AD User groups can be the same as GC User Groups (Type: Official, Visibility: Public), but don't have to be. If you want AAD SCIM to automate putting users into GC User Groups (so you can assign Roles to those Groups), they need to be named the same and manually created in GC. You do not need to create a group for each Role that exists in the system, unless you want to drive the automation of the assignment of those Roles based on AAD group membership.
Divisions are a feature specific to GC in this case. If you aren't using Divisions in your GC org, consider it optional and everything can live in the "Home" default division. My company uses them, so I set up a formula in AAD SCIM Field Mapping to set the GC Division based on our criteria.
As far as recommendations on maximizing SCIM's syncing, it's really up to you. We don't sync skill assignments in our org, because it would require IT to manage them vs. the contact center managers self-managing skill assignments to their agents. In the end, SCIM is about automating IT tasks, so you can use it to do as much or as little as you want.
------------------------------
Paul McGurn
Manager, Telecom Services
GoTo
------------------------------
Original Message:
Sent: 04-06-2023 05:18
From: Sergey Dzyuba
Subject: SSO error login with Azure AD (message says: Oh No something went wrong)
Thanks for extensive reply.
I already configured User provisioning from AD to GC and it's doing a basic sync job.
The next step I need to figure out is the mapping between AD entities and attributes and GC.
- Are AD user groups the same as GC Directory - Groups?
- What are GC Divisions in AD?
- Should AD roles match GC roles (Should I create, say, a Telephony admin role in AD so users in GC would have such a role)? For now all my users are being added with the User role to GC.
And most important, does Genesys recommend keeping and configuring as many attributes as possible in Azure AD? Such as user skills (proficiency), languages, work hours, roles specific to GC.
Or is provisioning needed only for synchronizing default user profile data?
Thanks.
------------------------------
Sergey Dzyuba
Individual Only Contact Account
Original Message:
Sent: 04-05-2023 23:39
From: Paul McGurn
Subject: SSO error login with Azure AD (message says: Oh No something went wrong)
The difference in your non-gallery success vs. gallery failure is going to be in the SAML config/claim config. I'd suggest doing a side by side to spot the difference. FWIW, we ended up ditching the attempts to use the gallery one and going custom as well. You seem to have already done that work, so no real harm in keeping it.
GC SSO does not support Just In Time provisioning, so SCIM is your next hurdle, if you're looking to automate that in addition to supporting SSO.
What we have is
* A single custom enterprise app in Azure
* App is configured for SSO per the GC docs
* App is configured for SCIM per the GC docs. Pay special note to the Manager mapping for hierarchy, this is finicky to build by hand with the non-gallery approach
* Groups are added as members to the Azure app, and those groups are manually created in GC as Public (non-social) Groups with identical naming (this is important)
* The group is configured to support Role assignment, so grant permissions and proper licensing to the users
When users are added to the AAD group, they get provisioned in GC, and the SSO tile is visible from the Microsoft apps portal (o365 or MyApps)
------------------------------
Paul McGurn
Manager, Telecom Services
GoTo
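Paul's suggestion above is a side-by-side comparison of the SAML/claim configuration, and the original post attaches a SAML request and response. The script below is an added example (not code from the thread, from Genesys, or from Microsoft) that pulls the claim-relevant fields out of two SAML 2.0 Responses (Issuer, NameID and its Format, Audience, attribute values) and reports what differs; the two inline responses are constructed, unsigned samples with placeholder issuer and audience, and the difference between them is illustrative only.

```python
import xml.etree.ElementTree as ET  # for untrusted input, swap in defusedxml.ElementTree

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def summarize_saml_response(xml_text):
    """Pull the claim-relevant fields out of a SAML 2.0 Response."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion in response")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    return {
        "issuer": assertion.findtext("saml:Issuer", "", NS).strip(),
        "name_id": (name_id.text or "").strip() if name_id is not None else "",
        "name_id_format": name_id.get("Format", "") if name_id is not None else "",
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", "", NS).strip(),
        "attributes": attrs,
    }

def diff_summaries(a, b):
    """Return {field: (a_value, b_value)} for every field that differs."""
    out = {}
    for key in a:
        if key != "attributes":
            if a[key] != b[key]:
                out[key] = (a[key], b[key])
            continue
        for name in sorted(set(a["attributes"]) | set(b["attributes"])):
            if a["attributes"].get(name) != b["attributes"].get(name):
                out["attr:" + name] = (a["attributes"].get(name), b["attributes"].get(name))
    return out

def _sample(name_id_format, email):
    """Constructed, unsigned sample response; issuer and audience are placeholders."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion><saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject><saml:NameID Format="{name_id_format}">{email}</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>urn:example:sp-placeholder</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""

RESPONSE_A = _sample("urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "agent@example.com")
RESPONSE_B = _sample("urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", "agent@example.com")

if __name__ == "__main__":
    print(diff_summaries(summarize_saml_response(RESPONSE_A), summarize_saml_response(RESPONSE_B)))
```

Feed it the decoded XML of the working and failing responses instead of the samples; a signed production response also needs its signature verified against the IdP certificate, which this comparison does not do.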
Original Message:
Sent: 04-04-2023 17:33
From: Sergey Dzyuba
Subject: SSO error login with Azure AD (message says: Oh No something went wrong)
What I discovered so far:
- I thought that Azure AD SSO creates new users in GC when they log in via the SSO provider for the first time (which it does not). I assume I should configure GC SCIM for this.
- When I created a new Custom Genesys Application (not gallery) and manually added the user to GC, I was able to successfully sign in to the Genesys account via SSO for that user.
- When I switched back to the Azure GC gallery application with the same configuration as I did for the custom application, my SSO login didn't work again. For the same user from the previous step.
------------------------------
Sergey Dzyuba
Individual Only Contact Account
Original Message:
Sent: 04-04-2023 06:41
From: Sergey Dzyuba
Subject: SSO error login with Azure AD (message says: Oh No something went wrong)
Hi Genesys community
I'm trying to enable SSO via Azure AD for my organization but experiencing an error when trying to Sign In with new user.
- Created new free Azure account
- Configured the Genesys Cloud gallery application relying on articles from Resource center and Azure learn
- Added one new user to my Azure AD (besides account admin user)
- Configured SSO integration in Genesys Cloud
- Genesys Cloud -> Organization settings -> Open admission is ON, Disable Genesys Cloud Login is OFF
- Successfully tested SSO via the test tool (under both my AD users)
- Result
Attaching SAML request and response.
#Implementation
#Integrations
------------------------------
Sergey Dzyuba
Individual Only Contact Account
------------------------------