Set Up SAML 2.0 Single Sign-On

SAML 2.0 is an authentication protocol you can use to integrate CXone with your identity provider (IdP) to create a single sign-on (SSO) experience in your CXone environment. Using SAML 2.0 for SSO is supported for logging in to CXone, MAX, and Supervisor, but it doesn't apply to Studio, the Developer Portal, or the University websites. Currently, SSO with SAML 2.0 doesn't support Federation.

Complete each of these tasks in the order given.

Configure Your Business Unit for SAML 2.0

Required security profile permissions: External Business Unit Edit

If you haven't already done so, contact your NICE CXone account representative to enable SAML 2.0 SSO. You must then create an account with an external identity provider (IdP). The IdP will provide you with the information that you need to use SSO with CXone.

  1. Log in to your IdP and download the security certificate. Leave the browser window open.
  2. Click the app selector and select ACD.
  3. Go to ACD Configuration > Business Units.
  4. Click the Federated Identity tab.
  5. Click Edit.
  6. In the Certificate Information section, click Choose File.
  7. Find the security certificate on your machine, select it, and click Open.
  8. In the IdP browser window, locate the endpoint URL and copy it. Paste it into CXone in the Endpoint URL field.
  9. If your IdP requires an entity ID, copy the Entity ID from CXone and paste it into the corresponding field in your IdP window.
  10. Copy the Assertion URL from CXone and paste it into the ACD URL or related field in the IdP browser window.
  11. Save your settings in the IdP browser window.
  12. Click Done in CXone.

Enable SAML 2.0 SSO for Users

Required security profile permissions: Users Edit

  1. Click the app selector and select Admin.
  2. Click Users.
  3. Create a new user or open the user profile where you want to enable SAML 2.0 SSO.
  4. In the General tab, click Edit.
  5. If your environment has both OpenID Connect and SAML2 enabled, click the External Identity Type drop-down and select SAML2.
  6. In the Federated Identity field, enter the unique value to be passed as part of the authentication assertion. This value is case-sensitive. It must also be configured in your IdP system for the user requesting access to NICE CXone.

    When your IdP makes an authentication assertion to the NICE CXone platform, it must contain an LDAP claim with the same Federated Identity value configured for the user. The claim values are:

    • Name ID (required) — Matches the user's configured Federated Identity exactly, including case.
    • SecurityProfileID (optional) — Matches a valid security profile in your business unit. This security profile is mapped to your NICE CXone user and is used going forward. If no claim is present, the current Security Profile mapped to this user profile is used.

    When configuring signing in your IdP, sign only the message (the SAML response), not the claim.

  7. Click Done.