Add a generic single sign-on provider

Automatic Logout of SSO provider: Feature coming soon

Prerequisites:
  • Single Sign-on > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization’s identity provider account
  • User email addresses are the same in your organization’s identity provider account and in Genesys Cloud

The generic identity provider configuration enables Genesys Cloud customers to integrate with most identity providers that support SAML 2.0. 

Notes:
  • Genesys Cloud does not support assertion encryption for single sign-on third-party identity providers. The Genesys Cloud login service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
  • Administrators can optionally disable the default Genesys Cloud login and enforce authentication using an SSO provider only. For more information, see Configure Genesys Cloud to authenticate with SSO only.
  • Administrators can choose to store one additional certificate to ensure business continuity. If one certificate becomes invalid or expires, the backup certificate will preserve the integration.

Configure your organization’s identity provider

Get the certificate for Genesys Cloud configuration

Find and download your identity provider’s encoded public certificate for SAML signature validation.

Note: Genesys Cloud accepts PEM and DER encoded certificates, as well as Base64 encoded certificates.

Get the metadata for Genesys Cloud configuration

Find and download your identity provider’s metadata file containing the issuer (entityID), Single Sign-On URL, and Single Logout URL for configuring Genesys Cloud in your organization’s identity provider account.
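As an added example (not code from the Genesys Cloud documentation or product), the following Python script pulls the values the certificate and metadata steps above describe out of an identity provider's SAML 2.0 metadata file: the entityID (Issuer URI), the Single Sign-On URL, the Single Logout URL with its binding, and the signing certificate(s), which it re-wraps from the base64 body in the metadata into the PEM form Genesys Cloud accepts. The metadata document and its certificate blobs are constructed for a hypothetical IdP.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
BINDING_LABEL = {REDIRECT: "HTTP Redirect", POST: "HTTP POST"}  # wording used by the form

# Constructed sample metadata for a hypothetical IdP; the two certificate
# bodies are placeholder base64 blobs, not real X.509 certificates.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MDEyMzQ1Njc4OQ==
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/saml/sso-post"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def to_pem(b64_body):
    """Re-wrap the base64 text of <ds:X509Certificate> as a PEM certificate."""
    body = "".join(b64_body.split())        # metadata often line-wraps the blob
    base64.b64decode(body, validate=True)   # reject a truncated or corrupt blob early
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")

def parse_idp_metadata(xml_text):
    """Return Issuer URI, Target URL, SLO URI and binding, and PEM signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not an IdP EntityDescriptor")
    def endpoint(name):
        # Prefer HTTP-Redirect, the binding the Genesys Cloud form defaults to
        svcs = {e.get("Binding"): e.get("Location") for e in idp.findall(f"md:{name}", NS)}
        binding = REDIRECT if REDIRECT in svcs else next(iter(svcs), None)
        return svcs.get(binding), BINDING_LABEL.get(binding)
    sso_url, _ = endpoint("SingleSignOnService")
    slo_url, slo_binding = endpoint("SingleLogoutService")
    certs = [to_pem(c.text) for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use", "signing") == "signing"          # no 'use' means both
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"issuer_uri": root.get("entityID"), "target_url": sso_url, "single_logout_uri": slo_url,
            "single_logout_binding": slo_binding, "certificates": certs}  # [primary, backup]
```

Write each entry of `certificates` to its own text file; the first is the primary certificate and the second, if present, is the backup that Genesys Cloud lets you store for continuity.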

Provide the Assertion Consumer Service (ACS) URL

When prompted to enter the Assertion Consumer Service (ACS) URL, select the appropriate URL based on your AWS deployment region.

AWS Region                   URL
US East (N. Virginia)        https://login.mypurecloud.com/saml
US West (Oregon)             https://login.usw2.pure.cloud/saml
Canada (Canada Central)      https://login.cac1.pure.cloud/saml
EU (Frankfurt)               https://login.mypurecloud.de/saml
EU (Ireland)                 https://login.mypurecloud.ie/saml
EU (London)                  https://login.euw2.pure.cloud/saml
Asia Pacific (Mumbai)        https://login.aps1.pure.cloud/saml
Asia Pacific (Seoul)         https://login.apne2.pure.cloud/saml
Asia Pacific (Sydney)        https://login.mypurecloud.com.au/saml
Asia Pacific (Tokyo)         https://login.mypurecloud.jp/saml

Provide the Single Logout URL

When prompted to enter the Single Logout URL, select the appropriate URL based on your AWS deployment region.

AWS Region                   URL
US East (N. Virginia)        https://login.mypurecloud.com/saml/logout
US West (Oregon)             https://login.usw2.pure.cloud/saml/logout
Canada (Canada Central)      https://login.cac1.pure.cloud/saml/logout
EU (Frankfurt)               https://login.mypurecloud.de/saml/logout
EU (Ireland)                 https://login.mypurecloud.ie/saml/logout
EU (London)                  https://login.euw2.pure.cloud/saml/logout
Asia Pacific (Mumbai)        https://login.aps1.pure.cloud/saml/logout
Asia Pacific (Seoul)         https://login.apne2.pure.cloud/saml/logout
Asia Pacific (Sydney)        https://login.mypurecloud.com.au/saml/logout
Asia Pacific (Tokyo)         https://login.mypurecloud.jp/saml/logout

Provide the Service Provider Entity ID

When prompted to enter the Service Provider Entity ID, the value can be any unique string that you want to use to identify your Genesys Cloud organization. The field is also sometimes called Issuer or Audience URI.

Provide the Genesys Cloud Signing Certificate

When prompted to enter a signing certificate, upload the file obtained from Genesys Cloud.

  1. In Genesys Cloud, click Admin.
  2. Under Integrations, click Single Sign-on.
  3. Click the Okta tab.
  4. Under Genesys Cloud Signing Certificate, click Download Certificate.
  5. Save the file.

Configure user attributes and claims

Configure these Genesys Cloud user attributes for your identity provider. The attribute names are case-sensitive.

Attribute name      Attribute value
OrganizationName    • For identity provider-initiated single sign-on: use the organization short name.
                    • For service provider-initiated single sign-on: the organization name must match the organization that the user selects. Applicable when an organization maintains multiple Genesys Cloud organizations using a single identity provider.
email               Email address of the Genesys Cloud user to be authenticated.
                    • Must be an existing Genesys Cloud user.
                    • Required if the identity provider does not use an email address as the subject NameID.
ServiceName         (Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:
                    • directory (redirects to the Genesys Cloud Collaborate client)
                    • directory-admin (redirects to the Genesys Cloud Admin UI)

Note: To add a custom claim, consult your identity provider’s documentation.
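As an added example (not from the Genesys Cloud documentation), this Python check applies the claim rules in the table above to the attributes of a SAML assertion before the identity provider goes live: it flags attribute names that differ only in case, treats OrganizationName as required (the table marks only ServiceName as optional, an assumption made here), requires email when the subject NameID is not an email address, checks the email against a list of existing users, and accepts ServiceName only as a URL or one of the two keywords. The user list and sample claims are constructed.

```python
from urllib.parse import urlparse

CLAIM_NAMES = ("OrganizationName", "email", "ServiceName")   # case-sensitive
SERVICE_KEYWORDS = {"directory", "directory-admin"}

def is_email(value):
    """Cheap shape check (one '@', a dot in the domain); not full RFC 5322."""
    return bool(value) and value.count("@") == 1 and "." in value.rsplit("@", 1)[1]

def is_url(value):
    p = urlparse(value)
    return p.scheme in ("http", "https") and bool(p.netloc)

def check_claims(name_id, attrs, existing_users, selected_org=None):
    """Return the problems found; an empty list means the claims map cleanly.
    name_id: subject NameID; attrs: {attribute name: value} from the assertion;
    existing_users: lower-cased Genesys Cloud user emails (constructed here);
    selected_org: org picked by the user in an SP-initiated login, else None."""
    problems = []
    for want in CLAIM_NAMES:          # a claim named 'Email' is silently ignored
        for have in attrs:
            if have != want and have.lower() == want.lower():
                problems.append(f"attribute {have!r} will not match {want!r} (case-sensitive)")
    org = attrs.get("OrganizationName")
    if not org:
        problems.append("OrganizationName missing (organization short name expected)")
    elif selected_org is not None and org != selected_org:
        problems.append(f"OrganizationName {org!r} does not match selected org {selected_org!r}")
    email = attrs.get("email") or (name_id if is_email(name_id) else None)
    if email is None:
        problems.append("email attribute required: subject NameID is not an email address")
    elif email.lower() not in existing_users:
        problems.append(f"{email!r} is not an existing Genesys Cloud user")
    svc = attrs.get("ServiceName")
    if svc is not None and svc not in SERVICE_KEYWORDS and not is_url(svc):
        problems.append(f"ServiceName {svc!r} is neither a URL nor directory/directory-admin")
    return problems
```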

Configure Genesys Cloud

    1. In Genesys Cloud, click Admin.
    2. Under Integrations, click Single Sign-on.
    3. Click the Generic SSO Provider tab.
    4. Enter the metadata gathered from your organization’s identity provider.

      In this field…                 Do this…
      Provider Logo                  Insert an SVG image, no larger than 25 KB.
      Provider Name                  Type the identity provider name.
      The Provider’s Certificate     1. Click Browse.
                                     2. Select the certificate you saved to a text file and click Open.
                                     3. Click Add.
                                     4. Optionally, to load a backup certificate, repeat steps 1-3.
      The Provider’s Issuer URI      Enter the entityID provided in the identity provider’s metadata file.
      Target URL                     Enter the Single Sign On URL provided in the identity provider’s metadata file.
      Single Logout URI              Enter the Single Logout URL provided in the identity provider’s metadata file.
      Single Logout Binding          Choose the same binding as the one selected in the identity provider. If a binding was not specified, choose HTTP Redirect.
      Relying Party Identifier       Enter the string to use to identify Genesys Cloud to the identity provider.
                                     Note: Some identity providers expect the service provider to specify the relying party identifier. In that case, choose a string and enter it in both Genesys Cloud and the identity provider. Other identity providers generate a relying party identifier in their metadata file. In that case, enter that string.
    5. (Optional) Select Endpoint Compression to compress the Genesys Cloud authentication request. Leave this selected; clear it only if the identity provider does not support compression for the HTTP Redirect binding.
    6. Click Save.