Set Up CXone Authentication Using Okta

This page guides you, step-by-step, in setting up authentication for your CXone system using Okta as your external identity provider (IdP).

Before You Begin

• Gain a basic understanding of authentication and authorization concepts and terminology if you've never set up a process like this before.
• Review the CXone-specific process if this is the first time you've worked with authentication in CXone.
• Consider your human users and the levels of access they need. Decide whether people with greater access should have greater levels of security.
• Decide whether you will use custom password requirements, multi-factor authentication (MFA), or both to enforce.
• Based on your decisions, make a list of login authenticators. The list should include the password requirements and MFA status you want to use for each login authenticator.
• Consider whether you need to include authentication and authorization for applications like bots or intelligent virtual assistants (IVAs). If so, you will need to create access keys.
• Gain an understanding of your authentication protocol. CXone supports SAML 2.0 for Okta integration.
• Evaluate the combination of IdP and protocol to ensure your use cases and user flows are supported, and to identify potential issues. This should include actual testing.

Your NICE CXone team can support and guide you in this planning process. Good planning makes for a smoother implementation. Implementing authentication and authorization as immediate needs come up is more likely to lead to issues.

Before you begin, make sure you have access to Okta. You will need to create an application.

Create and Configure an Okta Application with SAML 2.0

1. Log in to your Okta management account.
2. Click Applications menu > Create App Integration.
3. Select SAML 2.0 as the method, and click Next.
4. Enter the name you want to use to identify this integration, and click Next.
5.  Configure SAML:
   1. Enter a placeholder URL like https://cxone.niceincontact.com/need_to_change in the Single sign-on URL field. You will change this value with the URL you receive later.
   2. Enter a placeholder URL like https://cxone.niceincontact.com/need_to_change in the Audience URI field. You will change this value with the URI you receive later.
   3. Specify the Name ID format and Application username to correspond with how you want to identify your users to CXone.
   4. Click Show Advanced Settings.
   5. Change Assertion Signature to Unsigned. Leave Response as Signed.
   6. Ensure that Assertion Encryption is Unencrypted.
6. Click Next, complete the feedback, and then click Finish on the Feedback tab.
7. Click View SAML setup instructions to open a new tab, then:
   1. Click Download certificate to download the signing certificate. Keep this file for your CXone configuration.
   2. Copy the Identity Provider Single Sign-on URL. Keep this URL for your CXone configuration.
   3. Close the SAML Setup Instructions tab. Leave the Configure SAML tab open. You will make changes to your configuration based on CXone settings you will get next.

Set Up a Location

Required permissions: Location Management Create

If you want to require that users log in from a certain IP address, create a location with the IP addresses, IP address ranges, or IP address subnets you want to allow. When you require a configured location for a user, that user must have both the correct credentials and IP address to log in. Otherwise, their login attempt fails and they receive an error. You can have up to 20 locations at a time and up to 10 rules per location.

1. Click the app selector and select Admin.
2. Go to Locations > Location Definitions.
3. Click New Location.
4. Give the location a descriptive Name. If you want to add more details about the location, enter a Description.
5. You can select the Set as Default Location or Remote Location to indicate the type of location. You can only have one default location. These fields don't currently affect any functionality and selecting them is for your own reference.

6. Add any other information you would like using the remaining fields, including the physical address, country, GPS coordinates, time zone, or assigned groups. These fields don't currently affect anything, and the information entered there would be only for your own reference.

   If you add groups to the Assigned Groups field, the users belonging to those groups appear on the Assigned Users tab. However, the location settings won't apply to them. If you assign a location to a login authenticator, the location applies to users who are assigned to that login authenticator and restricts their ability to log in based on their IP address. However, those users will not appear on the Assigned Users tab.

7. Click Save.

8. Back on the Location Definitions page, click the location you just created to open it.

9. Click the Auto-Detection Rules tab.

10. Create a new rule. To do so: 

    1. Click New Rule.

    2. Give the rule a descriptive Name.

    3. Select the Rule Type from the following: 

       • List: A list of specific IP addresses allowed for this location. For example, 100.0.1.100, 100.0.1.101, and 100.0.1.102.

       • Range: An IP address range allowed for this location. For example, 100.0.1.100-100.0.1.125.

       • Subnet: A subnet allowed for this location. For example, 100.0.0.1/32.

    4. Specify the IP Version as one of the following:

       • IPV4: A 32-bit IP address

       • IPV6: A 128-bit hexadecimal address.

    5. Enter the actual IP addresses, range, or subnet in the Rule Definition field, following the formats of the examples in the preceding steps. If you selected List, you can enter up to 100 IP addresses. If you selected Range or Subnet, you can only enter one value.

    6. Click Confirm.

11. Add more rules as needed. You can have up to 10.

12. Click Save.

Set Up a CXone Login Authenticator with SAML 2.0

Required permissions: Login Authenticator Create

1. Click the app selector and select Admin.
2. Click Security > Login Authenticator.
3. Click New Login Authenticator.
4. Enter the Name and Description of the login authenticator.
5. Select SAML as the Authentication Type.

6. If you want to require that users log in from a certain IP address, select the Location you set up in the preceding section.

7. Enter the Identity Provider Single Sign-on URL you received from Okta as the Endpoint URL. See the last step of the preceding task for more details.
8. Click Choose File and select the public signing certificate you downloaded from Okta in the previous task. This certificate must be a PEM file. It will be a text file and the first line will contain BEGIN CERTIFICATE with some additional text.

9. Select the Assigned Users tab. Select the users that you want to assign to the login authenticator you are creating. You can also assign users directly to the login authenticator in their employee profile.

10. Click Save and Activate.
11. Open the login authenticator.

12. You will notice two additional read-only fields displayed: the Entity ID and the ACS URL. Make a note of these values. You will need them in the Add CXone Values to Okta task.

Configure an Okta Application with OpenID Connect

1. Log in to your Okta management account.
2. Click Applications menu > Create App Integration.
3. Select OIDC - OpenID Connect as the Sign-in method.
4. Select Web Application as the Application type, and click Next.
5. In the App integration name field, enter the name you want to use to identify this integration.
6. You will need to provide a Sign-in Redirect URI which you don't know at this point. Use https://cxone.niceincontact.com/need_to_change as a placeholder. You will change this value with the URI you receive later.
7. You may need to provide a Sign-out Redirect URI which you don't know at this point. Use https://cxone.niceincontact.com/need_to_change as a placeholder. You will change this value with the URI you receive later.
8. In the Controlled access drop-down, select Skip group assignment for now.
9. Click Save.
10. On the General tab under Client Credentials, select Client authentication.
11. Select one of the following authentication methods:
    1. client_secret_basic: client credentials are passed in a basic header during authentication. After selecting this method, configure the following:
       1. Select Client authentication as the Client secret.
       2. Copy the Client ID and Client Secret and paste them to a secure place on your device. You will need to use them when you configure a login authenticator in CXone.
    2. client_secret_post: client credentials are passed in a body during authentication. After selecting this method, configure the following:
       1. Select Client authentication as the Client secret.
       2. Copy the Client ID and Client Secret and paste them to a secure place on your device. You will need to use them when you configure a login authenticator in CXone.
    3. client_secret_jwt: JWT bearer tokens are used for client authentication. After selecting this method, configure the following:
       1. Select Client authentication as the Client secret.
       2. Copy the Client ID and Client Secret and paste them to a secure place on your device. You will need to use them when you configure a login authenticator in CXone.
    4. private_key_jwt: JWT bearer tokens are used for client authentication. The JWT is signed by the Client Private Key that you will provide in later steps. After selecting this method, configure the following:
       1. Select Client authentication as the Public key / Private key.
       2. Enter a placeholder public key in the Add public key field. You will need to replace the placeholder with the key provided by CXone when you configure your login authenticator.
12. On the Assignments tab, click Assign, then click Assign to People.
13. Assign users to this application.

Set Up a Login Authenticator with OpenID Connect in CXone

1. Click the app selector and select Admin

2. Go to Security Settings > Login Authenticator.

3. Click New Login Authenticator or select the login authenticator you want to edit.
4. Enter the Name and a Description of the login authenticator.
5. Select OIDC as the Authentication Type.

6. If you want to require that users log in from a certain IP address, select the Location you set up in the preceding section.

7. If you have a discovery endpoint from Okta, click Discover Settings. Enter your discovery endpoint and click Discover. The remaining fields are populated for you. Discover Settings does not work with Salesforce discovery endpoints.
8. Enter your Client Identifier and Client Password. Re-type the password in Client Confirm Password. The Client Identifier is the Login ID assigned to your account by Okta.

9. If you don't have a discovery endpoint from Okta, enter your Okta-provided Issuer, JsonWebKeySet Endpoint, Authorization Endpoint, Token Endpoint, UserInfo Endpoint, and Revocation Endpoint.

   Learn more about fields in this step

   Field	Details
   Issuer	Okta's URL without any parameters.
   JsonWebKeySet Endpoint	The URL of Okta's JWK Set.
   Authorization Endpoint	The URL of Okta's OAuth 2.0 Authorization Endpoint.
   Token Endpoint	The URL of Okta's OAuth 2.0 Token Endpoint.
   UserInfo Endpoint	The URL of Okta's UserInfo Endpoint.
   Revocation Endpoint	The URL of Okta's Revocation Endpoint.

10. Select a Client Authentication Method. The method you select must match what you set up in the previous task. It must be an authentication method that Okta supports. If you select private_key_jwt, you must enter your Client Private Key.
11. You can select Enable FICAM Profile to turn on United States government-specific settings. This step is only for FedRAMP users.

12. Select the Assigned Users tab. Select the users that you want to assign to the login authenticator you are creating. You can also assign users directly to the login authenticator in their employee profile.

13. Click Save & Activate to validate the provided information and to link your CXone account to your Okta account.
14. Open the login authenticator.

15. Note the Sign-in Redirect URI and Sign-out Redirect URI. You will need them to update your Okta settings.

16. Update your Okta settings, replacing the placeholders used in the previous task with the values you just noted.

17. Ensure that the CXone External Identity for each user that uses the login authenticator is set to the correct value. This field can be accessed in the security section of the employee's profile.

    Okta determines the value that must be used. It can be found in the user's profile in Okta. The value must match exactly what you put in the External Identity field in CXone. The value for this field must be in this format: claim(email):{email configured by your IdP}. For example, if the user's email in the IdP is nick.carraway@classics.com, you would enter claim(email):nickcarraway@classics.com.

18. Have the user log in to CXone. They must use the latest login URL. After entering their username, they will be directed to Okta if needed.

19. When Okta asks you to authenticate your own account, do so as the user you want associated with your currently-logged in CXone account.
20. If your OpenID Connect settings in CXone don't show as validated, use Okta's logs to diagnose the problem.

Add CXone Values to Okta

1. Return to your Okta application and go to the General tab.
2. Click Edit on the SAML Settings window, then click Next.
3. For Single Sign On URL, enter the ACS URL value from your CXone login authenticator.
4. For Audience URI (SP Entity ID), enter the Entity ID value from your CXone login authenticator.
5. Click Next, then click Finish to complete the change.

Verify User Access with Okta Single Sign-On

1. Ensure that the External Identity for each employee who uses the login authenticator is set to the correct value. The value must exactly match External Identity in CXone. The External Identity field is case sensitive.

2. Have one or more test users log in using the latest login URL, https://cxone.niceincontact.com. For FedRAMP, use https://cxone-gov.niceincontact.com. After entering their username, they will be directed to Okta if needed.

3. When you're ready, roll out Okta single sign-on to all employees.

Create Roles

Required permissions: Role Management Create

1. Click the app selector and select Admin.
2. Go to Security Settings > Roles & Permissions.
3. Click New Role.

4. Type a Name and optionally a Description for the role.

   The role's description cannot have more than 200 characters.

5. Click the Permissions tab.

6. Configure the permissions for the role. Permissions are categorized by CXone application, and you can only see applications that are part of your CXone system. Click the role categories on the left to move between them.

7. If the role you're creating (or editing) has permissions similar to one of the CXone's four out-of-the-box (OOTB) roles, click Set To Default, select the relevant OOTB role (Agent, Manager, Administrator, or Evaluator) from the drop-down, and then click Apply. The permissions are set according to the selected out-of-the-box role. Make the changes in the permissions, as required for the role.
8. When you are finished configuring permissions, click Save to save the role in draft status or click Save and Activate to save the role in active status. You cannot assign users to the role until you activate it.

Create or Edit Employees

Required permissions: Employees Create

You can add an employee account by using:

• Create Employee—Create an individual account using the Create Employee window.

• Import Employees—Import multiple employee accounts.

The instructions here are for creating a single employee account in the application. If your company is using ACD, you'll also need to configure ACD user settings for this employee.

To add an employee:

1. Click the app selector and select Admin.

2. Click Employees > Create Employee.

3. Enter the employee's First Name and Last Name. The Middle Name is optional.

4. Enter a valid Email Address. CXone sends emails like activation invitations and password verification codes here. You can use the same email address for multiple employees. When you edit an employee's email address, a verification email is sent to the new email address.

5. Enter the Username you want to assign to an employee. The username must be in the form of an email address. The field is auto filled from the Email Address field. You can edit it if you want to.

6. Assign a Primary Role to an employee from the drop-down.

7. Complete the fields on the General tab.

   Learn more about fields on the General tab

   Field	Details
   Display Name	Enter a Display Name you want to assign to an employee. Users from other teams can view the display name. They cannot view other information about the employee unless they have the View Employee permission enabled.
   Type	Use Type to organize an employee outside of their assigned Role and Team. The type is not tied to permissions or unavailable codes. This makes reporting easier. You can select previously created types from the drop-down. You can also create new types by entering text in the search bar, and clicking Create.
   Hire Date	The date you hired an employee. This field is for your records only. CXone doesn't use this information.
   Time Zone	The employee is automatically assigned to the tenant High-level organizational grouping used to manage technical support, billing, and global settings for your CXone environment time zone unless you change it.
   OS Login	The operating system the employee uses. The CXone Recording application requires this information for screen recording. The field accepts free text and may contain a text string related to an operating system such as Windows 10.
   Rank	This field is visible only if you have CXone WFM in your environment. It determines priority when creating a schedule.
   Assigned to Team	Assign the employee to a team by selecting a team from the drop-down menu. If you haven't created teams yet, or if the employee will belong to a new team, you can just accept the Default Team setting and then change it later.
   Assigned To Groups	Assign the employee to one or more groups by selecting groups from the drop-down menu.
   Assigned To Scheduling Unit	This field is visible only if your system includes CXone WFM. It specifies the scheduling unit for the employee.
   Mobile Number	The employee's mobile or cell phone number. This field is for your records only. CXone doesn't use this information.
   Attributes	Under this drop-down select attributes related to the employee: Can be Evaluated/Coached—This attribute appears only if your system includes CXone QM. It enables the employee to be evaluated, and you will be billed for CXone QM for this employee. The default value is selected for new employees. If you add CXone QM to a system that has existing users, you must manually enable this setting for those users. Can Be Recorded (Screen)—This attribute appears only if your system includes CXone Recording Advanced. It enables the employee's screen to be recorded, and you will be billed for screen recording for this employee. The default value is selected for new employees. If you add CXone Recording Advanced to a system that has existing users, you must manually enable this setting for those users. Can be Recorded (Voice)—This attribute is visible only if your system includes CXone Recording/CXone Recording Advanced. It enables the employee's voice to be recorded. You will be billed for voice recording for this employee. The default value is selected for a new employees. If you add CXone Recording/CXone Recording Advanced to a system that has existing users, you must manually enable this setting for those users. Can be Scheduled—This attribute is visible only if your system includes CXone WFM. It enables the employee to be scheduled. You will be billed for CXone WFM for this employee. The default value is selected for new employees. If you add CXone WFM to a system that has existing users, you must manually enable this setting for those users. Users who don't have this attribute selected won't appear in employee lists when creating weekly rules or shift templates. Removing this attribute from a user deletes that user from any weekly rules or shift templates to which the user is assigned. Can be Analyzed—This attribute appears only if your system includes Interaction Analytics. When this attribute is selected, the employee's recorded interactions are analyzed by Interaction Analytics. You will be billed for Interaction Analytics for this employee. The default value is cleared for new employees. Can Edit BI Reports—Employees with this attribute selected can edit any of the BI reports in the Reporting application as long as they also have the correct permissions. The default value is cleared for all employees, both existing and new. Can View BI Reports—Employees will be able to open any BI reports with this attribute. Reports are in the Reporting application, but employees should have permissions to view the reports there. BI reports have no usage fee for up to 10% of either your concurrent or configured users, depending on your pricing model. Once the 10% threshold is passed, you will be billed for each additional employee with this checkbox selected. The default value is cleared for all employees, both for existing and new. Customer Card—This attribute allows employees who don't work with digital contacts to access available customer cards for omnichannel-routed voice, chat, email, and CXone SMS Messaging contacts. The default value is cleared for new employees. Digital Engagement—This attribute appears only if your system includes Digital Experience. When this attribute is selected, the employee's record is synced to Digital Experience, and they can work on digital contacts. You will be billed for Digital Experience for this employee. The default value is cleared for new employees.

8. Click Create to create the employee profile and continue setting it up. Click Create & Invite if you're ready for the user to activate their account and set up their password.

Authenticate Applications

Users and applications are authenticated in very similar ways. The main difference is that applications are authenticated with an access key while users are authenticated with a username and password. Unlike users, applications are not required to interact through a browser. Applications typically are either back-office functionality or intelligent virtual agents Chatbot or similar application that interacts with a user based on artificial intelligence (IVAs).

To set up an application to interact with CXone, create an employee profile and name the profile after the application. Then create an access key for the application user as follows:

Required permissions: Employees Edit

1. Click the app selector and select Admin.
2. Click Employees and then click the employee profile you're editing to open it.

3. Click the Security tab.

4. Click Add access key.
5. Copy the Access Key ID to a secure location.
6. Click Show Secret Key and copy the secret key to a secure location.
7. Click Save.

Authorization in CXone

Authorization is the process of verifying what resources a user is allowed to access. Resources can include applications, files, and data. You can define users' access to resources with role-based access control. CXone manages authorization automatically during authentication. When a user is authenticated they are given access only to the resources they're authorized for.

A user's authentication method doesn't impact authorization. CXone uses the same authorization process for all users. It doesn't matter whether they are authenticated with access keys or passwords.