Set Up OpenID Connect Single Sign-On

Required security profile permissions: External Business Unit Edit

OpenID Connect is an authentication protocol you can use to integrate your identity provider (IdP) with the NICE inContact platform to create a single sign-on (SSO) experience. When you configure OpenID Connect for your business unit, your IdP owns user authentication and the platform honors the flow of the IdP. When a user logs in to the platform for the first time with OpenID Connect and that user does not already have an account, the platform automatically creates a new user profile and links it to the IdP.

If you don't already have OpenID Connect enabled in your environment, contact your NICE inContact account manager to enable it for you. Your account manager will also help you set up a custom hostname for your login.

  1. If you haven't already done so, configure your IdP. Note your client identifier and client secret. Configure a redirection URI that is specific to your business unit (the high-level organizational grouping used to manage technical support, billing, and global settings for your NICE inContact environment). This URI is based on the custom hostname you configured with your NICE inContact account representative. It may look similar to this, depending on your setup: 
    • https://{custom-domain}
    • https://(custom)
    • https://(custom)
    • https://(custom)
  2. In the Admin application, click Account Settings > Business Units.
  3. Click the business unit where you want to use OpenID Connect.
  4. Click the OpenID Connect tab and click Edit.
  5. Select the Default Security Profile and Default Team you want to apply to the platform user accounts that are automatically created the first time a new user logs in with SSO.
  6. Enter your Client Identifier and Client Password. Re-type the password in Client Confirm Password.
  7. If you have a discovery endpoint for your IdP, click Discover Settings. Enter your discovery endpoint and click Discover. The remaining fields are populated for you.
  8. If you don't have a discovery endpoint for your IdP, enter your IdP-provided JsonWebKeySet Endpoint, Authorization Endpoint, Token Endpoint, UserInfo Endpoint, and Revocation Endpoint.
  9. Click Done to validate the provided information and to link your account to your IdP account.
  10. When your IdP asks you to authenticate, do so as the IdP user you want to associate with your currently logged-in CXone user.
  11. If your OpenID Connect settings in CXone don't show as validated, use your IdP logs to diagnose the problem.
  12. If you want to disable the default username and password login method, click Edit again, select the Disable inContact Authentication checkbox, and click Done.
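Steps 7 and 8 above describe the same five endpoint fields, filled either from the IdP's discovery document or by hand. The following is an added example, not code from the NICE inContact platform, showing the checks a practitioner would expect the Discover step to apply to such a document: the issuer must match the discovery URL, every endpoint must be https, and the revocation endpoint is the only one allowed to be absent. The IdP hostname and document are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# The form fields named in step 8, mapped to the keys an OpenID Connect
# discovery document uses for them.
FIELD_KEYS = {
    "JsonWebKeySet Endpoint": "jwks_uri",
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "UserInfo Endpoint": "userinfo_endpoint",
    "Revocation Endpoint": "revocation_endpoint",
}
# revocation_endpoint is optional in the discovery specification; the
# other four are required for the login flow to work at all.
OPTIONAL_FIELDS = {"Revocation Endpoint"}
WELL_KNOWN_SUFFIX = "/.well-known/openid-configuration"


def parse_discovery(document: str, discovery_url: str) -> dict:
    """Return {form field: URL} from a discovery document, or raise ValueError."""
    doc = json.loads(document)
    # The issuer must be the discovery URL minus the well-known suffix;
    # a mismatch means tokens would be issued under a different name.
    base = discovery_url
    if base.endswith(WELL_KNOWN_SUFFIX):
        base = base[: -len(WELL_KNOWN_SUFFIX)]
    if doc.get("issuer", "").rstrip("/") != base.rstrip("/"):
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r}")
    fields = {}
    for field, key in FIELD_KEYS.items():
        url = doc.get(key)
        if url is None:
            if field in OPTIONAL_FIELDS:
                continue
            raise ValueError(f"discovery document lacks {key}")
        if urlparse(url).scheme != "https":
            raise ValueError(f"{key} is not https: {url}")
        fields[field] = url
    return fields


# Constructed sample for a hypothetical IdP; not a real provider.
SAMPLE_DISCOVERY_URL = "https://idp.example.test" + WELL_KNOWN_SUFFIX
SAMPLE_DOCUMENT = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
})  # revocation_endpoint deliberately omitted: it is optional

if __name__ == "__main__":
    for field, url in parse_discovery(SAMPLE_DOCUMENT, SAMPLE_DISCOVERY_URL).items():
        print(f"{field}: {url}")
```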

The account linking and validation functionality in CXone always uses one of the following subdomain-based redirect URIs:

  • https://(custom)
  • https://(custom)
  • https://(custom)
  • https://(custom)

Enable OpenID Connect for Users

  1. In the Admin application, click Users.
  2. Create a new user or open the user profile where you want to enable OpenID Connect.
  3. In the General tab, click Edit.
  4. If your environment has both OpenID Connect and SAML2 enabled, click the External Identity Type drop-down and select OpenID Connect.
  5. In the Federated Identity field, enter the unique value to be passed as part of the authentication assertion. This value is case-sensitive. It must also be configured in your IdP system for the user requesting access to NICE inContact.

    When your IdP makes an authentication assertion to the NICE inContact platform, it must contain an LDAP claim with the same Federated Identity value configured for the user. The claim values are:

    • Name ID (required) — Matches the user's configured Federated Identity.
    • SecurityProfileID (optional) — Matches a valid security profile in your business unit. This security profile is mapped to your NICE inContact user and is used going forward. If no claim is present, the current Security Profile mapped to this user profile is used.

    When configuring message signing, sign only the message (the "response"), not the claim.

  6. Click Done.

Alternatively, your users can link their accounts manually. If your users don't already have CXone user accounts, user accounts are automatically created for them and linked to their IdP username the first time they log in to CXone. If your users already have CXone user accounts, they can link their accounts to their IdP username manually by logging in to CXone, going to Admin > My Account, and clicking Link Account.