Add Google G Suite as a single sign-on provider


Prerequisites:
  • Single Sign-on > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization’s Google G Suite account
  • User email addresses are the same in both Google G Suite and Genesys Cloud

Add Genesys Cloud as an application that organization members can access with the credentials to their Google G Suite account.

Notes:
  • Genesys Cloud does not support assertion encryption for single sign-on third-party identity providers. The Genesys Cloud log in service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
  • Administrators can optionally disable the default Genesys Cloud login and enforce authentication using an SSO provider only. For more information, see Configure Genesys Cloud to authenticate with SSO only.
  • The Google G Suite SSO integration does not work with third-party applications, including Chromium-based apps.

Configure Google G Suite

Create a custom Genesys Cloud application

  1. In the Admin console, click Google > Apps > SAML.
  2. Click (+) in the bottom right corner.
  3. In Step 1 Enable SSO for SAML Application, click Setup my own custom app.
  4. In Step 2 Google IdP Information, complete the following fields. Leave the remaining field blank or at the default settings.
    In this field… Do this…
    SSO URL Copy and save this URL to use as the Target URI in the Genesys Cloud configuration.
    Entity ID Copy and save this URL to use as the Issuer URI in the Genesys Cloud configuration.
    Certificate Download the certificate.
  5. In Step 3 Basic Information for your Custom App, following field. Leave the remaining field blank or at the default settings.

    In this field… Do this…
    Application Name Type your Genesys Cloud application name.
  6. In Step 4 Service Provider Details, complete the following fields. Leave the remaining field blank or at the default settings.
    In this field… Do this…
    ACS URL

    Type the URL for the AWS region where your Genesys Cloud organization is located:
    US East (N. Virginia): https://login.mypurecloud.com/saml
    US West (Oregon): https://login.usw2.pure.cloud/saml
    Canada (Canada Central): https://login.cac1.pure.cloud/saml
    EU (Frankfurt): https://login.mypurecloud.de/saml
    EU (Ireland): https://login.mypurecloud.ie/saml
    EU (London): https://login.euw2.pure.cloud/saml
    Asia Pacific (Seoul): https://login.apne2.pure.cloud/saml 
    Asia Pacific (Sydney): 
    https://login.mypurecloud.com.au/saml
    Asia Pacific (Tokyo): https://login.mypurecloud.jp/saml

    Entity ID Type a unique string that you want to use to identify the Entity ID, for example: mypurecloud.com/google
    Name ID Format From the list, select TRANSIENT.
  7. In Step 5 Attribute Mapping, leave the default settings.
  8. Click Finish.

SAML attributes

Genesys Cloud will act on the following SAML attributes if they are present in the assertion. The attributes are case-sensitive. 

Attribute name Attribute value
OrganizationName 
  • For identity provider-initiated single sign-on: Use the organization short name.
  • For service provider-initiated single sign-on: The organization name must match the organization that the user selects. Applicable when an organization maintains multiple Genesys Cloud organizations using a single identity provider. 
email  Email address of the Genesys Cloud user to be authenticated.

  • Must be an existing Genesys Cloud user.
  • Required if the identity provider does not use an email address as the subject NameID.
ServiceName 

(Optional). A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:

  • directory (redirects to the Genesys Cloud Collaborate client)
  • directory-admin (redirects to the Genesys Cloud Admin UI)

Get the certificate for Genesys Cloud configuration

  1. Open the certificate file you downloaded with a plain text editor and do the following steps:
    1. Delete the -----BEGIN CERTIFICATE------ and ------END CERTIFICATE----- lines.
    2. Save the certificate file.

Configure Genesys Cloud

    1. In Genesys Cloud, click Admin.
    2. Under Integrations, click Single Sign-on.
    3. Click the Google G Suite tab.
    4. Type the identity provider metadata gathered from Google G Suite.
      In this field… Do this…
      Certificate

      1. Click Browse.
      2. Select the certificate you saved and click Open.

      Issuer URI

      Type the Entity ID from Step 2 Google IDP Information in the Google G Suite Genesys Cloud custom application, for example:
      https://accounts.google.com/o/saml2?idpid=C0151g8I9

      Target URI

      Type the SSO URL from Step 2 Google IDP Information in the Google G Suite Genesys Cloud custom application, for example: https://accounts.google.com/o/saml2/idp?idpid=C0151g8I9

      Relying Party Identifier Type the Entity ID from Step 4 Service Provider Details in the Google G Suite Genesys Cloud custom application, for example: mypurecloud.com/google

      Note: The Entity ID in Google IDP Information and the Entity ID in the Service Provider Details for your Genesys Cloud application have different values and functionality.

    5. Click Save.