure.cloud/saml
    Asia Pacific (Sydney):     https://login.mypurecloud.com.au/saml
    Asia Pacific (Tokyo): https://login.mypurecloud.jp/saml
    Single Logout URL

    Type the URL of your Genesys Cloud organization for the AWS region:

    US East (N. Virginia): https://login.mypurecloud.com/saml/logout
    US East 2 (Ohio): https://login.use2.us-gov-pure.cloud/saml/logout
    US West (Oregon):     https://login.usw2.pure.cloud/saml/logout
    Canada (Canada Central): https://login.cac1.pure.cloud/saml/logout
    South America (São Paulo): https://login.sae1.pure.cloud/saml/logout
    EU (Frankfurt): https://login.mypurecloud.de/saml/logout
    EU (Ireland): https://login.mypurecloud.ie/saml/logout
    EU (London): https://login.euw2.pure.cloud/saml/logout
    Asia Pacific (Mumbai): https://login.aps1.pure.cloud/saml/logout
    Asia Pacific (Seoul): https://login.apne2.pure.cloud/saml/logout
    Asia Pacific (Sydney):     https://login.mypurecloud.com.au/saml/logout
    Asia Pacific (Tokyo): https://login.mypurecloud.jp/saml/logout
    Sign SLO Request

    Check the box.
    Sign SLO Response

    Check the box.
  4. Click the Parameters tab.
  5. Click Add parameter.
  6. Complete the following fields. 
    Field Description
    Name Type OrganizationName.
    Flags Check Include in SAML assertion.
  7. Click Save.
  8. Click the newly created OrganizationName parameter.
  9. In the Value field:
    1. From the list, select Macro.
    2. Type the short name of your Genesys Cloud organization. If you do not know the short name of your organization, click Admin > Account Settings > Organization Settings in Genesys Cloud. 
  10. Click Save.

SAML attributes

If the following extra SAML attributes are present in the assertion, Genesys Cloud acts on the attributes. The attributes are case-sensitive. 

Attribute name Attribute value
email  Email address of the Genesys Cloud user must be authenticated.
  • You must be an existing Genesys Cloud user.
  • If the identity provider does not use an email address as the subject NameID, you need a valid email address.
ServiceName 

(Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:

  • directory (redirects to the Genesys Cloud Collaborate client)
  • directory-admin (redirects to the Genesys Cloud Admin UI)

Get the certificate for the Genesys Cloud configuration

  1. Click the SSO tab.
  2. Under Certificate, click View Details.
  3. Under the X.509 Certificate, select “X.509 PEM” and click Download.
  4. Save the certificate for later use.

Get the metadata for the Genesys Cloud configuration

Note: Genesys Cloud supports the http-redirect SAML URL only. The OneLogin SSO tab no longer shows this URL by default in the SAML 2.0 Endpoint (HTTP) field. (It now shows the http-post URL instead.) However, the http-redirect URL is still available in the SAML Metadata file.
  1. Click the SSO tab.
  2. Copy the following metadata that you need for the Genesys Cloud configuration to a text file. 
    Field Description
    Issuer URL Copy the URL from the Issuer URL field.
    SAML 2.0 Endpoint (HTTP)
    1. Under More Actions, click SAML Metadata.
    2. Download and open the SAML Metadata file.
    3. Find the SingleSignOnService tag with Binding equal to “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect,” for example:  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://your-organization/onelogin.com/trust/saml2/http-redirect/sso/123456>
    4. Copy the URL following “Location =,” for example:
      https://your-organization/onelogin.com/trust/saml2/http-redirect/sso/123456
    SLO Endpoint (HTTP) Copy the URL from the SLO Endpoint (HTTP) field.

Configure Genesys Cloud

  1. In Genesys Cloud, click Admin.
  2. Under Integrations, click Single Sign-on.
  3. Click the OneLogin tab.
  4. Enter the information gathered in the previous procedure:
    Field Description
    Certificate

    To upload X.509 certificates for SAML signature validation, do one of the following.

    1. To upload a certificate, click Select Certificates to upload.
    2. Select the X.509 certificate.
    3. Click Open.
    4. Optionally, to load a backup certificate, repeat steps 1–3.

    Or you can:

    1. Drag and drop your certificate file.
    2. Optionally, to load a backup certificate, repeat the first step.

    Uploaded certificates appear with their expiration date. To remove a certificate, click X.

    Note: To renew or update an expiring certificate, follow these instructions to upload X.509 certificates, repeating steps 1--3. You can upload up to five certificates to Genesys Cloud per SSO configuration, and Genesys Cloud chooses the correct certificate during single sign-on and logout.

    OneLogin Issuer URI Type the URL from the Issuer URL field in OneLogin.
    Target URL

    Type the URL from the SAML 2.0 Endpoint (HTTP) field. 
    Single Logout URI

    Type the URL from the SLO Endpoint (HTTP) field in OneLogin.
    Single Logout Binding Select HTTP Redirect.
    Audience (Entity ID)  Type the OneLogin Audience (EntityID) value. Make sure that this value is the same in both Genesys Cloud and OneLogin. 
  5. Click Save.