Manage Federation with Azure

Azure is just one of the supported external identity providers (IdPs) that you can use with CXone Mpower. This page guides you, step-by-step, in setting up authentication for your CXone Mpower system using Azure.

If you're doing the initial implementation of your CXone Mpower system, there are additional steps to consider. We recommend reading the following online help pages, which cover these considerations:

Before you begin, make sure you have access to the Microsoft Azure ID management console. You will need to create an application.

Manage Federation with Azure with SAML 2.0

Complete each of these tasks in the order given.

Create and Configure an Azure Application with SAML 2.0

  1. Log in to the Azure AD management portal with your Azure AD administrator account.
  2. Create an application:
    1. Click Enterprise applications > New Application.
    2. Click Create your own application.
    3. Enter a Name (for example, CXone Mpower).
    4. Select Integrate any other application you don’t find in the gallery (Non-gallery).
    5. Click Create.
  3. Assign users and groups to the application as appropriate. Go to the Users and Groups tab and click Add user/group.
  4. In the application's management page, locate the Manage section. Under Set up single sign on, click Get Started and then select SAML.
  5. On the Basic SAML Configuration panel, click Edit and configure SAML:
    1. Enter an App Name.
    2. Under Identifier (Entity ID), click Add Identifier and enter https://need_to_change. In a later step, you will replace the placeholder with the Entity ID from your CXone Mpower login authenticator.
    3. Under Reply URL, click Add reply URL and in the Audience URI field, enter https://need_to_change. You will get the actual Assertion Consumer Service (ACS) URI from your CXone Mpower login authenticator in a later step.
  6. Click Save and close the Basic SAML Configuration panel.
  7. In the Attributes & Claims section, select the correct Unique User Identifier. The value you choose will be the Federated Identity in CXone Mpower.
  8. Azure AD should automatically create a SAML signing certificate. Download the certificate named Certificate (Base64). You will upload this certificate to your login authenticator in CXone Mpower in a later step.
  9. On the SAML Signing Certificate panel, click Edit and then:
    1. Choose a Signing Option.
    2. Click Save and close the SAML Signing Certificate panel. Keep this file for your CXone Mpower configuration in a later step.
  10. In the Set up <application name> section, copy the Login URL value. Keep this for your CXone Mpower configuration.
  11. Keep your window open. You will make changes to your Azure application settings based on values you receive in the next task.

Set Up a Login Authenticator with SAML 2.0 in CXone Mpower

Required permissions: Login Authenticator Create

  1. Click the app selector and select Admin.
  2. Go to Security Settings > Login Authenticator.
  3. Click Create New.
  4. Enter the Name and Description of the login authenticator. For the description, use plain text only. URLs or markup such as HTML will not be saved.
  5. Select SAML2 as the Authentication Type.
  6. In the Endpoint URL field, paste the Login URL value you copied from the Set up <application name> section in Azure in an earlier task.

    If you're using Entra ID (Azure), delete the string populated in the Requested Authentication Context field. Otherwise, users attempting to log in to CXone Mpower could receive Microsoft error AADSTS75011 and be prevented from logging in.

  7. Click Choose File and select the public signing certificate you downloaded from Azure in the previous task. This file must be a PEM file. It will be a text file and the first line will contain BEGIN CERTIFICATE with some additional text.
  8. Click Create Login Authenticator.
  9. Open the login authenticator.
  10. You will notice two additional read-only fields displayed, the Entity ID and the Assertion URL. Make a note of these values. You will need them in the Add CXone Mpower Values to Azure task.
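Step 7 above requires a PEM (Base64) certificate rather than the raw binary download. The following added pre-check, which is not part of the CXone Mpower or Azure documentation, verifies that a downloaded file has PEM framing, decodes as Base64, and has a well-formed outer DER SEQUENCE before you upload it; the sample PEM is constructed for the test and is not a real certificate.

```python
import base64
import re

# Constructed sample: PEM framing around a minimal DER SEQUENCE (not a real certificate).
# A real Azure "Certificate (Base64)" download has the same framing around a full X.509 body.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])  # SEQUENCE { INTEGER 5 }
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


def der_length_ok(der: bytes) -> bool:
    """Check that the outer DER element is a SEQUENCE whose declared length matches the body."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form length: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def check_pem_certificate(text: str) -> dict:
    """Return findings for a file meant to be uploaded as the IdP signing certificate."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    result = {"is_pem": False, "base64_ok": False, "der_ok": False, "der_len": 0}
    # A raw DER (.cer) download or a .pfx/.p7b bundle fails here: no PEM armor lines.
    if not lines or "BEGIN CERTIFICATE" not in lines[0] or "END CERTIFICATE" not in lines[-1]:
        return result
    result["is_pem"] = True
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/=]+", body):
        return result
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:                    # binascii.Error is a ValueError subclass
        return result
    result["base64_ok"] = True
    result["der_len"] = len(der)
    result["der_ok"] = der_length_ok(der)  # truncated or corrupted copy-paste shows up here
    return result
```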

Configure CXone Mpower Users

Complete this task in CXone Mpower for all CXone Mpower users who require single sign-on with Azure. You can also complete this step using the bulk upload template.

  1. In CXone Mpower, click the app selector and select Admin.

  2. Click Employees.

  3. Select the employee profile to modify and click Edit.

  4. If you haven't already done so, go to the Security tab and select the login authenticator you created previously.

  5. Ensure that the External Identity is set to the correct value. The value must match exactly the Unique User Identifier in Azure. If an email ID has been configured as the external ID, make sure to format it correctly. In Azure, the email ID format is firstname.lastname@domain.com and it is case sensitive.

  6. Save your changes.

Assign Users to the Login Authenticator

  1. Click the app selector and select Admin.
  2. Click Users.

  3. Select the user that you want to assign to the login authenticator, or click Create New to create a new user.

  4. On the General tab, click Edit.

  5. In the Security section, select the login authenticator you made previously from the Login Authenticator drop-down.

  6. Click Done.

Add CXone Mpower Values to Azure

  1. Return to your Azure application and on the Basic SAML Configuration panel, click Edit.
  2. For Identifier (Entity ID), enter the Entity ID value from your CXone Mpower login authenticator.
  3. For Reply URL, enter the Assertion URL value from your CXone Mpower login authenticator.
  4. Click Save and close the Basic SAML Configuration panel.

Test the SAML Integration

Before assigning the SAML login authenticator to users in CXone Mpower, you should test the SAML integration. If the test fails, review your configurations and make changes to the settings.

  1. To test IdP-initiated login:
    1. Initiate a login from the Azure dashboard.
    2. Verify that the SAML authentication flow works as you expect it to.
  2. To test SP-initiated login:
    1. Log out of CXone Mpower and return to the login page.
    2. Confirm that a button now appears there. The button's label matches the name of the login authenticator.
    3. Click the button to test that the SP-initiated login flow is correctly set up.

Verify User Access with Azure Single Sign-On

  1. Ensure that the External Identity for each user who uses the login authenticator is set to the correct value. The value must match exactly the Unique User Identifier in Azure and the Federated Identity in CXone Mpower.

  2. Have one or more test users log in using the latest CXone Mpower login URL. After entering their username, they will be directed to Azure if needed.

  3. When you're ready, roll out Azure single sign-on to all users.

Manage Federation with Azure with OpenID Connect

Complete each of these tasks in the order given.

Configure an Azure Application with OpenID Connect

  1. Log in to your Azure management account.

  2. Under App registrations, click New Registration.

  3. Go to Authentication > Web.

  4. You will need to provide Redirect URIs, which you don't know at this point. Use https://cxone.niceincontact.com/need_to_change as a placeholder.

  5. Click Certificates and secrets.

  6. Select client_secret_basic or client_secret_post as your authentication method. The private_key_jwt authentication method is not currently supported in CXone Mpower.

  7. In the Client secrets field, select New client secret.

  8. Add a description and select Expires.

  9. Copy the Client ID and Client Secret and paste them to a secure place on your device. You will need to use them when you configure a login authenticator in CXone Mpower.

  10. Go to Token Configuration > Optional Claims.

  11. Click Add Optional Claim.

  12. Select ID as your Token type.

  13. Select email and add your email address.

  14. Click Save.

Set Up a CXone Mpower Login Authenticator with OpenID Connect

  1. Click the app selector and select Admin.

  2. Click Login Authenticator.

  3. Click Create New or select the login authenticator you want to edit.
  4. Enter the Name and a Description of the login authenticator.
  5. Select OIDC as the Authentication Type.
  6. If you have a discovery endpoint from Azure, click Discover Settings. Enter your discovery endpoint and click Discover. The remaining fields are populated for you. Discover Settings does not work with Salesforce discovery endpoints.
  7. Enter your Client Identifier and Client Password. Re-type the password in Client Confirm Password. The Client Identifier is the login ID assigned to your account by Azure.
  8. If you don't have a discovery endpoint from Azure, enter your Azure-provided Issuer, JsonWebKeySet Endpoint, Authorization Endpoint, Token Endpoint, UserInfo Endpoint, Revocation Endpoint, and End Session Endpoint.

  9. Select a Client Authentication Method. The method you select must match what you set up in the previous task. It must be an authentication method that Azure supports.
  10. You can select Enable FICAM Profile to turn on United States government-specific settings. This step is for FedRAMP users only.
  11. Click Create Login Authenticator to validate the provided information and to link your CXone Mpower account to your Azure account.
  12. Open the login authenticator.
  13. Note the Sign-in Redirect URI and Sign-out Redirect URI. You will need them when you update your Azure settings.

  14. Update your Azure settings, replacing the placeholders used in the previous task with the values you just noted.

  15. Ensure that the CXone Mpower External Identity for each user that uses the login authenticator is set to the correct value.

    Azure determines the value that must be used. It can be found in the user's profile in Azure. The value must match exactly what you put in the External Identity field in CXone Mpower. The value for this field must be in this format: claim(email):{email configured by your IdP}. For example, if the user's email in the IdP is nick.carraway@classics.com, you would enter claim(email):nick.carraway@classics.com.

  16. Have the user log in to CXone Mpower. They must use the latest login URL. After entering their username, they will be directed to Azure, if needed.

  17. When Azure asks you to authenticate your own account, do so as the Azure user you want associated with your currently logged-in CXone Mpower account.
  18. If your OpenID Connect settings in CXone Mpower don't show as validated, use Azure's logs to diagnose the problem.
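The External Identity must match the Azure identifier exactly and case-sensitively (step 15 above, and step 5 of Configure CXone Mpower Users for SAML), and for OIDC it must carry the claim(email): prefix. The following added check, which is not part of the CXone Mpower product or its bulk upload template, builds the OIDC value and classifies a CXone user export against a list of Azure identifiers, reporting case-only mismatches separately because they look correct but still fail at login. The CSV layout, usernames and addresses are constructed for the example.

```python
import csv
import io

# Constructed sample data (not from the page): a CXone user export and Azure identifiers.
CXONE_USERS_CSV = """username,external_identity
jgatsby,jay.gatsby@classics.com
dbuchanan,Daisy.Buchanan@classics.com
ncarraway,nick.carraway@classics.com
mwilson,myrtle.wilson@classics.com
twilson,
"""
AZURE_IDENTIFIERS = [
    "jay.gatsby@classics.com",
    "daisy.buchanan@classics.com",
    "nick.carraway@classics.com",
]


def oidc_external_identity(email: str) -> str:
    """Build the CXone External Identity for an OIDC authenticator: claim(email):<email>."""
    email = email.strip()
    if "@" not in email or any(c.isspace() for c in email):
        raise ValueError(f"not a usable email claim value: {email!r}")
    return f"claim(email):{email}"  # value is kept as-is: the comparison is case-sensitive


def check_external_identities(csv_text: str, azure_ids: list[str]) -> dict[str, str]:
    """Classify each CXone user's External Identity against the Azure identifiers.

    Matching is exact and case-sensitive, as CXone and Azure compare the value.
    A case-only difference is reported on its own so it can be fixed before rollout.
    """
    exact = set(azure_ids)
    folded = {a.casefold(): a for a in azure_ids}
    findings: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        user = row["username"]
        value = (row["external_identity"] or "").strip()
        if not value:
            findings[user] = "missing"                # user will never reach Azure
        elif value in exact:
            findings[user] = "ok"
        elif value.casefold() in folded:
            findings[user] = f"case-mismatch (Azure has {folded[value.casefold()]})"
        else:
            findings[user] = "not-in-azure"           # no such identifier assigned in Azure
    return findings
```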

Assign Users to the Login Authenticator

  1. Click the app selector and select Admin.
  2. Click Users.

  3. Select the user that you want to assign to the login authenticator, or click Create New to create a new user.

  4. On the General tab, click Edit.

  5. In the Security section, select the login authenticator you made previously from the Login Authenticator drop-down.

  6. Click Done.

Add CXone Mpower Values to Azure

  1. Return to your Azure application and on the Basic SAML Configuration panel, click Edit.
  2. For Identifier (Entity ID), enter the Entity ID value from your CXone Mpower login authenticator.
  3. For Reply URL, enter the Assertion URL value from your CXone Mpower login authenticator.
  4. Click Save and close the Basic SAML Configuration panel.
  5. Ensure that the External Identity for each user that uses the login authenticator is set to the correct value.

    1. Your identity provider determines the value that must be used. The value must match exactly the Unique User Identifier in Azure and the External Identity in CXone Mpower.

  6. Have the user log in to CXone Mpower. They must use the latest CXone Mpower login URL. After entering their username, they will be directed to the external identity provider if needed. CXone Mpower does not support an IdP initiated process through Azure.

Verify User Access with Azure Single Sign-On

  1. Ensure that the External Identity for each user who uses the login authenticator is set to the correct value. The value must match exactly the Unique User Identifier in Azure and the Federated Identity in CXone Mpower.

  2. Have one or more test users log in using the latest CXone Mpower login URL. After entering their username, they will be directed to Azure if needed.

  3. When you're ready, roll out Azure single sign-on to all users.