Authentication Troubleshooting

When users log in to any application suite, including CXone, these two steps typically occur in the order shown:

  • Authentication—Is the user who they claim to be?
  • Authorization—Should the authenticated user have the access they've requested?

All users must be authenticated and authorized before they can access CXone.

Users can be people or applications. For example, chatbots and virtual assistants often run by means of a user account. Most application suites use the same processes for human and virtual users. In these online help pages about authentication and authorization, we've used the term user to apply to both people and applications. If there are differences, they're clearly explained.

Authentication is meant to be exact, so any configuration issue will likely cause failures. Use the following steps to narrow down the problem.

For more information on authentication and authorization in CXone, click here.

When Nobody Can Authenticate

The following steps apply to both OpenID Connect and SAML 2.0 authentication protocols.

For SAML 2.0 there are additional checks to make.

  • Double-check that the signing certificate used by the identity provider is the same one loaded into the login authenticator.

  • Make sure that encryption isn't enabled. CXone doesn't support additional encryption.

  • Check that the signing method for the SAML 2.0 response is "Message" and not "Assertion" or "Message and Assertion".

When Only Some Users Can Authenticate

The following steps apply to both OpenID Connect and SAML 2.0 authentication protocols.

  • Make sure that the user's role matches the role assigned to the login authenticator.

For SAML 2.0 there are additional checks to make.

  • Double-check the external identity. Install a SAML-tracer tool on the user's machine and try to log in. Find the "SAML" line; its details show the NameID. Verify that it exactly matches what is configured for the user's external identity (not the user's email or username).
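
The SAML 2.0 checks in both sections above (signing certificate, encryption, signing method, NameID) can be run against a single captured response. The following Python is an added example, not CXone's own code: it assumes the base64 SAMLResponse form value from an HTTP-POST login, inspects structure only without verifying the signature, and its function names and sample values are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_fingerprint(b64_der):
    """SHA-256 of a certificate given as base64 DER (PEM body or ds:X509Certificate text)."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()

def inspect_saml_response(b64_response, loaded_cert_b64, external_identity):
    """Structural checks on a captured SAMLResponse; does not verify the signature itself."""
    root = ET.fromstring(base64.b64decode(b64_response))
    findings = []
    if root.find("saml:EncryptedAssertion", NS) is not None:
        findings.append("encryption is enabled (EncryptedAssertion present)")
    if root.find("ds:Signature", NS) is None:
        findings.append("message (Response) is not signed")
    if root.find("saml:Assertion/ds:Signature", NS) is not None:
        findings.append("assertion is signed; expected signing method is Message")
    cert = root.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert and cert_fingerprint(cert) != cert_fingerprint(loaded_cert_b64):
        findings.append("signing certificate differs from the one loaded")
    name_id = root.findtext("saml:Assertion/saml:Subject/saml:NameID", default="", namespaces=NS)
    if name_id != external_identity:  # exact match: case and whitespace count
        findings.append(f"NameID {name_id!r} != external identity {external_identity!r}")
    return findings

def sample_response(cert_b64, name_id, sign_assertion=False):
    """Constructed test message; signature values are omitted, the cert is placeholder bytes."""
    sig = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo><ds:X509Data>'
           f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>')
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">' + sig +
           '<saml:Assertion>' + (sig if sign_assertion else '') +
           f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

LOADED = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
ROTATED = base64.b64encode(b"constructed placeholder for a rotated certificate").decode()

if __name__ == "__main__":
    for f in inspect_saml_response(sample_response(ROTATED, "JSmith@example.com", True),
                                   LOADED, "jsmith@example.com"):
        print("FAIL:", f)
```

Run it only on responses captured from your own identity provider, because xml.etree does not defend against entity-expansion input. An empty result means the structural checks passed, not that the signature is valid.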