Genesys Cloud SSO certificate expiry notification 01/Jan/2024

  Thread closed by the administrator, not accepting new replies.
  • 1.  Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-06-2023 12:19

    Ahead of a formal deprecation announcement which will be issued shortly, I want to alert the Community that the Genesys Cloud SSO certificate will expire on Jan 1st, 2024.  This potentially impacts customers who use the Single Logout feature.

    Am I affected?

    If you use the Single Logout feature and your identity provider supports signature verification for single log out requests, you must upload a new certificate to your identity provider, so that the Single Logout feature continues to function.  There is no impact to any other functionality.

    How can I prepare for this expiry?

    To fetch the Genesys Cloud SSO certificate, visit https://github.com/MyPureCloud/genesys-cloud-sso-certificates and download the file that corresponds to your organization's AWS region.

    If your identity provider allows you to upload multiple certificates, you can upload the new certificate at any time.

    If your identity provider does not allow you to upload multiple certificates, upload the new certificate on or after January 1st, 2024.

    Refer to your identity provider's documentation for instructions to upload the certificate.


    #PlatformAdministration
    #Security
    #SystemAdministration

    ------------------------------
    David Murray
    Principal Product Manager
    Genesys Cloud
    ------------------------------
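
Added example (not part of the original post, and not Genesys tooling): before uploading the downloaded file to an identity provider, an administrator can confirm its expiry date and check whether it differs from the certificate currently installed there. It assumes `openssl` is available; the two file paths passed on the command line are placeholders for a certificate exported from the identity provider and the newly downloaded one.

```bash
#!/usr/bin/env bash
# Added example: inspect SAML signing certificates (PEM) with openssl.
# File names are supplied by the caller; none are taken from the Genesys repo.

# SHA-256 fingerprint as lowercase hex without colons.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 \
    | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# notAfter date exactly as openssl prints it.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Succeeds (exit 0) only if the certificate is still valid $2 days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Prints "same" or "different" for the installed vs. downloaded certificate.
compare_certs() {
  if [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]; then
    echo same
  else
    echo different
  fi
}

# Usage: check-certs.sh <installed.pem> <downloaded.pem>
if [ "$#" -eq 2 ]; then
  for f in "$1" "$2"; do
    printf '%s\n  expires: %s\n  sha256:  %s\n' \
      "$f" "$(cert_not_after "$f")" "$(cert_fingerprint "$f")"
    cert_valid_for_days "$f" 30 || echo "  WARNING: expires within 30 days"
  done
  echo "installed vs downloaded: $(compare_certs "$1" "$2")"
fi
```
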


  • 2.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-13-2023 03:39

    Hi,

    This very same certificate also gets added in Azure AD when 'Genesys Cloud for Azure' is added from the Microsoft Entra Application gallery. Is it used by automatic user provisioning (Genesys SCIM integration)? In other words, do we need to upload the new certificate if we are using Genesys Cloud for Azure for automated user provisioning?

    You said it's only impacting Single Logout, but wanted to double check this.



    ------------------------------
    Timo Välimäki
    DXC Technology Finland Oy
    ------------------------------



  • 3.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-13-2023 10:26

    No, this cert isn't used by SCIM.  SCIM utilizes a client credential grant OAuth client, which then interfaces with our public API.  The only certificate involved is our certificate, which is provided via the AWS certificate authority, and managed by Genesys Cloud.



    ------------------------------
    David Murray
    Principal Product Manager
    Genesys Cloud
    ------------------------------



  • 4.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-14-2023 01:28

    Thanks.



    ------------------------------
    Timo Välimäki
    DXC Technology Finland Oy
    ------------------------------



  • 5.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-14-2023 11:56

    Hi David,

    Why do I need to wait until January 1, 2024 to make this change? My Okta identity provider (does not allow multiple certifications) can remove the old Genesys Cloud SSO cert and add the new Genesys Cloud SSO cert within the Okta application today. 

    David 



    ------------------------------
    David Martinez
    Motorola Solutions Inc
    ------------------------------



  • 6.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-14-2023 12:23

    Hi David,

    The feedback I received when I asked this question previously is that if you replace the current cert early (i.e. before Jan 1st), it will cause Single Logout to stop working.  That may not be true for all Identity Providers so, if you plan to try this, make sure you test it out and revert if there is an issue.



    ------------------------------
    David Murray
    Principal Product Manager
    Genesys Cloud
    ------------------------------



  • 7.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-21-2023 21:12

    Also just to clarify, if you're using Azure vs ADFS for SSO, this certificate expiry shouldn't impact as you only export/import the Genesys certificate for ADFS, and not for Azure.  Is this correct?  Is this because the Genesys certificate within Azure for SSO is automatically renewed?



    ------------------------------
    Vaun McCarthy
    ------------------------------



  • 8.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-22-2023 10:56

    There would be no difference between Azure AD and ADFS in relation to this issue.  The key point to understand is whether your Identity Provider requires a certificate for Single Logout.  If they do not, you don't need to worry about this.  However, if they do, when you originally implemented SSO for Genesys Cloud you would have previously had to upload a certificate to the location specified by the Identity Provider and this is the cert that needs to be replaced.  



    ------------------------------
    David Murray
    Principal Product Manager
    Genesys Cloud
    ------------------------------



  • 9.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-22-2023 13:44
    Thanks David, my point being the Genesys resource centre guides for Azure and ADFS SSO differ in that the signing cert is not mentioned at all in the Azure steps. 

    Can anyone else confirm they didn't use this cert when deploying Azure SSO?



  • 10.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-24-2023 02:33

    Dear David,

    How can we check (in Azure AD) if it is using the certificate or not?

    Maybe you can share some "print screens" (that will also describe how to install the new certificate)?



    ------------------------------
    Best regards,

    Yvgeni Liberman
    ITNAV-Pro Ltd.
    ------------------------------



  • 11.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-26-2023 18:32

    I'm no Azure expert by far, but this is what I believe is the case:

    Using the Genesys signing cert in Azure is optional.  It's not mentioned at all in the resource centre guide for setting this up for Azure.  However I believe the section that would be relevant if the Azure admin had enabled it is this:

    Hopefully someone else can jump in and correct me if I'm off the mark.



    ------------------------------
    Vaun McCarthy
    ------------------------------



  • 12.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-27-2023 15:02
    Edited by Simon Mckenzie 12-27-2023 15:03

    I checked in with our Cloud team to see if I had to upload a new cert on 1/1/2024 or not. They advised that even though they have the Logout URL filled out on the Azure side, the Single Logout URI field on the SSO page of our Genesys Cloud site was blank. Therefore we have nothing to worry about... as we are not using the single logout feature.
    E.g.





    ------------------------------
    Simon Mckenzie
    Farmers Mutual Group
    ------------------------------



  • 13.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-27-2023 15:14

    Good point.  If the Single Logout URI field is not populated, then you definitely don't need to worry about the cert expiry.  So, that would be a good field to check.  



    ------------------------------
    David Murray
    Principal Product Manager
    Genesys Cloud
    ------------------------------



  • 14.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-26-2023 18:47

    Hi David

    A comment here please if you could pass this on.  While hopefully most people can have this sorted, having a certificate with an expiry of Jan 1st where even some orgs have to renew on or after that is likely problematic for some.  A number of organisations around the world are actually closed on January 1st, meaning there's potentially no resource to actually do this or potentially no business test users available.

    In that scenario the first opportunity to do it if multiple certs aren't supported is the very first day users would be trying to login - if you're saying they can't be swapped out ahead of time for some providers.

    For future notifications of this expiry, can we please have all the information gathered this time around and added to that update at the time (next expiry looks to be in 2026).



    ------------------------------
    Vaun McCarthy
    ------------------------------



  • 15.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-27-2023 15:11

    Yes, I agree that this is not the best timing for this.  I will conduct a review of this cert change in January to determine how we can do this better next time around and to have more answers for the questions that are being asked on this thread.  I appreciate people posting comments regarding their experiences of this change and whether the cert is or is not required for their particular identity provider as, unfortunately, I don't have this information.  



    ------------------------------
    David Murray
    Principal Product Manager
    Genesys Cloud
    ------------------------------



  • 16.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-27-2023 15:23

    Thanks David



    ------------------------------
    Vaun McCarthy
    ------------------------------



  • 17.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-27-2023 21:32

    I would suggest you renew your certs in May or June and give us 5 to 6 months.   Also, it shouldn't be hard to ask MS or Okta if they use it and determine the effect.



    ------------------------------
    Robert Wakefield-Carl
    ttec Digital
    Sr. Director - Innovation Architects
    Robert.WC@ttecdigital.com
    https://www.ttecDigital.com
    https://RobertWC.Blogspot.com
    ------------------------------



  • 18.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-28-2023 19:23

    Just adding to this, my assumption here is that this is January 1st in whatever region the org is in?  Can we also clarify the following:

    1. I don't see any place in the enterprise app where you'd add this certificate other than the screenshot I included earlier
    2. What is the behaviour of the 'logout' function if that single sign out field is left blank in Genesys Cloud?


    ------------------------------
    Vaun McCarthy
    ------------------------------



  • 19.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 12-29-2023 06:22

    I'm assuming this only applies to Okta Single Sign On, as that's where you download a certificate in the installation steps.
    Looking through the Azure AD installation, it seems you only download the certificate from Azure and upload it to Genesys.

    The Login URL and Logout URL use the same domain on both the AD and Okta integrations, so if those certificates were affected it should affect login as well.
    I looked at those certificates in different regions and they all seem to expire in September 2024.

    Next time I hope we can get better information on exactly which services will be affected so this confusion doesn't happen.



    ------------------------------
    Jan Heinonen
    Contact Center Specialist
    GlobalConnect AB
    ------------------------------



  • 20.  RE: Genesys Cloud SSO certificate expiry notification 01/Jan/2024

    Posted 01-03-2024 12:05

    Thanks for the feedback on this topic.  We are working on some improvements to automate this process in future (for IDPs that support this) and to provide more advance notice of the change as well as more detailed information on the impact.  Now that the new certificate is in use, I was just wondering whether there have been any customer-reported issues over the past couple of days associated with this change?



    ------------------------------
    David Murray
    Principal Product Manager
    Genesys Cloud
    ------------------------------