Genesys Cloud - Main

 View Only

Discussion Thread View
  • 1.  SSO with non-email address identifier?

    Posted 04-05-2023 09:28

    Hi,

    Genesys Cloud supports SSO login with non-email address identifier, and we'd like to get this configured in our org. We do have SSO enabled and working fine, and users have been provisioned with SCIM externalid data. It's just that email address is used as user identifier and we'd like to start using externalid.

    What is unclear is how this should be configured on the IdP side. This has been documented at https://help.mypurecloud.com/articles/configure-sso-identity-provider-without-email-address/ , but in my eyes, this is not 100% clear.

    In current setup, the IdP sets attributes "OrganizationName", "ServiceName", and "email" in the SAML assertion, as instructed at https://help.mypurecloud.com/articles/add-a-generic-single-sign-on-provider/ :

    <saml:AttributeStatement>
    <saml:Attribute Name="OrganizationName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
    myorg
    </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="ServiceName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
    directory
    </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
    foobar@myowndomain.com
    </saml:AttributeValue>
    </saml:Attribute>
    </saml:AttributeStatement>

    How should we construct the assertion, if non-email address identifier would be used? Do you have example available? Should we replace the "email" attribute with "urn:ietf:params:scim:schemas:extension:genesys:purecloud:2.0:User:externalIds[authority eq "{Identity Provider Issuer URI}"].value", and put externalid value in that?

    If someone has done this, example would be appreciated.

    Thanks,


    #Integrations

    ------------------------------
    Timo Välimäki
    DXC Technology Finland Oy
    ------------------------------


  • 2.  RE: SSO with non-email address identifier?

    Posted 12-29-2023 10:33

    Has anyone got this working?



    ------------------------------
    Timo Välimäki
    DXC Technology Finland Oy
    ------------------------------



  • 3.  RE: SSO with non-email address identifier?

    Posted 07-11-2024 04:36

    Hi @Timo Välimäki

    Did you finally get this configuration? I am in the same situation and can't find any documentation about it.

    Thanks in advance.
    Best regards.



    ------------------------------
    Carlos Camacho Jimenez
    Telefonica Cybersecurity & Cloud Tech, S.L.U.
    ------------------------------



Need Help finding something?

Check out the Genesys Knowledge Network - your all-in-one access point for Genesys resources