Manage Federation with Azure

Azure is just one of the supported external identity providers (IdPs) that you can use with CXone. This page guides you, step-by-step, in setting up authentication for your CXone system using Azure.

If you're doing the initial implementation of your CXone system, there are additional steps to consider. We recommend reading the following online help pages which include these considerations:

Before you begin, make sure you have access to the Microsoft Azure ID management console. You will need to create an application.

Manage Federation with Azure with SAML 2.0

Complete each of these tasks in the order given.

Create and Configure an Azure Application with SAML 2.0

  1. Login to your Azure AD management account.
  2. Create an application.
    1. Click Enterprise applications > New Application.
    2. Click Create your own application.
    3. Enter a Name (for example, NICE CXone).
    4. Select Integrate any other application you don’t find in the gallery (Non-gallery).
    5. Click Create.
  3. Assign users and groups as appropriate.
  4. Under Set up single sign on, click Get Started and then select SAML.
  5.  On the Basic SAML Configuration panel, click Edit and configure SAML:
    1. Under Identifier (Entity ID), click Add Identifier and enter https://cxone.niceincontact.com/need_to_change. You will change this value to the URL you receive later.
    2. Under Reply URL, click Add reply URL and in the Audience URI field, enter https://cxone.niceincontact.com/need_to_change. You will change this value to the URI you receive later.
  6. Click Save and close the Basic SAML Configuration panel.
  7. In the Attributes & Claims section, select the correct Unique User Identifier. The value you choose will be the External Identity in CXone.
  8. Azure AD should automatically create a SAML signing certificate. Download the certificate named Certificate (Base64).
  9. On the SAML Signing Certificate panel, click Edit and then:
    1. Change the Signing Option to Sign SAML response.
    2. Click Save and close the SAML Signing Certificate panel. Keep this file for your CXone configuration.
  10. On the Set up <application name> panel, copy the Login URL value. Keep this for your CXone configuration.
  11. Keep your window open. You will make changes to your Azure application settings based on values you receive in the next task.

Set Up a Location

Required permissions: Location Management Create

If you want to require that users log in from a certain IP address, create a location with the IP addresses, IP address ranges, or IP address subnets you want to allow. When you require a configured location for a user, that user must have both the correct credentials and IP address to log in. Otherwise, their login attempt fails and they receive an error. You can have up to 20 locations at a time and up to 10 rules per location.

  1. Click the app selector and select Admin.
  2. Go to LocationsLocation Definitions.
  3. Click New Location.
  4. Give the location a descriptive Name. If you want to add more details about the location, enter a Description.
  5. You can select the Set as Default Location or Remote Location to indicate the type of location. You can only have one default location. These fields don't currently affect any functionality and selecting them is for your own reference.
  6. Add any other information you would like using the remaining fields, including the physical address, country, GPS coordinates, time zone, or assigned groups. These fields don't currently affect anything, and the information entered there would be only for your own reference.

    If you add groups to the Assigned Groups field, the users belonging to those groups appear on the Assigned Users tab. However, the location settings won't apply to them. If you assign a location to a login authenticator, the location applies to users who are assigned to that login authenticator and restricts their ability to log in based on their IP address. However, those users will not appear on the Assigned Users tab.

  7. Click Save.

  8. Back on the Location Definitions page, click the location you just created to open it.

  9. Click the Auto-Detection Rules tab.

  10. Create a new rule. To do so: 

    1. Click New Rule.

    2. Give the rule a descriptive Name.

    3. Select the Rule Type from the following: 

      • List: A list of specific IP addresses allowed for this location. For example, 100.0.1.100, 100.0.1.101, and 100.0.1.102.

      • Range: An IP address range allowed for this location. For example, 100.0.1.100-100.0.1.125.

      • Subnet: A subnet allowed for this location. For example, 100.0.0.1/32.

    4. Specify the IP Version as one of the following:

      • IPV4: A 32-bit IP address

      • IPV6: A 128-bit hexadecimal address.

    5. Enter the actual IP addresses, range, or subnet in the Rule Definition field, following the formats of the examples in the preceding steps. If you selected List, you can enter up to 100 IP addresses. If you selected Range or Subnet, you can only enter one value.

    6. Click Confirm.

  11. Add more rules as needed. You can have up to 10.

  12. Click Save.

Set Up a Login Authenticator with SAML 2.0 in CXone

Required permissions: Login Authenticator Create

  1. Click the app selector and select Admin.
  2. Go to Security SettingsLogin Authenticator.
  3. Click New Login Authenticator.
  4. Enter the Name and Description of the login authenticator.
  5. Select SAML as the Authentication Type .
  6. If you want to require that users log in from a certain IP address, select the Location you set up in the preceding section.

  7. Enter the SAML request Endpoint URL you received from Azure as the Endpoint URL.

    If you're using Entra ID (Azure), delete the string populated in the Requested Authentication Context field. Otherwise, users attempting to log in to CXone could receive Microsoft error AADSTS75011 and be prevented from logging in.

  8. Click Choose File and select the public signing certificate you downloaded from Azure in the previous task. This file must be a PEM file. It will be a text file and the first line will contain BEGIN CERTIFICATE with some additional text.
  9. Select the Assigned Users tab. Select the users that you want to assign to the login authenticator you are creating. You can also assign users directly to the login authenticator in their employee profile.

  10. Click Save & Activate.
  11. Open the login authenticator.
  12. You will notice two additional read-only fields displayed, the Entity ID and the ACS URL. Make a note of these values. You will need them in the Add CXone Values to Azure task.

Add CXone Values to Azure

  1. Return to your Azure application and on the Basic SAML Configuration panel, click Edit.
  2. For Identifier (Entity ID), enter the Entity ID value from your CXone login authenticator.
  3. For Reply URL, enter the ACS URL value from your CXone login authenticator.
  4. Click Save and close the Basic SAML Configuration panel.
  5. Ensure that the External Identity for each user that uses the login authenticator is set to the correct value.

    1. Your identity provider determines the value that must be used. The value must match exactly the Unique User Identifier in Azure and the External Identity in CXone.

  6. Have the user log in . They must use the latest login URL. After entering their username, they will be directed to the external identity provider if needed.

Verify User Access with Azure Single Sign-On

  1. Ensure that the External Identity for each employee who uses the login authenticator is set to the correct value. The value must match exactly the Unique User Identifier in Azure and the External Identity in CXone.

  2. Have one or more test users log in using the latest login URL. After entering their username, they will be directed to Azure if needed.

  3. When you're ready, roll out Azure single sign-on to all employees.

Manage Federation with Azure with OpenID Connect

Complete each of these tasks in the order given.

Configure an Azure Application with OpenID Connect

  1. Log in to your Azure management account.

  2. Under App registrations, click New Registration.

  3. Go to Authentication > Web.

  4. You will need to provide Redirect URIs, which you don't know at this point. Use https://cxone.niceincontact.com/need_to_change as a placeholder.

  5. Click Certificates and secrets.

  6. Select client_secret_basic or client_secret_post as your authentication method. The authentication method, private_key_jwt, is not currently supported in CXone.

  7. In the Client secrets field, select New client secret.

  8. Add a description and select Expires.

  9. Copy the Client ID and Client Secret and paste them to a secure place on your device. You will need to use them when you configure a login authenticator in CXone.

  10. Go to Token Configuration > Optional Claims.

  11. Click Add Optional Claim.

  12. Select ID as your Token type.

  13. Select email and add your email address.

  14. Click Save.

Set Up a Location

Required permissions: Location Management Create

If you want to require that users log in from a certain IP address, create a location with the IP addresses, IP address ranges, or IP address subnets you want to allow. When you require a configured location for a user, that user must have both the correct credentials and IP address to log in. Otherwise, their login attempt fails and they receive an error. You can have up to 20 locations at a time and up to 10 rules per location.

  1. Click the app selector and select Admin.
  2. Go to LocationsLocation Definitions.
  3. Click New Location.
  4. Give the location a descriptive Name. If you want to add more details about the location, enter a Description.
  5. You can select the Set as Default Location or Remote Location to indicate the type of location. You can only have one default location. These fields don't currently affect any functionality and selecting them is for your own reference.
  6. Add any other information you would like using the remaining fields, including the physical address, country, GPS coordinates, time zone, or assigned groups. These fields don't currently affect anything, and the information entered there would be only for your own reference.

    If you add groups to the Assigned Groups field, the users belonging to those groups appear on the Assigned Users tab. However, the location settings won't apply to them. If you assign a location to a login authenticator, the location applies to users who are assigned to that login authenticator and restricts their ability to log in based on their IP address. However, those users will not appear on the Assigned Users tab.

  7. Click Save.

  8. Back on the Location Definitions page, click the location you just created to open it.

  9. Click the Auto-Detection Rules tab.

  10. Create a new rule. To do so: 

    1. Click New Rule.

    2. Give the rule a descriptive Name.

    3. Select the Rule Type from the following: 

      • List: A list of specific IP addresses allowed for this location. For example, 100.0.1.100, 100.0.1.101, and 100.0.1.102.

      • Range: An IP address range allowed for this location. For example, 100.0.1.100-100.0.1.125.

      • Subnet: A subnet allowed for this location. For example, 100.0.0.1/32.

    4. Specify the IP Version as one of the following:

      • IPV4: A 32-bit IP address

      • IPV6: A 128-bit hexadecimal address.

    5. Enter the actual IP addresses, range, or subnet in the Rule Definition field, following the formats of the examples in the preceding steps. If you selected List, you can enter up to 100 IP addresses. If you selected Range or Subnet, you can only enter one value.

    6. Click Confirm.

  11. Add more rules as needed. You can have up to 10.

  12. Click Save.

Set Up a CXone Login Authenticator with OpenID Connect

  1. Click the app selector and select Admin.

  2. Go to Security SettingsLogin Authenticator.

  3. Click New Login Authenticator or select the login authenticator you want to edit.
  4. Enter the Name and a Description of the login authenticator.
  5. Select OIDC as the Authentication Type.
  6. If you want to require that users log in from a certain IP address, select the Location you set up in the preceding section.

  7. If you have a discovery endpoint from Azure, click Discover Settings. Enter your discovery endpoint and click Discover. The remaining fields are populated for you. Discover Settings does not work with Salesforce discovery endpoints.
  8. Enter your Client Identifier and Client Password. Re-type the password in Client Confirm Password. The Client Identifier is the login ID assigned to your account by Azure.
  9. If you don't have a discovery endpoint from Azure, enter your Azure-provided Issuer, JsonWebKeySet Endpoint, Authorization Endpoint, Token Endpoint, UserInfo Endpoint, Revocation Endpoint, and End Session Endpoint.

  10. Select a Client Authentication Method. The method you select must match what you set up in the previous task. It must be an authentication method that Azure supports.
  11. You can select Enable FICAM Profile to turn on United States government-specific settings. This step is for FedRAMP users only.
  12. Select the Assigned Users tab. Select the users that you want to assign to the login authenticator you are creating. You can also assign users directly to the login authenticator in their employee profile.

  13. Click Save & Activate to validate the provided information and to link your CXone account to your Azure account.
  14. Open the login authenticator.
  15. Note the Sign-in Redirect URI and Sign-out Redirect URI. You will need them when you update your Azure settings.

  16. Update your Azure settings, replacing the placeholders used in the previous task with the values you just noted.

  17. Ensure that the CXone External Identity for each user that uses the login authenticator is set to the correct value. This field can be accessed in the security section of the employee's profile.

    Azure determines the value that must be used. It can be found in the user's profile in Azure. The value must match exactly what you put in the External Identity field in CXone. The value for this field must be in this format: claim(email):{email configured by your IdP}. For example, if the user's email in the IdP is nick.carraway@classics.com, you would enter claim(email):nickcarraway@classics.com.

  18. Have the user log in to CXone. They must use the latest login URL. After entering their username, they will be directed to Azure, if needed.

  19. When Azure asks you to authenticate your own account, do so as the user in Azure you want associated with your currently logged in CXone account.
  20. If your OpenID Connect settings in CXone don't show as validated, use Azure's logs to diagnose the problem.

Add CXone Values to Azure

  1. Return to your Azure application and on the Basic SAML Configuration panel, click Edit.
  2. For Identifier (Entity ID), enter the Entity ID value from your CXone login authenticator.
  3. For Reply URL, enter the ACS URL value from your CXone login authenticator.
  4. Click Save and close the Basic SAML Configuration panel.
  5. Ensure that the External Identity for each user that uses the login authenticator is set to the correct value.

    1. Your identity provider determines the value that must be used. The value must match exactly the Unique User Identifier in Azure and the External Identity in CXone.

  6. Have the user log in . They must use the latest login URL. After entering their username, they will be directed to the external identity provider if needed.

Verify User Access with Azure Single Sign-On

  1. Ensure that the External Identity for each employee who uses the login authenticator is set to the correct value. The value must match exactly the Unique User Identifier in Azure and the External Identity in CXone.

  2. Have one or more test users log in using the latest login URL. After entering their username, they will be directed to Azure if needed.

  3. When you're ready, roll out Azure single sign-on to all employees.