Add Salesforce as a single sign-on provider

Prerequisites:
  • Single Sign-on > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization’s Salesforce account
  • Salesforce enabled as an identity provider
  • Salesforce domain deployed to all users
  • User email addresses are the same in both Salesforce and Genesys Cloud

Add Genesys Cloud as an application that organization members can access with the credentials to their Salesforce account.

Notes:
  • Genesys Cloud does not support assertion encryption for single sign-on third-party identity providers. The Genesys Cloud log in service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
  • Administrators can optionally disable the default Genesys Cloud login and enforce authentication using an SSO provider only. For more information, see Configure Genesys Cloud to authenticate with SSO only.
  • Administrators can choose to store four additional certificates to ensure business continuity. If one certificate becomes invalid or expires, the integration is preserved if one of the additional certificates is valid. 
  • There is a general problem when a Service Provider (SP) receives a SAML response from an Identity Provider (IdP) and their system clocks are not in sync. This problem can result in users getting locked out of their single sign-on when logging in. The problem might be caused by the length of the clock skew between the SP and the IdP. Clock skews between Genesys Cloud and your identity provider cannot be greater than 10 seconds.

  • The Genesys Cloud desktop app does not support the installation of browser extensions. If you have configured an Azure Conditional Access policy that requires a browser extension, you will need to use a Genesys Cloud supported browser that has the Microsoft Entra ID extension installed. Single sign-on will not work using the desktop app in this configuration.

Configure Salesforce

Troubleshoot errors using the Identity Provider Event Log.

  1. To create a connected app for Genesys Cloud, in the App Manager select New Connected App.

  2. On the New Connected App page, enter the following settings in the connected app for Genesys Cloud.

    Note: Under Web App Settings, make sure you select Enable SAML.


    Field Description
    Entity ID

    The value can be any unique string that you want to use to identify your Genesys Cloud organization.

    ACS URL The AWS region of your Genesys Cloud organization:
    US East (N. Virginia): https://login.mypurecloud.com/saml
    US East 2 (Ohio): https://login.use2.us-gov-pure.cloud/saml
    US West (Oregon):
    https://login.usw2.pure.cloud/saml
    Canada (Canada Central): https://login.cac1.pure.cloud/saml
    South America (São Paulo): https://login.sae1.pure.cloud/saml
    EU (Frankfurt): https://login.mypurecloud.de/saml
    EU (Ireland): https://login.mypurecloud.ie/saml  
    EU (London): https://login.euw2.pure.cloud/saml
    Asia Pacific (Mumbai): https://login.aps1.pure.cloud/saml
    Asia Pacific (Seoul): https://login.apne2.pure.cloud/saml 
    Asia Pacific (Sydney): 
    https://login.mypurecloud.com.au/saml
    Asia Pacific (Tokyo): https://login.mypurecloud.jp/saml
    Enable Single Logout Check the box.
    Single Logout URL The AWS region of your Genesys Cloud organization:
    US East (N. Virginia): https://login.mypurecloud.com/saml/logout
    US East 2 (Ohio): https://login.use2.us-gov-pure.cloud/saml/logout
    US West (Oregon):
    https://login.usw2.pure.cloud/saml/logout
    Canada (Canada Central): https://login.cac1.pure.cloud/saml/logout
    South America (São Paulo): https://login.sae1.pure.cloud/saml/logout
    EU (Frankfurt): https://login.mypurecloud.de/saml/logout
    EU (Ireland): https://login.mypurecloud.ie/saml/logout  
    EU (London): https://login.euw2.pure.cloud/saml/logout
    Asia Pacific (Mumbai): https://login.aps1.pure.cloud/saml/logout
    Asia Pacific (Seoul): https://login.apne2.pure.cloud/saml/logout 
    Asia Pacific (Sydney): 
    https://login.mypurecloud.com.au/saml/logout
    Asia Pacific (Tokyo): https://login.mypurecloud.jp/saml/logout
    Single Logout Binding Select HTTP Redirect.
    Subject Type User name
    Issuer Your Salesforce domain name (https://yourID.my.salesforce.com)
    Name ID Format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  3. Gather the following data from the app page:

    Field Description
    Certificate
    1. Click the certificate name next to IdP Certificate.
    2. On the Certificate and Key Detail page, click Download Certificate.
    3. Save the certificate as a .cer file.
    Issuer URI Copy the Issuer value.
    Target URI Copy the value labeled SP-Initiated Redirect Endpoint.
    Single Logout URI Copy the value labeled Single Logout Endpoint.
  4. Provide Salesforce users with access to the connected app for Genesys Cloud. 
    1. In Manage Users > Users, click Edit on a user.
    2. Click the required profile type, for example, Sales, Services, or Administrator to open the profile page.
    3. Under connected app Access, click the connected app for Genesys Cloud. 

SAML attributes

If the following SAML attributes are present in the assertion, Genesys Cloud acts on those attributes. The attributes are case-sensitive. 

Attribute name Attribute value
OrganizationName 
  • For identity provider-initiated single sign-on: Use the organization short name.
  • For service provider-initiated single sign-on: Make sure that the organization name matches the organization name that you select. It is applicable when an organization maintains multiple Genesys Cloud organizations using a single identity provider. 
email  Email address of the Genesys Cloud user to be authenticated.
  • You must be an existing Genesys Cloud user.
  • If the identity provider does not use an email address as the subject NameID, you require a valid email address.
ServiceName 

(Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:

  • directory (redirects to the Genesys Cloud Collaborate client)
  • directory-admin (redirects to the Genesys Cloud Admin UI)

Configure Genesys Cloud

  1. In Genesys Cloud, click Admin.
  2. Under Integrations, click Single Sign-on.
  3. Click the Salesforce tab.
  4. Enter the information gathered from Salesforce.

    Field Description
    Certificate

    To upload X.509 certificates for SAML signature validation, do one of the following.

    1. To upload a certificate, click Select Certificates to upload.
    2. Select the X.509 certificate.
    3. Click Open.
    4. Optionally, to load a backup certificate, repeat steps 1–3.

    Or you can:

    1. Drag and drop your certificate file.
    2. Optionally, to load a backup certificate, repeat the first step.

    Uploaded certificates appear with their expiration date. To remove a certificate, click X.

    Note: To renew or update an expiring certificate, follow these instructions to upload X.509 certificates, repeating steps 1--3. You can upload up to five certificates to Genesys Cloud per SSO configuration, and Genesys Cloud chooses the correct certificate during single sign-on and logout.

    Issuer URI Enter your Salesforce domain name (https://yourID.my.salesforce.com)
    Target URI Enter the URL labeled SP-Initiated Redirect Endpoint in the Salesforce app page.
    Single Logout URI Enter the URL labeled Single Logout Endpoint in the Salesforce app page.
    Single Logout Binding Select HTTP Redirect.
    Relying Party Identifier Add the unique identifier that you provided as the Entity ID in the Salesforce app page. 
  5. Click Save.