Add a generic single sign-on provider

  • Single Sign-on > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization’s identity provider account
  • User email addresses are the same in your organization’s identity provider account and in PureCloud

The generic identity provider configuration enables PureCloud customers to integrate with most identity providers that support SAML 2.0. 

  • PureCloud does not support assertion encryption for single sign-on third-party identity providers. The PureCloud log in service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
  • Administrators can optionally disable the default PureCloud login and enforce authentication using an SSO provider only. For more information, see Configure PureCloud to authenticate with SSO only.

Configure your organization’s identity provider

Get the certificate for PureCloud configuration

Find and download your identity provider’s encoded public certificate for SAML signature validation.

Note: PureCloud accepts PEM and DER encoded certificates, as well as Base64 encoded certificates.

Get the metadata for PureCloud configuration

Find and download your identity provider’s metadata file containing the issuer (entityID) and redirect URL for configuring PureCloud in your organization’s identity provider account.

Provide the Assertion Consumer Service (ACS) URL

When prompted to enter the Assertion Consumer Service (ACS) URL, select the appropriate URL based on your AWS deployment region.

AWS Region


US East (N. Virginia)

US West (Oregon) 

Canada (Canada Central) 

EU (Frankfurt)

EU (Ireland) 

EU (London)

Asia Pacific (Seoul)

Asia Pacific (Sydney)

Asia Pacific (Tokyo)

Configure user attributes and claims

Configure these PureCloud user attributes for your identity provider. The attributes are case-sensitive. 

Attribute name Attribute value
  • For identity provider-initiated single sign-on: Use the organization short name.
  • For service provider-initiated single sign-on: The organization name must match the organization that the user selects. Applicable when an organization maintains multiple PureCloud organizations using a single identity provider. 
email  Email address of the PureCloud user to be authenticated.

  • Must be an existing PureCloud user.
  • Required if the identity provider does not use an email address as the subject NameID.

(Optional). A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:

  • directory (redirects to the PureCloud Collaborate client)
  • directory-admin (redirects to the PureCloud Admin UI)
Note: To add a custom claim, consult the your identity provider’s documentation.

Configure PureCloud

    1. In PureCloud, click Admin.
    2. Under Integrations, click Single Sign-on.
    3. Click the Generic SSO Provider tab.
    4. Enter the metadata gathered from your organization’s identity provider.

      In this field… Do this…
      Provider Logo Insert an SVG image, no larger than 25 KB.
      Provider Name Type the identity provider name.
      The Provider’s Certificate

      1. Click Browse.
      2. Select the certificate you saved to a text file and click Open.

      The Provider’s Issuer URI Enter the entityID provided in the identity provider’s metadata file.
      Target URL Enter the redirect URL provided in the identity provider’s metadata file.
      Relying Party Identifier Enter the string to use to identify PureCloud to the identity provider. 
      Note: Some identity providers expect the service provider to specify the relying party identifier. For this situation, provide a string to input to both Purecloud and the identity provider. Other identity providers generate a relying party identifier in their metadata file. For this situation, enter that string.
    5. (Optional) Select Endpoint Compression to compress the PureCloud authentication request.
    6. Click Save.