Add Microsoft Azure AD Premium as a single sign-on provider


Prerequisites:
  • Single Sign-on > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization’s Azure AD Premium account
  • User email addresses are the same in both Azure AD Premium and Genesys Cloud
  • Any Microsoft Azure AD Premium version that supports SAML 2.0. There may be some differences in the configuration, depending on the version.

Add Genesys Cloud as an application that organization members can access with the credentials to their Microsoft Azure AD Premium account.

Notes:
  • Genesys Cloud does not support assertion encryption for third-party single sign-on identity providers. The Genesys Cloud login service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
  • Administrators can optionally disable the default Genesys Cloud login and enforce authentication using an SSO provider only. For more information, see Configure Genesys Cloud to authenticate with SSO only.

Configure Microsoft Azure AD Premium

Create a custom Genesys Cloud application

  1. Click Azure Active Directory > Enterprise Applications.
  2. Click New Application.
  3. In Add an application, click Non-gallery application.
  4. In the Name field, type “Genesys Cloud”.
  5. Click Single sign-on.
  6. Click SAML.
  7. In Basic SAML Configuration, click Edit and type the appropriate Genesys Cloud SAML login URL in both the Identifier (EntityID) and Reply URL fields. The Identifier (EntityID) can be any value unique to the Azure instance. The Reply URL is based on the AWS region where your Genesys Cloud organization was created.

    AWS Region               URL
    US East (N. Virginia)    https://login.mypurecloud.com/saml
    US West (Oregon)         https://login.usw2.pure.cloud/saml
    Canada (Canada Central)  https://login.cac1.pure.cloud
    EU (Frankfurt)           https://login.mypurecloud.de/saml
    EU (Ireland)             https://login.mypurecloud.ie/saml
    EU (London)              https://login.euw2.pure.cloud
    Asia Pacific (Seoul)     https://login.apne2.pure.cloud
    Asia Pacific (Sydney)    https://login.mypurecloud.com.au/saml
    Asia Pacific (Tokyo)     https://login.mypurecloud.jp/saml
  8. In User Attributes & Claims, click Edit and type these attribute names. Note: Both attributes are case-sensitive. Type them as they appear in the table. To add a custom claim, type the custom attribute name in the Source attribute field above the drop-down list.

    Attribute name     Attribute value
    email              user.userprincipalname
                       Notes:
                       • Refers to the email address for the user in Genesys Cloud. In most cases, this is user.userprincipalname, but if the Azure administrator has a different User Principal Name (UPN) and email, use user.email.
                       • The case must match the case of the email address set up for that user in Genesys Cloud.
    OrganizationName   Your Genesys Cloud organization short name
    ServiceName        (Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:
                       • directory (redirects to the Genesys Cloud Collaborate client)
                       • directory-admin (redirects to the Genesys Cloud Admin UI)
  9. In SAML Signing Certificate, click Certificate (Base 64) to download it.
  10. Following the download, open the certificate file to do the following:
    1. If the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines exist in the certificate file, delete them.
    2. Save the certificate file.
  11. In the Single sign-on detail view, click View step-by-step instructions.
  12. Note the SAML Single Sign-on Service URL and SAML Entity ID in the instructions. You will use them to configure the Target URI and Issuer URI in Genesys Cloud.
  13. In the Application properties view, click Properties.
  14. Note the Relying Party Identifier Application ID. You will use it to configure the Relying Party Identifier in Genesys Cloud.
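As an added example (not code from the Genesys Cloud or Microsoft documentation), the Python script below covers two of the steps above: it strips the PEM armor from the downloaded certificate (step 10) and checks that the claims in a captured assertion match what step 8 requires, including the case-sensitive claim names and email value the notes warn about. The sample assertion, the user email and the organization short name `acme` are constructed values.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}  # standard SAML 2.0 namespace
# Claim names from the step 8 table; Genesys Cloud matches them case-sensitively
REQUIRED_CLAIMS = ("email", "OrganizationName")
SERVICE_NAME_KEYWORDS = {"directory", "directory-admin"}

def strip_pem_armor(pem_text: str) -> str:
    """Step 10: drop the BEGIN/END lines and return the bare base64 certificate body."""
    body = "".join(line.strip() for line in pem_text.splitlines()
                   if line.strip() and not line.startswith("-----"))
    # A DER X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30); reject anything else
    der = base64.b64decode(body, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER X.509 certificate")
    return body

def check_claims(assertion_xml: str, expected_email: str, org_short_name: str) -> list:
    """Return the problems found in an assertion's AttributeStatement (empty list if OK)."""
    root = ET.fromstring(assertion_xml)  # for untrusted input, parse with defusedxml instead
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", default="", namespaces=SAML_NS)
    problems = []
    for name in REQUIRED_CLAIMS:
        if name not in attrs:
            near = [n for n in attrs if n.lower() == name.lower()]  # same name, wrong case
            hint = f" (found {near[0]!r}; claim names are case-sensitive)" if near else ""
            problems.append(f"missing claim {name!r}{hint}")
    if "email" in attrs and attrs["email"] != expected_email:
        problems.append(f"email {attrs['email']!r} != Genesys Cloud user {expected_email!r} (case must match)")
    if "OrganizationName" in attrs and attrs["OrganizationName"] != org_short_name:
        problems.append(f"OrganizationName {attrs['OrganizationName']!r} != {org_short_name!r}")
    service = attrs.get("ServiceName")
    if service is not None and service not in SERVICE_NAME_KEYWORDS:
        parsed = urlparse(service)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append(f"ServiceName {service!r} is neither a keyword nor a valid URL")
    return problems

# Constructed sample, not a real Azure AD response: the email claim is mis-cased ("Email")
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>Jane.Doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="OrganizationName"><saml:AttributeValue>acme</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ServiceName"><saml:AttributeValue>directory-admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Running `check_claims(SAMPLE_ASSERTION, "jane.doe@example.com", "acme")` reports the mis-cased `Email` claim; fixing the case in the sample yields an empty list.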

Assign users and groups to the Genesys Cloud application

Assign the users and groups that will log in to Genesys Cloud using Azure AD Premium as the identity provider.

  1. In the Genesys Cloud custom application, click Users and groups.
  2. Click Add user.
  3. Click the appropriate users and groups.
  4. Click Assign.

Configure Genesys Cloud

  1. In Genesys Cloud, click Admin.
  2. Under Integrations, click Single Sign-on.
  3. Click the ADFS/Azure AD (Premium) tab.
  4. Type the identity provider metadata gathered from Azure AD.

    In this field…             Do this…
    Certificate                1. Click Browse.
                               2. Select the certificate you saved and click Open.
    Issuer URI                 Type the SAML Entity ID from the Azure AD Genesys Cloud custom application.
    Target URI                 Type the SAML Single Sign-on Service URL from the Azure AD Genesys Cloud custom application.
    Relying Party Identifier   Type the Relying Party Identifier Application ID from the Azure AD Genesys Cloud custom application. (Same value as SAML Entity ID.)
  5. Click Save.

Test the Azure AD Genesys Cloud custom application

In the Single sign-on detail view in Microsoft Azure AD, click Test this application.