• English
  • Hindi
  • العربية
  • 繁體中文
  • Dansk
  • Čeština
  • Nederlands
  • Suomi
  • עִברִית
  • Français
  • Deutsch
  • Italiano
  • 日本語
  • 简体中文
  • 한국어
  • Norsk
  • Polski
  • Portugues
  • Español
  • Svenska
  • ภาษาไทย
  • Türkçe
  • українська

Add Okta as a single sign-on provider

Add Genesys Cloud as an application that organization members can access with the credentials to their Okta account.

Notes:
  • Genesys Cloud does not support assertion encryption for single sign-on third-party identity providers. The Genesys Cloud log in service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
  • Administrators can optionally disable the default Genesys Cloud login and enforce authentication using an SSO provider only. For more information, see .
  • Administrators can choose to store four additional certificates to ensure business continuity. If one certificate becomes invalid or expires, the integration is preserved if one of the additional certificates is valid. 

  • There is a general problem when a Service Provider (SP) receives a SAML response from an Identity Provider (IdP) and their system clocks are not in sync. This problem can result in users getting locked out of their single sign-on when logging in. The problem might be caused by the length of the clock skew between the SP and the IdP. Clock skews between Genesys Cloud and your identity provider cannot be greater than 10 seconds.

  • The Genesys Cloud desktop app does not support the installation of browser extensions. If you have configured an Azure Conditional Access policy that requires a browser extension, you will need to use a Genesys Cloud supported browser that has the Microsoft Entra ID extension installed. Single sign-on will not work using the desktop app in this configuration.

Configure Okta

Get the certificate for Okta configuration

  1. In Genesys Cloud, click Admin.
  2. Under Integrations, click Single Sign-on.
  3. Click the Okta tab.
  4. Under Genesys Cloud Signing Certificate, click Download Certificate.
  5. Save the file.

Create a SAML application

  1. Create a SAML application for Genesys Cloud. Follow the instructions for .

  2. In the General > Single sign on URL field, type the URL of your Genesys Cloud organization based on the AWS region.

    AWS RegionURL
    US East (N. Virginia)https://login.mypurecloud.com/saml
    US East 2 (Ohio)https://login.use2.us-gov-pure.cloud/saml
    US West (Oregon)https://login.usw2.pure.cloud/saml
    Canada (Canada Central)https://login.cac1.pure.cloud/saml
    South America (São Paulo)https://login.sae1.pure.cloud/saml
    EMEA (Frankfurt)https://login.mypurecloud.de/saml
    EMEA (Ireland)https://login.mypurecloud.ie/saml
    EMEA (London)https://login.euw2.pure.cloud/saml
    EMEA (UAE) https://login.mec1.pure.cloud/saml
    EMEA (Zurich) https://login.euc2.pure.cloud/saml
    Asia Pacific (Mumbai)https://login.aps1.pure.cloud/saml
    Asia Pacific (Seoul)https://login.apne2.pure.cloud/saml
    Asia Pacific (Sydney)https://login.mypurecloud.com.au/saml
    Asia Pacific (Tokyo)https://login.mypurecloud.jp/saml
    Asia Pacific (Osaka)https://login.apne3.pure.cloud/saml

  3. In General > Audience URI, the value can be any unique string that you want to use to identify your Genesys Cloud organization.

  4. For General > Name ID Format, choose EmailAddress.

  5. Click Show Advanced Settings.

  6. For the General > Signature Certificate field, click Browse.
  7. Choose the certificate file saved in step 5 of “Get the Certificate for Okta Configuration.”
  8. Click Upload Certificate.

  9. Click the General > Enable Single Logout check box.

  10. In General > Single Logout URL, type the URL of your Genesys Cloud organization based on the AWS region.

    AWS RegionURL
    US East (N. Virginia)https://login.mypurecloud.com/saml/logout
    US East 2 (Ohio)https://login.use2.us-gov-pure.cloud/saml/logout
    US West (Oregon)https://login.usw2.pure.cloud/saml/logout
    Canada (Canada Central)https://login.cac1.pure.cloud/saml/logout
    South America (São Paulo)https://login.sae1.pure.cloud/saml/logout
    EMEA (Frankfurt)https://login.mypurecloud.de/saml/logout
    EMEA (Ireland)https://login.mypurecloud.ie/saml/logout
    EMEA (London)https://login.euw2.pure.cloud/saml/logout
    EMEA (UAE)
    		https://login.mec1.pure.cloud/saml/logout
    EMEA (Zurich)
    		https://login.euc2.pure.cloud/saml/logout
    Asia Pacific (Mumbai)https://login.aps1.pure.cloud/saml/logout
    Asia Pacific (Seoul)https://login.apne2.pure.cloud/saml/logout
    Asia Pacific (Sydney)https://login.mypurecloud.com.au/saml/logout
    Asia Pacific (Tokyo)https://login.mypurecloud.jp/saml/logout
    Asia Pacific (Osaka)https://login.apne3.pure.cloud/saml/logout
  11. Use the default values for other fields.
  12. Specify the organization so that Genesys Cloud users do not need to enter it when they log in. Create a new entry in Attributes Statements (Optional) with the following values: 
    FieldDescription
    NameType OrganizationName.
    Name FormatLeave set to Unspecified.
    ValueType the short name of your Genesys Cloud organization. If you do not know the short name of your organization, click Admin > Account Settings > Organization Settings in Genesys Cloud.
Note: No other options should be changed in the app configuration for Okta. For options such as Application Login Page and Application Access Error Page, the default option is preferred.

SAML attributes

If the following extra SAML attributes are present in the assertion, Genesys Cloud acts on the attributes. The attributes are case-sensitive. 

Attribute nameAttribute value
email Email address of the Genesys Cloud user to be authenticated.
  • You must be an existing Genesys Cloud user.
  • If the identity provider does not use an email address as the subject NameID, you require a valid email address.
ServiceName 

(Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:

  • directory (redirects to the Genesys Cloud Collaborate client)
  • directory-admin (redirects to the Genesys Cloud Admin UI)

Get the metadata for Genesys Cloud configuration

  1. In Sign on > Settings, click View Setup Instructions to display setup information.
  2. Note the following Identity Provider metadata that you need for the Genesys Cloud configuration. 
    MetadataDescription
    Identity Provider Single Sign-on URLUse for the Target URI setting in Genesys Cloud.
    Identity Provider Single Logout URLUse for the Single Logout URI setting in Genesys Cloud.
    Identity Provider IssuerUse for the Okta Issuer URI setting in Genesys Cloud.
    X.509 CertificateUse for the Okta Certificate setting in Genesys Cloud.

Get the certificate for Genesys Cloud configuration

  1. On the Identity Provider metadata page, click Download certificate.
  2. Save the file as a .crt or .pem file.

Configure Genesys Cloud

  1. In Genesys Cloud, click Admin.
  2. Under Integrations, click Single Sign-on.
  3. Click the Okta tab.
  4. Provide the Identity Provider metadata gathered from Okta.
    FieldDescription
    Certificate

    To upload X.509 certificates for SAML signature validation, do one of the following.

    1. To upload a certificate, click Select Certificates to upload.
    2. Select the X.509 certificate.
    3. Click Open.
    4. Optionally, to load a backup certificate, repeat steps 1–3.

    Or you can:

    1. Drag and drop your certificate file.
    2. Optionally, to load a backup certificate, repeat the first step.

    Uploaded certificates appear with their expiration date. To remove a certificate, click X.

    Note: To renew or update an expiring certificate, follow these instructions to upload X.509 certificates, repeating steps 1--3. You can upload up to five certificates to Genesys Cloud per SSO configuration, and Genesys Cloud chooses the correct certificate during single sign-on and logout.
    Issuer URIType the Identity Provider Issuer.
    Target URLType the Identity Provider Single Sign-on URL. 
    Single Logout URIType the Identity Provider Single Logout URL.
    Single Logout BindingChoose HTTP Redirect.
    Audience (Entity ID) Type the value used in step 3 of “Create a SAML application.”
  5. Click Save.