SAML 2.0 is an authentication protocol you can use to integrate CXone with your identity provider (IdP) to create a single sign-on (SSO) experience in your CXone environment. Using SAML 2.0 for SSO is supported for logging in to CXone, MAX, and Supervisor, but it doesn't apply to Studio, the Developer Portal, or the University websites. Currently, SSO with SAML 2.0 doesn't support Federation.
Complete each of the following tasks in the given order to set up SAML 2.0 SSO. If you haven't already done so, contact your NICE inContact account representative to enable SAML 2.0 SSO. You must then create an account with an external identity provider (IdP). The IdP will provide you with the information that you need to use SSO with CXone.
Configure Your Business Unit for SAML 2.0 SSO
Required security profile permissions: External Business Unit Edit
|Field|Details|
|---|---|
|Entity ID|A pre-populated, non-editable global unique ID that your SAML 2.0 IdP may require you to enter on their side. The IdP includes it as the entity ID of the issuer in the SAML request message. Some IdPs, including Okta and OneLogin, don't require you to configure the entity ID on their side. Others, including Salesforce, do.|
|Endpoint URL|The endpoint URL provided by your IdP.|
|Assertion URL|A pre-populated, non-editable URL your IdP requires to set up any SAML flow. It serves as an endpoint URL for receiving and parsing an authentication assertion. You must enter this URL in your IdP configuration, usually in the ACS URL field. Some IdPs call it something other than ACS. For example, in the Okta SAML template, you enter this URL in the Single Sign On URL field.|
|Certificate|Upload the security certificate you received from your IdP.|
- Log in to your IdP and download the security certificate. Leave the browser window open.
- In the ACD application, click ACD Configuration → Business Units.
- Click the Federated Identity tab.
- Click Edit.
- In the Certificate Information section, click Choose File.
- Find the security certificate on your machine, select it, and click Open.
- In the IdP browser window, locate the endpoint URL and copy it. Paste it into CXone in the Endpoint URL field.
- If your IdP requires an entity ID, copy the Entity ID from CXone and paste it into the corresponding field in your IdP window.
- Copy the Assertion URL from CXone and paste it into the ACS URL or related field in the IdP browser window.
- Save your settings in the IdP browser window.
- Click Done in CXone.
Enable SAML 2.0 SSO for Users
Required security profile permissions: Users Edit
After you configure SAML 2.0 SSO for your business unit, you must provide a unique value in the Federated Identity field for each user profile that you want to use SSO.
- In the Admin application, click Users.
- Create a new user or open the user profile where you want to enable SAML 2.0 SSO.
- In the General tab, click Edit.
- In the Federated Identity field, enter the unique value to be passed as part of the authentication assertion. This value is case-sensitive. It must also be configured in your IdP system for the user requesting access to NICE inContact.
  When your IdP makes an authentication assertion to the NICE inContact platform, it must contain an LDAP claim with the same Federated Identity value configured for the user. The claim values are:
  - Name ID (required) — Matches the user's configured Federated Identity.
  - SecurityProfileID (optional) — Matches a valid security profile in your business unit. This security profile is mapped to your NICE inContact user and is used going forward. If no claim is present, the current Security Profile mapped to this user profile is used.
  When configuring message signing in your IdP, sign only the message (the response) and not the claim.
- Click Done.
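How those claims are consumed, as an added example that is not NICE inContact's code: a Python check over a constructed SAML Response that accepts the login only if the Response (not the Assertion) carries the signature, then matches Name ID case-sensitively against a constructed user table and applies the SecurityProfileID claim only when it names a profile the business unit has. Cryptographic verification of the signature is assumed to have been done already by your SAML library; the signature element here is a placeholder.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
USERS = {"JDoe@example.com": ("u-1001", "7")}   # constructed: Federated Identity -> (user, current profile)
VALID_PROFILES = {"7", "42"}                      # constructed: profiles that exist in the business unit
# Constructed sample response; the signature element is a placeholder, not a real signature.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>JDoe@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement><saml:Attribute Name="SecurityProfileID">
      <saml:AttributeValue>42</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def signing_scope_ok(root):
    """True only when the Response carries a signature and the Assertion does not."""
    assertion = root.find("saml:Assertion", NS)
    response_signed = root.find("ds:Signature", NS) is not None
    assertion_signed = assertion is not None and assertion.find("ds:Signature", NS) is not None
    return response_signed and not assertion_signed

def extract_claims(root):
    """Return (Name ID, SecurityProfileID or None) taken from the assertion."""
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    profile = None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "SecurityProfileID":
            profile = attr.findtext("saml:AttributeValue", namespaces=NS)
    return name_id, profile

def map_user(name_id, profile):
    """Resolve the user and the profile to apply; None means reject the login."""
    if name_id not in USERS:            # dict lookup is case-sensitive, as the field requires
        return None
    user_id, current_profile = USERS[name_id]
    if profile is None:                 # no claim present: keep the profile already mapped
        return user_id, current_profile
    if profile not in VALID_PROFILES:   # claim names a profile the business unit does not have
        return None
    return user_id, profile

def process_response(xml_text):
    root = ET.fromstring(xml_text)
    if not signing_scope_ok(root):
        return None
    return map_user(*extract_claims(root))
```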