Add Microsoft ADFS as a single sign-on provider

Prerequisites

  • Single Sign-on > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization's ADFS account
  • User email addresses are the same in both ADFS and Genesys Cloud
  • Any Microsoft ADFS version that supports SAML 2.0. There may be some differences in the configuration, depending on the version.

Add Genesys Cloud as an application that organization members can access with the credentials to their Microsoft ADFS account.

  • Genesys Cloud does not support assertion encryption for third-party single sign-on identity providers. The Genesys Cloud login service requires Transport Layer Security (TLS), so the SAML message is already protected in transit and there is no need to encrypt parts of it. Assertions must still be signed: Genesys Cloud verifies the signature with the AD FS token-signing certificate that you upload later in this procedure.
  • Administrators can optionally disable the default Genesys Cloud login and enforce authentication using an SSO provider only. For more information, see Configure Genesys Cloud to authenticate with SSO only.

Configure Microsoft ADFS

Add a Relying Party Trust

  1. Go to Administrative Tools > AD FS.
  2. In the console tree, go to AD FS > Trust Relationships > Relying Party Trusts.
  3. Click Add Relying Party Trust to launch the wizard.
  4. On the Choose Profile screen, select AD FS profile (the profile that supports SAML).
  5. On the Configure URL screen, do the following steps:
    1. Select the Enable support for the SAML 2.0 WebSSO protocol check box.
    2. In the field below the check box, type the Genesys Cloud login URL for the AWS region where your Genesys Cloud organization was created:

      AWS Region
      US East (N. Virginia)
      US West (Oregon)
      Canada (Canada Central)
      EU (Frankfurt)
      EU (Ireland)
      EU (London)
      Asia Pacific (Seoul)
      Asia Pacific (Sydney)
      Asia Pacific (Tokyo)

  6. On the Configure Identifiers screen, type a value for the Relying party trust identifier. The value can be any unique string that identifies the relying party trust; record it, because you enter exactly the same value in the Relying Party Identifier field when you configure Genesys Cloud. When a relying party is identified in a request to the Federation Service, AD FS uses prefix matching logic to determine whether there is a matching relying party trust in the AD FS configuration database.
  7. Leave the Configure Encryption screen blank; do not specify an encryption certificate. Genesys Cloud does not support assertion encryption, so the assertion is protected by TLS in transit and by the token-signing signature, not by encrypting the assertion itself.
  8. Leave all other settings at their defaults and click Close.

Add the claim rules

You must add three claim rules: Email, Email to NameID, and Org Name.

  1. On the Relying Party Trusts page, right-click the trust that you created in the previous procedure and select Edit Claim Rules.
  2. Add the Email rule:
    1. Click Add Rule.
    2. Configure the claim rule with the following settings:

      For this property… Do this…
      Claim rule template Select Send LDAP Attributes as Claims.
      Claim rule name Type Email.
      Attribute store Select Active Directory.
      LDAP Attribute Select E-Mail Addresses.
      Outgoing claim type Select E-Mail Address.
    3. Click Finish.
  3. Add the Email to NameID rule:
    1. Click Add Rule.
    2. Configure the claim rule with the following settings:

      For this property… Do this…
      Claim rule template Select Transform an Incoming Claim.
      Claim rule name Type Email to NameID.
      Incoming claim type Select E-Mail Address.
      Outgoing claim type Select Name ID.
      Outgoing name ID format Select Transient Identifier.
      Pass through all claims Select Pass through all claims.
    3. Click Finish.

  4. Add the Org Name rule:

    1. Click Add Rule.
    2. Configure the claim rule with the following settings:

      For this property… Do this…
      Claim rule template Select Send Claims Using a Custom Rule.
      Claim rule name Type Org Name.
      Custom rule

      Enter the following text, replacing OrgName with the short name of your Genesys Cloud organization. The organization name is case-sensitive.

      => issue(Type = "OrganizationName", Value = "OrgName");
    3. Click Finish.
  5. In the Issuance Transform Rules tab, make sure the rules are in the following order:
    1. Email
    2. Email to NameID
    3. Org Name

SAML attributes

Genesys Cloud acts on the following SAML attributes if they are present in the assertion. Attribute names are case-sensitive.

Attribute name   Attribute value
OrganizationName   Short name of the Genesys Cloud organization (the value issued by the Org Name claim rule above).
  • For identity provider-initiated single sign-on: use the organization short name.
  • For service provider-initiated single sign-on: the organization name must match the organization that the user selects. Applies when a company maintains multiple Genesys Cloud organizations behind a single identity provider.
email   Email address of the Genesys Cloud user to be authenticated.
  • Must be an existing Genesys Cloud user.
  • Required if the identity provider does not use an email address as the subject NameID.
(redirect attribute; its name is not given on this page)   (Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:
  • directory (redirects to the Genesys Cloud Collaborate client)
  • directory-admin (redirects to the Genesys Cloud Admin UI)

Get the certificate for Genesys Cloud configuration

    1. In the console tree, go to AD FS > Service > Certificates.
    2. Under Token-signing, right-click the primary certificate and select View Certificate.
    3. Click the Details tab and click Copy to File.
    4. For the export file format, select Base-64 encoded X.509 (.CER).
    5. For the file name, do the following steps:
      1. Click Browse.
      2. Type a file name.
      3. Click Save.
    6. Click Finish.
    7. Open the certificate file in a plain text editor and do the following steps:
      1. Delete the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, leaving only the Base-64 body.
      2. Save the certificate file.

  • AD FS renews its token-signing certificate automatically (AutoCertificateRollover) before the current one expires, staging the new certificate as a secondary certificate before promoting it to primary. Genesys Cloud trusts only the certificate you uploaded, so note its expiry date and repeat this export and the Genesys Cloud update whenever the primary token-signing certificate changes; otherwise sign-in fails after the rollover.

Get the metadata for Genesys Cloud configuration

The metadata file contains the issuer (entityID) and the redirect URL for configuring Genesys Cloud.

    1. In the console tree, go to AD FS > Service > Endpoints.
    2. Under Metadata, find the Federation Metadata endpoint (path /FederationMetadata/2007-06/FederationMetadata.xml) and download FederationMetadata.xml from that path on your federation service.

Select authentication methods

Select the authentication methods that AD FS offers for Genesys Cloud logins on the extranet and on the intranet.

    1. In the console tree, go to AD FS > Authentication Policies.
    2. Under Primary Authentication > Global Settings, click Edit.
    3. Under Extranet, check Forms Authentication.
    4. Under Intranet, check Forms Authentication and Windows Authentication.
    5. Click OK.
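The certificate export, metadata lookup and authentication policy steps above can be collected into one script run on the AD FS server, which also lets you check that the certificate you are about to upload is the signing key actually published in the federation metadata. The following is an added example, not code from the Genesys Cloud page or from Microsoft's documentation. It assumes an elevated PowerShell session on an AD FS server whose federation service name resolves from that host over HTTPS; $OutDir is an assumed output location.

```powershell
# Added example, not from the Genesys Cloud page or Microsoft's documentation:
# collects, on the AD FS server, what the Genesys Cloud SSO form asks for
# (certificate, Issuer URI, Target URI), checks that the exported certificate
# is the signing key published in the federation metadata, warns if a rollover
# certificate is staged, and sets the authentication methods from the
# procedure above.
# Assumptions: elevated PowerShell on an AD FS server, the federation service
# name resolves from this host over HTTPS, and $OutDir is writable.
param(
    [string]$OutDir = "$env:USERPROFILE\Desktop\genesys-sso"   # hypothetical location
)

$ErrorActionPreference = "Stop"
Import-Module ADFS
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$certPath = Join-Path $OutDir "adfs-token-signing.cer"

# 1. Token-signing certificate as a bare Base-64 body, without the
#    BEGIN/END CERTIFICATE lines, which is how Genesys Cloud expects the file.
#    IsPrimary separates the certificate in use from one staged for rollover.
$signing = @(Get-AdfsCertificate -CertificateType Token-Signing)
$primary = $signing | Where-Object { $_.IsPrimary }
$base64  = [Convert]::ToBase64String($primary.Certificate.RawData)
[System.IO.File]::WriteAllText($certPath, $base64)

foreach ($staged in ($signing | Where-Object { -not $_.IsPrimary })) {
    $msg = "Secondary token-signing certificate {0} (valid from {1}) is staged. When AutoCertificateRollover promotes it, upload it to Genesys Cloud or sign-in will fail." -f $staged.Thumbprint, $staged.Certificate.NotBefore
    Write-Warning $msg
}

# 2. Issuer URI (entityID) and Target URI (SAML HTTP-Redirect SSO endpoint)
#    from the federation metadata published by this AD FS farm.
$fsHost    = (Get-AdfsProperties).HostName
$mdUrl     = "https://$fsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md   = (Invoke-WebRequest -Uri $mdUrl -UseBasicParsing).Content
$entityId  = $md.EntityDescriptor.entityID
$targetUri = @($md.EntityDescriptor.IDPSSODescriptor.SingleSignOnService) |
    Where-Object { $_.Binding -eq "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" } |
    Select-Object -First 1 -ExpandProperty Location

# 3. Consistency check: the signing key in the metadata must be the certificate
#    exported above; otherwise Genesys Cloud would verify assertions with the
#    wrong key and reject every login.
$mdSigningKeys = @($md.EntityDescriptor.IDPSSODescriptor.KeyDescriptor) |
    Where-Object { $_.use -eq "signing" } |
    ForEach-Object { ($_.KeyInfo.X509Data.X509Certificate -replace "\s", "") }
if ($mdSigningKeys -notcontains $base64) {
    throw "Exported token-signing certificate $($primary.Thumbprint) is not the signing key published in $mdUrl"
}

# 4. Authentication methods: forms on the extranet, forms and Windows
#    integrated authentication on the intranet.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryExtranetAuthenticationProvider @("FormsAuthentication") `
    -PrimaryIntranetAuthenticationProvider @("FormsAuthentication", "WindowsAuthentication")

# Values to enter on the Genesys Cloud ADFS/Azure AD (Premium) tab.
[pscustomobject]@{
    CertificateFile        = $certPath
    IssuerUri              = $entityId
    TargetUri              = $targetUri
    TokenSigningThumbprint = $primary.Thumbprint
    TokenSigningExpires    = $primary.Certificate.NotAfter
}
```

The metadata check in step 3 catches the most common cause of a "signature invalid" failure after setup: exporting a certificate from the wrong store or from a secondary (not yet promoted) token-signing certificate. The expiry date in the output is what you put in your calendar for the next certificate update.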

Configure Genesys Cloud

    1. In Genesys Cloud, click Admin.
    2. Under Integrations, click Single Sign-on.
    3. Click the ADFS/Azure AD (Premium) tab.
    4. Enter the identity provider details gathered from Microsoft ADFS:

      In this field… Do this…
      Certificate   1. Click Browse. 2. Select the certificate file you saved (the Base-64 body without the BEGIN/END CERTIFICATE lines) and click Open.
      Issuer URI   Enter the entityID attribute of the EntityDescriptor element in FederationMetadata.xml.
      Target URI   Enter the redirect URL from FederationMetadata.xml: the Location of the SingleSignOnService element with the HTTP-Redirect binding (the /adfs/ls/ endpoint of your federation service).
      Relying Party Identifier   Enter the unique identifier you configured when adding the Relying Party Trust. It must match that value exactly.
    5. Click Save.