Set Up SAML 2.0 Single Sign-On
SAML 2.0 is an authentication protocol you can use to integrate CXone with your identity provider (IdP) to create a single sign-on (SSO) experience in your CXone environment. Using SAML 2.0 for SSO is supported for logging in to CXone, MAX, and Supervisor, but it doesn't apply to Studio, the Developer Portal, or the University websites. Currently, SSO with SAML 2.0 doesn't support Federation.
Complete each of these tasks in the order given.
Configure Your Business Unit for SAML 2.0
Required security profile permissions: External Business Unit Edit

Field | Details |
---|---|
Entity ID | A pre-populated, non-editable, globally unique ID that your SAML 2.0 IdP may require you to enter on their side. The IdP includes it as the entity ID of the issuer in the SAML 2.0 request message. Some IdPs, including Okta and OneLogin, don't require you to configure the entity ID on their side. Others, including Salesforce, do. |
Endpoint URL | The endpoint URL provided by your IdP. |
Assertion URL | A pre-populated, non-editable URL your IdP requires to set up any SAML 2.0 flow. It serves as an endpoint URL for receiving and parsing an authentication assertion. You must enter this URL in your IdP configuration, usually in the ACS URL field. Some IdPs call it something other than ACS. For example, in the Okta SAML 2.0 template, you enter this URL in the Single Sign On URL field. |
Certificate | Upload the security certificate you received from your IdP. |
If you haven't already done so, contact your NICE CXone account representative to enable SAML 2.0 SSO. You must then create an account with an external identity provider (IdP). The IdP will provide you with the information that you need to use SSO with CXone.
- Log in to your IdP and download the security certificate. Leave the browser window open.
- Click the app selector and select ACD.
- Go to ACD Configuration > Business Units.
- Click the Federated Identity tab.
- Click Edit.
- In the Certificate Information section, click Choose File.
- Find the security certificate on your machine, select it, and click Open.
- In the IdP browser window, locate the endpoint URL and copy it. Paste it into CXone in the Endpoint URL field.
- If your IdP requires an entity ID, copy the Entity ID from CXone and paste it into the corresponding field in your IdP window.
- Copy the Assertion URL from CXone and paste it into the ACS URL or related field in the IdP browser window.
- Save your settings in the IdP browser window.
- Click Done in CXone.
Enable SAML 2.0 SSO for Users
Required security profile permissions: Users Edit
- Click the app selector and select Admin.
- Click Users.
- Create a new user or open the user profile where you want to enable SAML 2.0 SSO.
- In the General tab, click Edit.
- If your environment has both OpenID Connect and SAML2 enabled, click the External Identity Type drop-down and select SAML2.
- In the Federated Identity field, enter the unique value to be passed as part of the authentication assertion. This value is case-sensitive. It must also be configured in your IdP system for the user requesting access to NICE CXone.
When your IdP makes an authentication assertion to the NICE CXone platform, it must contain an LDAP claim with the same Federated Identity value configured for the user. The claim values are:
- Name ID (required) — Matches the user's configured Federated Identity.
- SecurityProfileID (optional) — Matches a valid security profile in your business unit. This security profile is mapped to your NICE CXone user and is used going forward. If no claim is present, the current Security Profile mapped to this user profile is used.
When you configure signing, sign only the message ("response") and not the claim.
- Click Done.
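Before rolling SSO out to users, you can check a captured response from your IdP against the requirements in the Federated Identity step above. The following is an added example, not NICE CXone code: it inspects a constructed, trimmed SAML response for signature placement, an exact case-sensitive Name ID match, and the optional SecurityProfileID claim. The `check_response` helper, the sample values, and the delivery of SecurityProfileID as a `saml:Attribute` are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: a trimmed Response with a placeholder signature element.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:Signature/>
  <saml:Assertion>
    <saml:Subject><saml:NameID>Jane.Doe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="SecurityProfileID">
        <saml:AttributeValue>1234</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def check_response(xml_text, federated_identity):
    """Structural check only (no cryptographic verification).
    Returns (problems, security_profile_id)."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if root.tag != "{%s}Response" % NS["samlp"] or assertion is None:
        return ["not a SAML Response carrying an Assertion"], None
    problems = []
    # Sign the message ("response"), not the claim.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if assertion.find("ds:Signature", NS) is not None:
        problems.append("Assertion is signed; sign only the Response")
    # Name ID must equal the Federated Identity exactly (case-sensitive).
    node = assertion.find("saml:Subject/saml:NameID", NS)
    name_id = (node.text or "").strip() if node is not None else None
    if name_id is None:
        problems.append("NameID is missing")
    elif name_id != federated_identity:
        case = name_id.lower() == federated_identity.lower()
        problems.append("NameID mismatch" + (" (case only)" if case else ""))
    # Optional claim; assumed here to arrive as an Attribute with this Name.
    attr = assertion.find(
        "saml:AttributeStatement/saml:Attribute[@Name='SecurityProfileID']"
        "/saml:AttributeValue", NS)
    return problems, (attr.text.strip() if attr is not None and attr.text else None)

if __name__ == "__main__":
    print(check_response(SAMPLE, "Jane.Doe@example.com"))
```

An empty problem list means the response has the expected shape; a `None` profile ID corresponds to the case where the security profile currently mapped to the user is used.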