Set Up CXone Authentication Using an External Identity Provider

This page guides you, step-by-step, in setting up authentication for your CXone system using an external identity provider (IdP).

Complete each of these tasks in the order given.

Before You Begin

  • Gain a basic understanding of authentication and authorization concepts and terminology if you've never set up a process like this before.
  • Review the CXone-specific process if this is the first time you've worked with authentication in CXone.
  • Consider your human users and the levels of access they need. Decide whether people with greater access should have greater levels of security.
  • Decide whether you will enforce custom password requirements, multi-factor authentication (MFA), or both.
  • Based on your decisions, make a list of login authenticators. The list should include the password requirements and MFA status you want to use for each login authenticator. You don't have to create custom login authenticators if the default login authenticator meets your password management needs.
  • Consider whether you need to include authentication and authorization for applications like bots or intelligent virtual assistants (IVAs). If so, you will need to create access keys.
  • Identify your external IdP. CXone supports both hosted and cloud service IdPs. If necessary, involve your company's authentication experts in this process. There may already be established processes for integrating systems like CXone with your external IdP. Following these processes and meeting your specific security needs is ultimately your responsibility.
  • Define your authentication protocol. CXone supports SAML 2.0 and OpenID Connect.
  • Evaluate the combination of IdP and protocol to ensure your use cases and user flows are supported, and to identify potential issues. This should include actual testing.

Your NICE CXone team can support and guide you in this planning process. Good planning makes for a smoother implementation. Implementing authentication and authorization as immediate needs come up is more likely to lead to issues.

Required security profile permissions: Login Authenticator Create

  1. Click the app selector and select Admin.
  2. Go to Login Authenticator.
  3. Click Create New.

  4. Enter a unique Name for the login authenticator.

  5. Enter a Description if you want one.

  6. Select System or SAML 2 as the Authentication Type.

  7. Click Create.

Create Security Profiles

Required security profile permissions: Security Profile Create

  1. Use one of the following methods to create the security profile and give it a name: 

    • To create a new blank security profile:

      1. Click the app selector and select Admin.
      2. Go to Security Profiles.
      3. Click Create New.

      4. Enter a unique Name for the security profile.

      5. Enter a Description if you want one.

      6. For Create, select a blank Security Profile.

    • To quickly create a new security profile that copies an existing one:

      1. Click the app selector and select Admin.
      2. Go to Security Profiles.
      3. Open the security profile you want to copy.

      4. Click Copy.

      5. Enter a unique Name for the security profile.

      6. Enter a Description if you want one.

  2. Click Next.

  3. Enable permissions for each product and feature you want users to have. Some permissions, like User Settings and Security, are grouped. To see the permissions inside the groups, click Individual next to the group name.

  4. Click Next.

  5. If you have NICE CXone WFO enabled in your environment, enable permissions for each WFO feature you want users to have. This doesn't include the CXone-native WEM apps.

  6. Click Next.

  7. Enable permissions for each report you want users to have.

  8. Click Next.

  9. Restrict data access by Campaigns (a grouping of skills used to run reports), Teams, Assignable Profiles, Groups, and Business Units (a high-level organizational grouping used to manage technical support, billing, and global settings for your CXone environment). For each data type, select whether you want users to access All & Future data of that type, None, or Custom.

  10. If you chose Custom for a data type, use the pop-up window to specify which entities of that data type the users can access. Click Done.

    New campaigns, teams, security profiles, groups, and business units aren't automatically added to custom lists when they're created. You must update the custom list if you want users to access the new data.

  11. Click Next.
  12. Click Create Security Profile.

Create or Edit Users

Required security profile permissions: Users Create

If you are setting up authentication with an external IdP for an existing CXone business unit, you do not have to create new user accounts. You will need to edit user accounts and configure the External Identity Type and Federated Identity fields. This must be done for each user who will authenticate via the external IdP. The fields are explained in step 4 of this task.

When you create new users, you have the option to create new individual users or to upload multiple new user accounts at the same time. These instructions are for creating single users in the Admin application. See Manage Multiple Users at Once for instructions on creating or editing multiple users at the same time.

CXone offers many options and settings so you can customize your users. It's a good idea to read through this entire task and make sure you know which settings you need to configure before you begin.

  1. Click the app selector and select Admin.
  2. Click Users.

  3. Open the new user creation form in one of the following ways: 

    • If you want to create a new user with a blank form, click Create New and select Single User.
    • If you want to create a new user based on an existing user's profile, open that user's profile and click Copy.
  4. Enter the user's First Name, Last Name, Email, Username (in the form of an email address), Security Profile, Team, User will use (timezone), City, and Country. If the fields are available, set the password using the Password and Confirm Password fields. Enter any other information you want to add to the user profile.

  5. If you have Integrated Softphone (WebRTC) custom URLs enabled, configure the Integrated Softphone URLs and URL Weights as needed.

  6. Click Save and Continue.
  7. Set the user's Refusal Timeouts for each channel, default Dialing Pattern, and Agent Voice Threshold. If you want to, select Suppress Ringing - Personal Connection.

  8. If your environment is single-channel, set the default number of Concurrent Chats and Auto-Parked Emails. Specify whether the user can Request Contact.

  9. If your environment is enabled for Omnichannel Session Handling (OSH), set the maximum number of simultaneous contacts the user can handle per channel. If you have granular OSH settings enabled, set the Delivery Mode and Total Contact Count for the user.

  10. If you have a WFO integration enabled other than CXone WFO (such as Uptivity WFO) and want to set up recording, enter the System Domain, System Username, and Phones.

  11. In the MAX Version section, you can determine which version of MAX you want this user to use.
  12. If you have WFM enabled, configure the agent's notification settings.

  13. If you have NICE CXone WFO and you want to integrate with a CRM, enter the agent's CRM Username to associate it with the user.

  14. Click Save.
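Because the External Identity Type and Federated Identity fields must be set for every user who will authenticate via the external IdP, it helps to audit the user list before switching logins over. The following is an added example, not CXone code: the CSV column names, the `SAML2` value, and the sample rows are constructed for illustration, and it assumes each Federated Identity must exactly match one subject identifier issued by your IdP and must not be shared between users.

```python
import csv
import io
from collections import Counter

# Constructed sample user list. Column names and values are hypothetical,
# not an actual CXone export format.
CXONE_USERS_CSV = """username,external_identity_type,federated_identity
ana@example.com,SAML2,ana@example.com
ben@example.com,SAML2,
cy@example.com,,cy@example.com
dee@example.com,SAML2,ana@example.com
eli@example.com,SAML2,eli@corp.example
fay@example.com,SAML2,fay@example.com
"""

# Constructed set of subject identifiers the external IdP will assert.
IDP_SUBJECTS = {"ana@example.com", "cy@example.com",
                "dee@example.com", "fay@example.com"}


def audit_federated_identities(users_csv, idp_subjects):
    """Return {username: [problems]} for users not ready for IdP login."""
    rows = list(csv.DictReader(io.StringIO(users_csv)))
    # Count each non-empty identity so shared mappings can be flagged.
    counts = Counter(r["federated_identity"].strip() for r in rows
                     if r["federated_identity"].strip())
    findings = {}
    for r in rows:
        problems = []
        fed = r["federated_identity"].strip()
        if not r["external_identity_type"].strip():
            problems.append("External Identity Type not set")
        if not fed:
            problems.append("Federated Identity not set")
        else:
            if counts[fed] > 1:
                # Two accounts mapped to one IdP subject is an account collision.
                problems.append("Federated Identity shared with another user")
            if fed not in idp_subjects:
                problems.append("Federated Identity unknown to IdP")
        if problems:
            findings[r["username"]] = problems
    return findings


if __name__ == "__main__":
    report = audit_federated_identities(CXONE_USERS_CSV, IDP_SUBJECTS)
    for user, problems in report.items():
        print(f"{user}: {'; '.join(problems)}")
```

Comparison is exact on purpose: a difference in letter case or domain between the two systems is reported rather than silently normalized.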

Authenticate Applications

Users and applications are authenticated in very similar ways. The main difference is that applications are authenticated with an access key while users are authenticated with a username and password. Unlike users, applications are not required to interact through a browser. Applications typically are either back-office functionality or intelligent virtual agents (IVAs), which are chatbots or similar applications that interact with a user based on artificial intelligence.

To set up an application to interact with CXone, create a user profile and name the profile after the application. Then create an access key for the application user as follows:

Authorization in CXone

Authorization is the process of verifying what resources a user is allowed to access. Resources can include applications, files, and data. You can define users' access to resources with role-based access control. CXone manages authorization automatically during authentication. When a user is authenticated, they are given access only to the resources they're authorized for.

A user's authentication method doesn't impact authorization. CXone uses the same authorization process for all users. It doesn't matter whether they are authenticated with access keys or passwords.