Add Okta as a single sign-on provider


Prerequisites:
  • Single Sign-on > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization’s Okta account
  • User email addresses are the same in both Okta and Genesys Cloud

Add Genesys Cloud as an application that organization members can access with the credentials to their Okta account.

Notes:
  • Genesys Cloud does not support assertion encryption for single sign-on third-party identity providers. The Genesys Cloud login service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
  • Administrators can optionally disable the default Genesys Cloud login and enforce authentication using an SSO provider only. For more information, see Configure Genesys Cloud to authenticate with SSO only.

Configure Okta

Create a SAML application

  1. Create a SAML application for Genesys Cloud. Follow the instructions for setting up a SAML application in Okta in the Okta developer documentation.
  2. In the General > Single sign on URL and General > Audience URI fields, type the URL based on the AWS region where your Genesys Cloud organization was created.

     AWS Region                  URL
     US East (N. Virginia)       https://login.mypurecloud.com/saml
     US West (Oregon)            https://login.usw2.pure.cloud/saml
     Canada (Canada Central)     https://login.cac1.pure.cloud/saml
     EU (Frankfurt)              https://login.mypurecloud.de/saml
     EU (Ireland)                https://login.mypurecloud.ie/saml
     EU (London)                 https://login.euw2.pure.cloud/saml
     Asia Pacific (Seoul)        https://login.apne2.pure.cloud/saml
     Asia Pacific (Sydney)       https://login.mypurecloud.com.au/saml
     Asia Pacific (Tokyo)        https://login.mypurecloud.jp/saml

     For the other fields, keep the default values.

  3. Specify the organization so that Genesys Cloud users do not need to enter it when they log in. Create a new entry under Attribute Statements (optional) with the following values:

     In this field…   Do this…
     Name             Type OrganizationName.
     Name Format      Leave set to Unspecified.
     Value            Type the short name of your Genesys Cloud organization. If you do not know the short name of your organization, click Admin > Account Settings > Organization Settings in Genesys Cloud.

SAML attributes

Genesys Cloud acts on the following additional SAML attributes if they are present in the assertion. The attributes are case-sensitive.

Attribute name   Attribute value
email            Email address of the Genesys Cloud user to be authenticated.
                   • Must be an existing Genesys Cloud user.
                   • Required if the identity provider does not use an email address as the subject NameID.
ServiceName      (Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:
                   • directory (redirects to the Genesys Cloud Collaborate client)
                   • directory-admin (redirects to the Genesys Cloud Admin UI)
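To make the attribute rules from the OrganizationName step and the table above concrete, here is an added Python example (not Genesys Cloud or Okta code) that checks a constructed, unsigned SAML assertion against what this page specifies: the Audience must be one of the region login URLs, attribute names are case-sensitive, an email must come from the subject NameID or the email attribute, and ServiceName must be a keyword or a URL. The names check_assertion, SAMPLE and the "scheme plus host" reading of "valid URL" are my assumptions, not how Genesys Cloud itself parses assertions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Region login URLs from the table above; the Audience URI must be one of them.
REGION_LOGIN_URLS = {
    "https://login.mypurecloud.com/saml", "https://login.usw2.pure.cloud/saml",
    "https://login.cac1.pure.cloud/saml", "https://login.mypurecloud.de/saml",
    "https://login.mypurecloud.ie/saml", "https://login.euw2.pure.cloud/saml",
    "https://login.apne2.pure.cloud/saml", "https://login.mypurecloud.com.au/saml",
    "https://login.mypurecloud.jp/saml",
}
SERVICE_KEYWORDS = {"directory", "directory-admin"}

def check_assertion(xml_text):
    """Return the problems found in an assertion (empty list means it follows the page's rules)."""
    root = ET.fromstring(xml_text)
    problems = []
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience not in REGION_LOGIN_URLS:
        problems.append(f"Audience {audience!r} is not a Genesys Cloud login URL")
    # Attribute names are case-sensitive: "Email" or "organizationname" would simply be ignored.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)}
    if not attrs.get("OrganizationName"):
        problems.append("OrganizationName missing: users must type the organization at login")
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS) or ""
    if "@" not in name_id and "@" not in (attrs.get("email") or ""):
        problems.append("no email: NameID is not an address and the 'email' attribute is absent")
    service = attrs.get("ServiceName")
    if service is not None and service not in SERVICE_KEYWORDS:
        parts = urlparse(service)
        if not (parts.scheme and parts.netloc):  # assumption: "valid URL" means scheme + host
            problems.append(f"ServiceName {service!r} is neither a keyword nor an absolute URL")
    return problems

# Constructed sample assertion (signature omitted); it passes every check above.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://login.mypurecloud.de/saml</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="OrganizationName"><saml:AttributeValue>example-org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ServiceName"><saml:AttributeValue>directory-admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE) or "assertion OK")
```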

Get the metadata for Genesys Cloud configuration

  1. In Sign on > Settings, click View Setup Instructions to display setup information.
  2. Note the following Identity Provider metadata, which you need for the Genesys Cloud configuration.

     Metadata                              Description
     Identity Provider Single Sign-on URL  Use for the Target URI setting in Genesys Cloud.
     Identity Provider Issuer              Use for the Okta Issuer URI setting in Genesys Cloud.
     X.509 Certificate                     Use for the Okta Certificate setting in Genesys Cloud.

Get the certificate for Genesys Cloud configuration

  1. On the Identity Provider metadata page, click Download certificate.
  2. Open the certificate file in a plain text editor and do the following:
     1. Delete the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
     2. Save the certificate file.

Configure Genesys Cloud

  1. In Genesys Cloud, click Admin.
  2. Under Integrations, click Single Sign-on.
  3. Click the Okta tab.
  4. Provide the Identity Provider metadata gathered from Okta.

     In this field…   Do this…
     Certificate      1. Click Browse.
                      2. Select the X.509 certificate that you saved and click Open.
     Issuer URI       Type the Identity Provider Issuer.
     Target URI       Type the Identity Provider Single Sign-on URL.
  5. Click Save.