Genesys Cloud single sign-on and identity provider solution
Genesys Cloud uses a client integration strategy for Security Assertion Markup Language (SAML) identity providers. Instead of an open-ended approach that supports custom SAML integrations, Genesys Cloud provides quick, client-side integrations to automate the authentication process with identity providers. This strategy limits the support burden on our developers and enables them to focus on new features for Genesys Cloud customers.
Genesys Cloud provides single sign-on integrations for these third-party SAML-based identity providers:
- Google Workplace
- Microsoft Active Directory Federation Services (ADFS)
- Microsoft Azure Active Directory (AD) Premium Edition
- Ping Identity
Genesys Cloud also provides a generic identity provider configuration that enables Genesys Cloud customers to integrate with most identity providers that support SAML 2.0.
Genesys Cloud’s single sign-on integration strategy:
- Uses the National Institute of Standards and Technology (NIST)’s recommended password hashing PBKDF2 standard. PBKDF2 encrypts user passwords for safe storage in Genesys Cloud.
- Requires user passwords to contain eight letters plus numbers plus punctuation.
- Requires TLS 1.1 or later for communications with Genesys Cloud.
- Uses the OAuth 2.0 framework to authorize users and applications to access Genesys Cloud resources and applications.
- Delegates authentication through third-party SAML-based IdP’s.
There is a general problem when a Service Provider (SP) receives a SAML response from an Identity Provider (IdP) and their system clocks are not in sync. This problem can result in users getting locked out of their single sign-on when logging in. The problem might be caused by the length of the clock skew between the SP and the IdP. Clock skews between Genesys Cloud and your identity provider cannot be greater than 10 seconds.
The Genesys Cloud single sign-on strategy provides customers with these authentication options:
- Service provider-initiated authentication: At the Genesys Cloud authorization server, users select the SAML identity provider they want to authenticate with. Genesys Cloud redirects them for authentication.
- Identity provider-initiated authentication: After authentication, the SAML identity provider presents users with a list of registered applications. When users select Genesys Cloud, the system asserts their identities to the Genesys Cloud authorization server.