Just an update, we did get this to work.
- In your Genesys Cloud SSO settings:
  Name Identifier Format=Unspecified << your SSO should be sending the same thing.
- Next, you have to update the User's External ID using the SCIM API interface. I did it using the API Explorer.
  There is no ability to update the External ID using the UI.
- Using API Explorer, it is not the first externalid field you see. You must:
  - Expand urn:ietf:params:scim:schemas:extension:genesys:purecloud:2.0:User
  - Expand ScimUserExtensions
  - Expand ScimGenesysUserExternalId
  - Update authority = {keyName}
    The "keyName" should match what is being sent from your SSO provider.
  - Update value = {loginId}
    The "loginId" should be the id you want to match.

    PUT /api/v2/scim/users/{userID} HTTP/1.1

    {"urn:ietf:params:scim:schemas:extension:genesys:purecloud:2.0:User":{"externalIds":[{"authority":"{keyName}","value":"{loginId}"}]}}

Example:

    PUT /api/v2/scim/users/9j5c632e-33ad-9234-b47e-fb3dc6276c4a HTTP/1.1

    {"urn:ietf:params:scim:schemas:extension:genesys:purecloud:2.0:User":{"externalIds":[{"authority":"ADID","value":"ABCD1234"}]}}
------------------------------
Tony Morrow
Sr. Genesys Engineer
------------------------------
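As an added example (not part of the original post and not Genesys code): the Python below compares SCIM user resources against an IdP export and builds the PUT request shown above for each user whose external ID is missing or stale, while holding back any login id that two users would share. The user records, the `directory` mapping keyed by `userName`, and the function names are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Extension schema URN, as given in the post above.
EXT = "urn:ietf:params:scim:schemas:extension:genesys:purecloud:2.0:User"

def external_id(user, authority):
    """Return the externalIds value a SCIM user holds for `authority`, or None."""
    for entry in user.get(EXT, {}).get("externalIds", []):
        if entry.get("authority") == authority:
            return entry.get("value")
    return None

def build_put(user_id, authority, value):
    """Request line and JSON body in the shape shown in the post."""
    body = {EXT: {"externalIds": [{"authority": authority, "value": value}]}}
    return f"PUT /api/v2/scim/users/{user_id}", json.dumps(body, separators=(",", ":"))

def audit(users, authority, directory):
    """Return (updates, duplicates) for users listed in `directory`.

    `directory` maps SCIM userName -> login id (hypothetical IdP export).
    A login id claimed by more than one user is reported, never written.
    """
    owners = defaultdict(list)
    for user in users:
        wanted = directory.get(user["userName"])
        if wanted is not None:
            owners[wanted].append(user)
    updates, duplicates = [], {}
    for value, holders in owners.items():
        if len(holders) > 1:
            duplicates[value] = [u["id"] for u in holders]
        elif external_id(holders[0], authority) != value:
            updates.append(build_put(holders[0]["id"], authority, value))
    return updates, duplicates

# Constructed sample data: ids, user names and login ids are invented.
USERS = [
    {"id": "user-001", "userName": "a@example.com",
     EXT: {"externalIds": [{"authority": "ADID", "value": "ABCD1234"}]}},
    {"id": "user-002", "userName": "b@example.com"},
    {"id": "user-003", "userName": "c@example.com"},
    {"id": "user-004", "userName": "d@example.com"},
]
DIRECTORY = {"a@example.com": "ABCD1234", "b@example.com": "EFGH5678",
             "c@example.com": "WXYZ0001", "d@example.com": "WXYZ0001"}

if __name__ == "__main__":
    print(audit(USERS, "ADID", DIRECTORY))
```

Reviewing the `duplicates` result before sending any request keeps two accounts from being mapped to the same SSO identifier.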
Original Message:
Sent: 07-15-2025 18:07
From: Tony Morrow
Subject: SSO with non-email address identifier?
Did anyone happen to get this working?
------------------------------
Tony Morrow
Sr. Genesys Engineer
Original Message:
Sent: 04-05-2023 09:28
From: Timo Valimaki
Subject: SSO with non-email address identifier?
Hi,
Genesys Cloud supports SSO login with a non-email address identifier, and we'd like to get this configured in our org. We do have SSO enabled and working fine, and users have been provisioned with SCIM externalid data. It's just that the email address is used as the user identifier and we'd like to start using externalid.
What is unclear is how this should be configured on the IdP side. This has been documented at https://help.mypurecloud.com/articles/configure-sso-identity-provider-without-email-address/ , but in my eyes, this is not 100% clear.
In the current setup, the IdP sets the attributes "OrganizationName", "ServiceName", and "email" in the SAML assertion, as instructed at https://help.mypurecloud.com/articles/add-a-generic-single-sign-on-provider/ :
<saml:AttributeStatement>
  <saml:Attribute Name="OrganizationName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">myorg</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="ServiceName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">directory</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">foobar@myowndomain.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
How should we construct the assertion if a non-email address identifier is used? Do you have an example available? Should we replace the "email" attribute with "urn:ietf:params:scim:schemas:extension:genesys:purecloud:2.0:User:externalIds[authority eq "{Identity Provider Issuer URI}"].value", and put the externalid value in that?
If someone has done this, an example would be appreciated.
Thanks,
#API/Integrations
------------------------------
Timo Välimäki
DXC Technology Finland Oy
------------------------------