Add Salesforce as a single sign-on provider


Prerequisites:
  • Single Sign-on > Provider > Add, Delete, Edit, View permissions
  • Admin role in your organization’s Salesforce account
  • Salesforce enabled as an identity provider
  • Salesforce domain deployed to all users
  • User email addresses are the same in both Salesforce and Genesys Cloud

Add Genesys Cloud as an application that organization members can access with the credentials to their Salesforce account.

Notes:
  • Genesys Cloud does not support encrypted SAML assertions from third-party identity providers. The Genesys Cloud login service requires Transport Layer Security (TLS), so the assertion is already protected in transit and encrypting parts of the message adds nothing. Assertions are still signed: the certificate you upload to Genesys Cloud is used to verify the identity provider's signature on each assertion.
  • Administrators can optionally disable the default Genesys Cloud login and enforce authentication using an SSO provider only. For more information, see Configure Genesys Cloud to authenticate with SSO only.

Configure Salesforce

To troubleshoot errors during setup, use the Salesforce Identity Provider Event Log.

  1. In the Apps menu, create a Connected App for Genesys Cloud.

  2. In the Connected Apps menu, enter the following settings in the Connected App for Genesys Cloud:

    In this field… Enter this…
    Entity Id Your Salesforce domain name (https://yourID.my.salesforce.com)
    ACS URL The Genesys Cloud login endpoint for the AWS region where your Genesys Cloud organization is located:
      US East (N. Virginia): https://login.mypurecloud.com/saml
      US West (Oregon): https://login.usw2.pure.cloud/saml
      Canada (Canada Central): https://login.cac1.pure.cloud/saml
      EU (Frankfurt): https://login.mypurecloud.de/saml
      EU (Ireland): https://login.mypurecloud.ie/saml
      EU (London): https://login.euw2.pure.cloud/saml
      Asia Pacific (Seoul): https://login.apne2.pure.cloud/saml
      Asia Pacific (Sydney): https://login.mypurecloud.com.au/saml
      Asia Pacific (Tokyo): https://login.mypurecloud.jp/saml
    Subject Type Username
    Issuer Your Salesforce domain name (https://yourID.my.salesforce.com)
    Name ID Format urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  3. Gather the following data from the app page:

    To get this… Do this…
    Certificate
    1. Click Download Metadata.
    2. Copy the text inside the ds:X509Certificate element and save it in a text file. The file must contain only the Base64-encoded certificate bytes: no -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- lines and no other PEM wrapping.
    Issuer URI Copy the Issuer value.
    Target URI Copy the value labeled SP-Initiated Redirect Endpoint.
  4. Provide Salesforce users with access to the Connected App for Genesys Cloud. 
    1. In Manage Users > Users, click Edit on a user.
    2. Click the user’s profile type, for example, Sales, Services, or Administrator to open the profile page.
    3. Under Connected App Access, click the Connected App for Genesys Cloud. 
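Copying the certificate out of the metadata by hand is where this setup most often goes wrong (PEM header left in, a stray line break, the wrong KeyDescriptor). The script below is an added example, not Genesys Cloud or Salesforce code: it parses standard SAML 2.0 identity provider metadata, pulls the signing certificate as bare Base64 the way the Genesys Cloud upload expects it, checks that it decodes to DER, and also reads the entityID (Issuer URI) and the HTTP-Redirect endpoint. The embedded metadata is a constructed sample with a placeholder certificate body, and the assumption that the HTTP-Redirect Location in the metadata matches the SP-Initiated Redirect Endpoint shown on the app page is mine; confirm both values against the Salesforce app page before saving them.

```python
"""Pull the values Genesys Cloud needs out of Salesforce IdP metadata.

Added example, not part of the Genesys Cloud or Salesforce documentation.
Assumes standard SAML 2.0 metadata (md:EntityDescriptor / md:IDPSSODescriptor).
The embedded metadata below is a constructed sample with a placeholder
certificate body, not a real Salesforce export.
"""
import base64
import binascii
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample. The X509Certificate body is a minimal DER SEQUENCE
# (30 03 02 01 01), NOT a real certificate, so the example runs offline.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://yourID.my.salesforce.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MAMC
        AQE=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://yourID.my.salesforce.com/idp/endpoint/HttpRedirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return certificate (bare base64), issuer URI, target URI and a fingerprint.

    Raises ValueError if the certificate element is missing, is not clean
    base64 (e.g. PEM header left in), or does not decode to DER (an ASN.1
    SEQUENCE, first byte 0x30).
    """
    root = ET.fromstring(metadata_xml)
    issuer = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")

    # Prefer the KeyDescriptor marked for signing; fall back to an unmarked one.
    cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    cert_el = idp.find(cert_path, NS)
    if cert_el is None:
        cert_el = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not (cert_el.text or "").strip():
        raise ValueError("no ds:X509Certificate in metadata")

    # Genesys Cloud wants only the base64 bytes: no PEM header/footer, no whitespace.
    cert_b64 = re.sub(r"\s+", "", cert_el.text)
    try:
        der = base64.b64decode(cert_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate is not clean base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded certificate is not DER (expected ASN.1 SEQUENCE)")

    sso = idp.find(f"md:SingleSignOnService[@Binding='{HTTP_REDIRECT}']", NS)
    target = sso.get("Location") if sso is not None else None

    return {
        "certificate": cert_b64,
        "issuer_uri": issuer,
        "target_uri": target,
        # Compare against the fingerprint Salesforce shows to be sure you took the right cert.
        "sha256_fingerprint": hashlib.sha256(der).hexdigest(),
    }


def write_certificate_file(cert_b64: str, path: str) -> None:
    """Write the bare base64 certificate for upload on the Genesys Cloud SSO page."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(cert_b64)


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    for key, value in settings.items():
        print(f"{key}: {value}")
    write_certificate_file(settings["certificate"], "salesforce-idp-cert.txt")
```

Run it against the metadata you downloaded instead of SAMPLE_METADATA and upload the resulting text file in the Configure Genesys Cloud step; a ValueError on a real export almost always means the copied text still carries PEM wrapping or was truncated.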

SAML attributes

Genesys Cloud acts on the following SAML attributes if they are present in the assertion. Attribute names are case-sensitive: an attribute named Email or organizationname is ignored.

Attribute name Attribute value
OrganizationName
  • For identity provider-initiated single sign-on: use the organization short name.
  • For service provider-initiated single sign-on: the organization name must match the organization that the user selects. Applicable when a company maintains multiple Genesys Cloud organizations behind a single identity provider.
email Email address of the Genesys Cloud user to be authenticated.
  • Must be an existing Genesys Cloud user.
  • Required if the identity provider does not use an email address as the subject NameID. With the transient Name ID Format configured above, the NameID is an opaque identifier rather than an email address, so include this attribute.
ServiceName (Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:
  • directory (redirects to the Genesys Cloud Collaborate client)
  • directory-admin (redirects to the Genesys Cloud Admin UI)
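Before debugging a failed login in the Identity Provider Event Log, it helps to check the assertion Salesforce actually sends against the rules in the table. The following is an added example, not Genesys Cloud code: it parses a SAML assertion (captured with a browser SAML tracer and Base64-decoded, which is outside this script) and reports attribute names that differ only in case, a missing email attribute when the NameID is not an email address, and a ServiceName that is neither a keyword nor a URL. The embedded assertion is a constructed, unsigned sample with placeholder values; the exact error wording and the email regex are my own.

```python
"""Check a SAML assertion for the attributes Genesys Cloud acts on.

Added example, not Genesys Cloud code. The assertion below is a constructed
sample (unsigned, placeholder values). The rules encoded are the ones in the
attribute table above: names are case-sensitive, `email` is required unless
the subject NameID is an email address, and `ServiceName` must be a URL or
one of the two keywords.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SERVICE_KEYWORDS = {"directory", "directory-admin"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately loose

# Constructed sample: transient NameID (as configured in Salesforce above), so
# the email attribute is what identifies the Genesys Cloud user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">
  <saml:Issuer>https://yourID.my.salesforce.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_3a7b9c</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="OrganizationName">
      <saml:AttributeValue>example-org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email">
      <saml:AttributeValue>agent@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="ServiceName">
      <saml:AttributeValue>directory-admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(assertion_xml: str):
    """Return (nameid_value, nameid_format, {attribute name: first value})."""
    root = ET.fromstring(assertion_xml)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    nameid_value = (nameid.text or "").strip() if nameid is not None else ""
    nameid_format = nameid.get("Format", "") if nameid is not None else ""
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name", "")] = (value.text or "").strip() if value is not None else ""
    return nameid_value, nameid_format, attrs


def check_genesys_attributes(assertion_xml: str) -> list:
    """Return a list of problems; empty means the assertion carries what Genesys Cloud needs."""
    nameid_value, nameid_format, attrs = parse_assertion(assertion_xml)
    problems = []

    # Names are case-sensitive: flag near-misses such as "Email" or "organizationname".
    for expected in ("OrganizationName", "email", "ServiceName"):
        if expected not in attrs:
            near = [n for n in attrs if n.lower() == expected.lower()]
            if near:
                problems.append(
                    f"attribute {near[0]!r} will be ignored; the name must be exactly {expected!r}"
                )

    # email is required unless the subject NameID itself is an email address.
    nameid_is_email = nameid_format == NAMEID_EMAIL or bool(EMAIL_RE.match(nameid_value))
    if not nameid_is_email:
        if "email" not in attrs:
            problems.append("NameID is not an email address and no 'email' attribute is present")
        elif not EMAIL_RE.match(attrs["email"]):
            problems.append(f"'email' attribute is not an email address: {attrs['email']!r}")

    # ServiceName is optional: a keyword or an http(s) URL the browser can be sent to.
    service = attrs.get("ServiceName")
    if service is not None and service not in SERVICE_KEYWORDS:
        parsed = urlparse(service)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append(f"'ServiceName' is neither a keyword nor a URL: {service!r}")
    return problems


if __name__ == "__main__":
    for problem in check_genesys_attributes(SAMPLE_ASSERTION) or ["assertion looks usable"]:
        print(problem)
```

The ServiceName check only accepts http or https URLs because the value is a browser redirect target; treat anything else an identity provider sends there as a misconfiguration rather than something to pass through.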

Configure Genesys Cloud

  1. In Genesys Cloud, click Admin.
  2. Under Integrations, click Single Sign-on.
  3. Click the Salesforce tab.
  4. Enter the information gathered from Salesforce.

    In this field… Do this…
    Certificate
    1. Click Browse.
    2. Select the text file that contains only the Base64 certificate data copied from the metadata file and click Open.
    Issuer URI Enter your Salesforce domain name (https://yourID.my.salesforce.com), the Issuer value copied from Salesforce.
    Target URI Enter the URL labeled SP-Initiated Redirect Endpoint on the Salesforce app page.
  5. Click Save.