Genesys Cloud single sign-on and identity provider solution

Genesys Cloud uses a client integration strategy for Security Assertion Markup Language (SAML) support and OpenID Connect identity providers (IdPs). Instead of an open-ended approach that supports custom SAML integrations, Genesys Cloud provides quick, client-side integrations to automate the authentication process with identity providers. This strategy limits the support burden on our developers and enables them to focus on new features for Genesys Cloud customers.

Genesys Cloud provides single sign-on integrations for these third-party SAML-based identity providers:

  • Google G Suite
  • Microsoft Active Directory Federation Services (ADFS)
  • Microsoft Azure Active Directory (AD) Premium Edition
  • Okta
  • OneLogin
  • Ping Identity
  • PureConnect
  • Salesforce

Genesys Cloud also provides a generic identity provider configuration that enables Genesys Cloud customers to integrate with most identity providers that support SAML 2.0. 

Note: If Genesys Cloud does not currently support your identity provider, let us know so that we can gauge market need and potentially add the integration.


Genesys Cloud’s single sign-on integration strategy:

  • Uses PBKDF2, the password hashing standard recommended by the National Institute of Standards and Technology (NIST). PBKDF2 hashes user passwords for safe storage in Genesys Cloud.
  • Requires user passwords to contain eight letters plus numbers plus punctuation. 
  • Requires TLS 1.1 or later for communications with Genesys Cloud.
  • Uses the OAuth 2.0 framework to authorize users and applications to access Genesys Cloud resources and applications.
  • Delegates authentication through third-party SAML-based and OpenID Connect IdPs.

Authentication options

The Genesys Cloud single sign-on strategy provides customers with these authentication options:

  • Service provider-initiated authentication: At the Genesys Cloud authorization server, users select the SAML identity provider they want to authenticate with. Genesys Cloud redirects them for authentication.
  • Identity provider-initiated authentication: After authentication, the SAML identity provider presents users with a list of registered applications. When users select Genesys Cloud, the system asserts their identities to the Genesys Cloud authorization server.

Note: The user’s single sign-on email address must match the configured email address for that user in Genesys Cloud.
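
The sketch below is an added example, not Genesys Cloud code. It shows how a SAML service provider can tell the two options apart (a service provider-initiated response carries an InResponseTo value that must match an outstanding request; an identity provider-initiated response carries none) and then enforce the email match from the note above. The names check_sso_response and make_response, the sample messages, and the case-insensitive comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def make_response(email, in_response_to=None):
    """Build a constructed, minimal, unsigned SAML response for the demo."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" '
            f'xmlns:saml="{NS["saml"]}"{attr}><saml:Assertion><saml:Subject>'
            f"<saml:NameID>{email}</saml:NameID>"
            "</saml:Subject></saml:Assertion></samlp:Response>")

def check_sso_response(xml_text, pending_request_ids, configured_emails):
    """Classify the flow and enforce the email match; return (flow, email).

    Assumes signature, issuer, audience and validity window were already
    verified by a SAML library; this function does none of that.
    """
    # SAML messages never need a DTD; refuse them before parsing.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs are not allowed in SAML messages")
    root = ET.fromstring(xml_text)
    request_id = root.get("InResponseTo")
    if request_id is None:
        flow = "idp-initiated"                     # unsolicited response
    elif request_id in pending_request_ids:
        pending_request_ids.discard(request_id)    # each request ID is single use
        flow = "sp-initiated"
    else:
        raise ValueError("InResponseTo matches no outstanding request")
    name_id = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    email = (name_id.text or "").strip().lower() if name_id is not None else ""
    # Assumption: addresses are compared case-insensitively.
    if email not in configured_emails:
        raise ValueError("SSO email does not match a configured user")
    return flow, email

if __name__ == "__main__":
    pending = {"_req-1"}                 # constructed outstanding request ID
    users = {"agent@example.com"}        # constructed configured user emails
    print(check_sso_response(make_response("agent@example.com", "_req-1"), pending, users))
    print(check_sso_response(make_response("agent@example.com"), pending, users))
```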