Set Up CXone Mpower Authentication Using Onelogin as an External Identity Provider
This page guides you, step-by-step, in setting up authentication for your CXone Mpower system using Onelogin as your external identity provider (IdP).
Before You Begin
- Gain a basic understanding of authentication and authorization concepts and terminology if you've never set up a process like this before.
- Review the CXone Mpower-specific process if this is the first time you've worked with authentication in CXone Mpower.
- Consider your human users and the levels of access they need. Decide whether people with greater access should have greater levels of security.
- Decide whether you will enforce custom password requirements, multi-factor authentication (MFA), or both.
- Based on your decisions, make a list of login authenticators. The list should include the password requirements and MFA status you want to use for each login authenticator.
- Consider whether you need to include authentication and authorization for applications like bots or intelligent virtual assistants (IVAs). If so, you will need to create access keys.
- Gain an understanding of your authentication protocol. CXone Mpower supports SAML 2.0 for Onelogin integration.
- Evaluate the combination of IdP and protocol to ensure your use cases and user flows are supported, and to identify potential issues. This should include actual testing.
Your CXone Mpower team can support and guide you in this planning process. Good planning makes for a smoother implementation. Implementing authentication and authorization as immediate needs come up is more likely to lead to issues.
Complete each of these tasks in the order given.
Set Up an IDP Application in Onelogin
Generate the Relay State Value
The relay state value is required for the SAML Onelogin application that you'll create in the next task. This value is different for every region your organization operates in.
- Locate your client ID, which you can obtain from
- Format your client ID as {"clientId":"{UUID}"}, where UUID is your client ID. For example, {"clientId":"{10g9f8e7d6c5b4a3z2y1x}"}.
- Base64-encode the string from the preceding step. The example string from the preceding step becomes eyJjbGllbnRJZCI6InsxMGc5ZjhlN2Q2YzViNGEzejJ5MXh9In0= when base64-encoded.
- Save the string to use in the next task.
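The steps above can be scripted so that the value is built the same way every time and checked before it is pasted into Onelogin. This is an added example, not NICE or Onelogin code; the function names build_relay_state and check_relay_state are hypothetical, and the only input used is the example client ID shown on this page.

```python
import base64
import binascii
import json

def build_relay_state(client_id):
    """Encode a client ID in the format this page shows for the RelayState field."""
    # The page's worked example keeps literal braces around the ID inside the
    # JSON string, so they are added here (and not doubled if already present).
    payload = {"clientId": "{" + client_id.strip().strip("{}") + "}"}
    # Compact separators: json.dumps defaults to ", " and ": ", and the extra
    # spaces would change the encoded value.
    text = json.dumps(payload, separators=(",", ":"))
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def check_relay_state(value):
    """Return a list of problems found in an encoded relay state (empty means OK)."""
    try:
        raw = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        return [f"not standard base64 text: {exc}"]
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"decoded value is not JSON: {exc}"]
    if not isinstance(obj, dict) or set(obj) != {"clientId"}:
        return ["JSON must be an object with the single key 'clientId'"]
    problems = []
    cid = obj["clientId"]
    if not (isinstance(cid, str) and len(cid) > 2
            and cid.startswith("{") and cid.endswith("}")):
        problems.append("clientId is not wrapped in braces as in the page's example")
    if raw != json.dumps(obj, separators=(",", ":")):
        problems.append("JSON contains extra whitespace or formatting")
    return problems
```

Calling build_relay_state with the page's example client ID reproduces the encoded string shown in the step above; check_relay_state can be run on a value already saved in Onelogin to see why it differs.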
Create an Application in Onelogin
- Log in to Onelogin as an administrator.
- Go to Applications > Applications and click Add App.
- Search for SAML Test Connector (IdP), then select it and save.
- In the Application section, select App > Configuration.
- Enter a Display Name for the application.
- If you want to, select an icon and add a description.
- Save your application.
- Move to the next task to configure settings.
Configure Single Sign-On and Configure SAML Settings
- If you haven't created a certificate in Onelogin yet, do so now:
  - Go to Security > Certificates and click New.
  - Give the certificate a name and select a Signature. The recommended option is SHA-256.
  - Click Save.
  - From the Signature fingerprint drop-down, select the same option that you chose for Signature.
  - Click Save.
  - Download the certificate.
- In the application you created, click Configuration in the left menu.
- In the RelayState field, enter the encoded relay state value you generated in the preceding task.
- For the Audience, enter a placeholder URL, such as https://need_to_change. You will replace the placeholder with the Entity ID from your CXone Mpower login authenticator in a later step.
- In the Recipient, ACS (Consumer) URL Validator and ACS (Consumer) URL fields, enter another placeholder URL. You will get the actual Assertion Consumer Service (ACS) URL from your CXone Mpower login authenticator in a later step.
- Click SSO in the left menu.
- Under X.509, click Change, then select the certificate you created from the drop-down.
- Select a SAML Signature Algorithm. The recommended algorithm is SHA-256.
- Select Login Hint and Assumed Sign-In.
- Go to the Users page and add all users that need to be able to use Onelogin to log in to CXone Mpower.
- Click Privileges in the left menu and add one or more users as admins for this application.
- Leave the window open. You will make changes to your configuration based on CXone Mpower settings you will get later.
Create a Login Authenticator with SAML 2.0
Required permissions: Login Authenticator Create
- Click the app selector and select Admin.
- Click Security > Login Authenticator.
- Click New Login Authenticator.
- Enter the Name and Description of the login authenticator. For the description, use plain text only. URLs or markup such as HTML will not be saved.
- Select SAML as the Authentication Type.
- If you want to require that users log in from a certain IP address, select the Location you set up in the preceding section.
- If you want to enable service provider (SP)-initiated login for this login authenticator, complete this step. In the Endpoint URL field, enter the SAML 2.0 endpoint you copied from Onelogin in the previous task.
- Click Choose File and select the public signing certificate you downloaded from Onelogin in the previous task. This certificate must be a PEM file. It will be a text file and the first line will contain BEGIN CERTIFICATE with some additional text.
- Select the Assigned Users tab. Select the users that you want to assign to the login authenticator you are creating. You can also assign users directly to the login authenticator in their employee profile.
- Click Save and Activate.
- Open the login authenticator.
- You will notice two additional read-only fields displayed: the Entity ID and the ACS URL. Make a note of these values. You will need them in the next task.
Add CXone Mpower Values to Onelogin
Complete this step in Onelogin.
- Log in to Onelogin as an administrator.
- Under Web App Settings in the connected app you created, paste the values you copied from your login authenticator in CXone Mpower:
  - In the Recipient, ACS (Consumer) URL Validator and ACS (Consumer) URL fields, delete the placeholder URL and paste in the one you copied from the ACS URL field in your CXone Mpower login authenticator in the preceding task.
  - In the Audience field, delete the placeholder URL and paste in the one you copied from the Entity ID field in your CXone Mpower login authenticator in the preceding task.
Configure CXone Mpower Users
Complete this task in CXone Mpower for all CXone Mpower users who require single sign-on with Onelogin. You can also complete this step using the bulk upload template.
- In CXone Mpower, click the app selector and select Admin.
- Click Employees.
- Select the employee profile to modify and click Edit.
- If you haven't already done so, go to the Security tab and select the login authenticator you created previously.
- Ensure that the External Identity is set to the correct value. The value must match exactly the Unique User Identifier in Onelogin.
- Save your changes.
Test the SAML Integration
Before assigning the SAML login authenticator to users in CXone Mpower, you should test the SAML integration. If the test fails, review your configurations and make changes to the settings.
- Initiate a login from the Onelogin dashboard.
- Verify that the SAML authentication flow works as you expect it to.
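When the test fails, comparing a SAMLResponse captured from your own test login with the Entity ID and ACS URL of the login authenticator shows which setting is wrong. The following is an added example, not NICE or Onelogin code: the function name review_saml_response, the sp.example.invalid URLs and the sample response are constructed for illustration, and only standard SAML 2.0 element names are assumed.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PLACEHOLDER = "https://need_to_change"  # placeholder URL used earlier on this page
SHA1_ALGS = ("rsa-sha1", "dsa-sha1")

# Constructed sample (not captured from a real tenant): the Audience still
# holds the placeholder and the signature method is SHA-1.
SAMPLE = base64.b64encode(b"""<samlp:Response
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <saml:Assertion>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:SubjectConfirmation><saml:SubjectConfirmationData
    Recipient="https://sp.example.invalid/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://need_to_change</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>""").decode("ascii")

def review_saml_response(b64_response, entity_id, acs_url):
    """Compare a captured SAMLResponse with the login authenticator's values.

    Diagnostic only: it does not verify the XML signature.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    audience = root.findtext(".//saml:Audience", default="", namespaces=NS).strip()
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient", "") if scd is not None else ""
    sig = root.find(".//ds:SignatureMethod", NS)
    algorithm = sig.get("Algorithm", "") if sig is not None else ""
    findings = []
    if audience == PLACEHOLDER:
        findings.append("Audience still contains the placeholder URL")
    elif audience != entity_id:
        findings.append(f"Audience {audience!r} does not match Entity ID")
    if recipient != acs_url:
        findings.append(f"Recipient {recipient!r} does not match ACS URL")
    if not algorithm:
        findings.append("no SignatureMethod found; response is unsigned")
    elif algorithm.endswith(SHA1_ALGS):
        findings.append("signature uses SHA-1; the page recommends SHA-256")
    return findings
```

An empty list means the Audience, Recipient and signature algorithm agree with the configuration described on this page.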