Genesys Cloud (formerly PureCloud)

Discussion Thread View
Expand all | Collapse all

SSO integration with ADFS/Azure AD - Auto Provisioning

  • 1.  SSO integration with ADFS/Azure AD - Auto Provisioning

    Posted 02-23-2021 06:44

    Hi There,

    Would you please let me know if it is possible to have auto-provisioning of Genesys cloud users based on Azure AD application access group and utilize groups for access and provisioning?

    Currently Salesforce and Service Now apps have this auto provisioning users/access groups using SSO integration.

    In general, users will be added to the Genesys cloud access group in the Azure AD, where you have the option to specify the access groups ( such as Admin, users, MasterAdmin etc). based on that info when customers org is enabled for SSO integration, they wanted users allocated with necessary roles in the GC during login. i.e. auto-provisioning end-users with login group information in the Genesys cloud.

    Let us know if there are any API's available for SSO integration.

    Thanks


    #Implementation
    #Integrations
    #PlatformAdministration
    #SystemAdministration

    ------------------------------
    prem
    ------------------------------


  • 2.  RE: SSO integration with ADFS/Azure AD - Auto Provisioning

    Posted 02-23-2021 10:27
    Hello!
    Yep, there is a SCIM connector that allows you to do that. You can filter users by groups and many other attributes (I'm currently testing it before going live):

    https://help.mypurecloud.com/articles/configure-azure-active-directory-for-genesys-cloud-scim-identity-management/


    ------------------------------
    Piotr Danielewski
    Ernst & Young Global Services Limited
    ------------------------------



  • 3.  RE: SSO integration with ADFS/Azure AD - Auto Provisioning

    Top 25 Contributor
    Posted 02-23-2021 13:32
    Hi Piotr, will be interested in knowing the outcome of your testing and go-live.  Up until now most of my customers have been happy with just SSO but I've been trying to push them to SCIM because it takes away some admin stuff I still need to do for them.  I'm not an Azure person but I know there were a few discrepancies/confusing wordings in the SSO resource centre articles so hoping you can confirm the SCIM steps are accurate :)

    ------------------------------
    Vaun McCarthy
    NTT New Zealand Limited
    ------------------------------



  • 4.  RE: SSO integration with ADFS/Azure AD - Auto Provisioning

    Posted 02-23-2021 15:14
    For now it worked fine on our Dev ORG and Dev Azure - it imported ~500 users, and default field mapping seems to be working quite well.
    I'm thinking about pushing new users to some dedicated division and granting them some default roles (other than "employee")...

    Anyway - I'll keep updating this thread with my findings.

    ------------------------------
    Piotr Danielewski
    Ernst & Young Global Services Limited
    ------------------------------



  • 5.  RE: SSO integration with ADFS/Azure AD - Auto Provisioning

    Posted 02-23-2021 17:44
    Edited by prem venkatesh 02-23-2021 22:03

    Thanks, Piotr for the update.

    Employee role is the default base role and it will be assigned by the system when new users are created.
    Auto-provisioning create groups in Genesys cloud and allocate roles to the Groups. When users are synched from Azure to Genesys it will be allocated to the groups based on the group info configured in Azure. 

    Also, you mentioned the SCIM connector for this integration. From the notes, SCIM uses APIs to sync user entities from cloud or on-premises identity management systems to Genesys Cloud. Do I need any connector?


    ------------------------------
    prem
    ------------------------------



  • 6.  RE: SSO integration with ADFS/Azure AD - Auto Provisioning

    Posted 03-02-2021 14:54
      |   view attached
    Hi Everyone, just a small update if someone wants to push users to specific Division: it actually works fine.
    all you need to do is assign division name to a constant and push it as
    So basically all you need to do is add one additional field to be mapped.


    ------------------------------
    Piotr Danielewski
    Ernst & Young Global Services Limited
    ------------------------------



  • 7.  RE: SSO integration with ADFS/Azure AD - Auto Provisioning

    Posted 20 days ago

    @Piotr Danielewski With the mapping of a user to a specific division using constant value works fine.

    I would like to check with you how do we assign different divisions if we have created a single application for SSO setup and also configured SCIM integration for auto-provisioning, In our GC org we have two divisions.​ In Azure single application was create for SSO, mapping of the constant value was done outside of the groups so I can assign a single division, we tried in the groups and it doesn't have the same target attribute.

    Is there a different way we can map the user to each division within the Azure?

    Any further thoughts?




    ------------------------------
    prem
    ------------------------------



  • 8.  RE: SSO integration with ADFS/Azure AD - Auto Provisioning

    Posted 02-24-2021 03:13
    Following. I'm interested in this functionality as well.

    ------------------------------
    Tommy Braes
    Consultant Professional Services
    Proximus PLC
    ------------------------------



  • 9.  RE: SSO integration with ADFS/Azure AD - Auto Provisioning

    Posted 02-24-2021 22:49

    We did further testing with SSO integration for Genesys cloud i.e. basic SSO and it works ok. We haven't started testing the SCIM (Auto-provisioning functionality) because we encounter an issue with the Unique user identifier filed.

    The following question was raised by the customer, Does anyone have any solution or workaround?

    Currently, in the attribute name Genesys recommends to use the value "user.userprincipalname" or user.email to match the email address for the user in Genesys cloud.

    Here customer doesn't want to use the email ID as a unique user identifier field.

    The customer has set the current Unique User Identifier in Azure SSO is user.onpremisessamaccountname  

    i.e. in our test employeeID which is the local AD SamAccountName known as user.onpremisessamaccountname in Azure SSO

    This Value is the only unique value for all users in the customer's domain. It looks like from the basic testing that Genesys cloud application is using email as the Unique User Identifier which can change in the organisation and will cause security concerns.

    Does anyone know if it is possible to use user.onpremisessamaccountname and map it to Genesys cloud as a unique user identifier for login rather than an email address?



    ------------------------------
    prem
    ------------------------------



  • 10.  RE: SSO integration with ADFS/Azure AD - Auto Provisioning

    Posted 02-25-2021 02:58
    Hello Prem, think we need to split this issue into 2 separate cases.

    One would be SSO, and there, user.userprincipalname is required (at least from what I understand). From my (very limited) understanding of MS SSO it uses your email as your main identifier when requesting a token from Azure, so think you'd need to ask some Azure expert if it's even possible to change that identifier.

    The second one would be SCIM, which would allow you to create account in Genesys Cloud with any ID you want. Based on "Azure Active Directory Attribute"(i.e. "email" you can modify "PureCloud Attribute" - this field accepts regular expressions.

    Basically, I'm suggesting to use two separate "enterprise applications" in your azure for these two features - it may give you a bit more flexibility.




    ------------------------------
    Piotr Danielewski
    Ernst & Young Global Services Limited
    ------------------------------



  • 11.  RE: SSO integration with ADFS/Azure AD - Auto Provisioning

    Posted 02-25-2021 04:55
    As far as I know, Genesys Cloud requires you to use email address as an ID, so you could try "user.onpremisessamaccountname@DummyDomain.com".




    ------------------------------
    Piotr Danielewski
    Ernst & Young Global Services Limited
    ------------------------------



  • 12.  RE: SSO integration with ADFS/Azure AD - Auto Provisioning

    Posted 02-25-2021 21:20

    Thanks, Piotr for the update.

    We will test by setting the Attribute value email to user.onpremisessamaccountname in the Azure "User Attributes & Claims" section and use transformation to email id format i.e. user.onpremisessamaccountname@DummyDomain.com. Then configure Genesys cloud user with "user.onpremisessamaccountname@DummyDomain.com" in the main email id filed.

    With SCIM also we will test my changing the attribute value for new account creation and map it to user.onpremisessamaccountname for the email ID

    Another question: this Email ID user.onpremisessamaccountname@DummyDomain.com is configured as the main email ID in Genesys cloud, which is not the actual user's email ID, but it is fine customer can use this ID to log in to the GC. Is it ok to add the work email address as the actual user email as per below and make it primary?



    ------------------------------
    prem
    ------------------------------



  • 13.  RE: SSO integration with ADFS/Azure AD - Auto Provisioning

    Posted 02-26-2021 01:32

    Hi Piotr,

    Tested basic SSO functionality with the above setup and it works fine. In Azure, we used a unique user id field and set it as user.onpremisessamaccountname and transformed the value into email id format. i.e. user.onpremisessamaccountname@DummyDomain.com

    In the Genesys cloud  following are set in the user's profile
    Main email -->  user.onpremisessamaccountname@DummyDomain.com
    Work Email --> set to users email address

    SSO works OK,  but when the alert email notifications are sent it always targets the main email address though the work email was set to primary.

    Is there any option to change in alerts so that it can use the primary email address for any communication?

    Thanks



    ------------------------------
    prem
    ------------------------------



  • 14.  RE: SSO integration with ADFS/Azure AD - Auto Provisioning

    Posted 02-26-2021 02:56
    Hi Prem, sorry, but no - nothing comes to my mind at the moment.

    ------------------------------
    Piotr Danielewski
    Ernst & Young Global Services Limited
    ------------------------------



  • 15.  RE: SSO integration with ADFS/Azure AD - Auto Provisioning

    Posted 03-02-2021 17:27

    Thanks, Piotr for the updates.

    BTW, with the email alert notifications using the main email address rather than the primary email set on the user's profile, Dev has confirmed this is a bug and have put it into their queue to address. Since its a low priority,  I will keep you updated once they are available.

    Because of this bug/limitation, we used the email filed in the claims and attribution for SSO.

    With Auto-provisioning we are still testing. I will post the update here once it is completed.



    ------------------------------
    prem
    ------------------------------