Add Okta as a single sign-on provider


Prerequisites:
  • Sso > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization’s Okta account
  • User email addresses are the same in both Okta and PureCloud

Add PureCloud as an application that organization members can access with their Okta account credentials.

Notes:
  • PureCloud does not support assertion encryption for third-party single sign-on identity providers. The PureCloud login service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
  • Administrators can optionally disable the default PureCloud login and enforce authentication using an SSO provider only. For more information, see Configure PureCloud to authenticate with SSO only.

Configure Okta

Create a SAML application

  1. Create a SAML application for PureCloud. Follow the instructions for setting up a SAML application in Okta in the Okta developer documentation.
  2. In the General > Single sign on URL and General > Audience URI fields, type the URL based on the AWS region where your PureCloud organization was created.

    AWS Region               URL
    US East (N. Virginia)    https://login.mypurecloud.com/saml
    US West (Oregon)         https://login.usw2.pure.cloud/saml
    EU (Ireland)             https://login.mypurecloud.ie/saml
    EU (Frankfurt)           https://login.mypurecloud.de/saml
    Asia Pacific (Sydney)    https://login.mypurecloud.com.au/saml
    Asia Pacific (Tokyo)     https://login.mypurecloud.jp/saml

    Otherwise, use the default values.

  3. Specify the organization so that PureCloud users do not need to enter it when they log in. Create a new entry in Attributes Statements (Optional) with the following values: 
    In this field…    Do this…
    Name              Type OrganizationName.
    Name Format       Leave set to Unspecified.
    Value             Type the short name of your PureCloud organization. If you do not know the short name of your organization, click Admin > Account Settings > Organization Settings in PureCloud.

Get the metadata for PureCloud configuration

  1. In Sign on > Settings, click View Setup Instructions to display setup information.
  2. Note the following Identity Provider metadata that you need for the PureCloud configuration. 
    Metadata                                Description
    Identity Provider Single Sign-on URL    Use for the Target URI setting in PureCloud.
    Identity Provider Issuer                Use for the Okta Issuer URI setting in PureCloud.
    X.509 Certificate                       Use for the Okta Certificate setting in PureCloud.

Get the certificate for PureCloud configuration

  1. On the Identity Provider metadata page, click Download certificate.
  2. Open the certificate file with a plain text editor and do the following:
    1. Delete the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

    2. Save the certificate file.
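
The certificate edit in step 2, as an added example that is not part of the original page or of Okta or PureCloud tooling: Python that removes the BEGIN/END lines from a file holding a single certificate and returns the SHA-256 fingerprint of the decoded bytes, so the edited file can be confirmed to carry the same certificate that was downloaded. The name strip_pem_armor and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import hashlib
import re

# Matches one PEM certificate block; the armor lines use exactly five dashes.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def strip_pem_armor(pem_text):
    """Return (body, fingerprint): the base64 lines without the BEGIN/END
    lines, and the SHA-256 fingerprint of the decoded certificate bytes."""
    blocks = PEM_CERT.findall(pem_text)
    if len(blocks) != 1:
        # An empty file, a key file, or a certificate chain is the wrong upload.
        raise ValueError(f"expected 1 certificate block, found {len(blocks)}")
    # Keep the base64 lines as they are; drop only CR/LF debris and blank lines.
    lines = [ln.strip() for ln in blocks[0].splitlines() if ln.strip()]
    try:
        der = base64.b64decode("".join(lines), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid base64: {exc}") from None
    if der[:1] != b"\x30":
        # Every X.509 certificate is a DER SEQUENCE, which starts with 0x30.
        raise ValueError("decoded data does not start with a DER SEQUENCE tag")
    fingerprint = ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())
    return "\n".join(lines) + "\n", fingerprint


# Constructed sample: placeholder bytes behind a SEQUENCE header, not a real
# certificate, wrapped in PEM armor with Windows line endings.
SAMPLE_DER = b"\x30\x60" + bytes(range(96))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii").replace("\n", "\r\n")
    + "-----END CERTIFICATE-----\r\n"
)

if __name__ == "__main__":
    body, fingerprint = strip_pem_armor(SAMPLE_PEM)
    print(body, end="")
    print("SHA-256 fingerprint:", fingerprint)
```

For a real file, pass the text of the downloaded certificate to strip_pem_armor and save the returned body as the file to upload.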

Configure PureCloud

  1. In PureCloud, click Admin.
  2. Under Integrations, click Single Sign-on.
  3. Click the Okta tab.
  4. Provide the Identity Provider metadata gathered from Okta.
    In this field…    Do this…
    Certificate       1. Click Browse.
                      2. Select the X.509 certificate that you saved and click Open.
    Issuer URI        Type the Identity Provider Issuer.
    Target URI        Type the Identity Provider Single Sign-on URL.
  5. Click Save.