Manage Login Authenticators

Login authenticators control how users log in to CXone. CXone supports both internal and external authentication based on the login authenticator that is assigned to the user and the type and configuration of that login authenticator.

For more information about authentication and authorization in CXone, see the CXone authentication and authorization overview.

Configure a System Login Authenticator

Required permissions: Can manage passwords, On.

CXone includes a default system login authenticator, but you can create your own as well. Once a login authenticator is configured and assigned, the password field displays that authenticator's rules whenever an assigned user sets or changes their password.

  1. Click the app selector and select Admin.
  2. Go to Security Settings > Login Authenticator.
  3. Click New Login Authenticator.

  4. Enter a unique Name for the login authenticator.

  5. Enter a Description if you want one.

  6. Select System as the Authentication Type.

  7. Set up your password complexity.

    Each user's password is checked against a repository of commonly used passwords. If a password matches an entry, the user must choose a different one. Rejected passwords include:

    • Any password that contains the word "password" in any letter case. For example, Password@1234.

    • Any password that contains the user's email address, username, first name, last name, or system name.

    Passwords are checked against this repository whenever:

    • A new user is activated.

    • A user's password expires.

    • A user resets their password.

  8. If you want to enable multi-factor authentication, select Require Multi-Factor Authentication. Set the MFA Type to either HOTP (HMAC-based, counter-driven one-time codes) or TOTP (time-based one-time codes). The type must match what the users' authenticator apps generate.

  9. Set your password policy.

  10. Click Save & Activate.
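The two checks in steps 7 and 8, written out as an added example in Python (this is not CXone code and does not show how CXone implements them): a denylist check that rejects any password containing "password" or one of the user's own identifying values, and RFC 4226 HOTP / RFC 6238 TOTP generation with a verifier that tolerates one step of clock skew. The sample user record is constructed for the example, and the real common-password repository is far larger than the single word shown here.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample user record (assumption: these are the fields the page lists).
SAMPLE_USER = {
    "username": "ncarraway",
    "email": "nick.carraway@classics.com",
    "first_name": "Nick",
    "last_name": "Carraway",
    "system_name": "classics-cxone",
}


def reject_reason(password, user):
    """Return why a password is rejected, or None if it passes the denylist.

    Mirrors the page's rules: any password containing the word "password"
    or the user's email, username, first name, last name or system name
    (compared case-insensitively) is rejected.
    """
    pw = password.lower()
    terms = ["password"] + [
        str(user[k]).lower()
        for k in ("email", "username", "first_name", "last_name", "system_name")
        if user.get(k)
    ]
    # Check longer terms first so the report names the most specific match.
    for term in sorted(terms, key=len, reverse=True):
        if term in pw:
            return f"contains '{term}'"
    return None


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret, code, at=None, window=1, step=30, digits=6):
    """Accept the current code or one step either side to absorb clock skew.

    Constant-time comparison avoids leaking which digits matched. A real
    verifier must also refuse a code that was already accepted (replay)
    and rate-limit attempts; both are omitted here.
    """
    at = time.time() if at is None else at
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + skew * step, step, digits), code):
            return True
    return False


if __name__ == "__main__":
    print(reject_reason("Password@1234", SAMPLE_USER))   # contains 'password'
    rfc_secret = b"12345678901234567890"                 # RFC 4226 / RFC 6238 test secret
    print(hotp(rfc_secret, 0))                           # 755224
    print(totp(rfc_secret, at=59, digits=8))             # 94287082
```

The HOTP and TOTP outputs for the secret `12345678901234567890` match the test vectors published in RFC 4226 and RFC 6238, which is the quickest way to confirm an implementation before enrolling anyone.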

Set Up an External Login Authenticator with SAML 2.0

You can use external authentication when you want a user's password to be managed by another system or identity provider. CXone currently supports SAML 2.0 and OpenID Connect federation protocols.

You can set up IdP-initiated authentication or SP-initiated authentication with the steps in this section.

IdP-Initiated Authentication: IdP stands for identity provider. IdP-initiated authentication means that the external identity provider starts the login process.

SP-Initiated Authentication: SP stands for service provider. SP-initiated authentication means that CXone starts the login process.

If you are using Salesforce Agent, then the external identity provider (IdP) must be configured for SP-initiated authentication.

  1. Ensure that you have access to the external identity provider. You will need to create an integration specific to CXone.
  2. Create the integration in the external identity provider. Different systems use different names for these integrations; see the specific instructions for Okta or Azure.
    1. You will need to provide an Entity ID which you don't know at this point. Use https://cxone.niceincontact.com/need_to_change as a placeholder.
    2. You will need to provide an ACS URL which you don't know at this point. Use https://cxone.niceincontact.com/need_to_change as a placeholder.
    3. The identity provider will generate a specific URL where SAML requests must be sent. Copy and save this URL to a place where you can find it. You will need to enter this value in later steps.
    4. The identity provider will generate a public signing certificate for the integration. Download the certificate. You will need to use it in later steps.
  3. Create an external login authenticator in CXone.
    1. Click the app selector and select Admin.
    2. Go to Security Settings > Login Authenticator and click New Login Authenticator.
    3. Enter the Name and Description of the login authenticator.
    4. Select SAML as the Authentication Type.
    5. If you select FICAM (the U.S. Federal Identity, Credential, and Access Management profile), the SAML response must contain exactly one AuthnContextClassRef entry, and the NamespaceURI of the assertion Subject must be urn:oasis:names:tc:SAML:2.0:assertion. Both values are controlled by the identity provider, so check them in the IdP's assertion settings if FICAM logins fail.
    6. Enter the SAML request Endpoint you received from your provider above as the Endpoint URL.
    7. Click Choose File and select the public signing certificate you received from your provider. This file must be in PEM format: a text file whose first line is -----BEGIN CERTIFICATE-----. A binary DER (.cer/.der) export is not accepted, and you should never upload the IdP's private key; only the public certificate belongs here.
    8. Select the Assigned Users tab. Select the users that you want to assign to the login authenticator you are creating. You can also assign users directly to the login authenticator in their employee profile.

    9. Click Save and Activate.
    10. Open the login authenticator.
    11. Note the Entity ID and ACS URL. You will need them when updating your IdP settings.

  4. Update your identity provider settings, replacing the placeholders used above with the values you just noted.

  5. Ensure that the External Identity for each user that uses the login authenticator is set to the correct value. This field can be accessed in the security section of the employee's profile.

    Your identity provider determines the value that must be used. The value must match exactly what you put in the External Identity field in CXone.

  6. Have the user log in. They must use the latest login URL. After entering their username they will be directed to the external identity provider if needed.
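Two things in the SAML procedure above are easy to get wrong and cheap to check before saving: the FICAM constraints from step 3.5 (a single AuthnContextClassRef and a Subject in the SAML 2.0 assertion namespace) and the PEM format of the signing certificate from step 3.7. The Python below is an added example, not CXone's validation code; the SAML response and the PEM body are constructed and unsigned (the PEM body is a five-byte DER sequence, not a real certificate), and the XML checks are deliberately not signature validation.

```python
import base64
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed, unsigned sample response. Real responses carry an XML Signature
# and more attributes; nothing below substitutes for verifying that signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID>nick.carraway@classics.com</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed PEM whose body is a tiny DER SEQUENCE (0x30 0x03 0x02 0x01 0x01),
# not a real certificate; it only exercises the format checks below.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"


def _ns(tag):
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _local(tag):
    return tag.split("}", 1)[-1]


def ficam_problems(response_xml):
    """Return the FICAM-profile violations in a SAML response (empty list = passes)."""
    # Untrusted XML should be parsed with defusedxml in production; the
    # standard library parser is used here only to keep the example dependency-free.
    root = ET.fromstring(response_xml)
    assertions = root.findall(f"{{{SAML_ASSERTION_NS}}}Assertion")
    if len(assertions) != 1:
        return [f"expected one Assertion, found {len(assertions)}"]
    assertion = assertions[0]
    problems = []

    refs = [e for e in assertion.iter() if _local(e.tag) == "AuthnContextClassRef"]
    if len(refs) != 1:
        problems.append(f"expected exactly one AuthnContextClassRef, found {len(refs)}")

    subject = next((e for e in assertion.iter() if _local(e.tag) == "Subject"), None)
    if subject is None:
        problems.append("assertion has no Subject")
    elif _ns(subject.tag) != SAML_ASSERTION_NS:
        problems.append(f"Subject namespace is {_ns(subject.tag)!r}, expected {SAML_ASSERTION_NS!r}")
    return problems


def pem_certificate_problem(pem_text):
    """Return None if the text looks like a PEM X.509 certificate, otherwise the reason."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if not lines or lines[0] != "-----BEGIN CERTIFICATE-----":
        return "first line must be -----BEGIN CERTIFICATE----- (not a key, not DER)"
    if lines[-1] != "-----END CERTIFICATE-----":
        return "last line must be -----END CERTIFICATE-----"
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return "body is not valid base64"
    if not der or der[0] != 0x30:
        return "decoded body does not start with a DER SEQUENCE"
    return None


if __name__ == "__main__":
    print(ficam_problems(SAMPLE_RESPONSE))            # []
    print(pem_certificate_problem(SAMPLE_PEM))        # None
```

Run `ficam_problems` on a response captured from the IdP's test login (with a SAML tracer, for example) before enabling FICAM; it tells you which of the two IdP-controlled values to fix.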

Create External Login Authenticators with OpenID Connect

Required permissions: Login Authenticator Create

As with SAML 2.0, use external authentication when you want a user's password to be managed by another system or identity provider. The IdP-initiated and SP-initiated options and the Salesforce Agent requirement (the IdP must be configured for SP-initiated authentication) described in the SAML section above apply to OpenID Connect as well.

  1. Ensure that you have access to the external identity provider. You will need to create an integration specific to CXone.
  2. Create the integration in the external identity provider.
    1. You will need to provide a Sign-in Redirect URI which you don't know at this point. Use https://cxone.niceincontact.com/need_to_change as a placeholder.
    2. You may need to provide a Sign-out Redirect URI which you don't know at this point. Use https://cxone.niceincontact.com/need_to_change as a placeholder.
    3. The identity provider will generate a Client ID and a Client Secret. Copy and save these values where you can find them; you will need to enter them in later steps. Treat the Client Secret like a password: keep it in a secrets store, not in a ticket or chat message, and rotate it at the IdP if it is ever exposed.
  3. Create an external login authenticator in CXone.
    1. Click the app selector and select Admin.

    2. Go to Security Settings > Login Authenticator.

    3. Click New Login Authenticator or select the login authenticator you want to edit.
    4. Enter the Name and a Description of the login authenticator.
    5. Select OIDC as the Authentication Type.
    6. If you have a discovery endpoint for your IdP, click Discover Settings. Enter your discovery endpoint and click Discover. The remaining fields are populated for you.
    7. Enter your Client Identifier and Client Password, and re-type the password in Client Confirm Password. The Client Identifier is the Client ID the IdP generated for the CXone integration in step 2, and the Client Password is the matching Client Secret; neither is a personal login.
    8. If you don't have a discovery endpoint for your IdP, enter the IdP-provided Issuer, JsonWebKeySet Endpoint (jwks_uri), Authorization Endpoint, Token Endpoint, UserInfo Endpoint, and Revocation Endpoint. All of them must be https URLs.

    9. Select a Client Authentication Method. The method you select must be one your IdP supports; a discovery document lists them under token_endpoint_auth_methods_supported. If you select private_key_jwt, you must enter your Client Private Key, and the IdP must hold the matching public key for the integration.
    10. You can select Enable FICAM Profile to turn on U.S. government-specific settings.
    11. Select the Assigned Users tab. Select the users that you want to assign to the login authenticator you are creating. You can also assign users directly to the login authenticator in their employee profile.

    12. Click Save & Activate to validate the provided information and to link your CXone account to your IdP account.
    13. Open the login authenticator.
    14. Note the Sign-in Redirect URI and Sign-out Redirect URI. You will need them when updating your IdP settings.

  4. Update your identity provider settings, replacing the placeholders used above with the values you just noted.

  5. Ensure that the External Identity for each user that uses the login authenticator is set to the correct value. This field can be accessed in the security section of the employee's profile.

    Your identity provider determines the value that must be used, and it must match exactly what you put in the External Identity field in CXone. The value must be in this format: claim(email):{email configured by your IdP}. For example, if the user's email in the IdP is nick.carraway@classics.com, you would enter claim(email):nick.carraway@classics.com.

  6. Have the user log in. They must use the latest login URL. After entering their username they will be directed to the external identity provider if needed.

  7. When your IdP asks you to authenticate, do so as the user on the IdP you want associated with your currently logged in CXone account.
  8. If your OpenID Connect settings in CXone don't show as validated, use your IdP logs to diagnose the problem.

Linking New Users with Claim-based OpenID Connect

CXone can use a different claim value, such as an email address, to establish the user's identity at their first login. After that login succeeds, CXone automatically switches the user's External Identity to the unique OpenID Connect subject identifier (the sub claim), so a later change to the email address at the IdP does not break the link. This lets you pre-configure a user's federated identity before they have ever logged in.
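An added Python example (not CXone code) covering the OpenID Connect procedure above and the claim-based linking just described: it maps a discovery document onto the CXone fields named in step 8, refusing a document whose issuer does not match the discovery URL; checks that the Client Authentication Method from step 9 is one the IdP advertises; builds the External Identity value in the claim(email) format from step 5; and shows the first-login switch from that claim to the sub identifier. The discovery document and the IdP hostname idp.example.test are constructed for the example.

```python
import hmac
import json

# CXone field label -> key in the OpenID Connect discovery document.
CXONE_OIDC_FIELDS = {
    "Issuer": "issuer",
    "JsonWebKeySet Endpoint": "jwks_uri",
    "Authorization Endpoint": "authorization_endpoint",
    "Token Endpoint": "token_endpoint",
    "UserInfo Endpoint": "userinfo_endpoint",
    "Revocation Endpoint": "revocation_endpoint",
}

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed discovery document for a hypothetical IdP; a real one is fetched
# over HTTPS from <issuer>/.well-known/openid-configuration.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
    "revocation_endpoint": "https://idp.example.test/oauth2/revoke",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
})


def discover_settings(discovery_url, document_json):
    """Map a discovery document onto the CXone fields, rejecting unsafe input.

    The issuer must equal the discovery URL minus the well-known suffix
    (OpenID Connect Discovery 1.0, section 4.3). A mismatch means the document
    describes a different issuer and must not be trusted.
    """
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("discovery URL must end with " + WELL_KNOWN)
    doc = json.loads(document_json)
    expected_issuer = discovery_url[: -len(WELL_KNOWN)]
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer {doc.get('issuer')!r} does not match {expected_issuer!r}")
    settings = {}
    for label, key in CXONE_OIDC_FIELDS.items():
        value = doc.get(key)
        if not isinstance(value, str) or not value.startswith("https://"):
            raise ValueError(f"{label} ({key}) is missing or not an https URL")
        settings[label] = value
    return settings


def auth_method_supported(document_json, method):
    """True if the IdP advertises the chosen Client Authentication Method.

    When the key is absent the discovery spec's default is client_secret_basic.
    """
    doc = json.loads(document_json)
    return method in doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])


def external_identity_for(email):
    """External Identity value in the page's claim(email):<email> format."""
    return f"claim(email):{email}"


def link_identity(user, id_token_claims):
    """Resolve a validated ID token against the user's External Identity.

    First login with a claim(...) value: the named claim must match exactly,
    after which the record switches to the stable OIDC 'sub'. Later logins
    compare 'sub' only, so a renamed mailbox no longer matters. The caller is
    assumed to have verified the ID token's signature, issuer and audience.
    """
    ext = user["external_identity"]
    if ext.startswith("claim("):
        close = ext.index(")")
        claim, expected = ext[len("claim("):close], ext[close + 2:]
        if id_token_claims.get(claim) != expected:
            return False
        user["external_identity"] = id_token_claims["sub"]
        return True
    return hmac.compare_digest(ext, id_token_claims.get("sub", ""))


if __name__ == "__main__":
    url = "https://idp.example.test" + WELL_KNOWN
    print(discover_settings(url, SAMPLE_DISCOVERY)["Token Endpoint"])
    print(auth_method_supported(SAMPLE_DISCOVERY, "private_key_jwt"))   # True
    user = {"external_identity": external_identity_for("nick.carraway@classics.com")}
    print(link_identity(user, {"sub": "abc123", "email": "nick.carraway@classics.com"}), user)
```

The issuer comparison is the check that matters most: an attacker who can point you at a discovery document for a different issuer controls every endpoint CXone would then talk to.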

PKCE for Front-End Authentication

The standard OpenID Connect authorization code flow requires a client_secret at the token exchange. A front-end application (browser JavaScript or a mobile app) cannot keep a secret, so embedding the client_secret in it is a security risk. PKCE (Proof Key for Code Exchange, RFC 7636) removes the need for a secret: the client generates a random code_verifier per login, sends its SHA-256 hash as the code_challenge with the authorization request, and sends the plaintext code_verifier with the token request. An attacker who intercepts the authorization code cannot redeem it without the verifier, which never left the client. NICE CXone supports PKCE flows for front-end integrations.
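The PKCE exchange described above, as an added Python example that is not CXone or NICE code: the front-end side generates the verifier and challenge and builds the authorization request, and a function standing in for the IdP's token endpoint shows why a stolen authorization code is useless without the verifier. The verifier/challenge pair is the published test vector from RFC 7636 Appendix B; the endpoint, client ID and redirect URI in the usage are placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Test vector from RFC 7636 Appendix B.
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def _b64url(data):
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes=32):
    """High-entropy verifier: 32 random bytes give 43 base64url characters."""
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier):
    """S256 method: base64url(SHA-256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(authz_endpoint, client_id, redirect_uri, verifier, state):
    """Front-end side: send only the challenge; the verifier stays in memory."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return authz_endpoint + "?" + urlencode(params)


def token_endpoint_accepts(stored_challenge, stored_method, presented_verifier):
    """IdP side of the token exchange: no client_secret, just recompute the hash.

    The challenge was stored alongside the authorization code when it was
    issued. A code captured in transit cannot be redeemed without the verifier.
    """
    if stored_method != "S256":
        return False   # "plain" gives no protection against code interception
    if not 43 <= len(presented_verifier) <= 128:
        return False   # RFC 7636 section 4.1 length bounds
    return hmac.compare_digest(make_code_challenge(presented_verifier), stored_challenge)


if __name__ == "__main__":
    # Placeholder endpoint and client values (assumptions, not real CXone settings).
    verifier = make_code_verifier()
    print(authorization_url("https://idp.example.test/oauth2/authorize", "my-client-id",
                            "https://cxone.niceincontact.com/need_to_change", verifier, "xyz"))
    print(make_code_challenge(RFC7636_VERIFIER) == RFC7636_CHALLENGE)   # True
    print(token_endpoint_accepts(RFC7636_CHALLENGE, "S256", verifier))  # False
```

Keep the state parameter alongside the verifier and check it on the redirect back; PKCE protects the code, state protects against a forged callback, and a front-end integration needs both.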

Deactivate Login Authenticators

Required permissions: Login Authenticator Disable

You can deactivate system and SAML 2.0 login authenticators on the Login Authenticator page.

All users assigned to a deactivated login authenticator (LA) will lose access to CXone. These users also won't be able to use the Forgot Password link to activate their account or change their password. Users won't be notified of their loss of access. They won't be able to regain access until you:

  • Assign them to an active LA.

  • Reactivate their assigned LA.

To avoid revoking access from your users, assign them to a different LA before you deactivate.

  1. Click the app selector and select Admin.
  2. Go to Security Settings > Login Authenticator.
  3. Locate the login authenticator you want to deactivate.
  4. Click the Actions icon (three stacked dots) on the right side of the login authenticator.
  5. Click Deactivate.