Set Up CXone Authentication Using the Built-in Identity Provider

This page guides you, step-by-step, in setting up authentication for your CXone system using the built-in identity provider.

Complete each of these tasks in the order given.

Before You Begin

  • Gain a basic understanding of authentication and authorization ideas and terminology if you've never set up a process like this before.
  • Review the CXone-specific process if this is the first time you've worked with authentication in CXone.
  • Consider your human users and the levels of access they need. Decide whether people with greater access should have greater levels of security.
  • Decide whether you will enforce custom password requirements, multi-factor authentication (MFA), or both.
  • Make a list of the login authenticators you'll need based on your decisions. The list should include the password requirements and MFA status you want to use for each login authenticator.
  • Consider whether you need to include authentication and authorization for applications like bots or intelligent virtual assistants (IVAs). If so, you will need to create access keys.

Your NICE CXone team can support and guide you in this planning process. Good planning makes for a smoother implementation. Implementing authentication and authorization as immediate needs come up is more likely to lead to issues.

Create Login Authenticators

Required permissions: Login Authenticator Create

The built-in CXone IdP authenticates users with usernames and passwords. Password criteria are managed using login authenticators. You can create different login authenticators for different users.

  1. Click the app selector and select Admin.
  2. Go to Login Authenticator.
  3. Click Create New.

  4. Enter a unique Name for the login authenticator.

  5. Enter a Description if you want one.

  6. Select System as the Authentication Type.

  7. Set up your password complexity.

    Each user's password is checked against a repository of commonly used passwords. If their password matches one of the commonly used passwords, they will be forced to create a new password. Some of the passwords that are rejected include:

    • Any password that includes the word "password." For example, Password@1234.

    • Any password that includes the user's email address, username, first name, last name, or system name.

    Passwords are checked against this repository whenever:

    • A new user is activated.

    • A user's password expires.

    • A user resets their password.

  8. If you want to enable multi-factor authentication, select Require Multi-Factor Authentication. Set your MFA Type as HOTP and TOTP.

  9. Set your password policy.

  10. Click Create Login Authenticator.
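
The screening rules from step 7, sketched as a local pre-check you can run on a candidate password before entering it. This is an added example, not CXone's code: the common-password set is a constructed stand-in for the real repository, and the `UserProfile` field names, the case-insensitive matching of user attributes, and the function name are assumptions.

```python
from dataclasses import dataclass

# Constructed stand-in for the repository of commonly used passwords;
# the contents of the real repository are not listed on this page.
COMMON_PASSWORDS = {"123456", "qwerty", "letmein", "welcome1", "iloveyou"}


@dataclass
class UserProfile:
    email: str
    username: str
    first_name: str
    last_name: str
    system_name: str = ""  # hypothetical field for the "system name"


def rejection_reasons(password: str, user: UserProfile) -> list[str]:
    """Return the step 7 rules a candidate password would trip.

    An empty list means none of the listed rules matched.
    """
    candidate = password.casefold()
    reasons = []

    # Assumption: the repository comparison ignores case.
    if candidate in COMMON_PASSWORDS:
        reasons.append("matches a commonly used password")
    # "Password@1234" is rejected, so the match on "password" ignores case.
    if "password" in candidate:
        reasons.append('includes the word "password"')

    personal = {
        "email address": user.email,
        "username": user.username,
        "first name": user.first_name,
        "last name": user.last_name,
        "system name": user.system_name,
    }
    for label, value in personal.items():
        value = value.strip().casefold()
        # Skip blank fields: "" is a substring of every string and would
        # reject every password for a user with an unset attribute.
        if value and value in candidate:
            reasons.append(f"includes the user's {label}")
    return reasons
```

Because usernames take the form of an email address, a password that embeds the email address trips both the email and username rules.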

Create Security Profiles

Required permissions: Security Profile Create

  1. Use one of the following methods to create the security profile and give it a name: 

    • To create a new blank security profile:

      1. Click the app selector and select Admin.
      2. Go to Security Profiles.
      3. Click Create New.

      4. Enter a unique Name for the security profile.

      5. Enter a Description if you want one.

      6. For Create, select a blank Security Profile.

    • To quickly create a new security profile that copies an existing one:

      1. Click the app selector and select Admin.
      2. Go to Security Profiles.
      3. Open the security profile you want to copy.

      4. Click Copy.

      5. Enter a unique Name for the security profile.

      6. Enter a Description if you want one.

  2. Click Next.

  3. Enable permissions for each product and feature you want users to have. Some permissions, like User Settings and Security, are grouped. To see the permissions inside the groups, click Individual next to the group name.

  4. Click Next.

  5. Enable permissions for each report you want users to have.

  6. Click Next.

  7. Restrict data access by Campaigns (a grouping of skills used to run reports), Teams, Assignable Profiles, Groups, and Business Units (a high-level organizational grouping used to manage technical support, billing, and global settings for your CXone environment). For each data type, select whether you want users to access All & Future data of that type, None, or Custom.

  8. If you chose Custom for a data type, use the pop-up window to specify which entities of that data type the users can access. Click Done.

    New campaigns, teams, security profiles, groups, and business units aren't automatically added to custom lists when they're created. You must update the custom list if you want users to access the new data.

  9. Click Next.
  10. Click Create Security Profile.

Create Users

Required permissions: Users Create

When you create new users, you have the option to create new individual users or to upload multiple new user accounts at the same time. These instructions are for creating single users in the Admin application. See Manage Multiple Users at Once for instructions on creating or editing multiple users at the same time.

CXone offers many options and settings so you can customize your users. It's a good idea to read through this entire task and make sure you know which settings you need to configure before you begin.

  1. Click the app selector and select Admin.
  2. Click Users.

  3. Open the new user creation form in one of the following ways: 

    • If you want to create a new user with a blank form, click Create New and select Single User.
    • If you want to create a new user based on an existing user's profile, open that user's profile and click Copy.
  4. Enter the user's First Name, Last Name, Email, Username (in the form of an email address), Security Profile, Team, User will use (timezone), City, and Country. If the fields are available, set the password using the Password and Confirm Password fields. Enter any other information you want to add to the user profile.

  5. Select a login authenticator (LA).

    All users must be assigned to a login authenticator, or they won't be able to log in to CXone.

    The type of LA will determine how the user will log in to CXone. You can set up two types of login authenticators.

    System LAs: Users assigned to a system LA will log in using credentials managed by CXone.

    External LAs: Users assigned to an external LA will complete their login through an external identity provider (IdP). External LAs are configured with either SAML 2.0 or OpenID Connect.

  6. If you have Integrated Softphone (WebRTC) custom URLs enabled, configure the Integrated Softphone URLs and URL Weights as needed.

  7. Click Save and Continue.
  8. Set the user's Refusal Timeouts for each channel, default Dialing Pattern, and Agent Voice Threshold. If you want to, select Suppress Ringing - Personal Connection.

  9. If your environment is enabled for static delivery, set the default number of Concurrent Chats and Auto-Parked Emails. Specify whether the user can Request Contact.

  10. If your environment is enabled for dynamic delivery, set the maximum number of simultaneous contacts the user can handle per channel. If you have granular dynamic delivery settings enabled, set the Delivery Mode and Total Contact Count for the user.

  11. If you have a WFO integration enabled other than CXone WFO (such as Uptivity WFO) and want to set up recording, enter the System Domain, System Username, and Phones.

  12. In the MAX Version section, you can determine which version of MAX you want this user to use.
  13. If you have CXone WFM enabled, configure the agent's notification settings.

  14. If you have NICE CXone WFO and you want to integrate with a CRM, enter the agent's CRM Username to associate it with the user.

  15. Click Save.

Authenticate Applications

Users and applications are authenticated in very similar ways. The main difference is that applications are authenticated with an access key while users are authenticated with a username and password. Unlike users, applications are not required to interact through a browser. Applications typically are either back-office functionality or intelligent virtual agents (IVAs), which are chatbots or similar applications that interact with a user based on artificial intelligence.

To set up an application to interact with CXone, create a user profile and name the profile after the application. Then create an access key for the application user as follows:

Authorization in CXone

Authorization is the process of verifying what resources a user is allowed to access. Resources can include applications, files, and data. You can define users' access to resources with role-based access control. CXone manages authorization automatically during authentication. When a user is authenticated they are given access only to the resources they're authorized for.

A user's authentication method doesn't impact authorization. CXone uses the same authorization process for all users. It doesn't matter whether they are authenticated with access keys or passwords.