Set Up OpenID Connect Single Sign-On

Required security profile permissions: External Business Unit Edit

OpenID Connect is an authentication protocol you can use to integrate your identity provider (IdP) with the NICE CXone platform to create a single sign-on (SSO) experience. When you configure OpenID Connect for your business unit, your IdP owns user authentication and the platform honors the flow of the IdP. When a user logs in to the platform for the first time with OpenID Connect and that user does not already have an account, the platform automatically creates a new user profile and links it to the IdP.

If you don't already have OpenID Connect enabled in your environment, contact your CXone Account Representative to enable it for you and help you set up a custom hostname for your login.

Screenshot of the OpenID Connect tab of a business unit in edit mode

Field

Details
Business Unit Hostname The hostname of the login page. This is only editable by NICE CXone. For example, the company, Classics, Inc., could have a custom hostname of classicsinc.

Disable NICE inContact Authentication

Specifies whether the default method for logging in—entering a username and password—is allowed. When selected, the option to type a username and password to log in is disabled. You can only enable this option after you have configured OpenID Connect. When you select Disable NICE inContact Authentication, users can only log in with external authentication. When you don't select the setting, users log in based on priority of login methods: 1) OpenID Connect 2) SAML 2.0, and 3) internal login.
Discovery Settings Prompts you for a discovery URL, which your IdP may have given you. It automatically populates the fields on this page, which are required for you to connect to your IdP.
Issuer The issuer assigned to your account by your IdP.
Client Identifier and Client Password The login ID assigned to your account by your IdP and your password.
Client Authentication Method The authentication method your IdP supports.
Enable FICAM (Federal Identity Credential, and Access Management) Profile When selected, turns on U.S. government-specific settings.
Validation Status Indicates whether or not the configuration data in the preceding fields has been validated.
  1. If you haven't already done so, configure your IdP. Make note of your client identifier and client secret. Configure a redirection URI that is specific to your business unitClosed High-level organizational grouping used to manage technical support, billing, and global settings for your CXone environment. This URI is based on the custom hostname you configured with your NICE CXone account representative. It may look similar to this, depending on your setup: 
    • https://{custom-domain}.incontact.com
    • https://(custom).niceincontact.com
    • https://(custom).nice-incontact.com/inContact
    • https://(custom).incontact.eu

  2. Click the app selector and select ACD.

  3. Go to ACD ConfigurationBusiness Units.

  4. Click the business unit where you want to use OpenID Connect.
  5. Click the OpenID Connect tab and click Edit.
  6. Select the Default Security Profile and Default Team you want to apply to the platform user accounts that are automatically created the first time a new user logs in with SSO.
  7. Enter your Client Identifier and Client Password. Re-type the password in Client Confirm Password.
  8. If you have a discovery endpoint for your IdP, click Discover Settings. Enter your discovery endpoint and click Discover. The remaining fields are populated for you.
  9. If you don't have a discovery endpoint for your IdP, enter your IdP-provided JsonWebKeySet Endpoint, Authorization Endpoint, Token Endpoint, UserInfo Endpoint, and Revocation Endpoint.
  10. Click Done to validate the provided information and to link your account to your IdP account.
  11. When your IdP asks you to authenticate, do so as the user on the IdP you want associated with your currently logged in CXone user.
  12. If your OpenID Connect settings in CXone don't show as validated, use your IdP logs to diagnose the problem.
  13. If you want to disable the default username and password login method, click Edit again, select the Disable NICE inContact Authentication checkbox, and click Done.

The account linking and validation functionality in CXone always uses one of the following subdomain-based redirect URIs:

  • https://(custom).incontact.com/inContact/LoginByCode.aspx
  • https://(custom).niceincontact.com/inContact/LoginByCode.aspx
  • https://(custom).nice-incontact.com/inContact/LoginByCode.aspx
  • https://(custom).incontact.eu/inContact/LoginByCode.aspx

Enable OpenID Connect for Users

Required security profile permissions: Users Edit

  1. Click the app selector and select Admin.

  2. Click Users.

  3. Create a new user or open the user profile where you want to enable OpenID Connect.
  4. In the General tab, click Edit.
  5. If your environment has both OpenID Connect and SAML 2.0 enabled, click the External Identity Type drop-down and select OpenID Connect.

  6. In the Federated Identity field, enter the unique value to be passed as part of the authentication assertion. This value is case-sensitive. It must also be configured in your IdP system for the user requesting access to NICE CXone.

    When your IdP makes an authentication assertion to the NICE CXone platform, it must contain an LDAP claim with the same Federated Identity value configured for the user. The claim values are:

    • Name ID (required) — Matches the user's configured Federated Identity.
    • SecurityProfileID (optional) — Matches a valid security profile in your business unit. This security profile is mapped to your NICE CXone user and is used going forward. If no claim is present, the current Security Profile mapped to this user profile is used.

    To configure the signing message, sign only the message ("response") and not the claim.

  7. Click Done.

Alternatively, your users can link their accounts manually. If your users don't already have CXone user accounts, user accounts are automatically created for them and linked to their IdP username the first time they log in to CXone. If your users already have CXone user accounts, they can link their accounts to their IdP username manually by logging in to CXone, going to Admin > My Account, and clicking Link Account.

Linking New Users with Claim-based OpenID Connect

CXone can use a different claim value, like an email address, to establish the user's identity at their first login. CXone then automatically switches to the unique OpenID Connect subject identifier. This allows you to pre-configure a user's federated identity.