Set Up CXone Mpower Authentication Using Salesforce as an External Identity Provider

This page guides you in setting up authentication for your CXone Mpower system using Salesforce as your external identity provider (IdP).

Before You Begin

  • Gain a basic understanding of authentication and authorization concepts and terminology if you've never set up a process like this before.
  • Review the CXone Mpower-specific process if this is the first time you've worked with authentication in CXone Mpower.
  • Consider your human users and the levels of access they need. Decide whether people with greater access should have greater levels of security.
  • Decide whether you will enforce custom password requirements, multi-factor authentication (MFA), or both.
  • Based on your decisions, make a list of login authenticators. The list should include the password requirements and MFA status you want to use for each login authenticator.
  • Consider whether you need to include authentication and authorization for applications like bots or intelligent virtual assistants (IVAs). If so, you will need to create access keys.
  • Gain an understanding of your authentication protocol. CXone Mpower supports SAML 2.0 for Salesforce integration.
  • Evaluate the combination of IdP and protocol to ensure your use cases and user flows are supported, and to identify potential issues. This should include actual testing.

Your CXone Mpower team can support and guide you in this planning process. Good planning makes for a smoother implementation. Implementing authentication and authorization as immediate needs come up is more likely to lead to issues.

Complete each of these tasks in the order given.

Set Up an IdP Application in Salesforce

Create an Application

  1. Log in to Salesforce as an administrator.
  2. Create an application.
  3. Enable Identity for your application:
    1. Go to Setup.
    2. In the quick find box, type Identity and select Identity Provider under Identity.
    3. Click Enable Identity Provider. Salesforce generates a unique Salesforce Certificate for SAML. This is required for signing SAML assertions.
    4. Save the generated certificate.
  4. Enable single sign-on for your application:
    1. Under Identity, go to Single Sign-On Settings.
    2. Select SAML Enabled under Federated Single Sign-On Using SAML.
  5. Finish creating the application.

Create a Connected App and Configure SAML Settings

  1. On your new application's management page, go to the Manage section.
  2. Click Single Sign-On and select SAML as the Single Sign-On method.
  3. Go to Platform Tools > Apps > External Client Apps Settings.
  4. Enable the following options:
    • Allow access to External Client App consumer secrets via REST API
    • Allow creation of connected apps
  5. Click New Connected App.
  6. Under Basic Information, enter the Connected App Name, API Name, and Contact Email. You can use the same name for the IdP application and the connected app. For the contact email, use an email you have access to.
  7. Under Web App Settings, select Enable SAML.
  8. In the ACS URL field, enter a placeholder URL, such as https://need_to_change. You will get the actual Assertion Consumer Service (ACS) URL from your CXone Mpower login authenticator in a later step.
  9. In the Audience Restriction field, enter another placeholder URL similar to the one from the previous step. In a later step, you will replace the placeholder with the Entity ID from your CXone Mpower login authenticator.
  10. Under SAML Service Provider Settings, select the Subject Type you're using to identify users.

    Update the Name ID Format field with the appropriate format. Your selection here determines how you configure the External ID field in your CXone Mpower users' employee profiles. You will configure these in a later step.

  11. Select the IdP Certificate you saved earlier. To recreate the certificate, go to Settings > Security Certificate and Key Management.
  12. Select the Signing Algorithm for SAML Messages that you want to use. The recommended algorithm is SHA-256.
  13. Click Save.

  14. Go to Platform Tools > Apps > Connected Apps and click Manage Connected Apps, then select your application.
  15. On the application's management page, go to the Profiles section and click Manage Profiles.
  16. Select Standard Platform User, Standard User, and System Administrator on the Application Profile Assignment page.
  17. Save your changes.
  18. Leave the window open. You will make changes to your configuration based on CXone Mpower settings you will get later.

Assign Users to the Application

After creating and configuring your IdP application, you need to add users. You should add all Salesforce users who will use Salesforce as an external IdP to log in to CXone Mpower.

  1. In your new application, go to Administration > Users > Users > New User.

  2. For each user, the value in the Username column on the All Users page in Salesforce is the value you must use as the External ID in that user's corresponding employee profile in CXone Mpower. The user names must match exactly or the user won't be able to log in to CXone Mpower.

  3. Add users to the application.

Create a Login Authenticator with SAML 2.0

Required permissions: Login Authenticator Create

  1. Click the app selector and select Admin.
  2. Click Security > Login Authenticator.
  3. Click New Login Authenticator.
  4. Enter the Name and Description of the login authenticator. For the description, use plain text only. URLs or markup such as HTML will not be saved.
  5. Select SAML as the Authentication Type.
  6. If you want to require that users log in from a certain IP address, select the Location you set up in the preceding section.

  7. Click Choose File and select the public signing certificate you downloaded from Okta in the previous task. This certificate must be a PEM file. It will be a text file and the first line will contain BEGIN CERTIFICATE with some additional text.
  8. Select the Assigned Users tab. Select the users that you want to assign to the login authenticator you are creating. You can also assign users directly to the login authenticator in their employee profile.

  9. Click Save and Activate.
  10. Open the login authenticator.
  11. You will notice two additional read-only fields displayed: the Entity ID and the ACS URL. Make a note of these values. You will need them in the next task.

Add CXone Mpower Values to Salesforce

Complete this step in Salesforce.

  1. Log in to Salesforce as an administrator.

  2. Under Web App Settings in the connected app you created, paste the values you copied from your login authenticator in CXone Mpower:

    • In the ACS URL field, delete the placeholder URL and paste in the one you copied from the ACS URL field in your CXone Mpower login authenticator in the preceding task.
    • In the Audience Restriction field, delete the placeholder URL and paste in the one you copied from the Entity ID field in your CXone Mpower login authenticator in the preceding task.

Generate the Relay State Value for Your Login URL

When using Salesforce as the IdP, you must generate a relay state value to append to the login URL. The relay state value is different for every region your organization operates in.

  1. Locate your client ID, which you can obtain from your app registration.

  2. Format your client ID as {"clientId":"{UUID}"}, where UUID is your client ID. For example, {"clientId":"{10g9f8e7d6c5b4a3z2y1x}"}.

  3. Base64-encode the string from the preceding step. The example string from the preceding step becomes eyJjbGllbnRJZCI6InsxMGc5ZjhlN2Q2YzViNGEzejJ5MXh9In0= when base64-encoded.

  4. Append the base64-encoded string to the end of your IdP-Initiated Login URL. You can find this URL on your app's management page in Salesforce under SAML Login Information. 

Test the SAML Integration

Before assigning the SAML login authenticator to users in CXone Mpower, you should test the SAML integration. If the test fails, review your configurations and make changes to the settings.

  1. Log in to Salesforce as an administrator and open the IdP app you created previously.
  2. Go to the app's management page.

  3. Under SAML Login Information, copy the IdP-Initiated Login URL.

  4. Paste into the address bar of a web browser but do not press Enter yet.

  5. Append the relay state value you generated in a previous task to the end of the URL in the address bar as the parameter RelayState=[value]. Because the IdP-Initiated Login URL already contains a query string (?app=...), join the new parameter with & rather than a second ?, which would not be read as a separate parameter. For example:

    https://IdP-initiated.URL.from..com/idp/login?app=123abc45&RelayState=eyJjbGllbnRJZCI6InsxMGc5ZjhlN2Q2YzViNGEzejJ5MXh9In0=

  6. Press Enter. If you are successfully logged in to CXone Mpower, you can add users to the login authenticator.
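The following script, added here as an example and not part of the CXone Mpower or Salesforce documentation, reproduces the two preceding tasks: it builds the RelayState value from a client ID and appends it to the IdP-Initiated Login URL with the correct query-string separator. The client ID is the page's example; the login URL is a constructed placeholder.

```python
import base64
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Client ID from the page's example; the login URL is a constructed placeholder,
# not a real Salesforce endpoint.
EXAMPLE_CLIENT_ID = "10g9f8e7d6c5b4a3z2y1x"
EXAMPLE_LOGIN_URL = "https://idp.example.invalid/idp/login?app=123abc45"


def relay_state(client_id: str) -> str:
    """Return the RelayState value: base64 of {"clientId":"{<client ID>}"}.

    Compact separators reproduce the exact byte layout shown on the page;
    any extra whitespace in the JSON would change the encoded value.
    """
    payload = json.dumps({"clientId": "{" + client_id + "}"}, separators=(",", ":"))
    return base64.b64encode(payload.encode("ascii")).decode("ascii")


def decode_relay_state(value: str) -> str:
    """Inverse of relay_state(): recover the client ID to verify a value."""
    payload = json.loads(base64.b64decode(value, validate=True))
    return payload["clientId"].strip("{}")


def idp_login_url(base_url: str, client_id: str) -> str:
    """Append RelayState to the IdP-initiated login URL.

    Salesforce's URL already carries a query string (?app=...), so the new
    parameter must be joined with '&'. A second '?' would be swallowed into
    the app value and the relay state would never reach CXone Mpower.
    """
    parts = urlsplit(base_url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "RelayState"]          # replace any stale RelayState
    query.append(("RelayState", relay_state(client_id)))
    # safe="=" keeps the base64 padding as-is, matching the page's example;
    # '+' or '/' in other encoded values are percent-encoded, which is valid.
    return urlunsplit(parts._replace(query=urlencode(query, safe="=")))


if __name__ == "__main__":
    print(relay_state(EXAMPLE_CLIENT_ID))
    print(idp_login_url(EXAMPLE_LOGIN_URL, EXAMPLE_CLIENT_ID))
```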

Configure Users and Add to the SAML Login Authenticator

Complete this task in CXone Mpower for all CXone Mpower users who require single sign-on with Salesforce. You can modify multiple users at the same time using the bulk upload template.

  1. In CXone Mpower, click the app selector and select Admin.

  2. Click Employees.

  3. Select the employee profile to modify and click Edit.

  4. If you haven't already done so, go to the Security tab and select the login authenticator you created previously.

  5. Ensure that the External Identity is set to the correct value. The value must exactly match the user's corresponding unique Salesforce user ID. The type and format of this ID are configured in the connected app you created in a preceding step in Salesforce.

  6. Save your changes.