Set Up OpenID Connect Single Sign-On

Required security profile permissions: External Business Unit Edit

OpenID Connect is an authentication protocol you can use to integrate your identity provider (IdP) with the NICE CXone platform to create a single sign-on (SSO) experience. When you configure OpenID Connect for your business unit, your IdP owns user authentication and the platform honors the flow of the IdP. When a user logs in to the platform for the first time with OpenID Connect and that user does not already have an account, the platform automatically creates a new user profile and links it to the IdP.

If you don't already have OpenID Connect enabled in your environment, contact your CXone Account Representative to enable it for you and help you set up a custom hostname for your login.

  1. If you haven't already done so, configure your IdP. Make note of your client identifier and client secret. Configure a redirection URI that is specific to your business unitClosed High-level organizational grouping used to manage technical support, billing, and global settings for your CXone environment. This URI is based on the custom hostname you configured with your NICE CXone account representative. It may look similar to this, depending on your setup: 
    • https://{custom-domain}.incontact.com
    • https://(custom).niceincontact.com
    • https://(custom).nice-incontact.com/inContact
    • https://(custom).incontact.eu
  2. Click the app selector and select ACD.

  3. Go to ACD ConfigurationBusiness Units.

  4. Click the business unit where you want to use OpenID Connect.
  5. Click the OpenID Connect tab and click Edit.
  6. Select the Default Security Profile and Default Team you want to apply to the platform user accounts that are automatically created the first time a new user logs in with SSO.
  7. Enter your Client Identifier and Client Password. Re-type the password in Client Confirm Password.
  8. If you have a discovery endpoint for your IdP, click Discover Settings. Enter your discovery endpoint and click Discover. The remaining fields are populated for you.
  9. If you don't have a discovery endpoint for your IdP, enter your IdP-provided JsonWebKeySet Endpoint, Authorization Endpoint, Token Endpoint, UserInfo Endpoint, and Revocation Endpoint.
  10. Click Done to validate the provided information and to link your account to your IdP account.
  11. When your IdP asks you to authenticate, do so as the user on the IdP you want associated with your currently logged in CXone user.
  12. If your OpenID Connect settings in CXone don't show as validated, use your IdP logs to diagnose the problem.
  13. If you want to disable the default username and password login method, click Edit again, select the Disable NICE inContact Authentication checkbox, and click Done.

The account linking and validation functionality in CXone always uses one of the following subdomain-based redirect URIs:

  • https://(custom).incontact.com/inContact/LoginByCode.aspx
  • https://(custom).niceincontact.com/inContact/LoginByCode.aspx
  • https://(custom).nice-incontact.com/inContact/LoginByCode.aspx
  • https://(custom).incontact.eu/inContact/LoginByCode.aspx

Enable OpenID Connect for Users

Required security profile permissions: Users Edit

  1. Click the app selector and select Admin.

  2. Click Users.

  3. Create a new user or open the user profile where you want to enable OpenID Connect.
  4. In the General tab, click Edit.
  5. If your environment has both OpenID Connect and SAML 2.0 enabled, click the External Identity Type drop-down and select OpenID Connect.
  6. In the Federated Identity field, enter the unique value to be passed as part of the authentication assertion. This value is case-sensitive. It must also be configured in your IdP system for the user requesting access to NICE CXone.

    When your IdP makes an authentication assertion to the NICE CXone platform, it must contain an LDAP claim with the same Federated Identity value configured for the user. The claim values are:

    • Name ID (required) — Matches the user's configured Federated Identity.
    • SecurityProfileID (optional) — Matches a valid security profile in your business unit. This security profile is mapped to your NICE CXone user and is used going forward. If no claim is present, the current Security Profile mapped to this user profile is used.

    To configure the signing message, sign only the message ("response") and not the claim.

  7. Click Done.

Alternatively, your users can link their accounts manually. If your users don't already have CXone user accounts, user accounts are automatically created for them and linked to their IdP username the first time they log in to CXone. If your users already have CXone user accounts, they can link their accounts to their IdP username manually by logging in to CXone, going to Admin > My Account, and clicking Link Account.

Linking New Users with Claim-based OpenID Connect

CXone can use a different claim value, like an email address, to establish the user's identity at their first login. CXone then automatically switches to the unique OpenID Connect subject identifier. This allows you to pre-configure a user's federated identity.