Add a generic single sign-on provider - Genesys Cloud Resource Center

Prerequisites:

Single Sign-on > Provider > Add, Delete, Edit, View permissions
Admin role in your organization’s identity provider account
User email addresses are the same in your organization’s identity provider account and in Genesys Cloud

The generic identity provider configuration enables Genesys Cloud customers to integrate with most identity providers that support SAML 2.0.

Notes:

Genesys Cloud does not support assertion encryption for single sign-on third-party identity providers. The Genesys Cloud log in service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
Administrators can optionally disable the default Genesys Cloud login and enforce authentication using an SSO provider only. For more information, see Configure Genesys Cloud to authenticate with SSO only.
Administrators can choose to store four additional certificates to ensure business continuity. If one certificate becomes invalid or expires, the integration is preserved if one of the additional certificates is valid.
There is a general problem when a Service Provider (SP) receives a SAML response from an Identity Provider (IdP) and their system clocks are not in sync. This problem can result in users getting locked out of their single sign-on when logging in. The problem might be caused by the length of the clock skew between the SP and the IdP. Clock skews between Genesys Cloud and your identity provider cannot be greater than 10 seconds.
The Genesys Cloud desktop app does not support the installation of browser extensions. If you have configured an Azure Conditional Access policy that requires a browser extension, you will need to use a Genesys Cloud supported browser that has the Azure AD extension installed. Single sign-on will not work using the desktop app in this configuration.

Configure your organization’s identity provider

Get the certificate for Genesys Cloud configuration

Find and download your identity provider’s encoded public certificate for SAML signature validation.

Note: Genesys Cloud accepts PEM and DER encoded certificates, and Base64 encoded certificates.

Get the metadata for Genesys Cloud configuration

Find and download your identity provider’s metadata file containing the issuer (entityID), single sign-on URL, and Single Logout URL for configuring Genesys Cloud in your organization’s identity provider account.

Provide the Assertion Consumer Service (ACS) URL

When prompted to enter the Assertion Consumer Service (ACS) URL, select the appropriate URL based on your AWS deployment region.

AWS Region	URL
US East (N. Virginia)	`https://login.mypurecloud.com/saml`
US East 2 (Ohio)	`https://login.use2.us-gov-pure.cloud/saml`
US West (Oregon)	`https://login.usw2.pure.cloud/saml`
Canada (Canada Central)	`https://login.cac1.pure.cloud/saml`
South America (São Paulo)	`https://login.sae1.pure.cloud/saml`
EU (Frankfurt)	`https://login.mypurecloud.de/saml`
EU (Ireland)	`https://login.mypurecloud.ie/saml`
EU (London)	`https://login.euw2.pure.cloud/saml`
Asia Pacific (Mumbai)	`https://login.aps1.pure.cloud/saml`
Asia Pacific (Seoul)	`https://login.apne2.pure.cloud/saml`
Asia Pacific (Sydney)	`https://login.mypurecloud.com.au/saml`
Asia Pacific (Tokyo)	`https://login.mypurecloud.jp/saml`

Provide the Single Logout URL

When prompted to enter the Single Logout URL, select the appropriate URL based on your AWS deployment region.

AWS Region	URL
US East (N. Virginia)	`https://login.mypurecloud.com/saml/logout`
US East 2 (Ohio)	`https://login.use2.us-gov-pure.cloud/saml/logout`
US West (Oregon)	`https://login.usw2.pure.cloud/saml/logout`
Canada (Canada Central)	`https://login.cac1.pure.cloud/saml/logout`
South America (São Paulo)	`https://login.sae1.pure.cloud/saml/logout`
EU (Frankfurt)	`https://login.mypurecloud.de/saml/logout`
EU (Ireland)	`https://login.mypurecloud.ie/saml/logout`
EU (London)	`https://login.euw2.pure.cloud/saml/logout`
Asia Pacific (Mumbai)	`https://login.aps1.pure.cloud/saml/logout`
Asia Pacific (Seoul)	`https://login.apne2.pure.cloud/saml/logout`
Asia Pacific (Sydney)	`https://login.mypurecloud.com.au/saml/logout`
Asia Pacific (Tokyo)	`https://login.mypurecloud.jp/saml/logout`

Provide the Service Provider Entity ID

When prompted to enter the Service Provider Entity ID, the value can be any unique string that you want to use to identify your Genesys Cloud organization. The field is also sometimes called Issuer or Audience URI.

Provide the Genesys Cloud Signing Certificate

When prompted to enter a signing certificate, upload the file obtained from Genesys cloud.

In Genesys Cloud, click Admin.
Under Integrations, click Single Sign-on.
Click the Okta tab.
Under Genesys Cloud Signing Certificate, click Download Certificate.
Save the file.

Configure user attributes and claims

Configure these Genesys Cloud user attributes for your identity provider. The attributes are case-sensitive.

Attribute name	Attribute value
OrganizationName	For identity provider-initiated single sign-on: Use the organization short name. For service provider-initiated single sign-on: Make sure that the organization name matches the organization name that you select. It is applicable when an organization maintains multiple Genesys Cloud organizations using a single identity provider.
email	Email address of the Genesys Cloud user to be authenticated. You must be an existing Genesys Cloud user. If the identity provider does not use an email address as the subject NameID, you require a valid email address.
ServiceName	(Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords: directory (redirects to the Genesys Cloud Collaborate client) directory-admin (redirects to the Genesys Cloud Admin UI)

Note: To add a custom claim, consult your identity provider’s documentation.

Configure Genesys Cloud

In Genesys Cloud, click Admin.
Under Integrations, click Single Sign-on.
Click the Generic SSO Provider tab.

Enter the metadata gathered from your organization’s identity provider.

Field	Description
Provider Logo	Insert an SVG image, no larger than 25 KB.
Provider Name	Type the identity provider name.
The Provider’s Certificate	To upload X.509 certificates for SAML signature validation, do one of the following. To upload a certificate, click Select Certificates to upload. Select the X.509 certificate. Click Open. Optionally, to load a backup certificate, repeat steps 1–3. Or you can: Drag and drop your certificate file. Optionally, to load a backup certificate, repeat the first step. Uploaded certificates appear with their expiration date. To remove a certificate, click X. Note: To renew or update an expiring certificate, follow these instructions to upload X.509 certificates, repeating steps 1--3. You can upload up to five certificates to Genesys Cloud per SSO configuration, and Genesys Cloud chooses the correct certificate during single sign-on and logout.
The Provider’s Issuer URI	Enter the entityID provided in the identity provider’s metadata file.
Target URL	Enter the Single Sign On URL provided in the identity provider’s metadata file.
Single Logout URI	Enter the Single Logout URL provided in the identity provider’s metadata file.
Single Logout Binding	Choose the same binding as the one selected in the identity provider. If no binding is specified, choose HTTP Redirect.
Relying Party Identifier	Enter the string to identify Genesys Cloud to the identity provider. Note: If the identity providers expect the service provider to specify the relying party identifier, enter a string to input both Genesys Cloud and the identity provider. If the identity providers generate a relying party identifier in their metadata file, enter that string.
Name Identifier Format	Choose the Name Identifier Format that your identity provider supports. If your provider supports Email Address, that is the preferred format. If no Name Identifier Format is known, choose Unspecified.

(Optional) Select Endpoint Compression to compress the Genesys Cloud authentication request. Make sure to select and uncheck this field only if the identity provider does not support compression for the HTTP Redirect binding.
Click Save.