Add Ping Identity as a single sign-on provider

PrerequisitesClick to expand

Add Genesys Cloud as an application that organization members can access with the credentials to their Ping Identity account.

Notes:

Genesys Cloud does not support assertion encryption for single sign-on third-party identity providers. The Genesys Cloud log in service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
Administrators can optionally disable the default Genesys Cloud login and enforce authentication using an SSO provider only. For more information, see .
Administrators can choose to store four additional certificates to ensure business continuity. If one certificate becomes invalid or expires, the integration is preserved if one of the additional certificates is valid.
There is a general problem when a Service Provider (SP) receives a SAML response from an Identity Provider (IdP) and their system clocks are not in sync. This problem can result in users getting locked out of their single sign-on when logging in. The problem might be caused by the length of the clock skew between the SP and the IdP. Clock skews between Genesys Cloud and your identity provider cannot be greater than 10 seconds.
The Genesys Cloud desktop app does not support the installation of browser extensions. If you have configured an Azure Conditional Access policy that requires a browser extension, you will need to use a Genesys Cloud supported browser that has the Microsoft Entra ID extension installed. Single sign-on will not work using the desktop app in this configuration.

Configure Ping Identity

Create a custom Genesys Cloud application

In PingIdentity, click Connections > Applications.
Click the plus sign next to Applications.
Click Web App and click Configure for the SAML option.
In the Create App Profile page, complete the following fields and leave the remaining fields blank or at the default settings.
Field Description
Application Name Type your Genesys Cloud application name.
Application Description Type a short description of the application.

Field	Description
Application Name	Type your Genesys Cloud application name.
Application Description	Type a short description of the application.

In the Configure SAML Connection page, complete the following fields and leave the remaining fields blank or at the default settings.

Field	Description
ACS URLS	Type the URL of your Genesys Cloud organization for the AWS region: US East (N. Virginia): `https://login.mypurecloud.com/saml` US East 2: (Ohio): `https://login.use2.us-gov-pure.cloud/saml` US West (Oregon): `https://login.usw2.pure.cloud/saml`Canada (Canada Central): `https://login.cac1.pure.cloud/saml` South America (São Paulo): `https://login.sae1.pure.cloud/saml` EU (Frankfurt): `https://login.mypurecloud.de/saml` EU (Ireland): `https://login.mypurecloud.ie/saml` EU (London): `https://login.euw2.pure.cloud/saml` Asia Pacific (Mumbai): `https://login.aps1.pure.cloud/saml` Asia Pacific (Seoul): `https://login.apne2.pure.cloud/saml` Asia Pacific (Sydney): `https://login.mypurecloud.com.au/saml` Asia Pacific (Tokyo): `https://login.mypurecloud.jp/saml`
Signing Key	Click Download Signing Certificate. Choose X509 PEM (.crt). Save the file.
Signing Algorithm	Select RSA_SHA256.
Entity ID	Type a unique string that you want to use to identify your Genesys Cloud organization, for example: `genesys.cloud.my-org`.
SLO Endpoint	Type the URL of your Genesys Cloud organization for the AWS region: US East (N. Virginia): `https://login.mypurecloud.com/saml/logout` US East 2 (Ohio): `https://login.use2.us-gov-pure.cloud/saml/logout` US West (Oregon): `https://login.usw2.pure.cloud/saml/logout`Canada (Canada Central): `https://login.cac1.pure.cloud/saml/logout` South America (São Paulo): `https://login.sae1.pure.cloud/saml/logout` EU (Frankfurt): `https://login.mypurecloud.de/saml/logout` EU (Ireland): `https://login.mypurecloud.ie/saml/logout` EU (London): `https://login.euw2.pure.cloud/saml/logout` Asia Pacific (Mumbai): `https://login.aps1.pure.cloud/saml/logout` Asia Pacific (Seoul): `https://login.apne2.pure.cloud/saml/logout` Asia Pacific (Sydney): `https://login.mypurecloud.com.au/saml/logout` Asia Pacific (Tokyo): `https://login.mypurecloud.jp/saml/logout`
SLO Binding	Select HTTP Redirect.
Subject NameID Format	Select “urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.”
Assertion Validity Duration (In Seconds)	Type a value that determines how long the assertions in the SAML authentication response are valid. 60 seconds are sufficient.

In the Attribute Mapping page, add these attributes.

Attribute	Description
Email	Select Email Address.
OrganizationName	Click Add Attribute. Click Advanced Expression. In the Expression field, type your Genesys Cloud organization short name in quotes. Example: “my-org-name.” Click Save.
ServiceName	(Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords: directory (redirects to the Genesys Cloud Collaborate client) directory-admin (redirects to the Genesys Cloud Admin UI) Click Add Attribute. Click Advanced Expression. In the Expression field, type your Genesys Cloud organization short name in quotes. Example: “directory.” Click Save.

Attribute

Description

Select Email Address.

OrganizationName

Click Add Attribute.
Click Advanced Expression.
In the Expression field, type your Genesys Cloud organization short name in quotes. Example: “my-org-name.”
Click Save.

ServiceName

(Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:

directory (redirects to the Genesys Cloud Collaborate client)
directory-admin (redirects to the Genesys Cloud Admin UI)

Click Add Attribute.
Click Advanced Expression.
In the Expression field, type your Genesys Cloud organization short name in quotes. Example: “directory.”
Click Save.

Click Save and Publish.

Get the metadata for Genesys Cloud configuration

In PingIdentity, click Connections > Applications.

Expand the application created for Genesys cloud, click the Configuration tab. Note the following Identity Provider metadata that you need for the Genesys Cloud configuration.

Metadata	Description
Issuer ID	Use for the Ping Issuer URI setting in Genesys Cloud.
Single Logout Service	Use for the Single Logout URI setting in Genesys Cloud.
Single Signon Service	Use for the Target URL setting in Genesys Cloud.

Configure Genesys Cloud

In Genesys Cloud, click Admin.
Under Integrations, click Single Sign-on.
Click Menu > IT and Integrations > Single Sign-on.
Click the Ping Identity tab.

Enter the Identity Provider metadata gathered from PingIdentity.

Field	Description
Certificate	To upload X.509 certificates for SAML signature validation, do one of the following. To upload a certificate, click Select Certificates to upload. Select the X.509 certificate. Click Open. Optionally, to load a backup certificate, repeat steps 1–3. Or you can: Drag and drop your certificate file. Optionally, to load a backup certificate, repeat the first step. Uploaded certificates appear with their expiration date. To remove a certificate, click X. Note: To renew or update an expiring certificate, follow these instructions to upload X.509 certificates, repeating steps 1--3. You can upload up to five certificates to Genesys Cloud per SSO configuration, and Genesys Cloud chooses the correct certificate during single sign-on and logout.
Issuer URI	Type the Issuer ID.
Target URL	Type the Single Signon Service.
Single Logout URI	Type the Single Logout Service.
Single Logout Binding	Select HTTP Redirect.
Relying Party Identifier	Type the unique string that you specified as the Entity ID in PingIdentity.

Click Save.

[NEXT] Was this article helpful?

Get user feedback about articles.