Difference between revisions of "PEC-Admin/Current/Admin/SSO"

m (Reverted edits by Julie.munn@genesys.com (talk) to last revision by Jeffrey.erickson@genesys.com)
(Tag: Rollback)
 
(15 intermediate revisions by 6 users not shown)
Line 3: Line 3:
 
|DisplayName=Single sign-on
 
|DisplayName=Single sign-on
 
|TocName=Single sign-on
 
|TocName=Single sign-on
|Context=Learn how single sign-on is supported in Genesys Engage cloud.
+
|Context=Learn how single sign-on is supported in Genesys Multicloud CX.
 
|ComingSoon=No
 
|ComingSoon=No
 
|Section={{Section
 
|Section={{Section
 
|alignment=Vertical
 
|alignment=Vertical
|structuredtext=Most Genesys Engage cloud applications use single sign-on (SSO) to allow a logged-in user to navigate across supported applications without prompting for credentials again. Genesys Engage cloud can also be configured to use {{#Widget:ExtLink|link=https://en.wikipedia.org/wiki/SAML_2.0|displaytext=SAML 2.0}} for integrations with third-party identity providers (IdP) such as Okta or Google. There are many advantages to enabling SSO in Genesys Engage cloud—for example:
+
|structuredtext=Most Genesys Multicloud CX applications use single sign-on (SSO) to allow a logged-in user to navigate across supported applications without prompting for credentials again. Genesys Multicloud CX can also be configured to use {{#Widget:ExtLink|link=https://en.wikipedia.org/wiki/SAML_2.0|displaytext=SAML 2.0}} for integrations with third-party identity providers (IdP) such as Okta or Google. There are many advantages to enabling SSO in Genesys Multicloud CX—for example:
  
 
*Users need to remember only one password.
 
*Users need to remember only one password.
 
*User credentials are managed by a third-party identity provider.
 
*User credentials are managed by a third-party identity provider.
 
*Users must have multi-factor authentication by a third-party identity provider for additional security.
 
*Users must have multi-factor authentication by a third-party identity provider for additional security.
*Users only need to log in once to gain access to Genesys Engage cloud applications that have SSO enabled and non-Genesys applications that use the same identity provider.
+
*Users only need to log in once to gain access to Genesys Multicloud CX applications that have SSO enabled and non-Genesys applications that use the same identity provider.
  
 +
For details about how a user logs in with SSO, see {{Link-Standalone|topic=PEC-Agent/Login|anchor=sso}}.{{AnchorDiv|idplogin}}
 
===IdP-initiated login===
 
===IdP-initiated login===
Genesys Engage cloud supports IdP-initiated login using the SAML Single Sign-on integration. With this type of login, you can set up your own portal with links to Genesys Engage cloud applications. When a user is logged in to your IdP, they can click a link in the portal and directly log in to the Genesys application.
+
Genesys Multicloud CX supports IdP-initiated login using the SAML Single Sign-on integration. With this type of login, you can set up your own portal with links to Genesys Multicloud CX applications. When a user is logged in to your IdP, they can click a link in the portal and directly log in to the Genesys application.
  
Set up this functionality in your IdP by providing the URL of the target application as part of the redirect URL. For example, the redirect URL for Agent Desktop would be in this format: <code>redirectUrl=https://<domain>/ui/wwe/index.html</code>
+
Set up this functionality in your IdP by providing the URL of the target application as part of the redirect URL. For example, the redirect URL for Agent Workspace would be in this format: <code>redirectUrl=https://<domain>/ui/wwe/index.html</code>
  
See {{Link-SomewhereInThisVersion|manual=Admin|topic=SSO|anchor=support|display text=SSO support by application}} for the Genesys Engage cloud application URLs.
+
To get the URL for an application, go to your Genesys Portal page and click the application's widget. Immediately after, press "escape" on your keyboard to prevent the Authentication login page from loading so you can see the application URL in the browser.
 
|Status=No
 
|Status=No
 
}}{{Section
 
}}{{Section
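Review bot: In the IdP-initiated login text, the added instruction to click the widget and press "escape" before the Authentication login page loads replaces the old pointer to the per-application URL list with a step that depends on beating a redirect, so an administrator can end up copying an intermediate authentication URL instead of the application URL. Suggest stating what a correct value looks like for each application (the `https://<domain>/ui/wwe/index.html` form already shown for Agent Workspace), or keeping a documented list, so the value placed in `redirectUrl` can be checked rather than guessed.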
Line 25: Line 26:
 
|anchor=support
 
|anchor=support
 
|alignment=Vertical
 
|alignment=Vertical
|structuredtext=View which Genesys Engage cloud applications support SSO.
+
|structuredtext=View which Genesys Multicloud CX applications support SSO.
 
{{{!}} border="1"
 
{{{!}} border="1"
 
{{!}}-
 
{{!}}-
Line 31: Line 32:
 
!Single Sign On Support
 
!Single Sign On Support
 
!Notes
 
!Notes
!URL for IdP-initiated login
 
 
{{!}}-
 
{{!}}-
{{!}}Agent Desktop
+
{{!}}Agent Workspace
 
{{!}}Yes
 
{{!}}Yes
{{!}}
 
 
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}-
 
{{!}}Agent Setup
 
{{!}}Agent Setup
 
{{!}}Yes
 
{{!}}Yes
{{!}}
 
 
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}-
 
{{!}}Callback
 
{{!}}Callback
 
{{!}}Yes
 
{{!}}Yes
{{!}}
 
 
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}-
 
{{!}}Cloud Data Download Service
 
{{!}}Cloud Data Download Service
 
{{!}}Yes
 
{{!}}Yes
{{!}}
 
 
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}-
 
{{!}}CX Contact
 
{{!}}CX Contact
 
{{!}}Yes
 
{{!}}Yes
{{!}}
 
 
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}-
 
{{!}}Designer
 
{{!}}Designer
 
{{!}}Yes
 
{{!}}Yes
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}Developer Console
 
{{!}}Yes
 
{{!}}
 
 
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}-
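Review bot: The Developer Console row (`{{!}}Developer Console` / `{{!}}Yes`) appears only on the old side, so this revision drops the application from the support table without saying whether SSO support was withdrawn, the application was renamed, or it was retired. The same hunk also removes the "URL for IdP-initiated login" column, so suggest an edit summary or a table note that explains both removals and keeps administrators from reading the missing row as "not supported".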
Line 71: Line 60:
 
{{!}}Yes
 
{{!}}Yes
 
{{!}}Supported in version 9.0.013.0+. Contact your Genesys representative to enable.
 
{{!}}Supported in version 9.0.013.0+. Contact your Genesys representative to enable.
{{!}}
 
 
{{!}}-
 
{{!}}-
 
{{!}}Genesys Softphone
 
{{!}}Genesys Softphone
 
{{!}}Yes
 
{{!}}Yes
{{!}}
 
 
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}-
 
{{!}}Screen Recording
 
{{!}}Screen Recording
 
{{!}}Yes
 
{{!}}Yes
{{!}}Supported in Agent Desktop version 9, but not with custom desktops.
+
{{!}}Supported in Agent Workspace version 9, but not with custom desktops.
{{!}}
 
 
{{!}}-
 
{{!}}-
 
{{!}}Real-Time Reporting (Pulse)
 
{{!}}Real-Time Reporting (Pulse)
 
{{!}}Yes
 
{{!}}Yes
 
{{!}}Supported in Real-Time Reporting version 9 on selective deployments. Contact your Genesys representative for details.
 
{{!}}Supported in Real-Time Reporting version 9 on selective deployments. Contact your Genesys representative for details.
{{!}}
 
 
{{!}}-
 
{{!}}-
 
{{!}}Gplus Adapter Salesforce
 
{{!}}Gplus Adapter Salesforce
 
{{!}}Yes
 
{{!}}Yes
{{!}}
 
 
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}-
 
{{!}}Recording, Quality Management and Speech Analytics
 
{{!}}Recording, Quality Management and Speech Analytics
{{!}}Future Roadmap
+
{{!}}Yes
{{!}}
 
 
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}-
 
{{!}}Workforce Management
 
{{!}}Workforce Management
 
{{!}}Yes
 
{{!}}Yes
{{!}}Not supported for supervisor accounts for administrative activities.
 
 
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}-
 
{{!}}Agent Scripting Administration
 
{{!}}Agent Scripting Administration
 
{{!}}No
 
{{!}}No
{{!}}
 
 
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}-
 
{{!}}Interactive Insights
 
{{!}}Interactive Insights
 
{{!}}No
 
{{!}}No
{{!}}
 
 
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}-
 
{{!}}Outbound
 
{{!}}Outbound
 
{{!}}No
 
{{!}}No
{{!}}
 
 
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}-
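Review bot: In the Workforce Management row, the note "Not supported for supervisor accounts for administrative activities." is removed with nothing in its place; if the limitation still holds, readers will assume supervisor administrative sign-ins go through the IdP and its multi-factor policy when they do not. Confirm the restriction was lifted before dropping the note, and give a version or condition for the Recording, Quality Management and Speech Analytics change from "Future Roadmap" to "Yes", as the "Supported in version 9.0.013.0+" note earlier in this table does.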
Line 121: Line 100:
 
''Includes plug-ins like eServices Manager and IVR Administration''
 
''Includes plug-ins like eServices Manager and IVR Administration''
 
{{!}}No
 
{{!}}No
{{!}}
 
 
{{!}}
 
{{!}}
 
{{!}}-
 
{{!}}-
 
{{!}}WebRTC
 
{{!}}WebRTC
 
{{!}}Yes
 
{{!}}Yes
{{!}}
 
 
{{!}}
 
{{!}}
 
{{!}}}
 
{{!}}}
 
|Status=No
 
|Status=No
 
}}{{Section
 
}}{{Section
|sectionHeading=Configuring SSO in Genesys Engage
+
|sectionHeading=Configuring SSO in Genesys Multicloud CX
 
|anchor=engageconfig
 
|anchor=engageconfig
 
|alignment=Vertical
 
|alignment=Vertical
Line 141: Line 118:
  
 
*The domain declared in the identity provider metadata should be part of the user name stored within Genesys, to create the most seamless experience. (Example: <tt>john@mycompany.com</tt>) Otherwise, users would need to enter a Tenant or enter the domain before their username. (Example: <tt>mycompany\john</tt>)
 
*The domain declared in the identity provider metadata should be part of the user name stored within Genesys, to create the most seamless experience. (Example: <tt>john@mycompany.com</tt>) Otherwise, users would need to enter a Tenant or enter the domain before their username. (Example: <tt>mycompany\john</tt>)
*The username provisioned within Genesys Engage cloud should match the username in the external identity provider.
+
*The username provisioned within Genesys Multicloud CX should match the username in the external identity provider.
 
|Status=No
 
|Status=No
 
}}{{Section
 
}}{{Section
Line 147: Line 124:
 
|anchor=idpconfig
 
|anchor=idpconfig
 
|alignment=Vertical
 
|alignment=Vertical
|structuredtext=Genesys Engage cloud must be defined as an application within the identity provider to support the SSO integration.   
+
|structuredtext=Genesys Multicloud CX must be defined as an application within the identity provider to support the SSO integration.   
 
 
Genesys Engage cloud supports the SAML 2.0 protocol as a standard interface to identity providers, and has successfully validated with popular IdPs, including Okta and Ping. Other identity providers can be supported provided they comply with SAML 2.0 and you validate the integration before using in production.
 
|Status=No
 
}}{{Section
 
|sectionHeading=How does SSO work for users?
 
|anchor=ssowork
 
|alignment=Horizontal
 
|Media=Image
 
|image=PEC_SSO_login.png
 
|structuredtext=Let's look at the login process for Agent Desktop with SSO enabled and Okta configured as the third-party identity provider. '''Note:''' The login flow is the same for all supported identity providers.
 
 
 
First, click the Agent Desktop icon in Genesys Portal and enter your username. You must log in to the application even though you're already logged in to your workstation.
 
 
 
Click '''Next'''. Genesys redirects you to Okta where you're prompted to enter your username and password. Once you log in with Okta, you're redirected back to Agent Desktop and automatically logged in. Alternatively, if you are already logged in with Okta when you click '''Next''', Genesys skips the Okta login and automatically logs you in to Agent Desktop.
 
 
 
Now that you're authenticated with the identity provider, you can choose any SSO-enabled application from Genesys Portal and you'll be automatically logged in without entering your credentials.
 
  
If you happen to close all browser tabs without logging out of the applications, you will remain logged in for five minutes. If a second window or browser is opened after five minutes, to either the same application or any other SSO-enabled application, you will once again be prompted for your credentials.
+
Genesys Multicloud CX supports the SAML 2.0 protocol as a standard interface to identity providers, and has successfully validated with popular IdPs, including Okta and Ping. Other identity providers can be supported provided they comply with SAML 2.0 and you validate the integration before using in production.
 
|Status=No
 
|Status=No
 
}}{{Section
 
}}{{Section
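Review bot: The removed "How does SSO work for users?" section held the only statement of session behaviour on this page ("you will remain logged in for five minutes" after closing all browser tabs), and what replaces it is the link to `PEC-Agent/Login` added earlier in this revision. Check that the linked topic states the five-minute behaviour, or keep one sentence about it here, because administrators aligning IdP session policy with the applications need that figure.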
Line 171: Line 132:
 
|anchor=saml
 
|anchor=saml
 
|alignment=Vertical
 
|alignment=Vertical
|structuredtext=Genesys Engage cloud supports some SAML configuration that must be set up by your Genesys representative:
+
|structuredtext=Genesys Multicloud CX supports some SAML configuration that must be set up by your Genesys representative:
  
* Configure a maximum age for SAML assertion.
+
<!--*Configure a maximum age for SAML assertion. The default value is 2 hours.-->
* Configure "enforceAuthN" in SAML authentication requests. When enabled, Genesys Engage cloud's Authentication Service sends an attribute to the IdP that tells it to re-authenticate the user, regardless of their previous state.
+
*Configure "enforceAuthN" in SAML authentication requests. When enabled, Genesys Multicloud CX's Authentication Service sends an attribute to the IdP that tells it to re-authenticate the user, regardless of their previous state.
 
|Status=No
 
|Status=No
 
}}
 
}}
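Review bot: The maximum-age bullet is commented out rather than deleted, and the comment adds "The default value is 2 hours." which the old text never stated, so an unpublished figure now sits in the page source while the visible list is down to one item under "supports some SAML configuration". Either publish the bullet with a confirmed default or remove it entirely, and reword the lead-in if `enforceAuthN` is the only setting left.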

Latest revision as of 17:46, September 26, 2022

This topic is part of the manual Cloud Basics for Administrators for version Current of Administrator.

Learn how single sign-on is supported in Genesys Multicloud CX.

Most Genesys Multicloud CX applications use single sign-on (SSO) to allow a logged-in user to navigate across supported applications without prompting for credentials again. Genesys Multicloud CX can also be configured to use SAML 2.0 for integrations with third-party identity providers (IdP) such as Okta or Google. There are many advantages to enabling SSO in Genesys Multicloud CX—for example:

  • Users need to remember only one password.
  • User credentials are managed by a third-party identity provider.
  • Users must have multi-factor authentication by a third-party identity provider for additional security.
  • Users only need to log in once to gain access to Genesys Multicloud CX applications that have SSO enabled and non-Genesys applications that use the same identity provider.

For details about how a user logs in with SSO, see Log in to Genesys Multicloud CX.

IdP-initiated login

Genesys Multicloud CX supports IdP-initiated login using the SAML Single Sign-on integration. With this type of login, you can set up your own portal with links to Genesys Multicloud CX applications. When a user is logged in to your IdP, they can click a link in the portal and directly log in to the Genesys application.

Set up this functionality in your IdP by providing the URL of the target application as part of the redirect URL. For example, the redirect URL for Agent Workspace would be in this format: redirectUrl=https://<domain>/ui/wwe/index.html

To get the URL for an application, go to your Genesys Portal page and click the application's widget. Immediately after, press "escape" on your keyboard to prevent the Authentication login page from loading so you can see the application URL in the browser.

SSO support by application

View which Genesys Multicloud CX applications support SSO.

| Applications | Single Sign On Support | Notes |
|---|---|---|
| Agent Workspace | Yes | |
| Agent Setup | Yes | |
| Callback | Yes | |
| Cloud Data Download Service | Yes | |
| CX Contact | Yes | |
| Designer | Yes | |
| Genesys CX Insights | Yes | Supported in version 9.0.013.0+. Contact your Genesys representative to enable. |
| Genesys Softphone | Yes | |
| Screen Recording | Yes | Supported in Agent Workspace version 9, but not with custom desktops. |
| Real-Time Reporting (Pulse) | Yes | Supported in Real-Time Reporting version 9 on selective deployments. Contact your Genesys representative for details. |
| Gplus Adapter Salesforce | Yes | |
| Recording, Quality Management and Speech Analytics | Yes | |
| Workforce Management | Yes | |
| Agent Scripting Administration | No | |
| Interactive Insights | No | |
| Outbound | No | |
| Platform Administration (GAX) (Includes plug-ins like eServices Manager and IVR Administration) | No | |
| WebRTC | Yes | |

Configuring SSO in Genesys Multicloud CX

To enable single sign-on for your environments, see Single Sign-On in Agent Setup.

Important
SSO can be configured for different groups and you can have multiple identity providers, as long as there is only one per region.

If you're planning to enable SSO, consider the following conventions for creating users:

  • The domain declared in the identity provider metadata should be part of the user name stored within Genesys, to create the most seamless experience. (Example: john@mycompany.com) Otherwise, users would need to enter a Tenant or enter the domain before their username. (Example: mycompany\john)
  • The username provisioned within Genesys Multicloud CX should match the username in the external identity provider.
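
A pre-enablement check for the two conventions above, added here as an example (it is not Genesys code): it compares an export of Genesys usernames with an export of IdP usernames and sorts each Genesys entry into a category. The function name, the category names, the sample users and the choice to report case-only differences separately are assumptions of this example.

```python
from collections import defaultdict

def audit_usernames(genesys_users, idp_users, idp_domain):
    """Classify each Genesys username against the IdP export and IdP domain."""
    idp_exact = set(idp_users)
    idp_folded = {u.casefold() for u in idp_users}
    suffix = "@" + idp_domain.casefold()
    report = defaultdict(list)
    for name in genesys_users:
        if "\\" in name:
            # mycompany\john form: the user has to type the domain at login
            report["downlevel_form"].append(name)
        elif "@" not in name:
            # bare name: the user has to enter a Tenant at login
            report["missing_domain"].append(name)
        elif not name.casefold().endswith(suffix):
            report["wrong_domain"].append(name)
        elif name in idp_exact:
            report["ok"].append(name)
        elif name.casefold() in idp_folded:
            # same account, different case; assumption: worth a manual review
            report["case_mismatch"].append(name)
        else:
            report["not_in_idp"].append(name)
    return dict(report)

# Constructed sample exports (not real accounts).
SAMPLE_GENESYS = ["john@mycompany.com", "mycompany\\jane", "sam",
                  "Ann@mycompany.com", "lee@other.example", "pat@mycompany.com"]
SAMPLE_IDP = ["john@mycompany.com", "ann@mycompany.com", "jane@mycompany.com"]

if __name__ == "__main__":
    result = audit_usernames(SAMPLE_GENESYS, SAMPLE_IDP, "mycompany.com")
    for category, names in sorted(result.items()):
        print(f"{category}: {names}")
```
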

Configuring SSO in the identity provider

Genesys Multicloud CX must be defined as an application within the identity provider to support the SSO integration.

Genesys Multicloud CX supports the SAML 2.0 protocol as a standard interface to identity providers, and has successfully validated with popular IdPs, including Okta and Ping. Other identity providers can be supported provided they comply with SAML 2.0 and you validate the integration before using it in production.

SAML settings

Genesys Multicloud CX supports some SAML configuration that must be set up by your Genesys representative:

  • Configure "enforceAuthN" in SAML authentication requests. When enabled, Genesys Multicloud CX's Authentication Service sends an attribute to the IdP that tells it to re-authenticate the user, regardless of their previous state.
Retrieved from "https://all.docs.genesys.com/PEC-Admin/Current/Admin/SSO (2025-06-19 23:31:07)"