Add Ping Identity as a single sign-on provider

Prerequisites:
  • Single Sign-on > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization’s Ping Identity account
  • User email addresses are the same in both Ping Identity and Genesys Cloud

Add Genesys Cloud as an application that organization members can access with the credentials to their Ping Identity account.

Notes:
  • Genesys Cloud does not support assertion encryption for third-party single sign-on identity providers. The Genesys Cloud login service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
  • Administrators can optionally disable the default Genesys Cloud login and enforce authentication using an SSO provider only. For more information, see Configure Genesys Cloud to authenticate with SSO only.
  • Administrators can choose to store one additional certificate to ensure business continuity. If one certificate becomes invalid or expires, the backup certificate will preserve the integration.

Configure Ping Identity

Create a custom Genesys Cloud application

  1. In PingIdentity, click Connections > Applications.
  2. Click the plus sign next to Applications.
  3. Click Web App and click Configure for the SAML option.
  4. In the Create App Profile page, complete the following fields and leave the remaining fields blank or at the default settings.
    Field: Description
    Application Name: Type your Genesys Cloud application name.
    Application Description: Type a short description of the application.
  5. In the Configure SAML Connection page, complete the following fields and leave the remaining fields blank or at the default settings.
    Field: Description
    ACS URLs: Type the URL of your Genesys Cloud organization for the AWS region:
      US East (N. Virginia): https://login.mypurecloud.com/saml
      US West (Oregon): https://login.usw2.pure.cloud/saml
      Canada (Canada Central): https://login.cac1.pure.cloud/saml
      EU (Frankfurt): https://login.mypurecloud.de/saml
      EU (Ireland): https://login.mypurecloud.ie/saml
      EU (London): https://login.euw2.pure.cloud/saml
      Asia Pacific (Mumbai): https://login.aps1.pure.cloud/saml
      Asia Pacific (Seoul): https://login.apne2.pure.cloud/saml
      Asia Pacific (Sydney): https://login.mypurecloud.com.au/saml
      Asia Pacific (Tokyo): https://login.mypurecloud.jp/saml
    Signing Key:
      1. Click Download Signing Certificate.
      2. Choose X509 PEM (.crt).
      3. Save the file.
    Signing Algorithm: Select RSA_SHA256.
    Entity ID: Type a unique string that you want to use to identify your Genesys Cloud organization, for example: genesys.cloud.my-org.
    SLO Endpoint: Type the URL of your Genesys Cloud organization for the AWS region:
      US East (N. Virginia): https://login.mypurecloud.com/saml/logout
      US West (Oregon): https://login.usw2.pure.cloud/saml/logout
      Canada (Canada Central): https://login.cac1.pure.cloud/saml/logout
      EU (Frankfurt): https://login.mypurecloud.de/saml/logout
      EU (Ireland): https://login.mypurecloud.ie/saml/logout
      EU (London): https://login.euw2.pure.cloud/saml/logout
      Asia Pacific (Mumbai): https://login.aps1.pure.cloud/saml/logout
      Asia Pacific (Seoul): https://login.apne2.pure.cloud/saml/logout
      Asia Pacific (Sydney): https://login.mypurecloud.com.au/saml/logout
      Asia Pacific (Tokyo): https://login.mypurecloud.jp/saml/logout
    SLO Binding: Select HTTP Redirect.
    Subject NameID Format: Select “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress”.
    Assertion Validity Duration (In Seconds): Type a value that determines how long the assertions in the SAML authentication response are valid. 60 seconds is sufficient.
  6. In the Attribute Mapping page, add these attributes.

    Attribute: Description
    saml_subject: Select Email Address.
    OrganizationName:
      1. Click Add Attribute.
      2. Click Advanced Expression.
      3. In the Expression field, type your Genesys Cloud organization short name in quotes. Example: “my-org-name”.
      4. Click Save.
    ServiceName: (Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:
      • directory (redirects to the Genesys Cloud Collaborate client)
      • directory-admin (redirects to the Genesys Cloud Admin UI)
      1. Click Add Attribute.
      2. Click Advanced Expression.
      3. In the Expression field, type your Genesys Cloud organization short name in quotes. Example: “directory”.
      4. Click Save.
  7. Click Save and Publish.

Get the metadata for Genesys Cloud configuration

  1. In PingIdentity, click Connections > Applications.
  2. Expand the application created for Genesys Cloud and click the Configuration tab. Note the following Identity Provider metadata that you need for the Genesys Cloud configuration.
    Metadata: Description
    Issuer ID: Use for the Ping Issuer URI setting in Genesys Cloud.
    Single Logout Service: Use for the Single Logout URI setting in Genesys Cloud.
    Single Signon Service: Use for the Target URL setting in Genesys Cloud.

Configure Genesys Cloud

  1. In Genesys Cloud, click Admin.
  2. Under Integrations, click Single Sign-on.
  3. Click the Ping Identity tab.
  4. Enter the Identity Provider metadata gathered from PingIdentity.
    Field: Description
    Certificate:
      1. Click Browse.
      2. Select the certificate you saved and click Open.
      3. Click Add.
      4. Optionally, to load a backup certificate, repeat steps 1–3.
    Issuer URI: Type the Issuer ID.
    Target URL: Type the Single Signon Service.
    Single Logout URI: Type the Single Logout Service.
    Single Logout Binding: Select HTTP Redirect.
    Relying Party Identifier: Type the unique string that you specified as the Entity ID in PingIdentity.
  5. Click Save.
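
A configuration lint for the setup above, added here as an example (not Genesys or Ping Identity code): it checks a decoded SAML response from a test login against the values entered on both sides. The function name, the constructed sample, and the expectation that Ping emits the Entity ID as the assertion Audience are assumptions; it does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed sample: a decoded response with the signature values left out.
SAMPLE = """<p:Response xmlns:p="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:a="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 Destination="https://login.mypurecloud.com/saml"><a:Assertion>
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
  Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
 <a:Subject><a:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</a:NameID></a:Subject>
 <a:Conditions><a:AudienceRestriction><a:Audience>genesys.cloud.my-org</a:Audience></a:AudienceRestriction></a:Conditions>
 <a:AttributeStatement><a:Attribute Name="OrganizationName"><a:AttributeValue>my-org-name</a:AttributeValue></a:Attribute></a:AttributeStatement>
</a:Assertion></p:Response>"""

def check_response(xml_text, acs_url, entity_id, org_name):
    """Return the mismatches between a decoded SAML response and this page's settings.
    Configuration lint only: the XML signature is NOT verified here."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(xml_text)
    if root.find(".//a:EncryptedAssertion", NS) is not None:
        return ["assertion is encrypted, which Genesys Cloud does not support"]
    problems = []
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID format is not emailAddress")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    if entity_id not in [e.text for e in root.iterfind(".//a:Audience", NS)]:
        problems.append("Audience does not contain the Entity ID")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("a:AttributeValue", NS)]
             for a in root.iterfind(".//a:Attribute", NS)}
    if attrs.get("OrganizationName") != [org_name]:
        problems.append("OrganizationName attribute missing or wrong")
    for svc in attrs.get("ServiceName", []):
        if svc not in ("directory", "directory-admin") and "://" not in (svc or ""):
            problems.append("ServiceName is neither a URL nor a known keyword")
    sig = root.find(".//ds:SignatureMethod", NS)
    if sig is None or sig.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not RSA_SHA256")
    return problems
```

Pass the ACS URL for your region, the Entity ID, and the organization short name exactly as entered in the steps above; an empty list means the response matches the configuration.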