Add Google Workspace as a single sign-on provider

PrerequisitesClick to expand

Add Genesys Cloud as an application that organization members can access with the credentials to their Google Workspace account.

Notes:

Genesys Cloud does not support assertion encryption for single sign-on third-party identity providers. The Genesys Cloud log in service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
Administrators can optionally disable the default Genesys Cloud login and enforce authentication using a single sign-on provider. For more information, see .
Google Workspace does not support the automatic log out of SSO provider.
The Google Workspace SSO integration does not work with third-party applications, including Chromium-based apps.
Administrators can choose to store one more certificate to ensure business continuity. If one certificate becomes invalid or expires, the backup certificate preserves the integration.
There is a general problem when a Service Provider (SP) receives a SAML response from an Identity Provider (IdP) and their system clocks are not in sync. This problem can result in users getting locked out of their single sign-on when logging in. The problem might be caused by the length of the clock skew between the SP and the IdP. Clock skews between Genesys Cloud and your identity provider cannot be greater than 10 seconds.

Configure Google Workspace

Create a custom Genesys Cloud application

In the Admin console, click Google > Apps > SAML.
Click (+) in the bottom-right corner.
In Step 1 Enable SSO for SAML Application, click Setup my own custom app.

In Step 2 Google IdP Information, complete the following fields and leave the rest of the fields blank or at the default settings.

Field	Description
SSO URL	Copy and save this URL to use as the Target URI in the Genesys Cloud configuration.
Entity ID	Copy and save this URL to use as the Issuer URI in the Genesys Cloud configuration.
Certificate	Download the certificate.

In Step 3 Basic Information for your Custom App, complete the following field and leave the rest of the fields blank or at the default settings.
Field Description
Application Name Type your Genesys Cloud application name.

Field	Description
Application Name	Type your Genesys Cloud application name.

In Step 4 Service Provider Details, complete the following fields and leave the rest of the fields blank or at the default settings.

Field	Description
ACS URL	Type the URL of your Genesys Cloud organization for the AWS region: US East (N. Virginia): `https://login.mypurecloud.com/saml` US East 2 (Ohio): `https://login.use2.us-gov-pure.cloud/saml` US West (Oregon): `https://login.usw2.pure.cloud/saml`Canada (Canada Central): `https://login.cac1.pure.cloud/saml` South America (São Paulo): `https://login.sae1.pure.cloud/saml` EU (Frankfurt): `https://login.mypurecloud.de/saml` EU (Ireland): `https://login.mypurecloud.ie/saml` EU (London): `https://login.euw2.pure.cloud/saml` Asia Pacific (Mumbai) `https://login.aps1.pure.cloud/saml` Asia Pacific (Osaka) `https://login.apne3.pure.cloud/saml` Asia Pacific (Seoul): `https://login.apne2.pure.cloud/saml` Asia Pacific (Sydney): `https://login.mypurecloud.com.au/saml` Asia Pacific (Tokyo): `https://login.mypurecloud.jp/saml`
Entity ID	Type a unique string that you want to use to identify the Entity ID, for example: `mypurecloud.com/google`
Name ID Format	From the list, select TRANSIENT.

In Step 5 Attribute Mapping, leave the default settings.
Click Finish.

SAML attributes

If the following extra SAML attributes are present in the assertion, Genesys Cloud acts on the attributes. The attributes are case-sensitive.

Attribute name	Attribute value
OrganizationName	For identity provider-initiated single sign-on: Use the organization short name. For service provider-initiated single sign-on: Make sure that the organization name matches the organization name that you select. It is applicable when an organization maintains multiple Genesys Cloud organizations using a single identity provider.
email	Email address of the Genesys Cloud user to be authenticated. You must be an existing Genesys Cloud user. If the identity provider does not use an email address as the subject NameID, you require a valid email address.
ServiceName	(Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords: directory (redirects to the Genesys Cloud Collaborate client) directory-admin (redirects to the Genesys Cloud Admin UI)

Attribute name

Attribute value

OrganizationName

For identity provider-initiated single sign-on: Use the organization short name.
For service provider-initiated single sign-on: Make sure that the organization name matches the organization name that you select. It is applicable when an organization maintains multiple Genesys Cloud organizations using a single identity provider.

Email address of the Genesys Cloud user to be authenticated.

You must be an existing Genesys Cloud user.
If the identity provider does not use an email address as the subject NameID, you require a valid email address.

ServiceName

(Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:

directory (redirects to the Genesys Cloud Collaborate client)
directory-admin (redirects to the Genesys Cloud Admin UI)

Configure Genesys Cloud

In Genesys Cloud, click Admin.
Under Integrations, click Single Sign-on.
Click the Google G Suite tab.

Type the identity provider metadata gathered from Google Workspace.

Field	Description
Certificate	To upload X.509 certificates for SAML signature validation, do one of the following. To upload a certificate, click Select Certificates to upload. Select the X.509 certificate. Click Open. Optionally, to load a backup certificate, repeat steps 1–3. Or you can: Drag and drop your certificate file. Optionally, to load a backup certificate, repeat the first step. Uploaded certificates appear with their expiration date. To remove a certificate, click X. Note: To renew or update an expiring certificate, follow these instructions to upload X.509 certificates, repeating steps 1--3. You can upload up to five certificates to Genesys Cloud per SSO configuration, and Genesys Cloud chooses the correct certificate during single sign-on and logout.
Issuer URI	Type the Entity ID from Step 2 Google IDP Information in the Google Workspace Genesys Cloud custom application, for example: `https://accounts.google.com/o/saml2?idpid=C0151g8I9`
Target URI	Type the SSO URL from Step 2 Google IDP Information in the Google Workspace Genesys Cloud custom application, for example: `https://accounts.google.com/o/saml2/idp?idpid=C0151g8I9`
Relying Party Identifier	Type the Entity ID from Step 4 Service Provider Details in the Google Workspace Genesys Cloud custom application, for example: `mypurecloud.com/google` Note: The values and functionality of the Entity ID in the Google IDP Information is different from the Entity ID in the Service Provider Details for your Genesys Cloud application.

Click Save.

[NEXT] Was this article helpful?

Get user feedback about articles.