PureCloud single sign-on and identity provider solution


PureCloud uses a client integration strategy for Security Assertion Markup Language (SAML) support and OpenID Connect Identity Providers (IdPs). Instead of an open-ended approach that supports custom SAML integrations, PureCloud provides quick, client-side integrations that automate the authentication process with identity providers. This strategy limits the support burden on our developers and lets them focus on new features for PureCloud customers.

PureCloud provides single sign-on integrations for these third-party SAML-based identity providers:

  • Google G Suite
  • Microsoft Active Directory Federation Services (ADFS)
  • Microsoft Azure Active Directory (AD) Premium Edition
  • Okta
  • OneLogin
  • Ping Identity
  • Salesforce

Note: If PureCloud does not currently support your identity provider, let us know so that we can gauge market need and potentially add the integration.

Technology

PureCloud’s single sign-on integration strategy:

  • Uses PBKDF2, the password-hashing standard recommended by the National Institute of Standards and Technology (NIST), to hash user passwords for safe storage in PureCloud.
  • Requires user passwords to contain eight letters plus numbers and punctuation.
  • Requires TLS 1.1 or later for communications with PureCloud.
  • Uses the OAuth 2.0 framework to authorize users and applications to access PureCloud resources and applications.
  • Delegates authentication to third-party SAML-based and OpenID Connect IdPs.
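As an added example of the PBKDF2 storage and password-policy points above (this is not PureCloud's own code), the following Python snippet hashes a password with PBKDF2-HMAC-SHA256 and a random salt, stores the parameters alongside the digest, and verifies a candidate in constant time. The hash function, iteration count and record format are assumptions, not PureCloud's.

```python
import hashlib
import hmac
import os
import string
from typing import Optional

# Assumed parameters (not from the PureCloud page): PBKDF2-HMAC-SHA256, a
# 16-byte random salt and 600,000 iterations (OWASP's current SHA-256 guidance).
PBKDF2_HASH = "sha256"
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
RECORD_PREFIX = "pbkdf2_"


def meets_password_policy(password: str) -> bool:
    """Approximates the stated policy: eight characters plus numbers plus punctuation."""
    return (
        len(password) >= 8
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2 digest and return a self-describing record.

    The record carries the hash name and iteration count, so the verifier can
    keep accepting old records after the parameters are raised later.
    """
    if not meets_password_policy(password):
        raise ValueError("password does not meet policy")
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    pw = password.encode("utf-8")
    digest = hashlib.pbkdf2_hmac(PBKDF2_HASH, pw, salt, PBKDF2_ITERATIONS, dklen=KEY_BYTES)
    return f"{RECORD_PREFIX}{PBKDF2_HASH}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the record's own parameters; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if not algo.startswith(RECORD_PREFIX):
            return False
        hash_name = algo[len(RECORD_PREFIX):]
        salt, expected, rounds = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iterations)
        candidate = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, rounds, dklen=len(expected))
    except ValueError:  # malformed record or unsupported hash name
        return False
    return hmac.compare_digest(candidate, expected)
```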

Authentication options

The PureCloud single sign-on strategy provides customers with these authentication options:

  • Service provider-initiated authentication: At the PureCloud authorization server, users select the SAML identity provider they want to authenticate with. PureCloud redirects them for authentication.
  • Identity provider-initiated authentication: After authentication, the SAML identity provider presents users with a list of registered applications. When users select PureCloud, the identity provider asserts their identity to the PureCloud authorization server.

Note: The user’s single sign-on email address must match the configured email address for that user in PureCloud.