Difference between revisions of "PEC-Admin/Current/Admin/SSO"
Latest revision as of 17:46, September 26, 2022
Learn how single sign-on is supported in Genesys Multicloud CX.
Most Genesys Multicloud CX applications use single sign-on (SSO) to allow a logged-in user to navigate across supported applications without prompting for credentials again. Genesys Multicloud CX can also be configured to use SAML 2.0 for integrations with third-party identity providers (IdP) such as Okta or Google. There are many advantages to enabling SSO in Genesys Multicloud CX—for example:
- Users need to remember only one password.
- User credentials are managed by a third-party identity provider.
- Users can be required to use multi-factor authentication through the third-party identity provider for additional security.
- Users only need to log in once to gain access to Genesys Multicloud CX applications that have SSO enabled and non-Genesys applications that use the same identity provider.
IdP-initiated login
Genesys Multicloud CX supports IdP-initiated login using the SAML Single Sign-on integration. With this type of login, you can set up your own portal with links to Genesys Multicloud CX applications. When a user is logged in to your IdP, they can click a link in the portal and directly log in to the Genesys application.
Set up this functionality in your IdP by providing the URL of the target application as part of the redirect URL. For example, the redirect URL for Agent Workspace would be in this format: redirectUrl=https://<domain>/ui/wwe/index.html
To get the URL for an application, go to your Genesys Portal page and click the application's widget. Immediately after, press "escape" on your keyboard to prevent the Authentication login page from loading so you can see the application URL in the browser.
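Because the redirectUrl parameter names the application a user lands on after authenticating, the relying party should only honour targets on its own host and known application paths. The following is an added illustration of such a check, not Genesys code; the tenant host and the allowlisted path set are assumptions, with the Agent Workspace path taken from the format shown above.

```python
import posixpath
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical allowlist of application paths. The Agent Workspace path is the
# one given on this page; any other entries would be added per deployment.
ALLOWED_PATHS = {"/ui/wwe/index.html"}


def redirect_target(idp_redirect_url: str, tenant_host: str) -> Optional[str]:
    """Extract redirectUrl from the IdP redirect and return a normalised target
    only if it points at an allowed application on the tenant's own host.
    Returns None for anything that should not be followed."""
    query = parse_qs(urlsplit(idp_redirect_url).query)
    candidates = query.get("redirectUrl", [])
    if len(candidates) != 1:
        return None                      # parameter missing or supplied twice
    target = candidates[0]
    if "\\" in target:
        return None                      # browsers treat backslash as a slash
    parts = urlsplit(target)
    if parts.scheme != "https" or parts.username or parts.password:
        return None                      # reject http:// and user@host tricks
    if parts.hostname is None or parts.hostname.lower() != tenant_host.lower():
        return None                      # exact host match, no other subdomains
    path = posixpath.normpath(unquote(parts.path))   # collapse /../ segments
    if path not in ALLOWED_PATHS:
        return None
    return f"https://{parts.hostname.lower()}{path}"


if __name__ == "__main__":
    # Constructed sample values, not real endpoints.
    ok = ("https://idp.example.com/sso?redirectUrl="
          "https%3A%2F%2Ftenant.example.com%2Fui%2Fwwe%2Findex.html")
    bad = "https://idp.example.com/sso?redirectUrl=https://tenant.example.com@evil.example/ui/wwe/index.html"
    print(redirect_target(ok, "tenant.example.com"))
    print(redirect_target(bad, "tenant.example.com"))
```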
SSO support by application
View which Genesys Multicloud CX applications support SSO.
| Applications | Single Sign On Support | Notes |
|---|---|---|
| Agent Workspace | Yes | |
| Agent Setup | Yes | |
| Callback | Yes | |
| Cloud Data Download Service | Yes | |
| CX Contact | Yes | |
| Designer | Yes | |
| Genesys CX Insights | Yes | Supported in version 9.0.013.0+. Contact your Genesys representative to enable. |
| Genesys Softphone | Yes | |
| Screen Recording | Yes | Supported in Agent Workspace version 9, but not with custom desktops. |
| Real-Time Reporting (Pulse) | Yes | Supported in Real-Time Reporting version 9 on selective deployments. Contact your Genesys representative for details. |
| Gplus Adapter Salesforce | Yes | |
| Recording, Quality Management and Speech Analytics | Yes | |
| Workforce Management | Yes | |
| Agent Scripting Administration | No | |
| Interactive Insights | No | |
| Outbound | No | |
| Platform Administration (GAX), including plug-ins such as eServices Manager and IVR Administration | No | |
| WebRTC | Yes | |
Configuring SSO in Genesys Multicloud CX
To enable single sign-on for your environments, see Single Sign-On in Agent Setup.
If you're planning to enable SSO, consider the following conventions for creating users:
- The domain declared in the identity provider metadata should be part of the user name stored within Genesys, to create the most seamless experience. (Example: john@mycompany.com) Otherwise, users would need to enter a Tenant or enter the domain before their username. (Example: mycompany\john)
- The username provisioned within Genesys Multicloud CX should match the username in the external identity provider.
Configuring SSO in the identity provider
Genesys Multicloud CX must be defined as an application within the identity provider to support the SSO integration.
Genesys Multicloud CX supports the SAML 2.0 protocol as a standard interface to identity providers, and has been successfully validated with popular IdPs, including Okta and Ping. Other identity providers can be supported provided they comply with SAML 2.0 and you validate the integration before using it in production.
SAML settings
Genesys Multicloud CX supports some SAML configuration that must be set up by your Genesys representative:
- Configure "enforceAuthN" in SAML authentication requests. When enabled, Genesys Multicloud CX's Authentication Service sends an attribute to the IdP that tells it to re-authenticate the user, regardless of their previous state.
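In SAML 2.0 the request-side signal for "re-authenticate regardless of existing session" is the ForceAuthn attribute of the AuthnRequest (absent means false). The example below is added here to show both sides of that exchange and is not Genesys code; it assumes the "enforceAuthN" setting described above maps onto that standard attribute, and all endpoint values are constructed.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_authn_request(sp_entity_id: str, acs_url: str, idp_sso_url: str,
                        force_authn: bool = False) -> str:
    """Service-provider side: build a minimal SP-initiated AuthnRequest.
    ForceAuthn="true" tells the IdP to re-authenticate the user even when it
    already holds a valid session for them."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_sso_url,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    if force_authn:
        req.set("ForceAuthn", "true")    # omitted attribute defaults to false
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    return ET.tostring(req, encoding="unicode")


def must_reauthenticate(authn_request_xml: str, has_valid_idp_session: bool) -> bool:
    """Identity-provider side: prompt for credentials when there is no live
    session, or when the SP asked for it via ForceAuthn (xs:boolean, so both
    "true" and "1" count)."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    forced = root.get("ForceAuthn", "false").strip().lower() in ("true", "1")
    return forced or not has_valid_idp_session


if __name__ == "__main__":
    # Constructed sample endpoints, not real deployments.
    req = build_authn_request("https://sp.example.com/saml/metadata",
                              "https://sp.example.com/saml/acs",
                              "https://idp.example.com/sso", force_authn=True)
    print(req)
    print(must_reauthenticate(req, has_valid_idp_session=True))   # True
```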