Genesys Cloud uses a client integration strategy for Security Assertion Markup Language (SAML) identity providers. Instead of an open-ended approach that supports custom SAML integrations, Genesys Cloud provides quick, client-side integrations to automate the authentication process with identity providers. This strategy limits the support burden on our developers and enables them to focus on new features for Genesys Cloud customers.

Genesys Cloud provides single sign-on integrations for these third-party SAML-based identity providers:

  • Google Workspace
  • Microsoft Active Directory Federation Services (ADFS)
  • Microsoft Azure Active Directory (AD) Premium Edition
  • Okta
  • OneLogin
  • Ping Identity
  • PureConnect
  • Salesforce

Genesys Cloud also provides a generic identity provider configuration that enables Genesys Cloud customers to integrate with most identity providers that support SAML 2.0. 

Note: If Genesys Cloud does not currently support your identity provider, let us know so that we can gauge market need and potentially add the integration.


Genesys Cloud’s single sign-on integration strategy:

  • Uses the National Institute of Standards and Technology (NIST)’s recommended password hashing PBKDF2 standard. PBKDF2 encrypts user passwords for safe storage in Genesys Cloud.
  • Requires TLS 1.2 or later for communications with Genesys Cloud.
  • Uses the OAuth 2.0 framework to authorize users and applications to access Genesys Cloud resources and applications.
  • Delegates authentication through third-party SAML-based IdP’s.

There is a general problem when a Service Provider (SP) receives a SAML response from an Identity Provider (IdP) and their system clocks are not in sync. This problem can result in users getting locked out of their single sign-on when logging in. The problem might be caused by the length of the clock skew between the SP and the IdP. Clock skews between Genesys Cloud and your identity provider cannot be greater than 10 seconds.

Authentication options

The Genesys Cloud single sign-on strategy provides customers with these authentication options:

  • Service provider-initiated authentication: At the Genesys Cloud authorization server, users select the SAML identity provider they want to authenticate with. Genesys Cloud redirects them for authentication.
  • Identity provider-initiated authentication: After authentication, the SAML identity provider presents users with a list of registered applications. When users select Genesys Cloud, the system asserts their identities to the Genesys Cloud authorization server.

Note: The user’s single sign-on email address must match the configured email address for that user in Genesys Cloud.