Set Up SAML 2.0 Single Sign-On

SAML 2.0 is an authentication protocol you can use to integrate CXone with your identity provider (IdP) to create a single sign-on (SSO) experience in your CXone environment. Using SAML 2.0 for SSO is supported for logging in to CXone, MAX, and Supervisor, but it doesn't apply to Studio, the Developer Portal, or the University websites. Currently, SSO with SAML 2.0 doesn't support Federation.

Complete each of the following tasks in the given order to set up SAML 2.0 SSO. If you haven't already done so, contact your NICE inContact account representative to enable SAML 2.0 SSO. You must then create an account with an external identity provider (IdP). The IdP will provide you with the information that you need to use SSO with CXone.

Configure Your Business Unit for SAML 2.0 SSO

Required security profile permissions: External Business Unit Edit

  1. Log in to your IdP and download the security certificate. Leave the browser window open.
  2. In the ACD application, click ACD Configuration > Business Units.
  3. Click the Federated Identity tab.
  4. Click Edit.
  5. In the Certificate Information section, click Choose File.
  6. Find the security certificate on your machine, select it, and click Open.
  7. In the IdP browser window, locate the endpoint URL and copy it. Paste it into CXone in the Endpoint URL field.
  8. If your IdP requires an entity ID, copy the Entity ID from CXone and paste it into the corresponding field in your IdP window.
  9. Copy the Assertion URL from CXone and paste it into the ACD URL or related field in the IdP browser window.
  10. Save your settings in the IdP browser window.
  11. Click Done in CXone.

Enable SAML 2.0 SSO for Users

Required security profile permissions: Users Edit

After you configure SAML 2.0 SSO for your business unit, you must provide a unique value in the Federated Identity field for each user profile that you want to use SSO.

  1. In the Admin application, click Users.
  2. Create a new user or open the user profile where you want to enable SAML 2.0 SSO.
  3. In the General tab, click Edit.
  4. In the Federated Identity field, enter the unique value to be passed as part of the authentication assertion. This value is case-sensitive. It must also be configured in your IdP system for the user requesting access to NICE inContact.

    When your IdP makes an authentication assertion to the NICE inContact platform, it must contain an LDAP claim with the same Federated Identity value configured for the user. The claim values are:

    • Name ID (required) — Matches the user's configured Federated Identity.
    • SecurityProfileID (optional) — Matches a valid security profile in your business unit. This security profile is mapped to your NICE inContact user and is used going forward. If no claim is present, the current Security Profile mapped to this user profile is used.

    When you configure message signing in your IdP, sign only the message ("response") and not the claim.

  5. Click Done.
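
A pre-flight check for the assertion requirements in step 4, as an added example that is not part of the original documentation or NICE inContact's own code. It inspects a base64-encoded SAMLResponse captured from a test login against your own IdP and reports violations of the Name ID, SecurityProfileID, and signing rules. Assumptions: SecurityProfileID is sent as the SAML Attribute Name, the function names are hypothetical, and the sample response is constructed; the check is structural and does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def check_response(b64_response, federated_identity):
    """Return a list of problems in a captured SAMLResponse (empty list = OK).
    Structural pre-flight check only; it does NOT verify the signature."""
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    # Page: sign only the message ("response") and not the claim.
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed")
    if root.find("saml:Assertion/ds:Signature", NS) is not None:
        problems.append("Assertion is signed; sign only the Response")
    # Name ID (required) must equal the Federated Identity, case-sensitively.
    node = root.find("saml:Assertion/saml:Subject/saml:NameID", NS)
    name_id = (node.text or "").strip() if node is not None else ""
    if not name_id:
        problems.append("Name ID claim is missing")
    elif name_id != federated_identity:
        if name_id.lower() == federated_identity.lower():
            problems.append("Name ID differs from Federated Identity only by case")
        else:
            problems.append("Name ID does not match Federated Identity")
    # SecurityProfileID (optional): if sent, it must carry a value.
    path = "saml:Assertion/saml:AttributeStatement/saml:Attribute"
    for attr in root.iterfind(path, NS):
        if attr.get("Name") == "SecurityProfileID":  # assumed attribute name
            val = attr.find("saml:AttributeValue", NS)
            if val is None or not (val.text or "").strip():
                problems.append("SecurityProfileID claim is present but empty")
    return problems

def sample(name_id, sign_assertion=False):
    """Constructed response for the demo; signatures are empty stubs."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    xml = ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">%s<saml:Assertion>%s'
           '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
           '<saml:AttributeStatement><saml:Attribute Name="SecurityProfileID">'
           '<saml:AttributeValue>1234</saml:AttributeValue></saml:Attribute>'
           '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
           % (NS["samlp"], NS["saml"], sig, sig if sign_assertion else "", name_id))
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(check_response(sample("jdoe@example.com"), "jdoe@Example.com"))
```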