
Addition of AuthorizedClientIDs SAML attribute for SSO integrations (Unauthorized Client IdP redirect)

  • 1.  Addition of AuthorizedClientIDs SAML attribute for SSO integrations (Unauthorized Client IdP redirect)

    Posted 2 days ago
    Edited by David Murray 22 hours ago

    We have added a new SAML attribute, AuthorizedClientIDs, for use in single sign-on integrations. This new attribute can be used by an Identity Provider to enumerate the client IDs that the authenticated user is authorized to access. If an authenticated user attempts to access a client which is not included in the AuthorizedClientIDs list, instead of creating an access token for that client, the user will be redirected back to the Identity Provider for additional verification.

    Why have we added this attribute?

    Many organizations use VDI for their Contact Center implementation to lock down access and prevent customer data leakage, particularly for users working remotely and using personal devices to access Genesys Cloud.  VDI infrastructure helps secure customer data because, when the VDI session ends, the user no longer has access to customer data and nothing is stored locally on the user's workstation.  

    However, while VDI is great for securing customer data, it has some challenges with areas such as audio quality and mobile phone apps.  As a result, Genesys has developed solutions such as:

    • WebRTC Media Helper
      Genesys Cloud's WebRTC Media Helper is designed to allow you to successfully use WebRTC phones in a VDI environment without the need for fine tuning or additional VDI enhancements. More specifically, WebRTC Media Helper allows the WebRTC real-time media flow to run independently, outside of a VDI session even though the Genesys Cloud interface operates within VDI. Bypassing the VDI environment and terminating directly on the client workstation allows a WebRTC phone to function much like a hardware phone in a VDI environment. This provides an optimal audio quality experience.
    • Genesys Tempo
      Genesys Tempo, the mobile application for workforce management, allows you to manage your work schedule from your personal device. You can download Genesys Tempo from either the Google Play store or the Apple store. In Genesys Tempo, you can receive push notifications, submit time-off requests, and trade shifts, and you can let your supervisor know that you are running late.

    Both of these solutions operate outside of the VDI container, which creates challenges from a security perspective.  By logging into WebRTC Media Helper or Genesys Tempo (outside the VDI container), users can use those same credentials to log in to the full Genesys Cloud UI from their personal workstation/phone, effectively circumventing the security provided by the VDI infrastructure.  Of course, we already provide a solution for this scenario, via the Allowed IP Addresses feature.  Organizations can further secure their Genesys Cloud environment by limiting access to only those users visiting from a specified IP address.  As the IP range for the VDI infrastructure is well known, and both WebRTC Media Helper and Genesys Tempo are allowed by default, this provides a simple way of addressing this security challenge.  With the Allowed IP Addresses feature, users trying to log in to the full Genesys Cloud UI outside of the VDI infrastructure are prevented from doing so.

    However, while very effective from a security perspective, the Allowed IP Addresses feature can be a bit too restrictive for some customers who need to have the flexibility of allowing (some) users to be able to connect to Genesys Cloud from home or other remote locations.  Trying to maintain an up-to-date list of IP addresses for all these users is just too challenging for an enterprise organization with large numbers of users.  We will be able to provide this level of flexibility/granularity in the near future via Attribute Based Access Control (ABAC), which will allow for different rules to be created for different groups of users with respect to how they are allowed to access Genesys Cloud.  But, in advance of that, we have now implemented a solution for organizations which require their users to log in via SSO.

    How does it work?

    When Genesys Cloud receives an authorization request:

    • If the user's session includes authorization for the requested client, Genesys Cloud will issue a token as expected.
    • If not, the user will be redirected to SSO for reauthentication following the standard flow.

    This functionality allows the Identity Provider to determine which clients the authenticated user is allowed to access, via this new SAML attribute, AuthorizedClientIDs.  If an authenticated user attempts to access a client which is not included in the AuthorizedClientIDs list, instead of creating an access token for that client, the user will be redirected back to the Identity Provider for additional verification.

    In summary, this enhancement provides an additional layer of security by enabling organizations using SSO to securely allow access to specific applications such as WebRTC Media Helper or Genesys Tempo—both within and outside VDI environments—without relying on the more restrictive Allowed IP Addresses feature. 

    Associated Workflow Scenarios:

    Initial SSO login:

    • User logs in to Genesys Cloud via SSO.
    • The Identity Provider generates a SAML response containing the list of authorized client IDs (e.g. WebRTC Media Helper)
    • User session created containing list of authorized client IDs.

    Authorized client access (e.g. WebRTC Media Helper):

    • User requests token for WebRTC Media Helper
    • Genesys Cloud confirms that the associated client ID is included in the list of authorized client IDs
    • Genesys Cloud issues access token
    • User can access WebRTC Media Helper

    Unauthorized client access attempt:

    • User requests token for unauthorized client
    • Genesys Cloud confirms that associated client ID is not included in the list of authorized client IDs
    • Genesys Cloud redirects the user back to the Identity Provider for additional verification
    • Identity Provider checks the user permissions to determine whether they are authorized for the associated app
    • Identity Provider denies access 

    SAML Assertion format

    The following is the format for adding the list of authorized clients to the SAML assertion:

    <saml:Assertion>
      <saml:AttributeStatement>
        <saml:Attribute Name="AuthorizedClientIDs">
          <saml:AttributeValue>allowed-client-id</saml:AttributeValue>
          <saml:AttributeValue>another-allowed-client-id</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>

    For example:

    • WebRTC Media Helper client ID = "64cd7f8c-207b-4caf-b888-56b8e17384a6"
    • Genesys Tempo client ID for Android = "a726a4a8-9915-4966-9ac2-b8c9064fe30d"
    • Genesys Tempo client ID for iOS = "9fa531f6-e8a9-4f83-b6d6-12f66f7edb5e"

    So the associated configuration would be:

    <saml:Assertion>
      <saml:AttributeStatement>
        <saml:Attribute Name="AuthorizedClientIDs">
          <saml:AttributeValue>64cd7f8c-207b-4caf-b888-56b8e17384a6</saml:AttributeValue>
          <saml:AttributeValue>a726a4a8-9915-4966-9ac2-b8c9064fe30d</saml:AttributeValue>
          <saml:AttributeValue>9fa531f6-e8a9-4f83-b6d6-12f66f7edb5e</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>
    </saml:Assertion>

    When will this be available?

    This functionality is already available and will be announced in the Genesys Cloud Release Notes shortly.  If you need this functionality, go ahead and try it out now.


    #API/Integrations
    #Security

    ------------------------------
    David Murray
    Principal Product Manager
    Genesys Cloud
    ------------------------------
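The workflow scenarios and the assertion format above, modelled end to end as an added example (this is not Genesys Cloud code and not part of the original post). It parses a constructed SAML assertion carrying the AuthorizedClientIDs attribute into a session, then applies the documented decision: issue a token when the requested client ID is in the list, otherwise redirect the user back to the Identity Provider. The three client IDs are the ones quoted in the post; the "full UI" client ID is a constructed placeholder. Two assumptions are labelled in the code: the assertion declares the standard SAML 2.0 assertion namespace, and an assertion that carries no AuthorizedClientIDs attribute at all leaves this check inactive (the post does not state that case).

```python
"""Added example: apply the AuthorizedClientIDs check described in the post.

Not Genesys Cloud code. Assumes the assertion declares the standard
SAML 2.0 assertion namespace (urn:oasis:names:tc:SAML:2.0:assertion).
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ATTRIBUTE_NAME = "AuthorizedClientIDs"

# Client IDs quoted in the post.
WEBRTC_MEDIA_HELPER = "64cd7f8c-207b-4caf-b888-56b8e17384a6"
TEMPO_ANDROID = "a726a4a8-9915-4966-9ac2-b8c9064fe30d"
TEMPO_IOS = "9fa531f6-e8a9-4f83-b6d6-12f66f7edb5e"
# Constructed placeholder standing in for the full Genesys Cloud UI client; not a real ID.
FULL_UI_PLACEHOLDER = "00000000-0000-0000-0000-000000000000"

# Constructed sample assertion in the format shown in the post (IdP -> Genesys Cloud).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="AuthorizedClientIDs">
      <saml:AttributeValue>64cd7f8c-207b-4caf-b888-56b8e17384a6</saml:AttributeValue>
      <saml:AttributeValue> a726a4a8-9915-4966-9ac2-b8c9064fe30d </saml:AttributeValue>
      <saml:AttributeValue>9fa531f6-e8a9-4f83-b6d6-12f66f7edb5e</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed assertion from an IdP that does not send the attribute at all.
ASSERTION_WITHOUT_ATTRIBUTE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>agent@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_authorized_client_ids(assertion_xml):
    """Return the set of client IDs listed under AuthorizedClientIDs,
    or None when the assertion carries no such attribute.
    Surrounding whitespace in a value is ignored; empty values are dropped."""
    root = ET.fromstring(assertion_xml)
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == ATTRIBUTE_NAME:
            values = attr.findall("saml:AttributeValue", SAML_NS)
            return {v.text.strip() for v in values if v.text and v.text.strip()}
    return None


def create_session(assertion_xml):
    """'Initial SSO login' scenario: the session stores the authorized client IDs."""
    return {"authorized_client_ids": extract_authorized_client_ids(assertion_xml)}


def handle_token_request(session, client_id):
    """Decide what Genesys Cloud does with a token request for client_id.

    Returns ("issue_token", client_id) or ("redirect_to_idp", client_id).
    """
    allowed = session["authorized_client_ids"]
    if allowed is None:
        # Assumption (not stated in the post): no attribute means the
        # AuthorizedClientIDs restriction is not in use for this session.
        return ("issue_token", client_id)
    if client_id in allowed:
        # 'Authorized client access' scenario.
        return ("issue_token", client_id)
    # 'Unauthorized client access attempt' scenario: the IdP verifies the user.
    return ("redirect_to_idp", client_id)


if __name__ == "__main__":
    session = create_session(SAMPLE_ASSERTION)
    for cid in (WEBRTC_MEDIA_HELPER, TEMPO_IOS, FULL_UI_PLACEHOLDER):
        print(cid, "->", handle_token_request(session, cid)[0])
```

The comparison is an exact string match on the client ID after trimming whitespace, which is the only matching rule the post implies; a session whose list contains only the three quoted IDs therefore redirects a token request for any other client, including the full UI, back to the Identity Provider.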



  • 2.  RE: Addition of AuthorizedClientIDs SAML attribute for SSO integrations (Unauthorized Client IdP redirect)
    Best Answer

    Posted 2 days ago

    Thanks for the information, David.



    ------------------------------
    Sam Jillard
    Online Community Manager/Moderator
    Genesys - Employees
    ------------------------------