Manage Login Authenticators

Login authenticators control how users log in to CXone. CXone supports both internal and external authentication based on the login authenticator that is assigned to the user and the type and configuration of that login authenticator.

For more information about authentication and authorization in CXone, see the CXone help topic on authentication and authorization.

Set Up a Location

Required permissions: Location Management Create

If you want to require that users log in from a certain IP address, create a location with the IP addresses, IP address ranges, or IP address subnets you want to allow. When you require a configured location for a user, that user must have both the correct credentials and IP address to log in. Otherwise, their login attempt fails and they receive an error. You can have up to 20 locations at a time and up to 10 rules per location.

  1. Click the app selector and select Admin.
  2. Go to Locations > Location Definitions.
  3. Click New Location.
  4. Give the location a descriptive Name. If you want to add more details about the location, enter a Description.
  5. You can select Set as Default Location or Remote Location to indicate the type of location. You can have only one default location. These fields don't currently affect any functionality; selecting them is for your own reference.
  6. Add any other information you want using the remaining fields, including the physical address, country, GPS coordinates, time zone, or assigned groups. These fields don't currently affect any functionality; the information you enter is for your own reference.

    If you add groups to the Assigned Groups field, the users belonging to those groups appear on the Assigned Users tab. However, the location settings won't apply to them. If you assign a location to a login authenticator, the location applies to users who are assigned to that login authenticator and restricts their ability to log in based on their IP address. However, those users will not appear on the Assigned Users tab.

  7. Click Save.

  8. Back on the Location Definitions page, click the location you just created to open it.

  9. Click the Auto-Detection Rules tab.

  10. Create a new rule. To do so: 

    1. Click New Rule.

    2. Give the rule a descriptive Name.

    3. Select the Rule Type from the following: 

      • List: A list of specific IP addresses allowed for this location. For example, 100.0.1.100, 100.0.1.101, and 100.0.1.102.

      • Range: An IP address range allowed for this location. For example, 100.0.1.100-100.0.1.125.

      • Subnet: A subnet allowed for this location. For example, 100.0.0.1/32.

    4. Specify the IP Version as one of the following:

      • IPV4: A 32-bit IP address.

      • IPV6: A 128-bit hexadecimal address.

    5. Enter the actual IP addresses, range, or subnet in the Rule Definition field, following the formats of the examples in the preceding steps. If you selected List, you can enter up to 100 IP addresses. If you selected Range or Subnet, you can only enter one value.

    6. Click Confirm.

  11. Add more rules as needed. You can have up to 10.

  12. Click Save.
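The three rule types above decide whether a login's source address is accepted. The following is an added example (not CXone code) that applies the same List, Range, and Subnet semantics and the form limits (up to 100 list entries, one value for Range or Subnet) to a source address, so you can check a planned Rule Definition before saving it; the sample rules are constructed from the page's example values.

```python
import ipaddress

# Constructed sample rules, using the example definitions from the page (not a CXone export).
LOCATION_RULES = [
    ("List", "IPV4", "100.0.1.100, 100.0.1.101, 100.0.1.102"),
    ("Range", "IPV4", "100.0.1.100-100.0.1.125"),
    ("Subnet", "IPV4", "100.0.0.1/32"),
]

def rule_problems(rule_type, ip_version, definition):
    """Return the reasons a Rule Definition would be rejected; an empty list means it is acceptable."""
    problems = []
    parts = [p.strip() for p in definition.split(",") if p.strip()]
    if rule_type == "List" and not 1 <= len(parts) <= 100:
        problems.append("List rules take 1 to 100 addresses")
    if rule_type in ("Range", "Subnet") and len(parts) != 1:
        problems.append(f"{rule_type} rules take exactly one value")
    want = 4 if ip_version == "IPV4" else 6
    for part in parts:
        pieces = part.split("-", 1) if rule_type == "Range" else [part]
        for piece in pieces:
            try:
                parsed = (ipaddress.ip_network(piece, strict=False) if rule_type == "Subnet"
                          else ipaddress.ip_address(piece))
            except ValueError:
                problems.append(f"{piece!r} is not a valid address")
                continue
            if parsed.version != want:
                problems.append(f"{piece!r} is not an {ip_version} value")
    return problems

def rule_matches(rule_type, definition, client_ip):
    """True if client_ip is allowed by this one rule; an IPv4/IPv6 version mismatch never matches."""
    ip = ipaddress.ip_address(client_ip)
    if rule_type == "List":
        return any(ip == ipaddress.ip_address(a.strip()) for a in definition.split(","))
    if rule_type == "Range":
        lo, hi = (ipaddress.ip_address(p.strip()) for p in definition.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    if rule_type == "Subnet":
        return ip in ipaddress.ip_network(definition.strip(), strict=False)
    raise ValueError(f"unknown rule type {rule_type!r}")

def location_allows(rules, client_ip):
    """A location accepts a login if any of its (up to 10) rules matches the source address."""
    return any(rule_matches(rule_type, definition, client_ip) for rule_type, _ver, definition in rules)
```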

Configure a System Login Authenticator

Required permissions: Can manage passwords, On.

CXone includes a default system login authenticator but you can create your own as well. After you configure a login authenticator for a particular role, the password field displays the configured login authenticator rules when a user tries to set or change the password.

  1. Click the app selector and select Admin.
  2. Go to Security Settings > Login Authenticator.
  3. Click New Login Authenticator.

  4. Enter a unique Name for the login authenticator.

  5. Enter a Description if you want one.

  6. Select System as the Authentication Type.

  7. If you want to require that users log in from a certain IP address, select the Location you set up in the preceding section.

  8. Set up your password complexity.

    Each user's password is checked against a repository of commonly used passwords. If their password matches one of the commonly used passwords, they will be forced to create a new password. Some of the passwords that are rejected include:

    • Any password that includes the word "password." For example, Password@1234.

    • Any password that includes the user's email address, username, first name, last name, or system name.

    Passwords are checked against this repository whenever:

    • A new user is activated.

    • A user's password expires.

    • A user resets their password.

  9. If you want to enable multi-factor authentication, select Require Multi-Factor Authentication. Set your MFA Type to HOTP (HMAC-based) or TOTP (time-based).

  10. Set your password policy.

  11. Click Save & Activate.

Set Up an External Login Authenticator with SAML 2.0

You can use external authentication when you want a user's password to be managed by another system or identity provider. CXone currently supports SAML 2.0 and OpenID Connect federation protocols.

You can set up IdP-initiated authentication or SP-initiated authentication with the steps in this section.

IdP-Initiated Authentication: IdP stands for identity provider. IdP-initiated authentication means that the external identity provider starts the login process.

SP-Initiated Authentication: SP stands for service provider. SP-initiated authentication means that CXone starts the login process.

If you are using Salesforce Agent, then the external identity provider (IdP) must be configured for SP-initiated authentication.

  1. Ensure that you have access to the external identity provider. You will need to create an integration specific to CXone.
  2. Create the integration in the external identity provider. Different systems use different names for these integrations; see the specific instructions for Okta or Azure.
    1. You will need to provide an Entity ID which you don't know at this point. Use https://cxone.niceincontact.com/need_to_change as a placeholder.
    2. You will need to provide an ACS URL which you don't know at this point. Use https://cxone.niceincontact.com/need_to_change as a placeholder.
    3. The identity provider will generate a specific URL where SAML requests must be sent. Copy and save this URL to a place where you can find it. You will need to enter this value in later steps.
    4. The identity provider will generate a public signing certificate for the integration. Download the certificate. You will need to use it in later steps.
  3. Create an external login authenticator in CXone.
    1. Click the app selector and select Admin.
    2. Go to Security > Login Authenticator.
    3. Enter the Name and Description of the login authenticator.
    4. Select SAML as the Authentication Type.
    5. If you want to require that users log in from a certain IP address, select the Location you set up in the preceding section.

    6. If you select FICAM, the SAML response must have a single AuthnContextClassRef entry. Also, the NamespaceURI of the assertion subject must be: urn:oasis:names:tc:SAML:2.0:assertion. The AuthnContextClassRef and NamespaceURI fields are controlled by the identity provider.
    7. Enter the SAML request Endpoint you received from your provider above as the Endpoint URL.
    8. Click Choose File and select the public signing certificate you received from your provider. The file must be in PEM format: a text file whose first line is -----BEGIN CERTIFICATE-----.
    9. Select the Assigned Users tab. Select the users that you want to assign to the login authenticator you are creating. You can also assign users directly to the login authenticator in their employee profile.

    10. Click Save and Activate.
    11. Open the login authenticator.
    12. Note the Entity ID and ACS URL. You will need them when updating your IdP settings.

  4. Update your identity provider settings, replacing the placeholders used above with the values you just noted.

  5. Ensure that the External Identity for each user that uses the login authenticator is set to the correct value. This field can be accessed in the security section of the employee's profile.

    Your identity provider determines the value that must be used. The value must match exactly what you put in the External Identity field in CXone.

  6. Have the user log in. They must use the latest login URL. After entering their username they will be directed to the external identity provider if needed.
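The FICAM option in step 6 and the PEM requirement in step 8 are the two places where an IdP-side detail causes a login to fail. The following is an added example (not CXone code) that checks a captured SAML response for exactly one AuthnContextClassRef and for the assertion Subject namespace, and checks that a downloaded certificate file is PEM rather than binary DER; the SAML responses are constructed samples.

```python
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: one AuthnContextClassRef, Subject in the assertion namespace.
GOOD_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="{SAML_ASSERTION_NS}">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement><saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample that the FICAM profile rejects: two AuthnContextClassRef entries.
BAD_RESPONSE = GOOD_RESPONSE.replace(
    "</saml:AuthnContextClassRef>",
    "</saml:AuthnContextClassRef><saml:AuthnContextClassRef>urn:x:other</saml:AuthnContextClassRef>", 1)

def _split_tag(tag):
    """ElementTree tags look like '{namespace}local'; return (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag

def ficam_problems(xml_text):
    """Return the FICAM-profile problems found in a SAML response; an empty list means it passes."""
    tags = [_split_tag(el.tag) for el in ET.fromstring(xml_text).iter()]
    class_refs = [ns for ns, local in tags if local == "AuthnContextClassRef"]
    subject_namespaces = [ns for ns, local in tags if local == "Subject"]
    problems = []
    if len(class_refs) != 1:
        problems.append(f"expected exactly one AuthnContextClassRef, found {len(class_refs)}")
    if not subject_namespaces:
        problems.append("no assertion Subject element found")
    for ns in subject_namespaces:
        if ns != SAML_ASSERTION_NS:
            problems.append(f"Subject namespace is {ns!r}, expected {SAML_ASSERTION_NS!r}")
    return problems

def looks_like_pem_certificate(file_bytes):
    """True if the uploaded file is text starting with the PEM certificate header (not DER)."""
    try:
        first_line = file_bytes.decode("ascii").splitlines()[0].strip()
    except (UnicodeDecodeError, IndexError):
        return False
    return first_line == "-----BEGIN CERTIFICATE-----"
```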

Create External Login Authenticators with OpenID Connect

Required permissions: Login Authenticator Create

You can use external authentication when you want a user's password to be managed by another system or identity provider. CXone currently supports SAML 2.0 and OpenID Connect federation protocols.

You can set up SP-initiated authentication with the steps in this section.

SP-Initiated Authentication: SP stands for service provider. SP-initiated authentication means that CXone starts the login process.

If you are using Salesforce Agent, then the external identity provider (IdP) must be configured for SP-initiated authentication.

  1. Ensure that you have access to the external identity provider. You will need to create an integration specific to CXone.
  2. Create the integration in the external identity provider.
    1. You will need to provide a Sign-in Redirect URI which you don't know at this point. Use https://cxone.niceincontact.com/need_to_change as a placeholder.
    2. You may need to provide a Sign-out Redirect URI which you don't know at this point. Use https://cxone.niceincontact.com/need_to_change as a placeholder.
    3. The identity provider will generate a Client ID and a Client Secret. Copy and save these values where you can find them. You will need to enter them in later steps.
  3. Create an external login authenticator in CXone.
    1. Click the app selector and select Admin.

    2. Go to Security Settings > Login Authenticator.

    3. Click New Login Authenticator or select the login authenticator you want to edit.
    4. Enter the Name and a Description of the login authenticator.
    5. Select OIDC as the Authentication Type.
    6. If you want to require that users log in from a certain IP address, select the Location you set up in the preceding section.

    7. If you have a discovery endpoint for your IdP, click Discover Settings. Enter your discovery endpoint and click Discover. The remaining fields are populated for you. Discover Settings does not work with Salesforce discovery endpoints.
    8. Enter your Client Identifier and Client Password. Re-type the password in Client Confirm Password. The Client Identifier is the login ID assigned to your account by your IdP.
    9. If you don't have a discovery endpoint for your IdP, enter your IdP-provided Issuer, JsonWebKeySet Endpoint, Authorization Endpoint, Token Endpoint, UserInfo Endpoint, Revocation Endpoint, and End Session Endpoint.

    10. Select a Client Authentication Method. The method you select must be an authentication method that your IdP supports. If you select private_key_jwt, you must enter your Client Private Key.
    11. You can select Enable FICAM Profile to turn on U.S. government-specific settings.
    12. Select the Assigned Users tab. Select the users that you want to assign to the login authenticator you are creating. You can also assign users directly to the login authenticator in their employee profile.

    13. Click Save & Activate to validate the provided information and to link your CXone account to your IdP account.
    14. Open the login authenticator.
    15. Note the Sign-in Redirect URI and Sign-out Redirect URI. You will need them when updating your IdP settings.

  4. Update your identity provider settings, replacing the placeholders used above with the values you just noted.

  5. Ensure that the External Identity for each user that uses the login authenticator is set to the correct value. This field can be accessed in the security section of the employee's profile.

    Your identity provider determines the value that must be used. The value must match exactly what you put in the External Identity field in CXone. The value for this field must be in this format: claim(email):{email configured by your IdP}. For example, if the user's email in the IdP is nick.carraway@classics.com, you would enter claim(email):nick.carraway@classics.com.

  6. Have the user log in. They must use the latest login URL. After entering their username they will be directed to the external identity provider, if needed.

  7. When your IdP asks you to authenticate, do so as the user on the IdP you want associated with your currently logged in CXone account.
  8. If your OpenID Connect settings in CXone don't show as validated, use your IdP logs to diagnose the problem.

Linking New Users with Claim-based OpenID Connect

CXone can use a different claim value, like an email address, to establish the user's identity at their first login. CXone then automatically switches to the unique OpenID Connect subject identifier. This allows you to pre-configure a user's federated identity.

PKCE for Front-End Authentication

You may have difficulty using the OpenID Connect authorization code flow from a front-end application. That flow requires a client_secret as part of the token exchange, and embedding the client_secret in a web application, where anyone can read it from the delivered code, is a security risk. OpenID Connect allows an alternative flow called PKCE (Proof Key for Code Exchange), which authenticates the token exchange differently. NICE CXone supports PKCE flows for front-end integrations.
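The following is an added example (not CXone code) of the PKCE mechanics that replace the client_secret: the front end generates a random code_verifier, sends only its SHA-256 code_challenge with the authorization request, and proves possession of the verifier at token exchange; the server-side check shown is what an IdP does, so a stolen authorization code alone is useless. The parameter names are those of RFC 7636 and OAuth 2.0; the client_id, redirect_uri and endpoint values are placeholders, not CXone's.

```python
import base64
import hashlib
import hmac
import secrets

def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier(nbytes: int = 32) -> str:
    """Random verifier of 43..128 unreserved chars; 32 random bytes encode to 43 characters."""
    return _b64url(secrets.token_bytes(nbytes))

def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) for method S256."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def authorization_request_params(client_id: str, redirect_uri: str, verifier: str, state: str) -> dict:
    """Front end -> IdP: only the challenge travels with the request; the verifier stays in the browser."""
    return {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid", "state": state,
        "code_challenge": code_challenge_s256(verifier), "code_challenge_method": "S256",
    }

def token_request_params(client_id: str, redirect_uri: str, code: str, verifier: str) -> dict:
    """Front end -> token endpoint: the verifier replaces the client_secret a confidential client would send."""
    return {"grant_type": "authorization_code", "client_id": client_id,
            "redirect_uri": redirect_uri, "code": code, "code_verifier": verifier}

def server_accepts_verifier(stored_challenge: str, received_verifier: str) -> bool:
    """IdP-side check at the token endpoint: recompute the challenge and compare in constant time."""
    return hmac.compare_digest(code_challenge_s256(received_verifier), stored_challenge)

def pkce_round_trip() -> bool:
    """Whole exchange with placeholder values; the IdP stores the challenge it saw with the issued code."""
    verifier = make_code_verifier()
    auth = authorization_request_params("placeholder-client-id", "https://example.test/cb", verifier, secrets.token_urlsafe(16))
    stored_challenge = auth["code_challenge"]  # kept by the IdP alongside the authorization code
    token = token_request_params("placeholder-client-id", "https://example.test/cb", "constructed-code", verifier)
    return server_accepts_verifier(stored_challenge, token["code_verifier"])
```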

Deactivate Login Authenticators

Required permissions: Login Authenticator Disable

You can deactivate system and SAML 2.0 login authenticators on the Login Authenticator Page.

All users assigned to a deactivated login authenticator (LA) will lose access to CXone. These users also won't be able to use the Forgot Password link to activate their account or change their password. Users won't be notified of their loss of access. They won't be able to regain access until you:

  • Assign them to an active LA.

  • Reactivate their assigned LA.

To avoid revoking access from your users, assign them to a different LA before you deactivate.

  1. Click the app selector and select Admin.
  2. Go to Security Settings > Login Authenticator.
  3. Locate the login authenticator you want to deactivate.
  4. Click the actions icon (three stacked dots) on the right side of the login authenticator.
  5. Click Deactivate.