Set Up CXone Authentication Using Microsoft Azure as an External Identity Provider

This page guides you, step-by-step, in setting up authentication for your CXone system using Microsoft Azure as your external identity provider (IdP). If you're setting up Azure as an IdP for an existing CXone system, you won't need to do some of the tasks described here. Refer to the Manage Federation with Azure help page instead.

Before You Begin

  • Gain a basic understanding of authentication and authorization concepts and terminology if you've never set up a process like this before.
  • Review the CXone-specific process if this is the first time you've worked with authentication in CXone.
  • Consider your human users and the levels of access they need. Decide whether people with greater access should have greater levels of security.
  • Decide whether you will enforce custom password requirements, multi-factor authentication (MFA), or both.
  • Based on your decisions, make a list of login authenticators. The list should include the password requirements and MFA status you want to use for each login authenticator.
  • Consider whether you need to include authentication and authorization for applications like bots or intelligent virtual assistants (IVAs). If so, you will need to create access keys.
  • Gain an understanding of the SAML 2.0 authentication protocol. CXone supports SAML 2.0 for Azure integration.
  • Evaluate the combination of IdP and protocol to ensure your use cases and user flows are supported, and to identify potential issues. This should include actual testing.

Your NICE CXone team can support and guide you in this planning process. Good planning makes for a smoother implementation. Implementing authentication and authorization as immediate needs come up is more likely to lead to issues.

Complete each of these tasks in the order given.

Before you begin, make sure you have access to the Microsoft Azure ID management console. You will need to create an application.

Manage Federation with Azure with SAML 2.0

Complete each of these tasks in the order given.

Create and Configure an Azure Application with SAML 2.0

  1. Log in to your Azure AD management account.
  2. Create an application.
    1. Click Enterprise applications > New Application.
    2. Click Create your own application.
    3. Enter a Name (for example, NICE CXone).
    4. Select Integrate any other application you don’t find in the gallery (Non-gallery).
    5. Click Create.
  3. Assign users and groups as appropriate.
  4. Under Set up single sign on, click Get Started and then select SAML.
  5. On the Basic SAML Configuration panel, click Edit and configure SAML:
    1. Under Identifier (Entity ID), click Add Identifier and enter https://cxone.niceincontact.com/need_to_change. You will change this value to the URL you receive later.
    2. Under Reply URL, click Add reply URL and in the Audience URI field, enter https://cxone.niceincontact.com/need_to_change. You will change this value to the URI you receive later.
  6. Click Save and close the Basic SAML Configuration panel.
  7. In the Attributes & Claims section, select the correct Unique User Identifier. The value you choose will be the Federated Identity in CXone.
  8. Azure AD should automatically create a SAML signing certificate. Download the certificate named Certificate (Base64).
  9. On the SAML Signing Certificate panel, click Edit and then:
    1. Change the Signing Option to Sign SAML response.
    2. Click Save and close the SAML Signing Certificate panel. Keep this file for your CXone configuration.
  10. On the Set up <application name> panel, copy the Login URL value. Keep this for your CXone configuration.
  11. Keep your window open. You will make changes to your Azure application settings based on values you receive in the next task.
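Steps 7 and 9 above decide two things that CXone will later depend on: which value arrives as the NameID (the Unique User Identifier that becomes the Federated Identity) and whether the signature is placed on the SAML response rather than only on the assertion. The check below is an added example, not part of this help page or of any NICE or Microsoft tooling: it inspects a captured SAML response structurally and reports where the ds:Signature sits, which NameID was sent, and whether the Audience matches the CXone Entity ID you will enter in the Add CXone Values to Azure task. The sample response is constructed and abbreviated (placeholder tenant ID, placeholder signature value), and the function does not verify the signature cryptographically; it only shows whether the signing option took effect.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in an Azure AD SAML response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed, abbreviated SAML response (not a real Azure capture). The
# ds:Signature sits directly under samlp:Response, which is what the
# "Sign SAML response" signing option produces. Tenant ID and signature
# value are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://cxone.example.invalid/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <ds:Signature><ds:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</ds:SignatureValue></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">nick.carraway@classics.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://cxone.example.invalid/entity-id-placeholder</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def inspect_saml_response(xml_text: str, expected_entity_id: str) -> dict:
    """Report where the XML signature sits, which NameID the IdP sent, and
    whether the Audience matches the CXone Entity ID. Structural check only;
    the signature itself is not verified here."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("document root is not a samlp:Response")

    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS) if assertion is not None else None
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    status = root.find("samlp:Status/samlp:StatusCode", NS)

    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        "status": status.get("Value") if status is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audience_ok": expected_entity_id in audiences,
    }


def signing_problems(report: dict) -> list:
    """Findings for the three things the CXone setup above depends on."""
    problems = []
    if not report["response_signed"]:
        problems.append("samlp:Response is not signed; set Signing Option to 'Sign SAML response' in Azure")
    if not report["audience_ok"]:
        problems.append("saml:Audience does not match the CXone Entity ID")
    if report["name_id"] is None:
        problems.append("no NameID in the assertion; check the Unique User Identifier claim")
    return problems


if __name__ == "__main__":
    report = inspect_saml_response(SAMPLE_RESPONSE, "https://cxone.example.invalid/entity-id-placeholder")
    print(report)
    print(signing_problems(report) or "no problems found")
```

To use it on your own tenant, paste the base64-decoded SAML response from the browser's developer tools (or a SAML tracer extension) in place of SAMPLE_RESPONSE and pass the Entity ID shown on your CXone login authenticator. A response that is unsigned at the top level while the assertion is signed tells you the Signing Option in step 9 is still at its default.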

Set Up a Login Authenticator with SAML 2.0 in CXone

Required permissions: Login Authenticator Create

  1. Click the app selector and select Admin.
  2. Go to Security Settings > Login Authenticator.
  3. Click Create New.
  4. Enter the Name and Description of the login authenticator.
  5. Select SAML2 as the Authentication Type.
  6. Enter the SAML request Endpoint URL you received from Azure as the Endpoint URL.

    If you're using Entra ID (Azure), delete the string populated in the Requested Authentication Context field. Otherwise, users attempting to log in to CXone could receive Microsoft error AADSTS75011 and be prevented from logging in.

  7. Click Choose File and select the public signing certificate you downloaded from Azure in the previous task. This file must be a PEM file. It will be a text file and the first line will contain BEGIN CERTIFICATE with some additional text.
  8. Click Create Login Authenticator.
  9. Open the login authenticator.
  10. You will notice two additional read-only fields displayed, the Entity ID and the Assertion URL. Make a note of these values. You will need them in the Add CXone Values to Azure task.
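Step 7 above rejects anything that is not a PEM text file beginning with BEGIN CERTIFICATE. The helper below is an added example, not part of this help page or of NICE's tooling: it checks a downloaded signing certificate the way the upload will, decodes the base64 body and confirms it is a single well-formed DER SEQUENCE (every X.509 certificate starts with tag 0x30), and converts a raw DER certificate to PEM if you downloaded the Certificate (Raw) file from Azure instead of Certificate (Base64). The FAKE_DER sample is constructed to exercise the length check and is not a real certificate.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----",
    re.S,
)

# Constructed stand-in for a certificate: a well-formed DER SEQUENCE holding
# 300 bytes of content (long-form length 0x82 0x01 0x2c). It is NOT a real
# X.509 certificate; it only exercises the structural checks below.
FAKE_DER = b"\x30\x82\x01\x2c" + b"\x02\x01\x01" * 100


def der_length_ok(der: bytes) -> bool:
    """True if der is one DER SEQUENCE whose declared length matches the
    bytes present (catches truncated downloads and non-certificate files)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length fits in one byte
        declared, header = first, 2
    else:                                 # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        declared = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + declared == len(der)


def check_pem_certificate(text: str) -> dict:
    """Validate what the CXone upload expects: a text file whose first line
    carries BEGIN CERTIFICATE and whose body is base64-encoded DER."""
    findings = []
    first_line = text.lstrip().splitlines()[0] if text.strip() else ""
    if "BEGIN CERTIFICATE" not in first_line:
        findings.append("first line does not contain BEGIN CERTIFICATE")
    match = PEM_BLOCK.search(text)
    if match is None:
        findings.append("no BEGIN/END CERTIFICATE block found (raw DER .cer file?)")
        return {"ok": False, "findings": findings, "der_length": 0}
    try:
        der = base64.b64decode(match.group("body"))   # non-strict mode ignores line breaks
    except ValueError as exc:
        findings.append(f"body is not valid base64: {exc}")
        return {"ok": False, "findings": findings, "der_length": 0}
    if not der_length_ok(der):
        findings.append("decoded body is not a single DER SEQUENCE (truncated or not a certificate)")
    return {"ok": not findings, "findings": findings, "der_length": len(der)}


def der_to_pem(der: bytes) -> str:
    """Wrap a raw DER certificate as PEM, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def load_as_pem(path: str) -> str:
    """Read a certificate file and return PEM text whether it was saved as
    PEM or as raw DER (assumed helper for the two Azure download formats)."""
    data = open(path, "rb").read()
    if b"BEGIN CERTIFICATE" in data:
        return data.decode("ascii")
    return der_to_pem(data)


if __name__ == "__main__":
    print(check_pem_certificate(der_to_pem(FAKE_DER)))
    print(check_pem_certificate("MIIBfake"))
```

Run check_pem_certificate(load_as_pem("cert.pem")) on the file you downloaded before uploading it; a finding about the DER length usually means the file was cut short or is not the certificate at all. Neither function checks the certificate's validity period, so confirm the expiry in the Azure portal and plan the rotation before it lapses, since CXone will reject responses signed with a certificate it does not hold.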

Assign Users to the Login Authenticator

  1. Click the app selector and select Admin.
  2. Click Users.

  3. Select the user that you want to assign to the login authenticator, or click Create New to create a new user.

  4. On the General tab, click Edit.

  5. In the Security section, select the login authenticator you made previously from the Login Authenticator drop-down.

  6. Click Done.

Add CXone Values to Azure

  1. Return to your Azure application and on the Basic SAML Configuration panel, click Edit.
  2. For Identifier (Entity ID), enter the Entity ID value from your CXone login authenticator.
  3. For Reply URL, enter the Assertion URL value from your CXone login authenticator.
  4. Click Save and close the Basic SAML Configuration panel.
  5. Ensure that the External Identity for each user that uses the login authenticator is set to the correct value.

    Your identity provider determines the value that must be used. The value must match exactly the Unique User Identifier in Azure and the External Identity in CXone.

  6. Have the user log in to CXone. They must use the latest CXone login URL. After entering their username, they will be directed to the external identity provider if needed. CXone does not support an IdP initiated process through Azure.

Verify User Access with Azure Single Sign-On

  1. Ensure that the External Identity for each user who uses the login authenticator is set to the correct value. The value must match exactly the Unique User Identifier in Azure and the Federated Identity in CXone.

  2. Have one or more test users log in using the latest CXone login URL. After entering their username, they will be directed to Azure if needed.

  3. When you're ready, roll out Azure single sign-on to all users.

Manage Federation with Azure with OpenID Connect

Complete each of these tasks in the order given.

Configure an Azure Application with OpenID Connect

  1. Log in to your Azure management account.

  2. Under App registrations, click New Registration.

  3. Go to Authentication > Web.

  4. You will need to provide Redirect URIs, which you don't know at this point. Use https://cxone.niceincontact.com/need_to_change as a placeholder.

  5. Click Certificates and secrets.

  6. Select client_secret_basic or client_secret_post as your authentication method. The private_key_jwt authentication method is not currently supported in CXone.

  7. In the Client secrets field, select New client secret.

  8. Add a description and select Expires.

  9. Copy the Client ID and Client Secret and paste them to a secure place on your device. You will need to use them when you configure a login authenticator in CXone.

  10. Go to Token Configuration > Optional Claims.

  11. Click Add Optional Claim.

  12. Select ID as your Token type.

  13. Select email and add your email address.

  14. Click Save.

Set Up a CXone Login Authenticator with OpenID Connect

  1. Click the app selector and select Admin.

  2. Click Login Authenticator.

  3. Click Create New or select the login authenticator you want to edit.
  4. Enter the Name and a Description of the login authenticator.
  5. Select OIDC as the Authentication Type.
  6. If you have a discovery endpoint from Azure, click Discover Settings. Enter your discovery endpoint and click Discover. The remaining fields are populated for you. Discover Settings does not work with Salesforce discovery endpoints.
  7. Enter your Client Identifier and Client Password. Re-type the password in Client Confirm Password. The Client Identifier is the login ID assigned to your account by Azure.
  8. If you don't have a discovery endpoint from Azure, enter your Azure-provided Issuer, JsonWebKeySet Endpoint, Authorization Endpoint, Token Endpoint, UserInfo Endpoint, Revocation Endpoint, and End Session Endpoint.

  9. Select a Client Authentication Method. The method you select must match what you set up in the previous task. It must be an authentication method that Azure supports.
  10. You can select Enable FICAM Profile to turn on United States government-specific settings. This step is for FedRAMP users only.
  11. Click Create Login Authenticator to validate the provided information and to link your CXone account to your Azure account.
  12. Open the login authenticator.
  13. Note the Sign-in Redirect URI and Sign-out Redirect URI. You will need them when you update your Azure settings.

  14. Update your Azure settings, replacing the placeholders used in the previous task with the values you just noted.

  15. Ensure that the CXone External Identity for each user that uses the login authenticator is set to the correct value.

    Azure determines the value that must be used. It can be found in the user's profile in Azure. The value must match exactly what you put in the External Identity field in CXone. The value for this field must be in this format: claim(email):{email configured by your IdP}. For example, if the user's email in the IdP is nick.carraway@classics.com, you would enter claim(email):nick.carraway@classics.com.

  16. Have the user log in to CXone. They must use the latest login URL. After entering their username, they will be directed to Azure, if needed.

  17. When Azure asks you to authenticate your own account, do so as the user in Azure you want associated with your currently logged in CXone account.
  18. If your OpenID Connect settings in CXone don't show as validated, use Azure's logs to diagnose the problem.
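Steps 6, 8 and 9 above take the endpoint values and the client authentication method from Azure's discovery document. The following is an added example, not part of this help page or of NICE's product: it reads an OpenID Connect discovery document, maps its keys onto the CXone login authenticator field names used in step 8, reports which fields the document leaves unfilled so you know what to enter by hand, confirms the issuer agrees with the URL the document was fetched from (the discovery URL is always the issuer followed by /.well-known/openid-configuration), and picks a client authentication method CXone supports, treating private_key_jwt as unusable as step 6 of the previous task states. SAMPLE_DISCOVERY is constructed in the shape of Azure's v2.0 metadata with an all-zeros placeholder tenant ID; fetch the real document from your tenant's URL instead of relying on these values.

```python
import json

# Constructed discovery document shaped like Azure's v2.0 metadata. The tenant
# ID is a placeholder and the values are not a live capture.
TENANT = "00000000-0000-0000-0000-000000000000"
DISCOVERY_URL = f"https://login.microsoftonline.com/{TENANT}/v2.0/.well-known/openid-configuration"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/token",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
    "userinfo_endpoint": "https://graph.microsoft.com/oidc/userinfo",
    "end_session_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/v2.0/logout",
    "token_endpoint_auth_methods_supported": ["client_secret_post", "private_key_jwt", "client_secret_basic"],
    "claims_supported": ["sub", "iss", "aud", "exp", "iat", "email", "name", "preferred_username"],
})

# CXone login authenticator field (as named in step 8) -> OIDC discovery key.
CXONE_FIELDS = {
    "Issuer": "issuer",
    "JsonWebKeySet Endpoint": "jwks_uri",
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "UserInfo Endpoint": "userinfo_endpoint",
    "Revocation Endpoint": "revocation_endpoint",
    "End Session Endpoint": "end_session_endpoint",
}

# Client authentication methods CXone accepts; private_key_jwt is not among them.
CXONE_SUPPORTED_AUTH = ("client_secret_basic", "client_secret_post")


def map_discovery_to_cxone(discovery_json: str, discovery_url: str) -> dict:
    """Fill the CXone field names from the discovery document and flag gaps."""
    doc = json.loads(discovery_json)
    # OIDC Discovery: the document lives at issuer + "/.well-known/openid-configuration",
    # so an issuer that does not match the fetch URL points at a misconfigured or spoofed IdP.
    expected_url = doc.get("issuer", "").rstrip("/") + "/.well-known/openid-configuration"
    fields = {name: doc.get(key) for name, key in CXONE_FIELDS.items()}
    missing = [name for name, value in fields.items() if not value]
    return {"fields": fields, "missing": missing, "issuer_matches_url": expected_url == discovery_url}


def choose_client_auth_method(discovery_json: str):
    """Return the first method both the IdP and CXone support, or None."""
    doc = json.loads(discovery_json)
    # The discovery spec's default when the key is absent is client_secret_basic.
    supported = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    for method in CXONE_SUPPORTED_AUTH:
        if method in supported:
            return method
    return None


def email_claim_available(discovery_json: str) -> bool:
    """Whether the IdP advertises the email claim that the External Identity
    format claim(email):<email> relies on."""
    return "email" in json.loads(discovery_json).get("claims_supported", [])


if __name__ == "__main__":
    result = map_discovery_to_cxone(SAMPLE_DISCOVERY, DISCOVERY_URL)
    for name, value in result["fields"].items():
        print(f"{name}: {value or '<not in discovery document>'}")
    print("issuer matches URL:", result["issuer_matches_url"])
    print("client auth method:", choose_client_auth_method(SAMPLE_DISCOVERY))
    print("email claim advertised:", email_claim_available(SAMPLE_DISCOVERY))
```

Whatever method choose_client_auth_method returns is the one to set as the Client Authentication Method in step 9 and under Certificates and secrets in Azure; the two must agree or the token request fails. A None result means the tenant only offers methods CXone cannot use.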

Assign Users to the Login Authenticator

  1. Click the app selector and select Admin.
  2. Click Users.

  3. Select the user that you want to assign to the login authenticator, or click Create New to create a new user.

  4. On the General tab, click Edit.

  5. In the Security section, select the login authenticator you made previously from the Login Authenticator drop-down.

  6. Click Done.

Verify User Access with Azure Single Sign-On

  1. Ensure that the External Identity for each user who uses the login authenticator is set to the correct value. The value must match exactly the Unique User Identifier in Azure and the Federated Identity in CXone.

  2. Have one or more test users log in using the latest CXone login URL. After entering their username, they will be directed to Azure if needed.

  3. When you're ready, roll out Azure single sign-on to all users.
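Both verification tasks on this page turn on the same rule: the value CXone stores for a user must match what Azure sends exactly, as the Unique User Identifier for SAML 2.0 or in the claim(email):{email} form for OpenID Connect. Before rolling out to all users it is worth comparing the two lists in bulk rather than discovering mismatches one failed login at a time. The script below is an added example, not part of this help page or of NICE's product: given the identities exported from Azure and the External Identity values entered in CXone, it reports every user that would fail the exact-match rule and classifies the likely cause (case, stray whitespace, missing claim(email): prefix, or simply a different value). The sample data is constructed.

```python
def oidc_external_identity(idp_email: str) -> str:
    """Build the CXone External Identity for an OpenID Connect login
    authenticator: claim(email):<email exactly as the IdP returns it>."""
    return f"claim(email):{idp_email}"


def explain_mismatch(expected: str, actual) -> str:
    """Classify why two identity strings fail the exact-match rule."""
    if expected == actual:
        return "match"
    if not actual:
        return "not set in CXone"
    if expected.strip() == actual.strip():
        return "leading/trailing whitespace"
    if expected.lower() == actual.lower():
        return "letter case differs"
    if expected.startswith("claim(email):") and not actual.startswith("claim(email):"):
        return "missing claim(email): prefix"
    return "different value"


def find_identity_mismatches(idp_users: dict, cxone_users: dict, mode: str) -> list:
    """Compare what the IdP will send with what CXone has stored.

    mode="saml": idp_users maps username -> Unique User Identifier (NameID).
    mode="oidc": idp_users maps username -> email claim, which CXone expects
                 in the claim(email):<email> form.
    cxone_users maps username -> External Identity as entered in CXone."""
    if mode not in ("saml", "oidc"):
        raise ValueError("mode must be 'saml' or 'oidc'")
    findings = []
    for username, idp_value in idp_users.items():
        expected = oidc_external_identity(idp_value) if mode == "oidc" else idp_value
        actual = cxone_users.get(username)
        reason = explain_mismatch(expected, actual)
        if reason != "match":
            findings.append({"user": username, "expected": expected, "cxone": actual, "reason": reason})
    return findings


# Constructed sample: what Azure returns for each CXone username, and what an
# administrator typed into the External Identity field for an OIDC authenticator.
AZURE_EMAILS = {
    "nick@classics.com": "nick.carraway@classics.com",
    "jay@classics.com": "Jay.Gatsby@classics.com",
    "daisy@classics.com": "daisy.buchanan@classics.com",
    "tom@classics.com": "tom.buchanan@classics.com",
}
CXONE_OIDC_IDENTITIES = {
    "nick@classics.com": "claim(email):nick.carraway@classics.com",
    "jay@classics.com": "claim(email):jay.gatsby@classics.com",
    "daisy@classics.com": "daisy.buchanan@classics.com",
    "tom@classics.com": "claim(email):tom.buchanan@classics.com ",
}


if __name__ == "__main__":
    for finding in find_identity_mismatches(AZURE_EMAILS, CXONE_OIDC_IDENTITIES, "oidc"):
        print(f"{finding['user']}: {finding['reason']} (expected {finding['expected']!r}, CXone has {finding['cxone']!r})")
```

For a SAML 2.0 authenticator, feed the NameID values Azure will send as idp_users and call the function with mode="saml"; the expected value is then the identifier itself, with no prefix. The classification is only a hint for the administrator fixing the record: CXone applies the exact comparison, so a "letter case differs" finding is just as much a failed login as "different value".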

Create Security Profiles

Required permissions: Security Profile Create

  1. Use one of the following methods to create the security profile and give it a name: 

    • To create a new blank security profile:

      1. Click the app selector and select Admin.
      2. Go to Security Profiles.
      3. Click Create New.

      4. Enter a unique Name for the security profile.

      5. Enter a Description if you want one.

      6. For Create, select a blank Security Profile.

    • To quickly create a new security profile that copies an existing one:

      1. Click the app selector and select Admin.
      2. Go to Security Profiles.
      3. Open the security profile you want to copy.

      4. Click Copy.

      5. Enter a unique Name for the security profile.

      6. Enter a Description if you want one.

  2. Click Next.

  3. Enable permissions for each product and feature you want users to have. Some permissions, like User Settings and Security, are grouped. To see the permissions inside the groups, click Individual next to the group name.

  4. Click Next.

  5. Enable permissions for each report you want users to have.

  6. Click Next.

  7. Restrict data access by Campaigns (a grouping of skills used to run reports), Teams, Assignable Profiles, Groups, and Business Units (the high-level organizational grouping used to manage technical support, billing, and global settings for your CXone environment). For each data type, select whether you want users to access All & Future data of that type, None, or Custom.

  8. If you chose Custom for a data type, use the pop-up window to specify which entities of that data type the users can access. Click Done.

    New campaigns, teams, security profiles, groups, and business units aren't automatically added to custom lists when they're created. You must update the custom list if you want users to access the new data.

  9. Click Next.
  10. Click Create Security Profile.

Create or Edit Users

Required permissions: Users Create

If you are setting up authentication with an external IdP for an existing CXone business unit, you do not have to create new user accounts. You will need to edit user accounts and configure the External Identity Type and Federated Identity fields. This must be done for each user who will authenticate via the external IdP. The fields are explained in step 4 of this task.

When you create new users, you have the option to create new individual users or to upload multiple new user accounts at the same time. These instructions are for creating single users in the Admin application. See Manage Multiple Users at Once for instructions on creating or editing multiple users at the same time.

CXone offers many options and settings so you can customize your users. It's a good idea to read through this entire task and make sure you know which settings you need to configure before you begin.

  1. Click the app selector and select Admin.
  2. Click Users.

  3. Open the new user creation form in one of the following ways: 

    • If you want to create a new user with a blank form, click Create New and select Single User.
    • If you want to create a new user based on an existing user's profile, open that user's profile and click Copy.
  4. Enter the user's First Name, Last Name, Email, Username (in the form of an email address), Security Profile, Team, User will use (timezone), City, and Country. If the fields are available, set the password using the Password and Confirm Password fields. Enter any other information you want to add to the user profile.

  5. Select a login authenticator (LA).

    All users must be assigned to a login authenticator, or they won't be able to log in to CXone.

    The type of LA will determine how the user will log in to CXone. You can set up two types of login authenticators.

    System LAs: Users assigned to a system LA will log in using credentials managed by CXone.

    External LAs: Users assigned to an external LA will complete their log in through an external identity provider (IdP). External LAs are configured with either SAML 2.0 or OpenID Connect.

  6. If you have Integrated Softphone (WebRTC) custom URLs enabled, configure the Integrated Softphone URLs and URL Weights as needed.

  7. Click Save and Continue.
  8. Set the user's Refusal Timeouts for each channel, default Dialing Pattern, and Agent Voice Threshold. If you want to, select Suppress Ringing - Personal Connection.

  9. If your environment is enabled for static delivery, set the default number of Concurrent Chats and Auto-Parked Emails. Specify whether the user can Request Contact.

  10. If your environment is enabled for dynamic delivery, set the maximum number of simultaneous contacts the user can handle per channel. If you have granular dynamic delivery settings enabled, set the Delivery Mode and Total Contact Count for the user.

  11. If you have a WFO integration enabled other than CXone WFO (such as Uptivity WFO) and want to set up recording, enter the System Domain, System Username, and Phones.

  12. In the MAX Version section, you can determine which version of MAX you want this user to use.
  13. If you have CXone WFM enabled, configure the agent's notification settings.

  14. If you have NICE CXone WFO and you want to integrate with a CRM, enter the agent's CRM Username to associate it with the user.

  15. Click Save.

Authenticate Applications

Users and applications are authenticated in very similar ways. The main difference is that applications are authenticated with an access key while users are authenticated with a username and password. Unlike users, applications are not required to interact through a browser. Applications typically are either back-office functionality or intelligent virtual agents (IVAs), meaning a chatbot or similar application that interacts with a user based on artificial intelligence.

To set up an application to interact with CXone, create a user profile and name the profile after the application. Then create an access key for the application user as follows:

Authorization in CXone

Authorization is the process of verifying what resources a user is allowed to access. Resources can include applications, files, and data. You can define users' access to resources with role-based access control. CXone manages authorization automatically during authentication. When a user is authenticated they are given access only to the resources they're authorized for.

A user's authentication method doesn't impact authorization. CXone uses the same authorization process for all users. It doesn't matter whether they are authenticated with access keys or passwords.