Add Salesforce as a single sign-on provider

PrerequisitesClick to expand

Add Genesys Cloud as an application that organization members can access with the credentials to their Salesforce account.

Notes:

Genesys Cloud does not support assertion encryption for single sign-on third-party identity providers. The Genesys Cloud log in service requires Transport Layer Security (TLS). Since the channel is encrypted, there is no need to encrypt parts of the message.
Administrators can optionally disable the default Genesys Cloud login and enforce authentication using an SSO provider only. For more information, see .
Administrators can choose to store four additional certificates to ensure business continuity. If one certificate becomes invalid or expires, the integration is preserved if one of the additional certificates is valid.
There is a general problem when a Service Provider (SP) receives a SAML response from an Identity Provider (IdP) and their system clocks are not in sync. This problem can result in users getting locked out of their single sign-on when logging in. The problem might be caused by the length of the clock skew between the SP and the IdP. Clock skews between Genesys Cloud and your identity provider cannot be greater than 10 seconds.
The Genesys Cloud desktop app does not support the installation of browser extensions. If you have configured an Azure Conditional Access policy that requires a browser extension, you will need to use a Genesys Cloud supported browser that has the Microsoft Entra ID extension installed. Single sign-on will not work using the desktop app in this configuration.

Configure Salesforce

Troubleshoot errors using the Identity Provider Event Log.

To create a connected app for Genesys Cloud, in the App Manager select New Connected App.

On the New Connected App page, enter the following settings in the connected app for Genesys Cloud.

Note: Under Web App Settings, make sure you select Enable SAML.

Field	Description
Entity ID	The value can be any unique string that you want to use to identify your Genesys Cloud organization.
ACS URL	The AWS region of your Genesys Cloud organization: US East (N. Virginia): `https://login.mypurecloud.com/saml` US East 2 (Ohio): `https://login.use2.us-gov-pure.cloud/saml` US West (Oregon): `https://login.usw2.pure.cloud/saml`Canada (Canada Central): `https://login.cac1.pure.cloud/saml` South America (São Paulo): `https://login.sae1.pure.cloud/saml` EU (Frankfurt): `https://login.mypurecloud.de/saml` EU (Ireland): `https://login.mypurecloud.ie/saml` EU (London): `https://login.euw2.pure.cloud/saml` Asia Pacific (Mumbai): `https://login.aps1.pure.cloud/saml` Asia Pacific (Seoul): `https://login.apne2.pure.cloud/saml` Asia Pacific (Sydney): `https://login.mypurecloud.com.au/saml` Asia Pacific (Tokyo): `https://login.mypurecloud.jp/saml`
Enable Single Logout	Check the box.
Single Logout URL	The AWS region of your Genesys Cloud organization: US East (N. Virginia): `https://login.mypurecloud.com/saml/logout` US East 2 (Ohio): `https://login.use2.us-gov-pure.cloud/saml/logout` US West (Oregon): `https://login.usw2.pure.cloud/saml/logout`Canada (Canada Central): `https://login.cac1.pure.cloud/saml/logout` South America (São Paulo): `https://login.sae1.pure.cloud/saml/logout` EU (Frankfurt): `https://login.mypurecloud.de/saml/logout` EU (Ireland): `https://login.mypurecloud.ie/saml/logout` EU (London): `https://login.euw2.pure.cloud/saml/logout` Asia Pacific (Mumbai): `https://login.aps1.pure.cloud/saml/logout` Asia Pacific (Seoul): `https://login.apne2.pure.cloud/saml/logout` Asia Pacific (Sydney): `https://login.mypurecloud.com.au/saml/logout` Asia Pacific (Tokyo): `https://login.mypurecloud.jp/saml/logout`
Single Logout Binding	Select HTTP Redirect.
Subject Type	User name
Issuer	Your Salesforce domain name (https://`yourID`.my.salesforce.com)
Name ID Format	urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

Gather the following data from the app page:

Field	Description
Certificate	Click the certificate name next to IdP Certificate. On the Certificate and Key Detail page, click Download Certificate. Save the certificate as a .cer file.
Issuer URI	Copy the Issuer value.
Target URI	Copy the value labeled SP-Initiated Redirect Endpoint.
Single Logout URI	Copy the value labeled Single Logout Endpoint.

Provide Salesforce users with access to the connected app for Genesys Cloud.
1. In Manage Users > Users, click Edit on a user.
2. Click the required profile type, for example, Sales, Services, or Administrator to open the profile page.
3. Under connected app Access, click the connected app for Genesys Cloud.

SAML attributes

If the following SAML attributes are present in the assertion, Genesys Cloud acts on those attributes. The attributes are case-sensitive.

Attribute name	Attribute value
OrganizationName	For identity provider-initiated single sign-on: Use the organization short name. For service provider-initiated single sign-on: Make sure that the organization name matches the organization name that you select. It is applicable when an organization maintains multiple Genesys Cloud organizations using a single identity provider.
email	Email address of the Genesys Cloud user to be authenticated. You must be an existing Genesys Cloud user. If the identity provider does not use an email address as the subject NameID, you require a valid email address.
ServiceName	(Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords: directory (redirects to the Genesys Cloud Collaborate client) directory-admin (redirects to the Genesys Cloud Admin UI)

Attribute name

Attribute value

OrganizationName

For identity provider-initiated single sign-on: Use the organization short name.
For service provider-initiated single sign-on: Make sure that the organization name matches the organization name that you select. It is applicable when an organization maintains multiple Genesys Cloud organizations using a single identity provider.

Email address of the Genesys Cloud user to be authenticated.

You must be an existing Genesys Cloud user.
If the identity provider does not use an email address as the subject NameID, you require a valid email address.

ServiceName

(Optional) A valid URL for the browser to be redirected to after successful authentication, or one of the following keywords:

directory (redirects to the Genesys Cloud Collaborate client)
directory-admin (redirects to the Genesys Cloud Admin UI)

Configure Genesys Cloud

In Genesys Cloud, click Admin.
Under Integrations, click Single Sign-on.
Click Menu > IT and Integrations > Single Sign-on.
Click the Salesforce tab.

Enter the information gathered from Salesforce.

Field	Description
Certificate	To upload X.509 certificates for SAML signature validation, do one of the following. To upload a certificate, click Select Certificates to upload. Select the X.509 certificate. Click Open. Optionally, to load a backup certificate, repeat steps 1–3. Or you can: Drag and drop your certificate file. Optionally, to load a backup certificate, repeat the first step. Uploaded certificates appear with their expiration date. To remove a certificate, click X. Note: To renew or update an expiring certificate, follow these instructions to upload X.509 certificates, repeating steps 1--3. You can upload up to five certificates to Genesys Cloud per SSO configuration, and Genesys Cloud chooses the correct certificate during single sign-on and logout.
Issuer URI	Enter your Salesforce domain name (https://`yourID`.my.salesforce.com)
Target URI	Enter the URL labeled SP-Initiated Redirect Endpoint in the Salesforce app page.
Single Logout URI	Enter the URL labeled Single Logout Endpoint in the Salesforce app page.
Single Logout Binding	Select HTTP Redirect.
Relying Party Identifier	Add the unique identifier that you provided as the Entity ID in the Salesforce app page.

Click Save.

[NEXT] Was this article helpful?

Get user feedback about articles.