Add Okta as a single sign-on provider

Automatic Logout of SSO provider: Feature coming soon

Prerequisites:
  • Single Sign-on > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization’s Okta account
  • User email addresses are the same in both Okta and Genesys Cloud

Add Genesys Cloud as an application that organization members can access with the credentials to their Okta account.

Notes:
  • Genesys Cloud does not support assertion encryption for single sign-on third-party identity providers. The Genesys Cloud login service requires Transport Layer Security (TLS). Because the channel itself is encrypted, there is no need to encrypt parts of the message.
  • Administrators can optionally disable the default Genesys Cloud login and enforce authentication using an SSO provider only. For more information, see Configure Genesys Cloud to authenticate with SSO only.
  • Administrators can choose to store one additional certificate to ensure business continuity. If one certificate becomes invalid or expires, the backup certificate preserves the integration.

Configure Okta

Get the certificate for Okta configuration

  1. In Genesys Cloud, click Admin.
  2. Under Integrations, click Single Sign-on.
  3. Click the Okta tab.
  4. Under Genesys Cloud Signing Certificate, click Download Certificate.
  5. Save the file.

Create a SAML application

  1. Create a SAML application for Genesys Cloud. Follow the instructions for setting up a SAML application in Okta in the Okta developer documentation.
  2. In the General > Single sign-on URL field, type the URL based on the AWS region where your Genesys Cloud organization was created.

     AWS Region                 URL
     US East (N. Virginia)      https://login.mypurecloud.com/saml
     US West (Oregon)           https://login.usw2.pure.cloud/saml
     Canada (Canada Central)    https://login.cac1.pure.cloud/saml
     EU (Frankfurt)             https://login.mypurecloud.de/saml
     EU (Ireland)               https://login.mypurecloud.ie/saml
     EU (London)                https://login.euw2.pure.cloud/saml
     Asia Pacific (Mumbai)      https://login.aps1.pure.cloud/saml
     Asia Pacific (Seoul)       https://login.apne2.pure.cloud/saml
     Asia Pacific (Sydney)      https://login.mypurecloud.com.au/saml
     Asia Pacific (Tokyo)       https://login.mypurecloud.jp/saml

  3. In General > Audience URI, type any unique string that you want to use to identify your Genesys Cloud organization.
  4. For General > Name ID Format, choose EmailAddress.
  5. Click Show Advanced Settings.
  6. Select the General > Enable Single Logout check box.
  7. In General > Single Logout URL, type the URL based on the AWS region where your Genesys Cloud organization was created.

     AWS Region                 URL
     US East (N. Virginia)      https://login.mypurecloud.com/saml/logout
     US West (Oregon)           https://login.usw2.pure.cloud/saml/logout
     Canada (Canada Central)    https://login.cac1.pure.cloud/saml/logout
     EU (Frankfurt)             https://login.mypurecloud.de/saml/logout
     EU (Ireland)               https://login.mypurecloud.ie/saml/logout
     EU (London)                https://login.euw2.pure.cloud/saml/logout
     Asia Pacific (Mumbai)      https://login.aps1.pure.cloud/saml/logout
     Asia Pacific (Seoul)       https://login.apne2.pure.cloud/saml/logout
     Asia Pacific (Sydney)      https://login.mypurecloud.com.au/saml/logout
     Asia Pacific (Tokyo)       https://login.mypurecloud.jp/saml/logout

  8. For the General > Signature Certificate field, click Browse, choose the certificate file that you saved in step 5 of “Get the certificate for Okta configuration”, and click Upload Certificate.
  9. For all other settings, use the default values.
  10. Specify the organization so that Genesys Cloud users do not need to enter it when they log in. Create a new entry in Attribute Statements (Optional) with the following values:

     In this field…   Do this…
     Name             Type OrganizationName.
     Name Format      Leave set to Unspecified.
     Value            Type the short name of your Genesys Cloud organization. If you do not know the short name of your organization, click Admin > Account Settings > Organization Settings in Genesys Cloud.

SAML attributes

Genesys Cloud acts on the following additional SAML attributes if they are present in the assertion. The attribute names are case-sensitive.

  Attribute name   Attribute value
  email            Email address of the Genesys Cloud user to be authenticated.
                   • Must be an existing Genesys Cloud user.
                   • Required if the identity provider does not use an email address as the subject NameID.
  ServiceName      (Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:
                   • directory (redirects to the Genesys Cloud Collaborate client)
                   • directory-admin (redirects to the Genesys Cloud Admin UI)
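The following is an added example, not code from Genesys Cloud or Okta: a small checker that reads a constructed (unsigned) SAML assertion the way the two sections above describe, taking the user from an EmailAddress NameID (or from the case-sensitive email attribute when the NameID is not an email), rejecting an assertion whose Audience does not match the Entity ID configured in Genesys Cloud, reading OrganizationName, and accepting ServiceName only as one of the two keywords or a valid https URL. The assertion content, issuer and organization names are constructed placeholders; signature validation is out of scope here.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
KEYWORDS = {"directory", "directory-admin"}  # ServiceName keywords from the table above

# Constructed sample assertion (placeholder issuer and org; not a real Okta response).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://www.okta.com/EXAMPLE_APP_ID</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">agent@example.com</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>genesys-cloud-example-org</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="OrganizationName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue>exampleorg</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ServiceName"><saml:AttributeValue>directory-admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def resolve_service_name(value):
    """Map ServiceName to a redirect target: a keyword, an https URL, or None if absent."""
    if value is None or value in KEYWORDS:
        return value
    parsed = urlparse(value)
    if parsed.scheme == "https" and parsed.netloc:
        return value
    raise ValueError(f"ServiceName is neither a keyword nor a valid URL: {value!r}")

def parse_assertion(xml_text, expected_audience):
    """Return the fields Genesys Cloud reads from the assertion, or raise ValueError."""
    root = ET.fromstring(xml_text)
    # Audience must equal the Audience (Entity ID) configured on the Genesys Cloud side.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"audience mismatch: {audiences}")
    attrs = {}
    for attr in root.findall(".//saml:Attribute", NS):
        # Attribute names are case-sensitive, so they are stored exactly as sent.
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    name_id = root.find(".//saml:NameID", NS)
    if name_id is not None and name_id.get("Format") == EMAIL_FMT:
        email = name_id.text
    else:
        # NameID is not an email address, so the email attribute is required.
        email = attrs.get("email")
        if not email:
            raise ValueError("no email address in NameID or in the 'email' attribute")
    return {"email": email, "organization": attrs.get("OrganizationName"),
            "redirect": resolve_service_name(attrs.get("ServiceName"))}
```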

Get the metadata for Genesys Cloud configuration

  1. In Sign on > Settings, click View Setup Instructions to display setup information.
  2. Note the following Identity Provider metadata that you need for the Genesys Cloud configuration.

     Metadata                               Description
     Identity Provider Single Sign-on URL   Use for the Target URI setting in Genesys Cloud.
     Identity Provider Single Logout URL    Use for the Single Logout URI setting in Genesys Cloud.
     Identity Provider Issuer               Use for the Okta Issuer URI setting in Genesys Cloud.
     X.509 Certificate                      Use for the Okta Certificate setting in Genesys Cloud.

Get the certificate for Genesys Cloud configuration

  1. On the Identity Provider metadata page, click Download certificate.
  2. Save the file as a .crt or .pem file.

Configure Genesys Cloud

  1. In Genesys Cloud, click Admin.
  2. Under Integrations, click Single Sign-on.
  3. Click the Okta tab.
  4. Provide the Identity Provider metadata gathered from Okta.

     In this field…          Do this…
     Certificate             1. Click Browse.
                             2. Select the X.509 certificate that you saved and click Open.
                             3. Click Add.
                             4. Optionally, to load a backup certificate, repeat steps 1-3.
     Issuer URI              Type the Identity Provider Issuer.
     Target URL              Type the Identity Provider Single Sign-on URL.
     Single Logout URI       Type the Identity Provider Single Logout URL.
     Single Logout Binding   Choose HTTP Redirect.
     Audience (Entity ID)    Type the value used in step 3 of “Create a SAML application.”

  5. Click Save.