Add OneLogin as a single sign-on provider

  • Single Sign-on > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization’s OneLogin account
  • OneLogin Desktop SSO disabled
  • User email addresses are the same in both OneLogin and PureCloud

Add PureCloud as an application that organization members can access with the credentials to their OneLogin account.

  • PureCloud does not support assertion encryption for single sign-on third-party identity providers. The PureCloud login service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
  • Administrators can optionally disable the default PureCloud login and enforce authentication using an SSO provider only. For more information, see Configure PureCloud to authenticate with SSO only.

Configure OneLogin

Create a SAML application

  1. Add the OneLogin app called SAML Test Connector (IdP).
  2. In the app page, click the Configuration tab. 
  3. Complete the following fields. Leave the remaining fields blank.

    In this field…       Do this…
    ACS URL Validator    Type ^https:\/\/login\.mypurecloud\.com\/saml

    Type the URL for the AWS region where your PureCloud organization is located:
    US East (N. Virginia):
    US West (Oregon):
    Canada (Canada Central):
    EU (Frankfurt):
    EU (Ireland):
    EU (London):
    Asia Pacific (Seoul):
    Asia Pacific (Sydney):
    Asia Pacific (Tokyo):

  4. Click the Parameters tab.
  5. Click Add parameter.
  6. Complete the following fields. 
    In this field…    Do this…
    Name              Type OrganizationName.
    Flags             Check Include in SAML assertion.
  7. Click Save.
  8. Click the newly-created OrganizationName parameter.
  9. In the Value field:
    1. From the list, select Macro.
    2. Type the short name of your PureCloud organization. If you do not know the short name of your organization, click Admin > Account Settings > Organization Settings in PureCloud. Complete the following fields. 
  10. Click Save.

SAML attributes

PureCloud will act on the following additional SAML attributes if they are present in the assertion. The attributes are case-sensitive. 

Attribute name    Attribute value
email             Email address of the PureCloud user to be authenticated.

  • Must be an existing PureCloud user.
  • Required if the identity provider does not use an email address as the subject NameID.

(Optional). A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:

  • directory (redirects to the PureCloud Collaborate client)
  • directory-admin (redirects to the PureCloud Admin UI)

Get the certificate for the PureCloud configuration

  1. Click the SSO tab.
  2. Under Certificate, click View Details.
  3. Copy the text between the “begin certificate” and “end certificate” tags and paste it into a text file. Save this file for PureCloud configuration. The certificate must contain only the Base64-encoded certificate bytes (without the PEM encoding).

Get the metadata for the PureCloud configuration

Note: PureCloud supports the http-redirect SAML URL only. The OneLogin SSO tab no longer shows this URL by default in the SAML 2.0 Endpoint (HTTP) field. (It now shows the http-post URL instead.) However, the http-redirect URL is still available in the SAML Metadata file.
  1. Click the SSO tab.
  2. Copy the following metadata that you need for the PureCloud configuration to a text file. 
    Metadata      Do this…
    Issuer URL    Copy the URL from the Issuer URL field.
    SAML 2.0 Endpoint (HTTP)
    1. Under More Actions, click SAML Metadata.
    2. Download and open the SAML Metadata file.
    3. Find the SingleSignOnService tag with Binding equal to “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”, for example:  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="your-organization/>
    4. Copy the URL following “Location =”, for example:
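
As an added example (not part of the original page or of any PureCloud or OneLogin tooling), this Python script pulls the values the two procedures above collect by hand out of a downloaded SAML Metadata file: the issuer, the HTTP-Redirect Location, and the certificate as bare Base64 without PEM markers. The sample metadata, the idp.example.test URLs and the certificate bytes are constructed placeholders; reading the issuer from entityID and rejecting a non-https endpoint are assumptions of this example.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample: idp.example.test and the certificate bytes are placeholders.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://idp.example.test/saml/metadata/000000">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
        <ds:X509Certificate>
          Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQ0VSVA==
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://idp.example.test/sso/post/000000"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://idp.example.test/sso/redirect/000000"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def purecloud_values(metadata_xml):
    """Return issuer, HTTP-Redirect endpoint and bare Base64 certificate."""
    root = ET.fromstring(metadata_xml)
    targets = [s.get("Location", "")
               for s in root.iterfind(".//md:SingleSignOnService", NS)
               if s.get("Binding") == REDIRECT]
    if len(targets) != 1:
        raise ValueError("expected exactly one HTTP-Redirect SingleSignOnService")
    if not targets[0].startswith("https://"):
        raise ValueError("HTTP-Redirect endpoint is not an https URL")
    cert_el = root.find(".//ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        raise ValueError("no X509Certificate element in metadata")
    cert = "".join(cert_el.text.split())   # strip line breaks and indentation
    base64.b64decode(cert, validate=True)  # raises if anything but Base64 remains
    return {"issuer": root.get("entityID"), "target": targets[0],
            "certificate": cert}


if __name__ == "__main__":
    for name, value in purecloud_values(SAMPLE_METADATA).items():
        print(f"{name}: {value}")
```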

Configure PureCloud

  1. In PureCloud, click Admin.
  2. Under Integrations, click Single Sign-on.
  3. Click the OneLogin tab.
  4. Enter the information gathered in the previous procedure:

    In this field… Do this…
    1. Click Browse.
    2. Select the certificate you saved to a text file and click Open.
    Issuer URI    Type the URL from the Issuer URL field in OneLogin.
    Target URI    Type the http-redirect URL from the SAML Metadata file.
  5. Click Save.